Content authenticity and proof of provenance may not be the most exciting subject, but they are important to understand and consider — especially in a world where AI content has now overtaken human content on the Web.

This is a dive into C2PA. 

C2PA, the Coalition for Content Provenance and Authenticity, has been slowly moving from the margins of digital media into the spotlight. 

In September, the World Privacy Forum published Privacy, Identity, and Trust in C2PA, a look at both the promise and the pitfalls of the standard. I spoke with the report’s co-author, Kate Kaye, deputy director of World Privacy Forum, to understand what this really means for news media.  

At its core, C2PA is a system that attaches provenance metadata to digital files. Think of it as a chain of provenance for media: a cryptographically signed record of where a piece of content came from, how it was created, and how it’s been edited. 

It doesn’t verify “truth” or “authenticity” in the journalistic sense. Instead, it provides signals that allow downstream platforms or users to see the journey a file has taken. In an era of deepfakes and synthetic media, that matters (although it can’t detect them, that’s where SynchID comes in, below).

The World Privacy Forum’s review makes clear that C2PA is no silver bullet. Governance around identity remains unsettled. Early versions included identity assertions naming the humans or organisations behind a file. That has now been stripped from the core framework and deferred to a separate working group. 

On the one hand, this reduces privacy risks. On the other, it leaves major questions about how identity claims will be managed — and by whom.

Other challenges remain. The framework allows some redactions, such as location, but certain “action assertions” — the record of edits — cannot be removed. That can create risks for journalists working in sensitive environments. 

Metadata stripping is another perennial problem: Many platforms automatically wipe metadata on upload, breaking the provenance chain. Workarounds like sidecar manifests or watermarking exist, but each has trade-offs. 

And looming over everything is the issue of gatekeeping. Trust in C2PA relies on certificate authorities and trust lists, yet it’s unclear who decides which entities make the cut. The risk of centralisation (i.e., tech platforms) is real. 

So are news publishers adopting it? Not widely. 

Progress has been more visible among toolmakers and hardware firms like Adobe, Microsoft, Nikon, and Canon, all of which are baking C2PA into products. Agencies such as AP and AFP have piloted provenance in photojournalism, where attribution and integrity are most at stake. 

But most newsrooms have yet to integrate it into their CMSes or workflows. 

On this, Kaye told me: “Regarding news media adoption, in general according to my research there seems to be a lack of clarity among some attempting to implement C2PA who tell me it has been difficult to keep up to speed with its evolving technical specifications, a process that has been somewhat opaque including for some in the media industry.”

The hesitation is understandable: Provenance requires costly upgrades, doesn’t directly generate revenue, and often gets stripped away downstream. With governance questions unresolved and privacy concerns in play, many publishers are waiting for regulators or platforms to mandate adoption before moving.

Where SynthID, and other watermarking systems, fit

This is where watermarking technology, comes in. 

Let’s use SynthID, Google DeepMind’s technology, as an example. Instead of attaching metadata, SynthID embeds imperceptible digital watermarks directly into media files (pixels, audio waveforms, and even text). Unlike metadata, which can be stripped or lost, these signals survive common edits like cropping, compression, or screenshots.

C2PA and SynthID aren’t competitors but complements. C2PA provides the structured framework: “Who created this, how, and when.” SynthID provides resilience: “Was this AI-generated in the first place?” The C2PA spec already anticipates integrating watermarking and fingerprinting as part of its provenance chain. 

For media, this convergence matters. If provenance signals are going to survive outside controlled environments such as when content circulates on social platforms, embedded watermarks may prove more reliable than metadata alone.

What to do now

• Start embedding provenance workflows internally. Add C2PA manifest generation early in your production pipelines, even if you don’t expose it to readers yet to test.

• Participate in trust governance. Engage in working groups shaping trust lists and certification. We shouldn’t leave this solely to the platforms.

• Use provenance as a brand differentiator. Visible metadata and watermarks can be credibility markers in a trust-poor environment, which is important in the AI content tsunami we are expecting.

• Scenario plan for metadata collapse. Test how C2PA and watermarking like SynthID behave in real distribution contexts.

• Respect creator privacy. Support redaction and pseudonymity, especially for journalists in high-risk environments.

• Tie provenance to monetisation. Use provenance and watermarking to enforce licensing and limit unauthorised AI training or redistribution. 

C2PA won’t stop misinformation on its own, and adoption among publishers remains limited. But combined with watermarking approaches like SynthID, it offers a way to reassert provenance and protect content integrity. 

For journalism, provenance could become as essential as subscriptions or paywalls — not as a direct revenue driver but a necessary layer of trust in an AI-driven, fractured distribution landscape.

If you’d like to subscribe to my bi-weekly newsletter, INMA members can do so here.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .