Page MenuHomePhabricator
Create Task
Maniphest T387075

Display C2PA metadata when available on photos uploaded to Wikimedia Commons
Open, Needs TriagePublicFeature
Actions

Description

Feature summary
A new initiative to help determine the provenance of an image, called “Content Credentials” has recently emerged as one way to help detect AI or otherwise manipulated images. Image editing applications, AI-generation tools, and camera makers are implementing these credentials.

When an image that contains these credentials are uploaded to Wikimedia Commons, Commons should display this metadata alongside the image.

Use case(s)

One potential use case would be someone looking for an image to use on a Wikimedia project and they want to make sure, as best they can, that the image is an actual photo of what it claims to represent. Let’s say someone wanted to add a photo of a city, monument, or an example of something to a Wikipedia article. They search Commons, find a hundred photos of <thing>. Displaying the C2PA metadata would be one indicator of which of these 100 images are of the actual <thing> and not an AI-generated or otherwise manipulated image.

This basic concept would also extend to anyone wanting to use an image from Commons elsewhere, outside our projects. A student doing a report on a city and wanting to add an image of the actual city to their presentation, for instance.

Benefits

As AI-generated images are proliferating and the quality of said images increases, it is becoming more difficult to distinguish between a photo taken with a camera or a photo generated by a computer. Misinformation and disinformation is on the rise. The difficulty an average person has on determining what is “real” becomes more difficult. Displaying this metadata is one additional indicator of the providence of an image and would help people distinguish between an un-manipulated photo and a computer generated one.

The confusion around what is real and what is AI is leading to a distrust of, well anything, but in this instance, institutions – such as Wikipedia. If a well-meaning contributor were to add an AI-generated image to an article, and a reader discovered that the image was not of the subject being described, but computer-generated,that could erode trust in our projects. The same could be said of images found on Commons and used elsewhere. People will begin to distrust what they find and use on Commons.

See also

Related Objects

Event Timeline

Ckoerner created this task.Feb 22 2025, 8:53 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 22 2025, 8:53 PM
Ckoerner updated the task description. (Show Details)Feb 22 2025, 9:02 PM
Raymond subscribed.Feb 22 2025, 10:01 PM
Frank_Schulenburg subscribed.Feb 22 2025, 10:07 PM
Peachey88 added a project: MediaWiki-File-management.Feb 23 2025, 5:38 AM
Peachey88 moved this task from Backlog to Metadata parsing on the MediaWiki-File-management board.
taavi subscribed.Feb 23 2025, 7:43 AM

So if I'm reading the linked pages correctly, this system is based on cameras, photo editing tools, and other tools involved in editing the image to cryptographically sign the file in some way. How would we decide which signatures are valid and which are not? How does this ensure that this doesn't end up promoting proprietary tools as more "trustworthy" than similar free software tools?

Ckoerner added a comment.Feb 28 2025, 10:30 PM

Hey taavi,

So if I'm reading the linked pages correctly, this system is based on cameras, photo editing tools, and other tools involved in editing the image to cryptographically sign the file in some way.

Yes, the video I linked to does a pretty good job explaining the cryptographic side of things. Even as a layperson I think I understand it. :)

How would we decide which signatures are valid and which are not?

There is an open-source API for implementing the verification check.

https://opensource.contentauthenticity.org/docs/introduction and their Github.

How does this ensure that this doesn't end up promoting proprietary tools as more "trustworthy" than similar free software tools?

As far as I understand this is an open initiative that is run by a non-profit.

I hope these answers are helpful.

Bawolff subscribed.Mar 1 2025, 4:04 AM

A major question here is do we actually validate the sigs or do we just display the value? If we do validate and its invalid, do we still display it or do we pretend it doesnt exist or show a warning of some kind?

Bawolff added a comment.EditedMar 1 2025, 4:12 AM
How does this ensure that this doesn't end up promoting proprietary tools as more "trustworthy" than similar free software tools?

As far as I understand this is an open initiative that is run by a non-profit.

Being an open initiative doesn't really matter much. It seems likely that open source tools may be locked out of such an ecosystem

[Personally I'm not sure if we should care. I'm more in the camp of display whatever metadata exists, and let users decide how to interpret it]

Bawolff added a comment.Mar 1 2025, 4:30 AM

So if I'm reading the linked pages correctly, this system is based on cameras, photo editing tools, and other tools involved in editing the image to cryptographically sign the file in some way. How would we decide which signatures are valid and which are not?

https://opensource.contentauthenticity.org/docs/prod-cert seems to imply that any S/MIME cert is trusted using normal S/MIME PKI. Trusting everyone feels like a big gaping hole if your goal is to detect AI.

Perhaps though the goal is more to know who to blame for AI than to detect it?

I have my doubts about the effectiveness of this whole scheme. Maybe the main benefit is the non-malicious use case to detect files that are accurately labelled as containing AI.

Bawolff added a comment.Mar 1 2025, 4:32 AM

Oh, maybe i misunderstood. https://opensource.contentauthenticity.org/docs/verify-known-cert-list/ says there is a hard coded list.

It feels like trust management in this thing is very hap-hazard.

Geertivp subscribed.Mar 1 2025, 6:25 PM

For info: https://help.openai.com/en/articles/8912793-c2pa-in-dall-e-3

Shizhao subscribed.Mar 3 2025, 7:40 AM
Michael subscribed.Mar 5 2025, 1:38 PM
Shizhao added a comment.Mar 6 2025, 3:31 AM

There is a workshop on this topic at W3C on 12 March 2025: https://www.w3.org/events/workshops/2025/authentic-web-workshop/

CKoerner_WMF subscribed.Mar 11 2025, 3:12 PM
In T387075#10608522, @Shizhao wrote:

There is a workshop on this topic at W3C on 12 March 2025: https://www.w3.org/events/workshops/2025/authentic-web-workshop/

(Putting my staff hat on for a second) Thanks @Shizhao, I've passed along this information and someone from the Foundation will be attending.

Jdrewniak subscribed.Mar 12 2025, 4:04 PM

Hi all, I attended the Authentic Web Mini Workshop, part 1 mentioned above. The W3C is still in the very early stages of accepting proposals for tools that enable verifiability on the web. They are gathering proposals for such technologies with the goal of determining if any of them should become a web standard. The technologies currently identified are:

Proposals will be evaluated by the W3C based on a technical framework using two axes:
What role the tool plays in the web ecosystem:

  1. Content Consumer - Person receiving the information (audience, reader)
  2. Content Provider/Source - Person(s) or organizations delivering content
  3. Content Promoter - Person(s) or organization that amplify the spread of information
  4. Credibility Facilitator - Person(s) or organization who is helping the consumer decide what to trust.
  5. Platform - Technological system, and by extension the person or organization who maintains and controls it.

How the tool enables credibility based on the following factors:

It's worth noting that the W3C Credible Web Community Group and framework above is focused on credibility, which is broad term that encompasses elements of trust and reputation. The proposal outlined above specifically aims to enabled transparency, which is not a judgement on believability, but a display of provenance/origin. This seems like a useful framework when considering this proposal and it's impact/goals.

SToyofuku-WMF subscribed.Mar 12 2025, 8:57 PM
Pppery merged a task: T392614: Content Credentials support.Apr 24 2025, 5:39 PM
Pppery added a subscriber: Keseperuna.
Aklapper mentioned this in T393884: Issue X.509 certificates to wikimedians, that are honored by CAI/c2pa (Content Authencity Initative), for signing media uploads to WMF projects.May 12 2025, 2:28 PM
C.Suthorn subscribed.May 12 2025, 6:32 PM
Juandev subscribed.May 23 2025, 9:44 AM
Likibp subscribed.Aug 31 2025, 11:15 AM
Omphalographer subscribed.Sep 20 2025, 12:44 AM

As a Commons user: it would be extremely helpful for MediaWiki to recognize and call out the presence of C2PA claims, even if the content of these claims is not fully decoded or verified. A number of AI image generation services, such as ChatGPT, use C2PA data to mark the images they generate. Even just displaying the software agent name from these claims would be of great value in identifying AI-generated images.

Bawolff mentioned this in T405138: We should extract Iptc4xmpExt:DigitalSourceType from image metadata.Sep 20 2025, 2:56 AM
Nemoralis subscribed.Fri, Oct 10, 11:43 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits