Why journalism needs provenance
Journalism faces a two-sided authenticity crisis. On one side, AI-generated images and deepfake videos are being used to fabricate events that never happened - synthetic media passed off as journalism. On the other side, legitimate reporting is being dismissed as "fake news" by people who find it inconvenient - real journalism discredited with no evidence required.
C2PA Content Credentials address both problems. They provide a mechanism for newsrooms to cryptographically prove that their photographs were captured by their photojournalists, with their cameras, at the scene they depict. And they provide audiences with a way to verify those claims independently, without trusting the newsroom's word alone.
This isn't theoretical. Major news organisations have already adopted the standard, and their experience provides a practical roadmap for newsrooms of any size.
Which newsrooms are using C2PA
| Organisation | Implementation | Since |
|---|---|---|
| BBC | Founding member via Project Origin. Content Credentials on news imagery and video. Full capture-to-publication pipeline. | 2021 |
| CBC / Radio-Canada | Content Credentials on published news photography and digital content. | 2023 |
| The New York Times | Content Credentials on photojournalism. Participant in News Provenance Project. | 2024 |
| AFP | Content Credentials attached to wire photographs distributed globally. | 2024 |
| Reuters | Engaged with C2PA ecosystem. Implementation in progress. | 2025 |
The BBC's implementation is the most mature, which makes sense - the BBC co-led Project Origin with Microsoft, which merged into C2PA. Their workflow covers the full chain from capture through editing, production, and publication. The New York Times and AFP have focused initially on photojournalism, where the impact of provenance is most immediately tangible.
The newsroom workflow: capture to publication
Here's how Content Credentials flow through a typical news production workflow:
Capture. A photojournalist in the field shoots with a C2PA-enabled camera (Nikon Z9 or Z8, Sony a9 III, etc.). Each image is signed at the moment of capture with Content Credentials recording the camera, time, and optionally location. The image now carries cryptographic proof of its origin.
Transmission. The photographer transmits images to the newsroom - via FTP, cloud storage, or wire service. The Content Credentials travel with the file. If the file is transmitted without conversion or re-encoding, the credentials remain intact.
Editing. A photo editor opens the image in Adobe Photoshop or Lightroom. C2PA-aware software chains a new manifest to the existing one. Standard newsroom adjustments - cropping, exposure correction, colour balance - are recorded as assertions. The original capture credential is preserved as an ingredient. The provenance chain grows but never breaks.
Editorial review. An editor reviews the image and approves it for publication. At this stage, the Content Credentials provide an internal verification function - the editor can confirm the image was captured by the assigned photographer, at the expected time and location.
Publication. The image is published on the organisation's website, app, or distributed via wire service. If the CMS preserves metadata (which requires configuration - many CMSes strip metadata by default), the Content Credentials are available to readers. On platforms that support C2PA display (Google Search, some social platforms), the credentials are surfaced automatically.
Audience verification. A reader who wants to verify the image can upload it to contentcredentials.org/verify and see the complete chain - captured on this camera, edited in this software, published by this organisation. Independent, cryptographic verification without trusting anyone's word.
Many content management systems strip embedded metadata during image processing (resizing, format conversion, CDN distribution). If your CMS does this, Content Credentials won't reach your audience even if they're intact through editing. Audit your publication pipeline and configure it to preserve C2PA manifests. WordPress, for example, strips metadata by default - plugins and configuration changes are needed to preserve it.
Source protection and privacy
This is the question every journalist asks first, and it's the right question. Content Credentials that identify a photographer, a camera serial number, and a GPS location could compromise a source, endanger a journalist, or reveal operational details that should remain confidential.
The C2PA standard was designed with this concern in mind. Here's what you need to know:
All identity information is optional. The standard's guiding principles require that identity fields (photographer name, organisation) are opt-in. You can sign images with Content Credentials that prove they were captured on a specific camera model at a specific time without identifying the photographer by name.
Location data is configurable. GPS coordinates are an optional assertion. Cameras that support C2PA allow you to enable signing while disabling location embedding. If you're working in a conflict zone or covering a sensitive story, turn location off in the camera's C2PA settings.
Camera serial numbers can be controlled. Some camera implementations allow you to configure whether the device serial number is included in the manifest. If serial number exposure is a concern, check your camera's C2PA settings.
The signing entity can be the organisation, not the individual. A newsroom can configure its workflow so that the signing certificate identifies the organisation (e.g. "BBC News") rather than the individual journalist. This provides provenance (this image came from the BBC) without identifying the specific photographer.
You don't have to sign everything. C2PA is opt-in, story by story, image by image. If a particular assignment involves source-sensitive material where any metadata is a risk, don't enable Content Credentials for that assignment. The standard is a tool, not a mandate.
Before enabling Content Credentials on an assignment, consider: Could identifying the photographer endanger them? Could location data reveal a source's position? Could timing data narrow down who provided information? Could the camera serial number be traced to a specific journalist? If the answer to any of these is yes, configure Content Credentials to exclude that information - or disable them for that assignment entirely.
Verifying incoming content
Content Credentials aren't just for proving your own work is authentic. They're also a verification tool for incoming content - user-submitted photos, wire service imagery, social media content that your newsroom wants to use.
Checking wire photos. If your newsroom receives images from AFP, Reuters, or other agencies that sign with Content Credentials, you can verify the provenance chain before publication. Upload the file to contentcredentials.org/verify and confirm the signing entity matches the expected agency.
Checking user-submitted content. If a reader or source sends you a photograph, check it for Content Credentials. If the image was captured on a C2PA-enabled camera and the credentials show a capture time and location consistent with the claimed event, that's a strong authenticity signal. If there are no credentials, that doesn't mean the image is fake - but it means you need to rely on traditional verification methods.
Detecting AI-generated content. Content Credentials from AI generators (OpenAI, Adobe, Google) explicitly identify content as AI-generated. If someone submits an image to your newsroom claiming it shows a real event, and the Content Credentials say it was generated by DALL路E, you've caught a fabrication immediately. See our guide on how to check if an image is AI-generated for the full verification workflow.
Defending against "fake news" accusations
One of the most corrosive dynamics in modern journalism is the weaponisation of "fake news" accusations against legitimate reporting. A politician doesn't like a photograph of a protest? "It's AI-generated." A government doesn't want a massacre documented? "The images are fake."
Content Credentials provide a factual, technical response to these accusations. When a photograph carries a cryptographic provenance chain showing it was captured on a specific Nikon camera, at a specific time, at specific GPS coordinates, and edited only with standard adjustments - that's not an editorial claim. It's a mathematical proof. The accuser would need to break SHA-256 encryption to fake it.
This doesn't make the accusations go away. People who want to disbelieve will always find reasons. But it shifts the burden of evidence. Without Content Credentials, a newsroom can only say "trust us." With them, a newsroom can say "verify it yourself" - and point to independently auditable proof.
For newsrooms operating in adversarial information environments - covering conflict, political unrest, human rights abuses - this capability is not a nice-to-have. It's becoming essential infrastructure for credible journalism.
User-generated content and citizen journalism
Not all journalism comes from professional newsrooms. Citizen journalists, activists, and witnesses document events that no professional photographer is present to capture. C2PA has implications for this ecosystem too.
Mobile capture apps. Apps like Truepic Lens and ProofMode allow citizen journalists to capture C2PA-signed photos and videos on their smartphones. ProofMode, developed by the Guardian Project and WITNESS specifically for human rights documentation, adds additional sensor data (accelerometer, light levels) alongside C2PA provenance to strengthen the evidentiary chain.
Evidentiary value. For citizen-captured content that may be used as evidence - in court proceedings, human rights investigations, or accountability processes - Content Credentials provide a chain of custody that traditional smartphone photos lack. While the legal admissibility of C2PA evidence is still developing (see our photographers guide for more on this), the cryptographic provenance chain is significantly stronger than any previous metadata-based approach.
Newsroom verification of citizen content. When a newsroom receives user-generated content with Content Credentials, the verification is faster and more reliable. The credentials provide technical data points (capture device, time, location) that complement traditional verification methods (contacting the source, cross-referencing with other reporting, geolocation analysis).
Editorial policy considerations
Adopting C2PA is a technical decision, but it has editorial implications that newsroom leadership should consider:
Transparency standard. If you sign some of your journalism with Content Credentials but not all of it, audiences may ask why. Consider establishing a clear policy: "We attach Content Credentials to all original photojournalism" or "We use Content Credentials when our editorial judgment determines it adds value to the audience's ability to verify our reporting."
Edit disclosure. Content Credentials record edit actions. If your newsroom's photo policy allows certain adjustments (cropping, exposure, colour balance) but prohibits others (compositing, content removal, AI enhancement), Content Credentials provide an audit trail that demonstrates compliance. This can be valuable for defending editorial standards.
Retraction and correction. If an image with Content Credentials is later found to be misleading (staged scene, misidentified location), the credentials don't protect against editorial failure - they only document the technical chain. Your editorial policy should address how corrections are handled for content with provenance.
Training. Photographers, editors, and producers need to understand what Content Credentials do and don't prove, how to configure privacy settings, and how to maintain the provenance chain through the production workflow. A one-day training session is typically sufficient for most newsrooms.
How to get started
Step 1: Audit your cameras. Check whether your newsroom's cameras support C2PA. Nikon (Z9, Z8, Zf, Z6III), Sony (a9 III, a1, a7R V), Canon (EOS R1, R5 Mark II), and Leica (M11-P, SL3, Q3) all have native support. See our camera guides for setup instructions: Nikon, Sony, Canon, Leica.
Step 2: Audit your editing pipeline. Ensure you're using C2PA-aware editing software (Adobe Creative Cloud is currently the most complete). Configure your tools to preserve and chain Content Credentials through the edit process.
Step 3: Audit your CMS. Check whether your publication platform preserves embedded metadata. If it strips metadata during image processing, work with your engineering team to configure it for C2PA preservation.
Step 4: Develop editorial policy. Decide when and how Content Credentials will be used. Establish guidelines for privacy-sensitive situations. Document the policy and train staff.
Step 5: Pilot on a single desk. Start with one team - photojournalism is the natural starting point. Run the full workflow from capture to publication. Verify the results at contentcredentials.org/verify. Iterate before expanding to other desks.
Journalism has always depended on trust. In a world where any image can be fabricated and any report dismissed as fake, the ability to provide cryptographic proof of your work's authenticity isn't just a technical upgrade. It's the future of editorial credibility.
This guide is maintained by the C2PA.ai editorial team. Last updated March 2026. Contact us with corrections or newsroom case studies.
Related: C2PA for Photographers 路 How to Check If an Image Is AI-Generated 路 What Is C2PA? 路 Newsroom Implementation Services