The White House wants to ‘cryptographically verify’ videos of Joe Biden so viewers don’t mistake them for AI deepfakes::Biden’s AI advisor Ben Buchanan said a method of clearly verifying White House releases is “in the works.”

  • Pup Biru
    link
    fedilink
    English
    arrow-up
    7
    ·
    9 months ago

    i wouldn’t say signature exactly, because that ensures that a video hasn’t been altered in any way: no re-encoded, resized, cropped, trimmed, etc… platforms almost always do some of these things to videos, even if it’s not noticeable to the end-user

    there are perceptual hashes, but i’m not sure if they work in a way that covers all those things or if they’re secure hashes. i would assume not

    perhaps platforms would read the metadata in a video for a signature and have to serve the video entirely unaltered if it’s there?

    • thantik@lemmy.world
      link
      fedilink
      English
      arrow-up
      11
      ·
      edit-2
      9 months ago

      You don’t need to bother with cryptographically verifying downstream videos, only the source video needs to be able to be cryptographically verified. That way you have an unedited, untampered cut that can be verified to be factually accurate to the broadcast.

      The White House could serve the video themselves if they so wanted to. Just use something similar to PGP for signature validation and voila. Studios can still do all the editing, cutting, etc - it shouldn’t be up to the end user to do the footwork on this, just for the studios to provide a kind of ‘chain of custody’ - they can point to the original verification video for anyone to compare to; in order to make sure alterations are things such as simple cuts, and not anything more than that.

      • Pup Biru
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        9 months ago

        you don’t even need to cryptographically verify in that case because you already have a trusted authority: the whitehouse… of the video is on the whitehouse website, it’s trusted with no cryptography needed

        the technical solutions only come into play when you’re trying to modify the video and still accurately show that it’s sourced from something verifiable

        heck you could even have a standard where if a video adds a signature to itself, editing software will add the signature of the original, a canonical immutable link to the file, and timestamps for any cuts to the video… that way you (and by you i mean anyone; likely hidden from the user) can load up a video and be able to link to the canonical version to verify

        in this case, verification using ML would actually be much easier because you (servers) just download the canonical video, cut it as per the metadata, and compare what’s there to what’s in the current video

    • AbouBenAdhem@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      9 months ago

      Rather that using a hash of the video data, you could just include within the video the timestamp of when it was originally posted, encrypted with the White House’s private key.

        • AbouBenAdhem@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          9 months ago

          It does if you can also verify the date of the file, because the modified file will be newer than the timestamp. An immutable record of when the file was first posted (on, say, YouTube) lets you verify which version is the source.

          • Natanael@slrpnk.net
            link
            fedilink
            English
            arrow-up
            1
            ·
            9 months ago

            No it does not because you can cut out the timestamp and put it into anything if the timestamp doesn’t encode anything about the frame contents.

            It is always possible to backdate file edits.

            Sure, public digital timestamping services exists, but most people will not check. Also once again, an older timestamp can simply be cut out of one file and posted into another file.

            You absolutely must embedd something which identifies what the media file is, which can be used to verify ALL of the contents with cryptographic signatures. This may additionally refer to a verifiable timestamp at some timestamping service.

    • Natanael@slrpnk.net
      link
      fedilink
      English
      arrow-up
      1
      ·
      9 months ago

      Apple’s scrapped on-device CSAM scanning was based on perceptual hashes.

      The first collision demo breaking them showed up in hours with images that looked glitched. After just a week the newest demos produced flawless images with collisions against known perceptual hash values.

      In theory you could create some ML-ish compact learning algorithm and use the compressed model as a perceptual hash, but I’m not convinced this can be secure enough unless it’s allowed to be large enough, as in some % of the original’s file size.

      • Pup Biru
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        you can definitely produced perceptual hashes that collide, but really you’re not just talking about a collision, you’re talking about a collision that’s also useful in subverting an election, AND that’s been generated using ML which is something that’s still kinda shakey to start with

        • Natanael@slrpnk.net
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          Perceptual hash collision generators can take arbitrary images and tweak them in invisible ways to make them collide with whichever hash value you want.

          • Pup Biru
            link
            fedilink
            English
            arrow-up
            1
            ·
            9 months ago

            from the comment above, it seems like it took a week for a single image/frame though… it’s possible sure but so is a collision in a regular hash function… at some point it just becomes too expensive to be worth it, AND the phash here isn’t being used as security because the security is that the original was posted on some source of truth site (eg the whitehouse)

            • Natanael@slrpnk.net
              link
              fedilink
              English
              arrow-up
              1
              ·
              9 months ago

              No, it took a week to refine the attack algorithm, the collision generation itself is fast

              The point of perceptual hashes is to let you check if two things are similar enough after transformations like scaling and reencoding, so you can’t rely on that here

              • Pup Biru
                link
                fedilink
                English
                arrow-up
                1
                ·
                9 months ago

                oh yup that’s a very fair point then! you certainly wouldn’t use it for security in that case, however there are a lot of ways to implement this that don’t rely on the security of the hash function, but just uses it (for example) to point to somewhere in a trusted source to manually validate that they’re the same

                we already have the trust frameworks; that’s unnecessary… we just need to automatically validate (or at least provide automatic verifyability) that a video posted on some 3rd party - probably friendly or at least cooperative - platform represents reality

                • Natanael@slrpnk.net
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  9 months ago

                  I think the best bet is really video formats with multiple embedded streams carrying complementary frame data (already exists) so you decide video quality based on how many streams you want to merge in playback.

                  If you then hashed the streams independently and signed the list of hashes, then you have a video file which can be “compressed” without breaking the signature by stripping out some streams.