Textbook of AI

Glossary

C2PA / Content Provenance

C2PA stands for the Coalition for Content Provenance and Authenticity, an industry consortium founded in 2021 by Adobe, Microsoft, Intel, the BBC, Truepic and Arm. The coalition produces an open standard, the C2PA specification, for content credentials: cryptographically signed manifests bound to media files that record their origin, capture device, generative-AI involvement and edit history.

How it works

Each piece of content can carry an embedded manifest containing one or more assertions (e.g. "captured by this camera serial number at this GPS location at this time", "edited in Photoshop with these tools", "generated by DALL·E 3 with this prompt"). The manifest is signed by the producing tool's certificate, and chained: each downstream edit appends a new signed assertion. Verifiers can inspect any media file and recover the cryptographic provenance chain.

The standard is media-format-agnostic, JPEG, PNG, MP4, WAV, PDF, and uses JUMBF (JPEG Universal Metadata Box Format) as the embedding container.

Adoption

  • Cameras, Sony, Nikon and Leica have shipped firmware producing C2PA-signed photographs.

  • Generative AI, OpenAI's DALL·E and Sora, Adobe Firefly, and Microsoft Designer all attach C2PA Content Credentials to their outputs.

  • Platforms, Meta (Facebook, Instagram), TikTok and YouTube now read C2PA credentials and surface a "made with AI" label when present.

  • Newsrooms, the BBC, the New York Times and Reuters are part of the Content Authenticity Initiative (CAI), the broader umbrella organisation distributing C2PA tooling.

Limitations

  • Opt-in, only cooperating producers attach credentials; bad actors omit them.

  • Stripping, re-saving a file in a non-aware tool, screenshotting, or simply uploading to a platform that strips metadata removes the credentials.

  • No evidence of absence, the absence of a credential does not prove inauthenticity.

  • Privacy trade-off, credentials can leak information (camera serial, location, editing history) the producer did not intend to share.

Status

As of 2026, C2PA is the de facto standard for synthetic-media provenance, referenced in the Biden 2023 EO, the EU AI Act, and the UK Online Safety Act secondary legislation. The challenge is no longer technical adoption but the harder problem of public literacy: most viewers do not know to look for a Content Credential icon.

References

  • C2PA Specification v2.x (2024). c2pa.org.

  • Content Authenticity Initiative (2024). contentauthenticity.org.

  • EU AI Act, Article 50.

Related terms: Watermarking AI Content, Deepfakes, Synthetic Content Detection

Discussed in:

This site is currently in Beta. Contact: Chris Paton

Textbook of Usability · Textbook of Digital Health

Auckland Maths and Science Tutoring

AI tools used: Claude (research, coding, text), ChatGPT (diagrams, images), Grammarly (editing).