Note: A big discussion topic of 2013 was about how hard cryptography and security is for average people, journalists and others. With that in mind, we’d like to sub-title this post “Making Mobile Crypto Easy for Eyewitnesses”, as the InformaCam software and process described below includes the full gamut of security and cryptography tools all behind a streamlined, and even attractive application user experience we are quite proud of….
One of the primary goals of the InformaCam project (now in public beta!) is to create an environment where, when it comes to photos and video captured on smartphones, people and organizations can trust what they see. Faked photos and videos, whether intended to be humorous or malicious, are all too common online, especially in times of crisis. Thus, the software that been developed works to ensure the full, complete original photo or video captured of an event, can safely reach the people who need to see it, without it first being filtered, modified, cropped, trimmed or otherwise manipulated.
There are four ways this is achieved:
- At point of capture, secure storage and analysis of the media file itself to begin a chain of custody, create a means of verifying media pixel values directly, and defend against tampering by malicious apps.
- Gather corroborating metadata points using the device’s built-in sensors to establish an environmental context.
- Use a secure method of transmission to a secure repository to continue chain of custody, and to defend against network surveillance, intrusion and filtering.
- Provide a means, using open tools, to verify media was not tampered with and to view and analyze corroborating metadata.
Let’s dig deeper into each of these links of the verification chain.
Secure Storage and Analysis
When InformaCam is activated, it begins to actively monitor the device for any new photos or videos captured by the built-in camera software. InformaCam does not support importing already captured photos or videos. It must actively detect a new photo or video is captured by the active camera software on the device. As soon as it detects a new capture, it begins the following ingest process:
- Import the media file into an encrypted storage system, on the device, but only accessible by the InformaCam app. This ensures the file is not modified by any other application on the device.
- Generate and securely store a cryptographic hash value, or checksum, of the pixels of the media file, either the single photo or collectively for all the frames of the video. Any change to the pixels of the media files (“photoshopping”, removal of frames, editing, or other modifications) would result in a change to the hash value.
- Delete the source photo or video from its original location on the device’s shared storage, to keep it hidden from plain view in high-risk situations. Since it has been imported to encrypted storage, this version is no longer needed, and not trustworthy, ultimately.
With this three step process we have, as near as possible to the time and place of capture, ensured we have the media file in a secure storage location, and have generated a unique hash value to verify the file against later.
The hash value, which is just a short series of hexadecimal characters, can also be immediately shared to a third-party using email, text messaging, Twitter or other public notary system. The sooner it can be in the “public record” the better, to establish that the media file existed in this exact state at this time. This concept of a notary is important, and one we seek to develop more, to ensure the notary is also a trusted, tamper-proof service.
Corroborating Sensor Metadata
Secure Repository Submission
When the owner of the device running InformaCam with the media file on it decides to share it with an organization for verification and use, they can send it using InformaCam’s built-in Secure Share mechanism. This enables the media file and embedded metadata to be directly sent to an InformaCam Repository over a secure connection. While the connection uses the public internet, it is sent directly between the device and the repository inside of a secure, tamper proof tunnel powered by software known as Tor. This connection is configured using an InformaCam Trusted Definition configuration file which contains the necessary network addresses and credentials.
The secure repository is expected to be run on a Linux server that is properly secured with strong access controls, firewalls, encrypted disk storage, and all other available mechanisms well known for securing desktop or server systems. It should not be placed on the public Internet, but only exposed through the Tor network connection. It should be hosted in a location that can be physically secured by the organization, as much as possible, and that could not be accessed without the organization being aware. This means that third party data centers should not be used, as access to these machines by law enforcement or malicious hackers can be accomplished without notice to the customers.
However, as long as the media hash value itself is maintained in a secure manner, possibly even printed out and stored in an offline physically secure system, the state of the media file itself can be easily verified using common tools.
Open Verification and Analysis Tools
Once the media and metadata have been received in the secure repository, the organization managing it can used the InformaCam Analyzer and Dashboard software to process and verify the media file. All of the steps below are automatically done by the software, but can also be manually done by a competent, trained technician. These are the steps taken:
- Export the J3M corroborating metadata from the media file. It will be encrypted to the organization’s public cryptographic key, so it will first need to be decrypted, and also the signature of the data verified against the sender’s public key, which the organization previously obtained. This step is accomplished using the free and open-source GnuPG software tools.
- Run the media verification process on the photo or video file. This is accomplished using a tool in the InformaCam Analyzer software, which also includes the free and open-source FFMPEG media engine software. The cryptographic hash function is run again, this time on the server-side on not on the device, and the resulting hash value from the pixel values is displayed. This must match the hash value generated on the device, which should have been shared via private or public notary (SMS, email, Twitter, etc), and is also stored in the J3M metadata obtained in step #1.
- View the J3M metadata directly or import into the InformaCam Dashboard system for verification. The metadata will include information such as GPS location, cellular network location, nearby bluetooth and wifi devices, compass headings, altitude, temperature and more. This data can be used to match against the time and place the media claims to be from.
Four Ways, In Summary
Through the four ways described above, the InformCam system works to capture and safeguard both media and metadata at all points along the way, between the device and the repository. Cryptographic functions and features provide much of the power behind this, but relying on mathematics alone does not tell the whole store. By combining the corroborating metadata and open tools for analysis, we ensure that the context of the photo or video, and the means to verify the entire package are also readily available as part of the verification process.