December 27, 2023

Disinformation

Tags: contemplation crypto
3 minute read

In an age of disinformation and deepfakes, how will we know the authenticity of things we see on the web? Disinformation is a key civilisational risk that could threaten stability, peace, and democracy amongst other things.

The problem

I see something on the web, and I want to know whether certain parties I trust attest to its authenticity. This could be the party that originated the information, or others that verify it.

The solution

I think cryptography offers a simple solution. What follows could probably be tweaked and improved a bit, but the basic concept remains the same.

People posting something on the internet, whether it’s text/audio/image/video, and whether it’s on social media or a website, simply display the following information below it (or behind the scenes in the HTML, for example):

Signatures:

Entity: bbc.co.uk
Content signature: [signature over the cryptographic hash of the content, made with the entity's private key]

Entity: bobthebuilder.com
Content signature: [signature over the cryptographic hash of the content, made with the entity's private key]

...

On their end, the entities host a [url]/public-key.txt file on their website, which contains nothing but their public key. This constitutes what some would call a “Public Key Infrastructure (PKI)”, built on the domain name system, which is already widespread. E.g.

// public-key.txt
[public key e.g. 0xfdsfdfdsfds]

Whoever controls the given URL is thereby asserting that they control the given public key. That entity can then sign any content using their private key, and publish the content signature, for instance alongside the original content.

On the client side (on the viewer’s end), you simply run trusted software that scans for signatures of content you see, and puts a green tick or a red cross next to content, as well as the entity names that attest to the content.

This could simply be a browser plugin, for example, that hashes the content and then, using the entity’s published public key, checks that the content signature is a valid signature over that hash.

Illustrative example

[Image: twitter example]

Some additional points to consider

In reality, entities are large groups of people, so they’ll probably want to have some sort of multisig system to sign content. For example, a system where various groups in the organisation each have a separate key, and where some rules are in place for how these keys can be used (e.g. k out of n keys required for any given content signature).
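As an added example (not code from the original post), the sketch below implements both sides of the scheme described above: the publisher signs a SHA-256 digest of the content with an Ed25519 key, and the client re-hashes what it sees and checks the signature against the keys published for that domain. An in-memory map stands in for fetching each entity’s public-key.txt, the domain names and content are constructed, and the threshold parameter models the k-of-n multisig idea from this section.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
)

// Constructed in-memory stand-in for https://<domain>/public-key.txt; a domain may list several keys.
var publicKeyTxt = map[string][]ed25519.PublicKey{}

// RegisterEntity generates n Ed25519 key pairs, "publishes" the public halves and returns the private keys.
func RegisterEntity(domain string, n int) []ed25519.PrivateKey {
	var privs []ed25519.PrivateKey
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(nil) // nil reader = crypto/rand
		if err != nil {
			panic(err)
		}
		publicKeyTxt[domain] = append(publicKeyTxt[domain], pub)
		privs = append(privs, priv)
	}
	return privs
}

// SignContent (publisher side): sign the SHA-256 digest of the content, giving the hex "Content signature".
func SignContent(priv ed25519.PrivateKey, content []byte) string {
	digest := sha256.Sum256(content)
	return hex.EncodeToString(ed25519.Sign(priv, digest[:]))
}

// VerifyAttestation (browser-plugin side): re-hash the displayed content and check each
// signature against the entity's published keys. At least threshold distinct keys must
// have signed (k-of-n multisig); an unknown domain has no keys, so the check fails.
func VerifyAttestation(domain string, content []byte, sigs []string, threshold int) bool {
	digest := sha256.Sum256(content)
	used := map[int]bool{} // one key's signature must not be counted twice
	for _, s := range sigs {
		sig, _ := hex.DecodeString(s) // malformed hex simply fails Verify below
		for i, pub := range publicKeyTxt[domain] {
			if !used[i] && ed25519.Verify(pub, digest[:], sig) {
				used[i] = true
				break
			}
		}
	}
	return len(used) >= threshold
}
```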

For the public-key.txt file, an entity may wish or need to change its public key over time. Thus this file could also contain older keys and when they changed, so that old signatures can be verified. This would need some standardisation. The file could also list out keys that have been compromised, or even specific content signatures that shouldn’t be considered valid for some reason. There may be more scalable mechanisms for this.

The system relies on the domain name paradigm. This security model probably needs more scrutiny and development.

Furthermore, nothing guarantees signed content is “Truth”. All you know is that a given entity has attested to it.

Concluding thoughts

I’ll be reaching out to various folks to litmus test the basic concept. If things check out, it should be straightforward to whip up a client side browser extension. I suppose the hardest part may be to encourage adoption, which I’ll have a think about.

With increasing amounts of fake information online, not to mention the power of generative AI, it is imperative we design methods to identify truth well into the future, for the sake of humanity.

If you find this topic interesting, please do not hesitate to get in touch!

Acknowledgments

A big thanks to Nick Jachowski, Guo Jun Leow, and Shahram Anver for reviewing this post and sharing some thoughts.

All rights reserved