Countering AI disinformation and deep fakes with digital signatures
According to The Economist, disinformation campaigns (often state-sponsored) use “AI to rewrite real news stories”:
In early March a network of websites, dubbed CopyCop, began publishing stories in English and French on a range of contentious issues. They accused Israel of war crimes, amplified divisive political debates in America over slavery reparations and immigration and spread nonsensical stories about Polish mercenaries in Ukraine… the stories had been taken from legitimate news outlets and modified using large language models.
Deep fakes of still images and now video clips are similarly based on legitimate original photos and video. Detecting such fakery can be challenging.
An obvious partial solution (that I haven’t seen discussed) is for legitimate news sources to digitally sign original photos, video, and news stories.
Web browsers (or extensions) can automatically confirm or flag fakery of the original source (news publisher, journalist, photographer). All that’s needed is a consensus standard on how to encode such digital signatures—the sort of thing that W3C and similar organizations produce routinely.
Such signatures could be conveyed in a custom HTML wrapper that needn’t be visible to readers with web browsers unable to parse them—there’s no need to sprinkle “BEGIN PGP SIGNED MESSAGE” at the start of every article; these can be invisible to users.
Signatures could be layered—a photo could be signed by the camera capturing the original (manufacturer, serial number), the photographer (name, nym, unique email address), and publisher, all at the same time, similarly for text news articles.
Video could be signed on a per-frame basis as well as a whole-clip or partial-clip basis. Per frame signatures could include consecutive frame numbers (or timestamps), enabling trivial detection of selective editing to produce out-of-context false impressions.
Writers and photographers who wish to remain anonymous could sign with a nym (pseudonym; a unique identifier under control of an author—for example an email address or unique domain name not publicly connected with an individual); this would still enable anonymous sources to maintain reputations.
Signatures that reliably and uniquely identify original news sources (“nytimes.com”, “thefp.com”, “aljazeera.com”, etc.) could be used by third party services to produce reliability/trust/bias ratings for individual publishers. Again, a simple consensus standard would allow any web browser (or extension) to retrieve such ratings from such third parties (people with differing views will likely trust different rating organizations).
If there’s a desire for immutability or verifiable timestamps, articles (or signed article hashes) could be stored on a public blockchain.
Somebody...please pursue this?
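The per-frame scheme described in the post, sketched as an added example (not code from the post or from any standard). It assumes Ed25519 signatures; the record layout, the clip ID and the function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// SignedFrame is a hypothetical record layout, not a published standard.
type SignedFrame struct {
	Index     uint64
	Data, Sig []byte
}

// message binds the clip ID and frame number to the frame's hash.
func message(clipID string, index uint64, data []byte) []byte {
	return []byte(fmt.Sprintf("%s|%d|%x", clipID, index, sha256.Sum256(data)))
}

// SignClip signs each frame together with its consecutive frame number.
func SignClip(priv ed25519.PrivateKey, clipID string, frames [][]byte) []SignedFrame {
	out := make([]SignedFrame, len(frames))
	for i, f := range frames {
		out[i] = SignedFrame{uint64(i), f, ed25519.Sign(priv, message(clipID, uint64(i), f))}
	}
	return out
}

// VerifyExcerpt accepts a contiguous partial clip and rejects forged, cut or reordered frames.
func VerifyExcerpt(pub ed25519.PublicKey, clipID string, frames []SignedFrame) error {
	for i, f := range frames {
		if !ed25519.Verify(pub, message(clipID, f.Index, f.Data), f.Sig) {
			return fmt.Errorf("frame %d: bad signature", f.Index)
		}
		if i > 0 && f.Index != frames[i-1].Index+1 {
			return fmt.Errorf("frame %d follows %d: cut or reordered", f.Index, frames[i-1].Index)
		}
	}
	return nil
}

// Demo checks constructed frames: an honest excerpt, a splice, a renumbering.
func Demo() (excerpt, spliced, renumbered error) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	c := SignClip(priv, "clip-1", [][]byte{[]byte("f0"), []byte("f1"), []byte("f2"), []byte("f3")})
	v := func(fs ...SignedFrame) error { return VerifyExcerpt(pub, "clip-1", fs) }
	return v(c[1:3]...), v(c[0], c[2]), v(c[0], SignedFrame{1, c[2].Data, c[2].Sig})
}

func main() { fmt.Println(Demo()) }
```

A contiguous excerpt still verifies, so trimming at either end is not flagged; catching that needs the whole-clip signature the post also mentions.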
Nice, I agree that we could use some foresight and planning on this issue sooner than later.
The other comments seem to poke major holes in this scheme. Perhaps it can be rescued?
I’d assumed it would work like this: you’d need to check the source, but you could have proxies do that for you if you trust them. If you trust the New York Times to at least not tell you any major lies, you’d need to go to their website to know they’d really written the article, if you saw it referenced or reproduced elsewhere. I’d hope that could be done in the browser as you describe, so that NYTimes says yes, we certify that this particular URL is accurately reproducing our claims, so you can trust this article as far as you trust us.
That service could (and probably would) be made more general, having specific organizations whose business model is adding that stamp that says “we think the claims on this URL are valid to our standards”.
Any certification scheme that hashes to actual content (words or images) would preclude any editing whatsoever of those sources. Maybe that would work just fine. You don’t actually need to edit images whose purpose is factual journalism (although you certainly want to, to improve emotional impact and artistic merit). You couldn’t summarize or quote from articles and have the certificate remain intact, but maybe that’s fine; out of context quotes and inaccurate summaries are a bane of the modern world.
I’d love to see some more rational analysis of how we might deal with this set of issues. If we do a good job, we might actually wind up with a better information economy than the mess of misaligned incentives we have right now.
What’s to stop CopyCop from telling people they’re a trusted news source and proudly digitally signing their images? Perhaps you could have cameras sign their pictures in the pixels of the image, but this precludes (almost all types of) editing of images used online, and also CopyCop will shortly acquire a camera that can sign arbitrary images with the manufacturer’s key, if it actually becomes important.
There’s nothing to stop them, of course. But an article known to be from a reputable source is likely to have more impact than one from a known source of disinformation.
I have not claimed this is more than a “partial solution”.
I think one of the reasons this hasn’t become common (the concept and mechanism isn’t exactly new) is because of the massive complexity of trust relationships required to identify and validate the keys of “original trust sources”. Images and text get edited, resized, and transformed at a LOT of layers for a lot of reasons, and maintaining the chain of custody, especially with no authority to impose WHO is responsible for a compromised or forged key, is pretty unlikely.
I’ve posted a modified version of this, which I think addresses the comments above: https://nerdfever.com/countering-ai-disinformation-and-deep-fakes-with-digital-signatures/
Briefly:
Browsers can verify for themselves that an article is really from the NYT; that’s the whole point of digital signatures.
Editing can be addressed by wrapping signed original signatures with the signature of the editor.
CopyCop cannot obtain a camera that signs with “https://www.nikon.com/” unless the private key of Nikon has leaked (in which case it can be revoked by Nikon and replaced with a new one—this means old signatures can’t be trusted). This is the whole point of digital signatures.
There’s no need to maintain a chain of custody. The signatures themselves do that. All that’s needed is a functional Public Key Infrastructure.
That all said, of course this remains “an obvious partial solution”.