Dateline: Auckland, 8th August 2024.
I’m sorry to say that I’d never heard of the British pop star FKA Twigs, but I was fascinated by her testimony to a US Senate Judiciary subcommittee that she has developed her own deepfake version of herself (trained on her personality but able to speak French, Korean and Japanese, which she cannot) so that she can leave the bots to interact with journalists and her legions of fans while she focuses on her music.
The Problem
This seems a very farsighted and innovative use of the technology. Ms. Twigs says that in an age that demands a lot of press interaction and promotional work, this will free her up to “spend more time making art”. I am already getting confused about what “real” means in a variety of circumstances, so I am naturally concerned to know how the fans and journalists will know that they are looking at the real fake FKA Twigs and not a fake fake FKA Twigs?
It is already quite difficult to tell a real celebrity from a celebrity fake, as evidenced by the fact that American pop singer Katy Perry’s own mother was fooled by a picture of the star attending the Met Gala in a billowing floral gown. On Instagram, Ms. Perry shared a screen grab of the text message from her mother saying “What a gorgeous gown, you look like the Rose Parade, you are your own float lol” and her responding “lol mom the AI got you too, BEWARE!”
DaveGPT
My legions of adoring fans, friends and family will soon face a similar problem. Much like FKA Twigs, I have a deepfake version of myself up and running so that I can focus more on my writing, fantasy soccer team and proceeding with an AI-powered reorganisation of my sock drawer (I’m joking of course, there is no app for this yet, although I’m sure it is only a matter of time). Acolytes can now visit DaveGPT for guidance without interrupting my communication with muses. But how will a journalist, for example, know that the DaveGPT that they are asking about implementation options for central bank digital currency is the real DaveGPT and not a fake DaveGPT counterbot operated by agents of a foreign power dedicated to the downfall of our financial system by spreading fake news under the guise of thought leadership?
with kind permission of Helen Holmes (CC-BY-ND 4.0)
This is a serious problem. In fact, the whole issue of “deepfakes” is obsessing me at the moment. There is a fundamental problem here, which is that in general people believe what they want to believe. For example, the WSJ reports on a survey of high school students with respect to the disturbing trend for fake nudes, who said that it was likely they would assume a photo was real if it looked real, especially if they thought the victim was the type of person who would share a nude photo (my emphasis). As far as I am concerned, students should be taught to assume that all photographs are fake, unless provided with incontrovertible evidence to the contrary. But what might that evidence be?
In some cases, therefore, people know that the content is fake, but they don’t care. This phenomenon is apparent in the adult entertainment world of Onlyfans. Many of Onlyfans’ top earners, who have thousands or even millions of followers, already use agencies to help keep up with the fans’ demands for personal attention. These agencies provide teams of contractors whose job is to masquerade as the model and exchange messages with the fans. But surely the fans must know, unless they are total morons, that a model with ten thousand followers cannot possibly be messaging them personally!
The Real Thing
Speaking on the Andreessen-Horowitz YouTube channel, noted venture capitalist Marc Andreessen recently said that “Detecting deepfakes is not going to work because AI is already too good, so the solution is to certify content as real”.
He is absolutely correct. Indeed, I’ve suggested before that we need to start setting the default on browsers and devices to not display any text, image or video that does not have a valid digital signature that certifies the source. So if you are looking at a video of Joe Biden playing pool with Vladimir Putin, you will at least know who created it. Now, what actually constitutes and certifies a digital signature is of course rather complicated. The digital signature cannot tell you whether the audio segment or video clip or image is true! What it can tell you is who created it and whether it has been changed by someone else, but even that is a giant step away from the fetid botswamp that is the current internet, where absolutely nothing can be taken at face value.
An example that caught my eye recently was the case of Bella Hadid. I’d not heard of her before either, but she is a celebrity of some sort and posted an image purporting to be of a starving child in Gaza during Israel’s assault on Hamas. As it turned out, the picture was of a starving Syrian child from some years ago, resulting in some embarrassment for the poster and a social media spat, both of which might have been avoided if Instagram simply refused to display the image without a digital signature that confirms the source: Was it Reuters or Dave’s Photoshop? Was it an original photograph with a digital signature that checks out or has it been altered in some way so that the digital signature check fails?
Again, I stress that it is not to say that the photograph would not be displayed if it came from Dave’s Photoshop, but at least people looking at the image online would know that it came from Dave’s Photoshop and could factor that into their assessment of the image.
The Bot Whisperers
You might wonder how Instagram could know that it was Dave’s Photoshop that produced the image. Well, that’s easy. Photoshop could be updated to write the digital signature into the image metadata by default. So when I save an image, Photoshop computes a hash across the image and the metadata and then encrypts that hash using my private key to produce the signature. Instagram could then recompute the hash, follow a link to my public key and use it to decrypt the signature stored in the metadata: if the hashes match, it’s my image and it’s not been manipulated.
Imagine that there's a video clip that comes from a police body cam. Suppose that when the body cam saves a video to a memory card or wherever, it attaches a digital signature at that point. This is actually quite easy to do, since computing the digital signature over the content is quite simple: all that is needed is tamperproof hardware to store the private key that will be used to sign the video. This could be in the form of a secure element in the camera, or secure elements in a mobile phone connected by Bluetooth, or in the form of the smart card carried by the officer and tapped against the body cam after it has been instructed to export the video clip.
Since the public key of the police force or squad or unit would be known to the, well, public, it would be easy for anyone to check the signature and see that the content came from the police and had not been altered. Now if someone takes a clip and edits it to get an extract, the extract will no longer have the digital signature. Suppose it is the BBC doing the editing. Then when the BBC save the edited clip it will now have a new digital signature computed over it and signed using a BBC private key. Again the public key of the BBC is public and anyone can now verify that this clip did indeed come from the BBC and not from the police.
Suppose I get hold of that clip and edit it and then save it and upload it to YouTube: It will no longer have the digital signature of the police or the BBC. In fact, it may have no digital signature at all. Maybe YouTube won't even upload video that doesn't have a digital signature that can be checked or maybe YouTube will upload the video but put a red border around it to indicate that the provenance cannot be determined. So, you go to YouTube to play the video and see the red box, but you decide you want to see the video anyway and hit play. What happens?
Perhaps you don't see anything, just a black box, because your web browser has a default setting to only play videos with a digital signature that it can verify. It doesn't matter whether the digital signature is the BBC, the police or the Kremlin, but it is a digital signature that the browser can verify by obtaining the relevant public key. I don't doubt that browsers would begin to cache the public keys of major news organisations, public bodies, pop groups and "influencers", so it wouldn't be that much of an overhead to check the digital signatures of content.
Just because content comes from a bot, by the way, does not make it fake. On the contrary, we need bots to have private keys so that they can sign content too. And if you are wondering under what circumstances this might be important, note that Ukraine already presented an AI-generated spokesperson “Victoria” who will make official statements on behalf of the foreign ministry. The non-existent spokesperson even gesticulates with her hands and moves her head as she speaks!
Present Your Credentials
If that all seems a little futuristic, note that TikTok has just announced that it plans to start labelling AI-generated images and video using a digital watermark known as Content Credentials. The Content Credentials technology was spearheaded by the Coalition for Content Provenance and Authenticity, a group co-founded by Adobe, Microsoft and others. It has already been adopted by the likes of ChatGPT creator OpenAI. YouTube and Meta have also said they plan to use it. If you use OpenAI's Dall-E tool to generate an image, OpenAI attaches a watermark to the resulting image and adds data to the file (using hashes and digital signatures as mentioned earlier) that can later indicate whether it has been tampered with. If that marked image is then uploaded to TikTok, it will be automatically labeled as AI-generated.
Content credentials are “tamper evident”. In other words, you are not prevented from changing an image that has Content Credentials, but if you do then the credentials are no longer valid. You need to update the hash, along with a timestamp and an optional description of what changed, and then re-sign the content.
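The sign, edit and re-sign chain described above (police body cam, BBC extract, unsigned re-upload) together with the tamper-evident re-signing of Content Credentials, as an added example that is not from the original article and is not the C2PA format. The manifest layout, the function names and the toy textbook-RSA keys are assumptions, chosen so that it runs with the Python standard library only.

```python
import hashlib
import json

# Toy textbook RSA (stdlib only) so the example runs offline. Not for real use:
# production signing uses a vetted library and a key held in secure hardware.
E = 65537

def make_key(p, q):
    """Return (n, d): public modulus and private exponent for primes p, q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(content, claims):
    """SHA-256 over the content plus its metadata claims, as an integer."""
    blob = content + json.dumps(claims, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")

def sign(content, signer, note, when, n, d):
    """Manifest = claims plus the hash 'encrypted' with the private key."""
    claims = {"signer": signer, "note": note, "time": when}
    return {"claims": claims, "sig": pow(digest(content, claims), d, n)}

def label(content, manifest, trusted):
    """What a browser could display: the verified signer, or 'unverified'."""
    if not manifest:
        return "unverified"
    claims = manifest["claims"]
    n = trusted.get(claims["signer"])  # cached public key for that signer
    if n is None:
        return "unverified"
    # "Decrypt" the signature with the public key and compare the hashes.
    ok = pow(manifest["sig"], E, n) == digest(content, claims)
    return claims["signer"] if ok else "unverified"

def demo():
    police = make_key(2**127 - 1, 2**521 - 1)   # constructed toy keys
    bbc = make_key(2**607 - 1, 2**1279 - 1)
    trusted = {"police": police[0], "bbc": bbc[0]}
    clip = b"bodycam frames 0001-9000"          # constructed sample content
    m1 = sign(clip, "police", "original export", "2024-08-08T09:00Z", *police)
    extract = clip[:16]                         # the BBC cuts an extract
    m2 = sign(extract, "bbc", "trimmed extract", "2024-08-08T12:00Z", *bbc)
    return [
        label(clip, m1, trusted),               # untouched police clip
        label(extract, m1, trusted),            # edited, old signature kept
        label(extract, m2, trusted),            # edited and re-signed by BBC
        label(extract + b"!", m2, trusted),     # edited again, not re-signed
        label(extract, None, trusted),          # no signature at all
    ]
```

Because the signer name and description are hashed along with the content, relabelling a manifest fails the check in the same way as editing the video does.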
There is work progressing around zero-knowledge proofs and related technologies that actually make me feel quite optimistic about population-scale schemes that do not require trust in the editing software itself, so it is not a pipe-dream to think of an era where original content and AI-generated content will be clearly labelled, and that is an important and desperately-needed step.
Is it enough to (voluntarily) label AI content though? The internet is drowning in “botshit”. As the writer Cory Doctorow points out, this botshit can be produced at "a scale and velocity that beggars the imagination". He highlights Amazon’s decision to cap the number of self-published "books” that an author can submit to a mere three per day! Given the tidal wave of AI-generated nonsense being uploaded — including “books” about King Charles’ cancer and so on — we need to go further than encouraging tool makers to label AI content: we need to mandate it.
Until such time as our browsers, phones and TVs can automatically label (and block, where necessary) AI-generated content, I think that we should assume that everything is AI-generated unless presented with cryptographic evidence that it was produced by a specific person or organisation, even if we do not know (or care) who that person is. Marc Andreessen is right to point to digital signatures as the way forward and this means, as I am fond of repeating, that the IS-A-PERSON credential will be more valuable than ever.