Content Authenticity Initiative

The Content Authenticity Initiative (CAI) is an association founded in November 2019 by Adobe, The New York Times and Twitter. The CAI promotes an industry standard for provenance metadata (also known as Content Credentials) defined by the Coalition for Content Provenance and Authenticity (C2PA). The CAI cites curbing disinformation as one motivation for its activities.

Together with Arm, BBC, Intel, Microsoft and Truepic, Adobe co-founded the Coalition for Content Provenance and Authenticity (C2PA) in February 2021. The C2PA is tasked with the formulation of an open, royalty-free technical standard that serves as a basis for the C2PA member's efforts against disinformation. While the C2PA's work applies to the technical aspects of implementing a provenance metadata standard, the CAI sees its task as the dissemination and promotion of the standard.

The procedures proposed by CAI and C2PA aim to address the widespread occurrence of disinformation with a set of additional data (metadata) containing details about the provenance of information displayed on a digital device. Such information can be, for example, a photo, video, sound or text file. The C2PA metadata for this information can include, among other things, the publisher of the information, the device used to record the information, the location and time of the recording or editing steps that altered the information. To mitigate risks that the C2PA metadata might be changed unnoticed, it is secured with hashcodes and certified digital signatures. The same applies to the main information content, such as a picture or a text. A hash code of that data is stored in the C2PA metadata section and then, as part of that metadata, secured with the digital signature.

Securing metadata and the main content with certified signatures helps users to identify the provenance of a file they are currently viewing. If the C2PA metadata names, for example, a certain TV station as the publisher of a file, it is supposed to be very unlikely that the file originated from another source.

Files with C2PA-compliant metadata that are copied from a publisher's website and then published unaltered on social media (or elsewhere) still retain the provenance information. Users seeing that content on social media can examine such a file with an online tool offered by the CAI or, if present, with C2PA-compliant inspection tools of their own or those offered by the social media site. Standard-compliant tools are designed to detect whether there were any unauthorized modifications to the file or the metadata.

The methods proposed by CAI and C2PA do not allow for statements whether a content is "true", i.e., contains authentic information that faithfully reflects reality. Instead, C2PA-compliant metadata only offers reliable information about the origin of a piece of information. Whether users want to trust this information depends solely on their trust in its sources and the C2PA approach.

One criticism of C2PA is that it can compromise the privacy of people who sign things with it, due to the large amount of metadata in the digital labels it creates.

Experts have also documented ways in which attackers can bypass C2PA’s safeguards, by altering provenance metadata, removing or forging watermarks, and mimicking digital fingerprints.

Besides the fact that C2PA doesn't address the question of whether the content is accurate, another shortcoming is that typical signing tools don't verify the accuracy of the metadata either, so users can't rely on the provenance data either unless they have reason to trust that the signer properly verified it.

Adoption is also lacking. As of 2025, very little internet content uses C2PA.

As of August 2022, the list of CAI members includes more than 200 entries. In addition to the three founding members Adobe, the New York Times and Twitter, these include Arm, BBC, Microsoft, Nikon, Qualcomm and The Washington Post.

• Official website
• C2PA Verify web app, referenced by the official website