Why Proof?
You see a wide pink sky and bushes in a relatively nondescript landscape. You hear an explosion in the background. The camera shakes as a man repeats, strangely calm, “Allahu akhbar.” A few seconds later, an explosion rocks the ground in front of the person filming, and the camera falls, sideways, to the ground. The man isn’t speaking anymore.
With the mass proliferation of videos showing human rights abuses online today, this video could potentially have been taken any number of places. And in fact, as devastating news about Syria continues to proliferate, it’s not uncommon to hear the media questioning accounts of human rights abuses such as illegal use of chemical weapons. While it’s hard to hear reporters calmly questioning the veracity of disturbing videos, it also makes sense—unverifiable information, including videos, isn’t useful for advocacy or evidentiary purposes. And it matters; the UN Security Council continues to weigh various proposals to address chemical attacks on civilians by the regime, and they continue to be blocked by Russia. Russia and Syrian President Bashar al-Assad claim that video evidence of attacks “has been staged.” Meanwhile, Trump has bombed an airbase in Syria.
But verification of videos showing human rights abuses is not an easy task. Just ask the Syrian Archive, the organization that verified the graphic video described above [viewer discretion advised] of a chemical weapons attack in Syria. The Archive uses myriad methods to verify videos. For example, the Archive verifies location by “comparing reference points (e.g. buildings, mountains ranges, trees, minarets) with Google Earth satellite imagery, OpenStreetMap imagery and geolocated photographs from Panoramio” as well as analyzing regional accents.
For the Archive, verifiable indicators of location, along with metadata about when and how an image was captured, are valuable indicators of authenticity. But they’re not always easy to find. That’s why WITNESS and Guardian Project have been working on ProofMode, an Android app that captures rich metadata about images and video, while cryptographically signing them to increase verifiability and provide a chain of custody. Guardian Project released ProofMode to the Google Play store on February 24, 2017.
ProofMode is a work in progress, and since its release it’s already received a number of security and workability updates. It is available as a free and open-source project for all to review, audit, learn from and build upon.. We welcome feedback on ProofMode- Guardian Project is already hard at work directly responding to valuable public critiques.
What does ProofMode do?
ProofMode is a small (currently still less than 3 mb!), lightweight app that can be easily switched on, or in appropriate circumstances left running in the background. It has little impact on your phone’s battery life or performance, and almost no interface to contend with. Instead, it works mainly through your phone’s existing apps and user interface (UI). When you take a picture, ProofMode “wakes up [and cryptographically] signs the new media file.” (more on that process below). “Additionally, a sensor data snapshot is taken to gather correlating proof. This is saved as a CSV file, and also signed…”
Sensor data includes:
- Latitude & longitude, if users have location turned on on their device
- Timestamp (currently in unix timestamp formula that can be converted using Excel)
- Network type, ie WIFi or mobile, and IP address, and WiFi MAC address
- Device information (make, model, unique device id number, and screen size
- “Locale” (the country and language that the phone has been set to, usually something you select the first time you turn your phone on).
Additionally, the CSV file includes a SHA256 hash, which provides another way to see if the original data has been modified.
When a user taps the share action through the existing UI in Android, they get the option to “Share Proof.” From there, they get three options:
- They can share everything- the original captured photo or video, the cryptographic signatures, and the sensor readings.
- They can share only the sensor readings and proof, without the media. This just makes a slightly smaller message.
- They can share only strings of characters that represent a short portion of the proof data.
Many of the places where human rights defenders work have low levels of internet connectivity. The app is made with this problem in mind. The third option can be done using only a text message, helping to establish that the media existed at a certain time, even if there is no Internet connection available. The app also does not require mobile data or an Internet connection to create the digital signatures and gather most of the sensor readings.
As Guardian Project explains, it’s meant to be “a light, minimal “reboot” of our more heavyweight, verified media app, CameraV.” While these files aren’t foolproof (more on that below), they offer a much stronger starting point for verification than the kind of raw videos the Syrian Archive faces.
ProofMode’s Encryption and Sha256 Hash
ProofMode provides extra data to check whether a photo or video has been changed since it was captured using cryptographic capabilities, known as hashing and signing.
Hashing means applying a mathematical algorithm to produce a unique value (most often displayed as a string of hexadecimal characters) that represents any set of bytes, such as your photo or video files. Any file can be fed into the hash function, and the output is always a unique fingerprint of sorts that should match if the file has not been changed, providing verification of the integrity of the file.
But who created the file? Unlike the hash function, which only verifies integrity of the file, signing has a two-fold purpose- to verify integrity and source. Signing uses the process of public key encryption, which requires the use of data known as keys. Keys are linked directly to a person, device, or app, allowing authentication of where or by whom the file was created.
Using these functions, ProofMode adds to the set of data points that can be examined together by someone trying to determine the authenticity of a photo. For example, to determine the device that a piece of media originated on, someone could compare the PGP identity and device ID. To verify the data integrity, they could compare PGP signatures and SHA256 hash. To verify the location they could compare the GPS location and WiFi networks.
What next
We know that ProofMode is a work in progress, and we want your feedback. As with all encryption and apps created for human rights purposes, the more eyes on it the better! The Guardian Project posted a great breakdown of the changes made to ProofMode in the weeks since its launch. These changes have been aimed at increasing the assurances that a proof isn’t tampered with or falsified, and at making the app more usable and stable.
In particular, the Guardian Project is using the Google SafetyNet API to strengthen ProofMode’s signing process. SafetyNet adds an extra set of data, signed cryptographically by Google’s servers, that documents the version of the ProofMode app used, checks whether the device it was running on was modified or “rooted” in any way, and adds a timestamped notarization of the media file hash.
ProofMode is needed now more than ever. It’s not just images from Syria. ProofMode could help authenticate videos of police violence, or violations of environmental regulations by corporations. What’s more, as sites like Facebook are scrambling to address the fake news issue, ProofMode could be another tool in the fight against misinformation. ProofMode is even useful for more routine needs, like documenting the state of your apartment when you move out or taking pictures for an insurance report.
We want ProofMode to serve both as an immediately useable tool and a solid reference design for social media and device makers who want to make media more verifiable. That’s why we’re going to continue improving it. But we need your help! Please feel free to reach out to us at proofmode@witness.org with any comments or suggestions.