I’m finding it harder and harder to tell whether an image has been generated or not (the main giveaways are disappearing). This is probably going to become a big problem in like half a year’s time. Does anyone know of any proof of legitimacy projects that are gaining traction? I can imagine news orgs being the first to be hit by this problem. Are they working on anything?
You should never have trusted images before generative AI either. Trace the source and only trust the image if the source is legitimate.
Negative proof: the AI company signs it with their watermark.
Positive proof: the photographer signs it with their personal key, providing a way to contact them. Sure, it could be a fake identity, but you can attempt to verify and conclude that.
Cumulative positive and negative proof: on top of the photographer, news organizations add their signatures and remarks (e.g. BBC: “we know and trust this person”, Guardian: “we verified the scene”, Reuters: “we tried to verify this photo, but the person could not be contacted”).
The photo, in the end, would not be just a bitmap, but a container file containing the bitmap (possibly with a steganographically embedded watermark) and various signatures granting or withdrawing trust.
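An added example, not part of the thread and not taken from C2PA or any project mentioned here: each party signs the image hash together with its remark, and a reader keeps only the remarks whose signatures verify under keys it already trusts. The `Attestation` layout, signer names, remarks and sample bytes are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Attestation is one signed remark stored beside the bitmap (hypothetical format).
type Attestation struct {
	Signer, Remark string
	Sig            []byte
}

// payload binds a remark to the exact image bytes: fixed-length hash, then remark.
func payload(image []byte, remark string) []byte {
	h := sha256.Sum256(image)
	return append(h[:], remark...)
}

// Attest produces one party's signed remark about the image.
func Attest(image []byte, signer, remark string, key ed25519.PrivateKey) Attestation {
	return Attestation{signer, remark, ed25519.Sign(key, payload(image, remark))}
}

// Verify returns only the remarks signed by keys the reader already trusts.
func Verify(image []byte, atts []Attestation, trusted map[string]ed25519.PublicKey) (ok []string) {
	for _, a := range atts {
		pub, known := trusted[a.Signer]
		if known && ed25519.Verify(pub, payload(image, a.Remark), a.Sig) {
			ok = append(ok, a.Signer+": "+a.Remark)
		}
	}
	return ok
}

func demo() (before, after []string) {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway demo keys
	_, other, _ := ed25519.GenerateKey(nil)
	img := []byte("constructed sample pixels")
	a1 := Attest(img, "agency", "we verified the scene", priv)
	a2 := Attest(img, "stranger", "trust me", other) // reader has no key for this signer
	atts := []Attestation{a1, a2}
	trusted := map[string]ed25519.PublicKey{"agency": pub}
	before = Verify(img, atts, trusted)
	img[0] ^= 1 // change one byte of the bitmap
	return before, Verify(img, atts, trusted)
}
func main() { fmt.Println(demo()) }
```

A remark from an unknown key is dropped rather than shown as unverified, and changing a single byte of the bitmap invalidates every remark at once.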
The final output image is just a grid of pixels, just like any other image. Assuming the image has no metadata or has been stripped of metadata, how do you really tell the difference in the first place?
Sure, you can look for JPEG artifacts and chromatic noise and all, but it’s pretty easy to overlay that on top of an AI generated image to make it appear more legitimate at a passing glance.
I really don’t know a good answer to your question right now, but I’m definitely interested in whatever useful answers others might offer…
I didn’t think this is really feasible.
I’ve heard of efforts (edit: this is the one https://c2pa.org/ - I haven’t read it at all so I don’t know if it overlaps with my ideas below at all) to come up with a system that digitally signs images when they are taken using a tamper resistant TPM or secure enclave built into cameras, but that doesn’t even begin to address the pile of potential attack vectors and challenges.
For example, if only cameras can sign images, and the signature is only valid for that exact image, then editing the image in any way makes the signature invalid. So then you’d probably need image editors to be able to make signatures or re-sign the edit, assuming it’s minor (crop, color correct) but you’d need a way to prevent rogue/hacked image editors from being able to re-sign an edit that adds AI elements. So unless you want image editors to require you to have a TPM that can verify your edit is minor / not adding AI, then the image editor would be able to forge a signature on an AI edit.
Assuming you require every image editor to run on a device with a TPM in order to re-sign edits, there’s also the problem of how you decide which edits are ok and which are too much. You probably can’t allow compositing with external images unless they are also signed, because you could just add an AI image into an originally genuine image. You also probably couldn’t stop someone from using macros to paint every pixel of an AI image on top of a genuine image using the pencil tool at 1px brush size, so you would need some kind of heuristic running inside the TPM or TEE that can check how much the image changed - and you’d have to prevent someone from also doing this piecewise (like only 1/10 of overlaying an AI image at a time so that the heuristic won’t reject the edit), so you might need to keep the full original image embedded in the signed package so the final can be checked against the original to see if it was edited too much.
You might be able to solve some of the editing vulnerabilities by only allowing a limited set of editing operations (like maybe only crop/rotate or curves), if you did that then you could not require a TPM to edit if the editing software doesn’t actually create a new signature but just saves the edits as a list of changes alongside the original signed image. Maybe a system like this where you can only crop/rotate and color correct images would work for stock photos or news, but that would be super limiting for everyone else so I can’t see it really taking off.
And if that’s not enough, I’m sure if this system was made then someone would just MITM the camera sensor and inject fake data, so you’d need to parts pair all camera sensors to the TPM, iPhone home button style (iiuc this exact kind of data injection attack is the justification for the iPhone home button fingerprint scanner parts pairing).
Oh, and how do you stop someone from using such a camera to take a picture of a screen that has an AI image on it?
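An added example, not part of the comment above and not C2PA's design: the "list of changes alongside the original signed image" idea, where a verifier checks the camera's signature over the untouched original and accepts only allowlisted operations, so the editor never holds a signing key. The `Package` layout, the allowlist contents and the sample data are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Edit is one entry in the unsigned change list (hypothetical format).
type Edit struct {
	Op   string
	Args []int
}

// Package holds the camera-signed original plus the edits to replay on it.
type Package struct {
	Original, CameraSig []byte
	Edits               []Edit
}

// allowed maps each permitted operation to its argument count (assumed set).
var allowed = map[string]int{"crop": 4, "rotate": 1}

// Check verifies the signature over the original, then rejects edits off the allowlist.
func Check(p Package, camera ed25519.PublicKey) error {
	if !ed25519.Verify(camera, p.Original, p.CameraSig) {
		return errors.New("original does not match camera signature")
	}
	for i, e := range p.Edits {
		if n, ok := allowed[e.Op]; !ok || len(e.Args) != n {
			return fmt.Errorf("edit %d: %q rejected (not allowlisted or wrong argument count)", i, e.Op)
		}
	}
	return nil
}

// demo checks three constructed packages: a crop, a composite, a swapped original.
func demo() (crop, composite, swapped error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // stands in for the camera's key
	raw := []byte("constructed sensor data")
	p := Package{Original: raw, CameraSig: ed25519.Sign(priv, raw)}
	p.Edits = []Edit{{"crop", []int{0, 0, 640, 480}}}
	crop = Check(p, pub)
	p.Edits = []Edit{{"composite", []int{1}}}
	composite = Check(p, pub)
	p.Edits, p.Original = nil, []byte("generated image")
	return crop, composite, Check(p, pub)
}
func main() { fmt.Println(demo()) }
```

Because the edit list is unsigned, anyone can alter it, but only into another sequence of allowed operations replayed on the same signed original.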
Perhaps a trusted certificate system (similar to https) might work for proving legitimacy?
Camera companies have been working on this. They have been trying to create a system that makes it possible to detect if an image has been tampered with: https://www.lifewire.com/camera-makers-authentication-prevent-deepfakes-8422784
However this signature probably just uses asymmetric encryption which could mean that the signing key on the device could be extracted and abused.
Yes, several large AI companies themselves are “watermarking” their images. https://www.nytimes.com/2024/02/08/business/media/google-ai.html