Take any image with a verifiable record of where it came from. Open it on a phone. Press the two buttons that take a screenshot. The new file looks identical to the eye. Every trace of where the original came from is gone.
That single, mundane action is the hardest problem in content provenance, and most coverage of the subject talks around it. The promise of provenance is appealing: a future where you can check whether a photo is real, whether a video was generated, whether a quote was written by a person. Two large efforts are building toward that future from opposite directions. One signs the file. One marks the content itself. Each works. Each has a real weakness. And the screenshot, the re-upload, the paraphrase: these defeat or degrade them in ways no amount of engineering fully closes. Understanding why is the difference between trusting a green checkmark too much and knowing exactly what it does and does not tell you.
Where provenance came from, and the two camps it split into
The push for content provenance predates the generative AI panic. In 2019, Adobe launched the Content Authenticity Initiative, a consortium built around a simple idea: attach a tamper-evident record of origin and edits to a piece of media so a viewer can see where it came from. In parallel, Microsoft and the BBC ran Project Origin, aimed narrowly at news, trying to give published journalism a traceable signal against disinformation.
In February 2021, those two efforts merged into a standards body: the Coalition for Content Provenance and Authenticity, or C2PA. The founding members were Adobe, Arm, the BBC, Intel, Microsoft, and Truepic. The coalition published its first technical specification in January 2022. The consumer-facing brand for what the standard produces is Content Credentials, the small "CR" mark you may have seen on images. By early 2026 the membership and affiliate community around it had passed 6,000 organizations.
So far that is one camp. The other came from a different problem. As image and text generators spread, Google DeepMind built SynthID, a watermarking system first shown at Google I/O in 2023. The two approaches share a goal and almost nothing else. C2PA records provenance in data that travels alongside the file. SynthID hides a signal inside the file. That distinction sounds small. It is the whole argument.
How C2PA works: signing the file
C2PA attaches what the standard calls a manifest to a piece of media. Think of the manifest as a sealed logbook stapled to the file. It holds three things.
First, assertions: structured statements about the asset. What camera captured it, what software touched it, which edits were applied, whether a generative model was involved, sometimes a thumbnail of an earlier state. Second, a cryptographic signature, built on the same X.509 certificate system that secures websites, which binds those assertions to an identity and makes any later tampering detectable. Third, a content binding, a hash of the file itself that ties the manifest to that specific image or video so the logbook cannot be lifted onto a different file.
When a C2PA-aware tool edits the content, it does not overwrite the old manifest. It adds a new one. The result is a chain of custody: capture, then crop, then color grade, then export, each step signed. A viewer with a verification tool, such as the Content Credentials inspector, can open the chain and read the history.
This is genuinely useful. Camera makers have built it into hardware. Leica moved first, shipping the M11-P in October 2023 as the world's first camera with Content Credentials built in, and brought the feature to the SL3-S by firmware in early 2025. Sony, Nikon, Canon, Fujifilm, and Panasonic have all joined the effort or shipped C2PA-capable bodies, and Sony built a Camera Verify system aimed at newsrooms. On the AI side, OpenAI, Google, Adobe, and Meta attach Content Credentials to generated media. LinkedIn and TikTok began surfacing the information in 2024. The standard is also on a path to formal recognition: a draft is moving through the International Organization for Standardization as ISO/DIS 22144, which would give regulators a stable specification to point at, though as of early 2026 it remained a draft rather than a published standard.
How SynthID works: marking the content
SynthID does not staple anything on. It changes the content itself, slightly, in a pattern a detector can read and a human cannot perceive.
The method differs by medium. For images and video, SynthID modulates pixel values during generation, nudging frequency components and color channels below the threshold of human vision. For audio, it alters the waveform inaudibly. For text, it does something cleverer: as the model picks each word, it subtly biases the probabilities it assigns to candidate tokens, leaving a statistical fingerprint across the passage without changing the meaning.
Because the mark lives in the signal rather than in attached data, it survives things that destroy metadata. Google states the image and video watermark withstands cropping, filters, frame rate changes, and lossy compression, and the audio watermark survives noise, MP3 encoding, and speed changes. SynthID is built into Google's own products: Gemini for text, Imagen for images, Lyria for audio, Veo for video. The scale is real. Google said at I/O 2025 that SynthID had been used to watermark content, and by December 2025 the figure had passed 10 billion pieces across the four media types. In 2025 Google also opened a SynthID Detector portal, initially for journalists, researchers, and developers, so the mark can be checked rather than only embedded.
Put plainly: C2PA tells you the documented history of a file. SynthID tells you whether a specific AI system made the content. They answer different questions, which is why the serious proposals use both.
The core weakness: provenance breaks in transit
Here is the part the marketing tends to skip. Both approaches fail, in different ways, exactly where it matters most: when content travels.
C2PA's weakness is that the manifest is attached, not embedded. Anything that re-encodes the file can drop it. A screenshot is the cleanest example. The screenshot tool creates a brand new image from what is on the display. It carries no manifest, because the manifest was never on the screen, only stapled to the original file. The provenance is simply not copied.
Re-uploading does the same thing more quietly. Social platforms run every upload through compression and resizing pipelines built to serve billions of files cheaply. Those pipelines strip the manifest as a side effect, and sometimes on purpose, since the same metadata can carry GPS coordinates and device identifiers a platform would rather not republish. Instagram, X, Facebook, LinkedIn, and TikTok all routinely remove C2PA manifests during upload processing. The result is a grim irony. The content that most needs verifiable provenance, the image going viral, the clip everyone is arguing about, is precisely the content that has passed through the most re-encoding steps and is least likely to still carry its credentials. A photo can be published with a perfect manifest, shared to X where it is recompressed, screenshotted by a reader, forwarded through a messaging app, and reposted to a blog. By the end of that chain the version reaching the largest audience almost certainly has no provenance trace at all.
SynthID does not have the screenshot problem, because the mark is in the pixels and a screenshot copies the pixels. But it has its own weakness: a watermark can be degraded. Academic work through 2025 found that SynthID's text watermark is vulnerable to meaning-preserving attacks. Paraphrasing a watermarked passage, running it through back-translation, or splicing it with unmarked text can push detection confidence down toward unreliable. For images, removal tools have been demonstrated, though most of them trade watermark strength for visible quality loss rather than achieving clean removal. Google itself does not claim the system is infallible. The honest summary is that a watermark raises the cost of erasing provenance without making it impossible, and a motivated actor can usually degrade the signal enough to create doubt.
There is a second SynthID limit that has nothing to do with attacks. SynthID only detects SynthID. It marks content from Google's models and tells you nothing about an image from Midjourney, a passage from a non-Google model, or a video from any of the other generators. Each major AI company has tended to build its own marking scheme. Without interoperability, no single watermark covers the field, so a "no watermark found" result means almost nothing on its own.
Why provenance is genuinely hard, not just unfinished
It is tempting to read all of this as engineering not finished yet. It is deeper than that. Provenance runs into three problems that are structural.
The first is that authenticity is not the same as truth. A C2PA manifest certifies history, not honesty. A staged photograph captured on a certified camera produces a flawless, fully signed manifest. A real document photographed to support a false claim gets the same valid chain. The cryptography proves the file has not been altered since signing. It cannot tell you the scene in front of the lens was not a lie. Provenance answers where did this file come from, never is this claim true.
The second is that signatures only mean something if you trust the signer. C2PA lets a signer use a self-issued certificate. That is reasonable, but it means anyone can sign anything and attach whatever assertions they like. A manifest is only as trustworthy as the certificate behind it and the trust list a verifier checks against. Building and maintaining those trust lists, and getting every viewer's software to check them properly, is a hard, unglamorous, ongoing job. Researchers have shown convincing-looking forged credentials can be assembled quickly when verification is sloppy.
The third is the transit problem above, and it is not closing on its own. Provenance only helps if the signal reaches the viewer, and the path from creation to viewer is full of steps that strip or weaken it. You cannot fix that purely at the format layer. It requires every camera, editor, platform, browser, and messaging app in the chain to preserve and display the signal, which is a coordination problem across the entire internet, not a coding task.
What is actually being built, and what it can deliver
The serious response to all this is to stop relying on any single mechanism. Adobe's work on what it calls durable Content Credentials is the clearest example. It combines three layers that cover each other's gaps: the C2PA manifest as before, an invisible watermark in the content, and a perceptual fingerprint, a compact numerical signature of what the file looks or sounds like.
The fingerprint is the clever part. If a file loses its manifest to a screenshot or a re-upload, its pixels can still be fingerprinted and matched against a database where an authoritative copy of the credentials is stored. The watermark can carry a short pointer to where that record lives. So even a stripped file can, in principle, be reconnected to its history: fingerprint the orphaned image, find the match, retrieve the credentials. No one layer is reliable alone. Together they degrade more gracefully.
Regulation is pushing the same way. The European Union's AI Act includes transparency rules, in Article 50, that require providers of systems generating synthetic audio, image, video, or text to mark that output in a machine-readable way. Those obligations apply from 2 August 2026. The first draft of the accompanying Code of Practice, published in December 2025, explicitly favors a multi-layered approach, watermarking plus metadata plus logging, precisely because regulators have absorbed the lesson that one layer is not enough.
A realistic view of what this infrastructure can deliver, then, looks like this. It will not give you a universal, tamper-proof badge that survives every screenshot and settles every argument. That badge is not coming, because the weaknesses are structural. What it can deliver is meaningful: a strong, checkable signal for content that travels through cooperating tools and platforms, a much higher cost and effort to fake or strip provenance at scale, and a way for honest creators to claim authorship and edit history that holds up most of the time. That is the right frame for anyone in content. Provenance is not proof. It is evidence, often good evidence, that gets weaker the further content travels from its source. Treat a present, valid credential as a real and useful signal. Treat an absent one as the absence of a signal, not as a verdict. And never let a green checkmark switch off the older skill, which is judging the source, the context, and the claim on their own merits.
Council summary
This post argues that content provenance has two camps, C2PA signing the file and SynthID marking the content, and that both break or weaken precisely where content travels: screenshots and re-uploads strip C2PA manifests, while paraphrasing and removal tools degrade SynthID. The deeper point is that the weaknesses are structural, not a matter of unfinished engineering: authenticity is not truth, signatures only mean something with a trusted signer, and preserving a signal across every tool in the chain is an internet-wide coordination problem. Review verified the standard names, owners, and dates, including the C2PA founding members and 2021 merger, the January 2022 first spec, ISO/DIS 22144 still a draft, SynthID first shown at Google I/O 2023 and past 10 billion watermarked pieces by December 2025, and EU AI Act Article 50 obligations applying from 2 August 2026. One factual error was corrected: the Leica M11-P, not the SL3-S, was the first camera with built-in Content Credentials, shipping in October 2023. The takeaway for anyone in content is to treat a valid credential as useful evidence that weakens with distance from the source, and never to let a checkmark replace judgment of the source and the claim.
Comments