Skip Links

Network World

Paul McNamara

A defense against Photoshop funny business

By Paul McNamara on Tue, 09/25/07 - 3:16pm.
Newsletter Signup

Given the ease with which digital photos are manipulated and faked, they are often viewed with great suspicion by courts and consumers - at least those uninterested in naked celebrities.

Into this credibility breach steps a French company called CodaSystem and its product called "Shoot & Proof," which will make its American debut on Wednesday at DEMOfall07 here in San Diego.

Shoot & Proof is software plus a service that allows customers to use a variety of phones and cameras to take and store digital photographs that are watermarked, time-stamped, localized and signed, thus assuring their authenticity and protecting the owner against fakes.

Once a photo is in the system, Shoot & Proof system can determine that a copy has been doctored "if you change only one pixel in the picture," says Frederic Vanholder, managing director of CodaSystem. If a change is found, the customer receives a message that reads: "Warning: This picture is not a certified picture."

Shoot & Proof is being targeted at government entities and businesses that might benefit from reliable photographic documentation, including law enforcement, private investigators, lawyers, bailiffs, insurance companies, engineers, real estate agents, package delivery companies and even cleaning services.

The company says that its authenticated pictures have passed legal muster in European courts and it expects the same on U.S. soil, although most clients use the system more for the inherent credibility it produces in photo documentation than as a legal instrument.

The service costs under a dollar per picture, Vanholder says, and comes with a guarantee that photographs will be stored for 10 years. A free five-picture trial is available on the company's Web site, which also includes a list of supported phones and cameras.

You can see a PowerPoint presentation here. And, for those who speak French, there is this YouTube interview with CEO Frederic Levaux.

Vanholder didn't mention them as a potential customer, but can't you see this proving useful to the better paparazzi - at least the honest ones?

Welcome regulars and passersby. Here are a few more recent Buzzblog items. And, if you'd like to receive Buzzblog via e-mail newsletter, here's where to sign up.

Fresh off video spy scandal, Patriots owners invest in "media discovery."

How much does the computer store owe this PC buyer?

Steve Jobs, serial finger-flipper?

Ameritrade leak looks to have started in late '05, much earlier than reported.

Fire, smoke, raw sewage, and, hey, do you smell gas? Yup, Verizon's here again.

The next 5 items that Google might buy from NASA.

'Hello, you have reached my iPhone.'

Rove resigning to spend more time with his iPhone.

When a cell phone goes through the washer.

A weak defense against Photoshop funny business?

0
By Daniel Halber (not verified) on Tue, 09/25/2007 - 6:34pm.

Disclaimer: What I write here is solely based on this NetworkWorld article and the linked PowerPoint presentation and the linked YouTube interview, which may or may not be enough to have a valid opinion of this product.

My understanding is that one part of the value of CodaSystem's "Shoot & Proof" is to port to cameraphones (with localization) what already exist to high-end camera system: digitally signing photo+GPS coordinates+timestamping. See for instance Canon Data Verification Kit, or Nikon Image Authentication Software.
Apparently CodaSystem is providing that feature via software only.
My experience is that, even hardware-based security can be challenging (i.e., defeated), so I doubt a software-based solution would bring that much value.

The second part of their value proposition is to host the pictures, which leads to two issues to my eyes. One, looks like to need network connectivity at the time of capture, which may or may not be a showstopper; and two, you must trust CodaSystem, whereas separation of duty calls for either trusting them for the digital signature part, or for the safekeeping part, but not both. Not to mention the fact that you may not want to send CodaSystem your sensitive photos, think "BlackBerrys banned over fears of US intelligence snooping".

That being said, I love this "Shoot & Proof" idea. I am just criticizing its current implementation.

Best regards,

Daniel Halber, CISSP

Not so weak defense

0
By Frederic Levaux (not verified) on Tue, 09/25/2007 - 11:27pm.

I just want to react on Daniel Comments which seems to me perfectly legitimate and brings up valid points . And I agree that as far as IT security solutions go, nothing is 100% safe.

But let me add some clarification about what we do.

Daniel is comparing us to the nikon and Canon solution which consist, if my understanding is correct, in the creation of a footprint (or code) of the jpeg created. This footprint is then compared to other footprints you make of the modified picture with the same algorithm, and if the footprint is different, then the picture has been modified....
1. This type of solution only adresse the traceability of the pic, not its authenticity.
2. In those software this is all taking place after the jpeg is created and depends on the user
3. The time stamping and localization come from the camera clock info and GPS info stored in the EXIF header of the file. And everybody knows how easy it is to change exif header, any photo software does it.

My point is that we go way beyond these systems, because
1) We watermark the picture before it is a jpeg, we use steganography (watermarking) to encode the raw data of the picture with geospatial and time stamping information that comes from an official timestamping authority.
2) Once you have an encrypted jpeg then we also use footprint but compute 2 differents with 2 different algorithms
3) We include the storage which in terms of legal value is absolutely necessary. We have to show to the judge that the picture we show him has been stored in secure condition (legal digital archiving)for the last x years.

On Daniel's second point, yes we do need network connectivity at capture time but only if you want officiel timestamping and carrier positionning (GPS could be used without connexion). But the encryption for the authenticity remains the same.

As I said we have the platform for the legal aspect of storage, it is true that you need to access the platform to retrieve your picture.

On the responsability part, that's an interesting point, because, what gives us legal value today is the fact that we are the independent third party who controls the digital photograph value chain for our client.

To conclude, but I'll be happy to discuss it in details with you, I will mention that we have been successfully audited in Europe various IT security organisation (fntc, fetc, tufts, Louvain university..),that the solution is patented and already used daily by hundreds of mobile phones in Europe and finally that we are a priviliged partner with Canon and that our solution is compatible with their camera range and according to them clearly different from what they offer.

Regards

Frederic, CEO, Codasystem

Speaking of authentication …

0
By Paul McNamara on Wed, 09/26/2007 - 7:15am.

Here at Buzzblog we use a combination of tarot cards, tea leaves and a Ouija board to determine the authenticity of a comment poster's proffered identification, and, while we have only preliminary results available at this moment, it does appear as though the previous exchange has indeed been between Daniel Halber, CISSP, and Frederic Levaux, CEO of Codasystem. We'll let you know for certain once the planchette stops skittering.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Welcome, visitor. Register Log in
Advertisement:
About Buzzblog