Combating "Fake News" With a Smartphone "Proof Mode"

(The Guardian Project) #1

Originally published at:

We have been working for many years with our partners at WITNESS, a leading human rights media training and advocacy organization, to figure out how best to turn smartphone cameras into tools of empowerment for activists. While it is often enough to use the visual pixels you capture to create awareness or pressure on an issue, sometimes you want those pixels to actually be treated as evidence. This means, you want people to trust what they see, to know it hasn’t been tampered with, and to believe that it came from the time, place and person you say it came from.

Enter, ProofMode, a light, minimal “reboot” of our more heavyweight, verified media app, CameraV. Our aim was to create a lightweight (< 3MB!), almost invisible utility (minimal battery impact!), that you can run all of the time on your phone (no annoying notifications or popups), that automatically adds extra digital proof data to all photos and videos you take. This data can then be easily shared, when you really need it, through a “Share Proof” share action, to anyone you choose over email or a messaging app, or uploaded to a cloud service or reporting platform.



On the technical front, what the app is doing is automatically generating an OpenPGP key for this installed instance of the app itself, and using that to automatically sign all photos and videos at time of capture. A sha256 hash is also generated, and combined with a snapshot of all available device sensor data, such as GPS location, wifi and mobile networks, altitude, device language, hardware type, and more. This is also signed, and stored with the media. All of this happens with no noticeable impact on battery life or performance, every time the user takes a photo or video. We have been running it for months on fairly old, low end phones, and you just forget it is happening.


While we are very proud of the work we did with the CameraV and InformaCam projects, the end results was a complex application and proprietary data format that required a great deal of investment by any user or community that wished to adopt it. Furthermore, it was an app that you had to decide and remember to use, in a moment of crisis. With ProofMode, we both wanted to simplify the adoption of the tool, and make it nearly invisible to the end-user, while making it the adoption of the tool by organizations painless through simple formats like CSV and known formats like PGP signatures.

The source and direct APK downloads are available on Github:

The beta release is also available today for Android phones on Google Play. We hope to have an iPhone version in beta in the next few months.

We have also published a sample batch proof data set on Github here:


Our design goals included the following:

  • Run all of the time in the background without noticeable battery, storage or network impact
  • Provide a no-setup-required, automatic new user experience that works without requiring training
  • Use strong cryptography for strong identity and verification features, but not encryption
  • Produce "proof" sensor data formats that can be easily parse, imported by existing tools (CSV)
  • Do not modify the original media files; all proof metadata storied in separate file
  • Support chain of custody needs through automatic creation of sha256 hashes and PGP signatures
  • Do not require a persistent identity or account generation
We also were able to take advantage of the new Android "Quick Settings" developer API, to add a ProofMode toggle button right along side other system functions like Wifi, Location, Bluetooth and more. This fulfills a vision that WITNESS has had for a while in mainstreaming the concept of our prototype into mainstream adoption, giving every citizen journalist a quick mode to activate when their moment arrives.


You can read a bit more in the project README on the workflow we imagine being used for all of this. What we hope is that the ProofMode app is simple and low impact enough that potential users will install and forget that it is there. It will go along doing its business quietly without fuss, until the users realizes they have taken a photo or video that might have some value as digital evidence. Then, using the SHARE PROOF action, send their proof data set off to an organization, journalist, lawyer, or other advocate that would be able to verify the chain of custody and integrity of the files and proof using off the shelf OpenPGP and CSV visualization tools. While we have a bit more work to do on the last part, we already have many partners in the human rights world who are skilled and capable of doing just that.

If you’d like to learn more about the CameraV app and our collaboration with WITNESS and Coletivo Papo Reto video activist group in Brazil, please watch this video below from the Al Jazeera “Rebel Geeks” documentary.


(Matclab) #2


Do you have some information on how you prevent someone to extract the private key from the application, which would allow him to sign fake photos ?

(Tom) #3

So I’m a bit confused as to what this proves. If there isn’t any data that is included in the image, couldn’t someone who receives the image (optionally with proof) just make their own hash of the image, upload fake data (e.g. a different gps location and timestamp) sign it with their own key then say “hey person X who claims to have originally uploaded this picture just stole my copy that was from another event a long time ago…it has no relation to this current event!”. The only thing that this proves is that at one point the picture came from the phone with that key on it.

On the other hand if the signed hash of the metadata was visually appended to the bottom of the image (think the old date stamps on photos from the 90s), that wouldn’t be something that could be removed and passed of as someone else’s. This wouldn’t have to be done at the time the photo was captured, but could be done later when uploading the photo off of the phone. However, if the original, unadulterated, photo was also released off the phone, then anyone who gets it could take credit for it in the future.

(N8fr8) #4

It is true, that if someone has a rooted phone, they can extract the privacy key from the app. To be honest, since it is just OpenPGP, anyone could just do this all by hand without an app. That said, they would have to fake a lot of data, both in the exif/metadata in the media file itself, and then in the accompanying “proofmode” metadata we provide. This includes sensor data for speed, location, heading, and more. We also expect existing tools for looking for modified pixels in an image would still be used, along with other verification workflows that exist in newsrooms and human rights organizations today.

All in all, we are just trying to add more good quality supporting data to the conversation. This isn’t a magic bullet, but it does make using technologies like cryptographic signing, hashing, and sensor monitoring more accessible to novice users.

(N8fr8) #5

Releasing this as a prototype/beta was meant to draw out feedback just like this around potential ways bad actors could fake proof. As I wrote in the other response, there is nothing to stop someone from just handrolling all of this data. That is true, but the bar for doing so will continue to get higher as we continue to add more supporting sensor data from the device that all has to be faked to line up just right.

We are also soon to add auto-notarization, which would post the media hash to a variety of endpoints including an SMS-based notary, Twitter, Pastebin and hopefully a Blockchain-based timestamp service. This would address the issue you raised with regards to ownership / provenance.

We are on the fence about modifying the original media file. This is also tricky since we are supporting both photo and video files, so we would have to add the extra data to multiple video frames. Watermarking is a known approach to handling this type of problem, including for tracking leaks of information. We can look into it more.

Again, our hope is that by adding a “FIRST!” capability via the auto-notarization we can combat the duplicates and fakes issue.