Verifying Video Authenticity Using Time Based Tokens
At VeilStream, we’ve been thinking a lot about data security and authenticity in the era of AI.
If you see a video of someone online, how do you know if it is authentic or a deepfake?
As far as I know, this is the first ever video in which a time-based token is shared to help confirm authenticity. The time of the video was 2:37pm and the token is 784189.
Below, I'll explain how you can visit https://videoverify.stevej.ca/ to receive a guarantee that this video really featured me.
Today, we rely on two methods for determining if we can trust a video. First, there are sources that we trust such as AP News or Reuters. Second, we may rely on the subject of the video confirming its authenticity through their own website or through a verified profile on social media.
As deepfakes begin to flood the internet, those two methods alone are not great. Let's think about what that might mean for a politician. On one hand, we don't want to limit ourselves to only being able to trust interviews with that politician that are broadcast by a handful of our most trusted sources; that would consolidate power in a few large media companies. On the other hand, if a politician is interviewed by dozens of journalists and independent media outlets in a day, it's impractical for the politician to have to post on their social media profile later to confirm that each and every interview really happened.
With that in mind, I propose a new method. The subject of a video can share a one-time token at the time it is filmed, which can then be verified by anyone on the internet.
The technology that enables this is called a time-based one-time password, or TOTP. A secret key is shared between a smartphone and a server. From that point forward, software combines the secret key with the current time to calculate a unique six-digit token that changes every 30 seconds. This is commonly used today as a secondary method for confirming your identity when logging into software.
We can use that same idea to enable anyone on the internet to confirm the authenticity of a video, but some tweaks are needed. For starters, we want an unlimited number of people to verify that the token is valid, but we can't trust those people, so we can't give them the secret key. To solve that problem, we'll make a website that displays the token without revealing the underlying key. This leads to the next challenge. If anyone can see the tokens, they could just use them to make a deepfake video. To solve that problem, we will implement a 15-minute delay. That gives me 15 minutes in which I am the only person in the world with this token and I can post this video online.
As long as this video is posted online within 15 minutes, you can be assured that no one else had access to my token. The timestamp of the upload on this video is shown as 2:43 pm, which is less than 15 minutes after the timestamp of the token provided in the video of 2:37 pm.
You can then visit my verification page and enter the time of the token that I provided in the video. If the token matches, then you can trust that I'm the one in the video.
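The scheme described above, as an added sketch that is not the code behind the verification page: standard RFC 6238 TOTP, a server-side lookup that withholds any token younger than the delay, and the viewer's check of the spoken token against the upload time. The function names, the use of Unix timestamps, and measuring the delay from the start of the token's 30-second step are assumptions made for this example.

```python
import hashlib
import hmac
import struct

STEP = 30          # seconds each token is valid (from the post)
DELAY = 15 * 60    # seconds before a token is published (from the post)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def reveal_time(token_time: int) -> int:
    """Earliest moment the server may publish the token (assumed: step start + DELAY)."""
    return token_time - token_time % STEP + DELAY

def reveal_token(secret: bytes, token_time: int, now: int):
    """Verification-page lookup: the secret never leaves the server, and
    tokens younger than DELAY are withheld."""
    if now < reveal_time(token_time):
        return None
    return totp(secret, token_time)

def check_video(secret, token_time, spoken_token, upload_time, now) -> str:
    """Viewer-side decision using the published token and the upload timestamp."""
    published = reveal_token(secret, token_time, now)
    if published is None:
        return "pending"     # delay not over; nothing can be confirmed yet
    if not hmac.compare_digest(published, spoken_token):
        return "mismatch"
    if upload_time >= reveal_time(token_time):
        return "late"        # token was already public when the video appeared
    return "ok"

if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed sample key
    filmed = 1_700_000_000                # constructed timestamp
    spoken = totp(secret, filmed)
    print(check_video(secret, filmed, spoken, filmed + 6 * 60, filmed + 3600))
```

The "late" result is the case the delay exists for: a matching token proves nothing once the upload time falls after the moment the token became public.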
What's neat about this approach is that it can work in an environment where the subject of the video is not in control of the recording or distribution of the video and it can work in a live streaming situation. If a politician is giving a press conference and being recorded by many cameras from many accredited and unofficial news outlets, they can read out their code at any point during the announcement and anyone on the internet can confirm the authenticity of that token as soon as the verification delay period expires.
What do you think? Can you see this being used as a method in the future?
Steve
steve@stevej.ca