C2PA Attaches Provenance to Content. The Content Itself Has No Identity.

Vendor and Product Reality

The C2PA was formed in 2021 through the merger of Adobe's Content Authenticity Initiative and Project Origin, the BBC- and Microsoft-led effort focused on news media authenticity. Its specification, currently at the 2.x series, defines a binary format for signed manifests, a claim-generator identity model, an ingredient graph for tracking derivation across edits, and a hard-binding mechanism that ties the manifest cryptographically to the content's binary hash. The manifest is itself a structured document containing assertions about capture device, time, location (where consented), edit history, ingredients (prior media used to derive the current asset), and the identity of the signing claim generator under an X.509 certificate chain rooted at a recognized trust anchor.

The standard has moved decisively from paper to deployment. Adobe Photoshop and Lightroom emit Content Credentials on export, with the manifest carrying the full edit graph from the original ingredient through every transformation applied. Leica's M11-P and Sony's Alpha 1 II ship with on-sensor C2PA signing, producing a manifest at the moment of capture that cryptographically attests to the camera serial, capture timestamp, and image hash before the file ever leaves the device. Truepic's controlled-capture SDK, integrated into insurance, supply-chain, and humanitarian-reporting workflows, produces manifests with capture-environment attestations spanning device integrity checks, network-time-source binding, and operator-identity assertion. OpenAI tags DALL-E and Sora outputs with C2PA manifests indicating synthetic origin, model version, and generation parameters. Microsoft has embedded Content Credentials display in Bing, LinkedIn, and Edge, surfacing the manifest contents to end users at the point of consumption.

The institutional weight is real. The BBC, the New York Times, the Wall Street Journal, Agence France-Presse, and Reuters have all run C2PA pilots in newsrooms, with some moving to production deployment for wire-photo distribution. The U.S. Department of Defense's Chief Digital and Artificial Intelligence Office has explored the standard for provenance in operational imagery, and parallel work in the intelligence community is tracking C2PA as a candidate for source-attribution in open-source intelligence pipelines. The European Commission's AI Act references content-provenance mechanisms compatible with C2PA's design, and the U.S. Executive Order on AI directs agencies toward provenance-bearing watermarks and metadata for federally-produced and federally-consumed synthetic media.

This is not a niche standard. It is on a trajectory to become the default provenance layer for the regulated media stack, and the structural critique below is offered with that adoption baseline explicitly in mind. The question is not whether C2PA succeeds at what it specifies — it does, and increasingly will. The question is what remains unaddressed once C2PA is universally deployed. The architectural gap described in the next section is precisely the surface that universal C2PA deployment leaves exposed, and it is the surface adversarial laundering of synthetic and tampered content most reliably exploits.

The Architectural Gap

C2PA's architectural choice is to attach a signed manifest to a media file's metadata container and to bind that manifest to the content through a hard binding — a cryptographic hash of the file's pixel or sample data. The choice is principled. It allows the manifest to be created, signed, verified, and chained without modifying the content itself, preserving artistic and journalistic fidelity and avoiding the watermarking artifacts that have historically made invasive provenance schemes unacceptable to publishers. It also produces three structural fragilities that no amount of cryptographic strength inside the manifest can repair, because the fragilities are not inside the manifest; they are at the boundary between the manifest and the content.

The first fragility is that the manifest is metadata, and metadata is routinely stripped. Every major consumer platform — Instagram, X, TikTok, WhatsApp, Facebook, Reddit, Discord, YouTube, Snapchat — strips or rewrites image and video metadata as a normal part of upload, transcoding, and delivery. Some of this stripping is privacy-driven (removing GPS EXIF tags that would expose user location), some is bandwidth-driven (re-encoding to platform-standard codecs at platform-standard quality levels), some is policy-driven (uniform format presentation across heterogeneous user uploads), and some is incidental to format conversion (JPEG to WebP, HEIC to JPEG, MP4 to platform-internal segment formats). The result is uniform: the manifest does not survive the platform layer. C2PA acknowledges this and has proposed soft bindings — perceptual hashes registered with a discovery service that can be queried to recover a stripped manifest — as a recovery mechanism, but soft bindings are an external lookup pattern dependent on the verifier's connectivity to and trust in the discovery service. They are not an intrinsic property of the content. A user receiving a downloaded image on a disconnected device cannot perform soft-binding lookup, and a verifier in an adversarial network environment cannot trust that the discovery service has not been spoofed.

The second fragility is that the hard binding is brittle to lossless and visually-lossless transformation. A C2PA manifest signs a hash of the specific binary representation of the asset. Re-encoding that asset at a different quality level, converting it from JPEG to WebP, transcoding HEVC to AV1, or even rewriting container chunks in a different order all produce different hashes. The content is, by any human or perceptual standard, the same content. The manifest's view is that it is unrelated content. Cropping, resizing, color correction, frame extraction from video, and audio normalization — all routine editorial and platform operations — invalidate the hard binding entirely. The manifest's verification status flips from valid to broken not because the content has been tampered with in any meaningful sense, but because the bytes are no longer the same bytes, even when the content they encode is essentially unchanged.

The third fragility is that adoption is opt-in along the entire chain. A C2PA signature is only present if the capture device, the editor, and every intermediate tool support emission and chose to emit. A screenshot of a verified image carries no manifest, because the screenshot tool is not C2PA-aware. A camera-of-a-screen recapture carries no manifest, because the recapturing camera was not the capturing camera. Content originating outside the C2PA-aware toolchain — the overwhelming majority of internet imagery, including most user-generated content, most archival material, and most content produced by tools that have not yet integrated the standard — is structurally indistinguishable, in C2PA terms, from content that has had its manifest stripped. The standard cannot distinguish "never signed" from "signed and stripped," which is precisely the distinction adversarial laundering exploits: a synthetic asset can be passed through any metadata-stripping platform and emerge indistinguishable from authentic content that simply was not in the C2PA-aware pipeline at capture.

Each of these fragilities is, in isolation, manageable. Combined, they describe a verification surface that holds inside the cooperating supply chain and dissolves at the boundary. The cooperating supply chain is necessary; it is not sufficient. The boundary — where content leaves the cooperating chain and enters the adversarial environment of public distribution — is where identity must continue to function, and it is precisely where attached-manifest provenance cannot reach.

What the Content Anchoring Primitive Provides

Content anchoring approaches the problem from the opposite direction. Instead of attaching identity to content as metadata, it derives identity from the content's own structural properties — the variance distribution of its pixel or sample data, its spatial-frequency signature, its perceptual-hash neighborhood, and the residual statistics that survive standard transformations. The anchor is not a thing the content carries. It is a thing the content is. There is nothing to strip because there is nothing attached. There is no container dependency because the computation operates on the decoded media regardless of how it was encoded. There is no claim-generator certificate dependency because the anchor is a function of the content rather than an assertion by an external party.

The properties this gives the system are different in kind from what an attached-manifest model can offer. Re-encoding does not break the anchor, because the structural features the anchor uses are designed to be preserved through perceptually-lossless transformation. Format conversion does not break the anchor. Resolution change within reasonable bounds does not break it. A screenshot of a verified image retains anchorable structure, because the structure is in what the image looks like, not in the file that delivered it. Cropping degrades the anchor gracefully — the retained region carries the structural signature of the retained region, which can be matched to a sub-region of the original. The model survives the transformations the real content economy actually performs, because the structural features it tracks are precisely the features those transformations are engineered to preserve.

Critically, content anchoring does not require universal upstream adoption. An anchor can be computed retroactively, by any party, against any media asset, at any time. A newsroom verifying a piece of citizen footage does not need the citizen's camera to have been C2PA-aware. A platform investigating a claim of synthetic origin does not need the generator to have cooperated. The anchor is computable from the bytes that arrived, not from a chain of cooperation that may or may not have occurred upstream. This inverts the deployment economics of provenance: where C2PA's value scales with the fraction of upstream tooling that participates, anchor-based identity can be deployed by any single verifier and produce immediate value against the content it sees.

The anchor also exposes a different kind of evidence. C2PA's manifest answers an authorship question: who claims to have produced this, and what edit history do they assert? The anchor answers a sameness question: is this content the same content as some referenced original, or a derivative thereof, or unrelated? Both questions matter. Neither subsumes the other. A platform investigating coordinated inauthentic distribution needs to know whether ten thousand visually-similar images are derivatives of a single source — a question the manifest cannot answer when the manifest has been stripped, and one the anchor answers directly from the bytes.

Composition Pathway with C2PA

Content anchoring and C2PA are not substitutes. They are complementary layers that address different questions. C2PA answers "who made this and how was it edited?" when the manifest survives. Content anchoring answers "what is this content, and have we seen it before?" regardless of whether any manifest survives. The composition is straightforward and is the deployment pathway we expect to see in production over the next eighteen months.

At capture, a C2PA-aware device emits a signed manifest as it does today. In parallel, an anchor is computed over the captured media and registered, either in a public anchor registry or in a private one operated by the publisher. The manifest carries a reference to the anchor. The anchor carries no reference to the manifest, because the anchor must remain valid after the manifest is gone. At verification time, three flows are possible. If the manifest is intact, C2PA verification proceeds as specified, and the anchor provides a redundant identity check that confirms the bytes presented are the bytes the manifest claims to describe. If the manifest is missing but the asset is unmodified, anchor lookup recovers the registered identity and exposes the linked manifest from the registry, restoring the provenance chain that the platform layer destroyed. If the manifest is missing and the asset has been transformed, anchor matching identifies the asset as a derivative of a known original, recovering provenance through the structural linkage even when no metadata survived the journey and the bytes themselves are no longer identical to the registered reference.

The composition is also the defensible deployment pattern for organizations that have already invested in C2PA. The anchor layer is additive. It does not require re-tooling the capture pipeline, replacing existing manifests, or migrating to a different signature scheme. It runs alongside, providing identity recovery for the cases — the majority of cases, in practice — where the manifest does not reach the verifier. For newsrooms and wire services, this means the existing C2PA investment continues to do what it was deployed to do, while the anchor layer extends that investment's reach into the post-platform environment where most consumers actually encounter the content. For platforms operating verification surfaces, anchor lookup becomes the fallback path that converts a stripped-manifest verification failure into a recovered-identity verification success, preserving the user-facing trust signal even when the upstream platform layer destroyed the manifest in transit.

The composition extends naturally to generative-content provenance as well. A generative model emitting a C2PA manifest with synthetic-origin assertion can simultaneously register the anchor of its output. When that synthetic asset is laundered through screenshot or recapture or platform re-encoding into a stripped form, the anchor lookup still surfaces the synthetic-origin assertion. The laundering pathway that converts manifest-bearing synthetic content into manifest-stripped content indistinguishable from authentic capture — the central adversarial vector that opt-in provenance leaves open — is closed at the verification layer rather than left to depend on the cooperation of every intermediate platform.

Commercial and Licensing Posture

Adaptive Query's content-anchoring primitive is patent-positioned and available for licensing on terms compatible with C2PA-ecosystem deployment. The licensing model is structured around composition rather than competition: the primitive is intended to run as an additive layer beneath C2PA-aware tooling, not as a replacement for it, and the commercial terms reflect that posture. For C2PA member organizations and tool vendors, licensing is available on a per-tool or per-product basis with terms that recognize existing investment in Content Credentials infrastructure, with field-of-use grants aligned to the vendor's existing product surface and pricing structured to incentivize broad anchor emission rather than to gate it. For platforms operating at the verification layer — search engines, social platforms, news aggregators, and provenance-display surfaces — licensing is structured around verification volume rather than capture volume, aligning cost with the value the platform realizes from anchor-based identity recovery.

For newsroom and wire-service deployments, where the operational economics differ substantially from consumer-platform economics, licensing is available through institutional terms that recognize the public-interest dimension of provenance recovery in journalistic contexts. For regulator-facing deployments — provenance pipelines feeding the AI Act's transparency obligations, or the U.S. Executive Order's federal-content provenance requirements — licensing accommodates the procurement structures those deployments require, including the source-availability and audit-access provisions regulator-facing infrastructure typically demands.

The intended outcome is a media stack in which provenance and identity are separable concerns, each addressed by the layer best suited to it. C2PA continues to do what it does well: attest to authorship, edit history, and tooling lineage when the chain of cooperation holds. Content anchoring fills the structural gap underneath: identity that is intrinsic to the content, that survives the boundaries C2PA's manifest cannot cross, and that closes the laundering pathway opt-in provenance leaves open. The two together are the provenance-plus-identity layer the regulated media economy actually needs. Either alone is incomplete; together, they describe a verification surface that holds across the cooperative and adversarial environments where modern content actually circulates.