"Proof Mode" for your Smartphone Camera

ProofMode is an app for your smartphone that adds data to the photos you take to prove that they are real and unaltered:

On the technical front, what the app is doing is automatically generating an OpenPGP key for this installed instance of the app itself, and using that to automatically sign all photos and videos at time of capture. A sha256 hash is also generated, and combined with a snapshot of all available device sensor data, such as GPS location, wifi and mobile networks, altitude, device language, hardware type, and more. This is also signed, and stored with the media. All of this happens with no noticeable impact on battery life or performance, every time the user takes a photo or video.

This doesn't solve all the problems with fake photos, but it's a good step in the right direction.

Posted on March 1, 2017 at 6:02 AM • 21 Comments


Bogdan KulynychMarch 1, 2017 6:29 AM

I don't see how signing metadata along with the picture produces "proofs". I can sign whatever sensor snapshot I want with whatever picture I want. Am I missing something?

Using Peter Todd's OpenTimestamps, however, would have partially helped.

zucMarch 1, 2017 6:30 AM

Its always surprised me that there isn't (to my knowledge) any service that does time-based signing. Eg, some trustable (?! I guess this is the problem) government institution provides an API to submit some data to a server which is signed with some private key, that is then destroyed. The associated public key is published and can be used to verify the date and time that the data was signed.

ThothMarch 1, 2017 6:45 AM


In a blunt respond, they just do it with "magic" ;-P .

Look at the source code (scroll down) under the createSignature() method in the link below. They take in a PGPSecretKey object and a password object called pass in char[] form. Not only are the PGP Private Key extracted into RAM memory together with the decryption password char[], they made no effort whatsoever to scrub the PGP Private Key from memory by calling some form of destroy() function and have no clue on overwriting the password char[] objects with zeros.

Some might call into question the sufficiency of overwriting password char[] objects with zero bytes and calling the destroy() for the Secret Key material as sufficient but at the very lease, it would be a basic entry security practice.

They simply left the key and password hanging in memory like many other so-called "Security Apps" that have extremely low quality security and do not bother to do the basic "due diligence" at all.

Not only is this ProofMode app not going to proof much (i.e. GPS spoofing, GSM interception and modification ...), it is going to put the user at extreme risk.

Imagine an activist being caught with ProofMode on their smartphones, with the Trump tyranny on-going and Trump's recent push to back the corrupted LEAs, the corrupted LEAs would have even more reach and ability to coerce and force the password to the PGP Private Keys with techniques including Enhanced Interrogation Techniques (i.e. waterboarding) since Trump have shown willingness to legalize the use of torture even against fellow Americans.

A better scheme that I have came up with in the past is to use a secure server backed by a HSM or smart card to generate a User Keypair. The User Public Key would be installed into the smartphone without needing any passwords whatsoever. The Frontline Private Key would be stored in a HSM or smart card attached to a remote server in a safe location for provisioning. The usual defenses like using multiple quorums of administrators to control the Private Key would be set in place. The smartphone would essentially only be able to encrypt data with the User Public Key so that in the event of coercion, the user would have nothing to disclose and the control of the Private Key would be within the jurisdiction of another country and a quorum of administrators to control it from a HSM or smart card. Torture would be less likely option under this scheme due to the captured user not truely knowing or possessing the User Private Key and would turn the efforts to execute EITs on the captured journalist a rather meaningless and unfavourable task.

Link: https://github.com/guardianproject/proofmode/blob/master/app/src/main/java/org/witness/proofmode/crypto/DetachedSignatureProcessor.java

BrianMarch 1, 2017 8:02 AM

Isn't securely dating files already a solved problem? I know that when I sign code, I also use a trusted third party time server to date it.

Also, I'll note that any such proof must be re-signed with a new date once every 5-10 years, or the proof runs the risk of being expired by advances in cryptography.

My InfoMarch 1, 2017 10:34 AM

This doesn't solve all the problems with fake photos,

Not at all. Particularly not when there is no security for the private key. And not when "thieves in law" will inevitably push something like this as a de facto standard in court.

The thing with the law in the U.S. is this. I'll use federal law as an example, but each state is similar, but even worse. We have

  1. U.S. Constitution, including the Bill of Rights and remaining amendments
  2. U.S. Code
  3. Code of Federal Regulations
  4. Executive Orders

In general the Constitution itself is moot. No one in the federal government obeys the Constitution, since SCOTUS has not ruled on the exact issue at hand, and if they have, it's some abstract lawyerly interpretation of it. The U.S. Code is supposed to be the law in accordance with the Constitution, but see, the thing is, here's the law, and here's how the law is supposed to be applied. And then there are the executive orders on what's supposed to be enforced and what's not considered a priority. And the political reality of it is I mean, fuck, come on, you just can't possess a firearm if you've been diagnosed as fuckin' mental and shit.

LHOHQMarch 1, 2017 10:42 AM

Facts are different than truth. For a long time it was a fact that the sun went around the earth, even if it wasn't true.

This is a way to assert the factuality of photographs, and a means to support truth claims that an image hasn't been manipulated.

It's an old myth that a photograph means truth: even Dorothea Lange's iconic photo of the migrant mother was chosen -- edited -- from a number of options.


But knowing the manner in which one's perceptions are manipulated is protection from one's beliefs being manipulated.

Don't over think this, nerds

chuckMarch 1, 2017 10:54 AM

Don't Canon cameras have some sort of 'forensic mode' with protected keys and some such?

My InfoMarch 1, 2017 11:20 AM


Don't over think this, nerds

Oh, I know. That photo has to be printed out and framed before introducing it as evidence to the court.

JPMarch 1, 2017 11:24 AM

I'm confused. Not only I see little gain in the "certifiability" side, as a few previous posters surmised already; I also worry about having lots of data from my phone, my geographic coordinates and a timestamp being attached to every single picture I take.

Is there a possibility of an actor given a hundred pictures to be able to use these signatures to say which ones were taken by the same camera? If it is possible then I think the TLAs are more interested in seeing this technology spread than anyone else.

Darryl DaughertyMarch 1, 2017 4:56 PM

A quality, low-cost non-repudiation service would be of benefit to private investigators if there's a significant risk of challenges in court over authenticity of visual evidence. But it needs storage of the metadata incl. time and location on a neutral, third-party website where it cannot be edited.

MrCMarch 1, 2017 5:28 PM

I fail to see how this accomplishes anything at all. What's to stop me from editing a photo, inventing some believable metadata, extracting the key from my phone, and signing the edited photo? For that matter, what's to stop me from faking the whole process using GPG without ever touching the app at all? And, more importantly, why would anyone ever believe any photos signed in this way are legitimate in light of the foregoing possibilities?

supersaurusMarch 1, 2017 5:36 PM

what does "real and unaltered" mean wrt digital photos? is a photo the phone automatically sharpened "altered"? is demosaicing bayer filter raw data "altering" it? is digitally altering the exposure "altering"? if your camera applied a filter so a raw taken under fluorescent light doesn't turn green and a raw taken under tungsten lighting doesn't turn red, are those "alteration"? do you have any idea what algorithms are applied to that glorious "unaltered" data before the file is saved?

have you looked at color-coded raw bayer filter output lately? can you get an actual raw image file out of your phone?

if the written file is a jpeg does the lossy compression not count as "alteration"?

in other words the only "real and unaltered" data you are likely to possess in digital photo processing is the raw file, and even that may have had a number of digital alterations before the file is saved, but you never "see" that data until it is processed, so I don't know what "real and unaltered" is supposed to mean. I think this is a fantasy that harks back to film days, but even then the solutions used, the temperatures they were used at and the times in each solution changed the results with the film, and printing on paper the same, i.e. the "raw" chemical data on the film or paper created by exposure to light was altered in many ways before you could see it.

you can actually display "raw" scanner data, but you won't like the result...ordinarily a tremendous amount of processing happens to that data before it gets saved as a jpeg (possibly lossy) or a tiff.

Charlie ToddMarch 1, 2017 9:17 PM

I thought that watermarks made non-repudiation and integrity easy. Chip vendors that read the sensor plane should watermark raw video with device manufacturer, model, and serial number. Many watermarks survive highlighting or cropping, IIRC. Anonymity is less valuable than being able to tell that a photo has been largely unaltered. Camera makers would just need to protect their end. Paparazzi should love this since they'd be able to prove when their photos get ripped off.

WinterMarch 2, 2017 5:31 AM

Nothing is perfect. What this does is giving a photographer a way to declare that her photograph was not altered after he created it. Just like signing an email.

It is like a signature on a print.

Sebastian B.March 2, 2017 9:11 AM

@Winter: This is actually a good comparison. Like a signature it's no proof against any previous (deeper) modification but it can secure the data were not modified after "recording" (what ever this means).

supersaurusMarch 3, 2017 5:23 AM

here are a couple of bullets on the design from the link our host provides:

x Produce “proof” sensor data formats that can be easily parse, imported by existing tools (CSV)

x Do not modify the original media files; all proof metadata storied in separate file

what prevents changing that storied metadata before it is easily parse, i.e. what provably links the two files? what prevents me from altering the photo file and then altering the metadata file to match? the secret sauce?

@Winter: signing an email does absolutely nothing to prove authenticity unless you mean cryptographically, and in that case what method?

@Sebastian B: "what ever this means" is a good summary of the whole scheme.

Nick PMarch 13, 2017 11:43 PM

@ Bruce

I was actually going to make an protected, video stream for things like recording the police. It would protect both integrity and authenticity of the videos along with timestamps. Then, I found out there were patents of some sort on timestamped or authenticated video. I avoided reading the details since you get more damages if you know what's in them (rolls eyes). I did back off on it, though, since the odds of getting trolled would be high.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.