AWS for M&E Blog

ARD ensures content provenance with C2PA and AWS

This blog post was co-authored by Martin Grohme, Streaming Architect, WDR.

The digital age has brought unprecedented challenges in verifying the authenticity of media content. ARD, Germany’s leading public broadcaster, faced a critical challenge: how to guarantee the authenticity of their video content in an era where digital manipulation and misinformation are rampant. The broadcaster recognized the urgent need for a robust verification system that could maintain public trust and ensure content integrity. Through collaboration with Amazon Web Services (AWS), ARD developed an innovative solution: a serverless media supply chain that implements the Coalition for Content Provenance and Authenticity (C2PA) standard.

This technological advancement represents a significant step forward in the commitment ARD has made to deliver verified, trustworthy content to their audiences. By leveraging the serverless architecture of AWS, this automated pipeline secures content at its source and makes authenticity verification seamlessly accessible to viewers. The solution integrates AWS Key Management Service (AWS KMS) for secure key management, while bringing content verification directly to audiences through an innovative frame-by-frame provenance check in web players.

This seamless fusion of cloud technology, security, and user experience demonstrates how public broadcasters can lead the charge in combating digital misinformation, while maintaining the trust of their audiences.

“In today’s world of widespread digital manipulation, ensuring the authenticity of our content is crucial for maintaining public trust. The implementation of C2PA for our VOD assets will represent a significant step forward for ARD. Our goal is to give our viewers complete transparency about content origins and modifications, while maintaining the seamless viewing experience they expect from public broadcasting,” says Martin Grohme, Streaming Architect at WDR.

Understanding C2PA

The C2PA represents a response to our era’s growing challenge of digital misinformation. Born from a powerful partnership between technology leaders (including Arm Limited, Intel Corporation, Microsoft, and Truepic), the initiative has since expanded to include major media organizations (such as the BBC, Amazon, and Austrian Broadcasting Services (ORS Group)).

At its core, C2PA is a complete, open media provenance standard that acts like a digital passport for media content. When content is created, C2PA attaches what’s known as Content Credentials—a cryptographically sealed manifest that contains vital information about the content’s origin, creation date, creator, and any subsequent modifications. Think of it as an unbreakable chain of custody for digital media along the entire glass-to-glass journey, where each edit or change is permanently logged and traceable.

The beauty of this system lies in its accessibility and transparency. Anyone can verify a piece of content’s authenticity using C2PA-compatible players with a single click on the content credentials pin. For instance, when a broadcaster receives user-generated footage of a breaking news event, they can instantly verify its source, creation time, and modification history before broadcasting. Verifiable content credentials are a powerful tool in maintaining journalistic integrity.

ARD use case

ARD needed to implement content authentication for their video on-demand (VOD) platform. Their requirements centered around maintaining viewer trust through transparent content verification, while ensuring operational efficiency.

The proof-of-concept ARD implemented leverages their existing AWS infrastructure, with Amazon Simple Storage Service (Amazon S3) serving as the storage backbone. When content arrives in the VOD platform, Amazon S3 event notifications trigger AWS Lambda functions that automatically handle C2PA signature generation. This serverless approach facilitates cost-effective scaling, while minimizing maintenance overhead.

Viewer transparency was achieved through enhanced player functionality. The web player performs verification during playback, clearly indicating content authenticity status. In cases where provenance cannot be verified, detailed information is readily available to viewers, maintaining transparency without disrupting the viewing experience.

The C2PA conformance guidelines recommend using either a local platform keystore service or a hosted key management service (such as AWS KMS). Since private keys should generally not be directly accessible, we describe an enhancement to the Guidance for Media Provenance with C2PA on AWS. The enhancement replaces the original AWS Secrets Manager approach with AWS KMS for improved key management.

Serverless solution for content provenance

The solution utilizes a serverless event-driven pattern based on:

  • Amazon S3 functioning as a highly durable object storage system. It stores data in buckets, scales automatically, and enables direct file access through HTTP/HTTPS protocols. Amazon S3 handles millions of requests each second and maintains high data durability.
  • AWS Lambda executing code without server management. It responds to events from other AWS services, scales automatically based on workload, and charges only for the compute time used. Lambda supports major programming languages and executes functions with up to 15 minutes runtime.
  • AWS KMS managing cryptographic keys for data encryption. It operates using FIPS 140-2 validated hardware security modules, integrates with AWS services, and provides centralized key control. AWS KMS logs all key usage in AWS CloudTrail and supports both symmetric and asymmetric encryption.
There are 3 icons viewable, from left to right there is an S3 bucket, a Lambda function and an AWS KMS store. There are 5 different arrows indicating process flow. The process flow is outlined by numbers and more thoroughly explained in the following paragraph in the blog body.

Figure 1: Schematic diagram of the signature process.

Following is a high-level walk-through:

  1. A trigger is set up on an S3 bucket. When an object is created in the specified bucket it initiates a call to a Lambda function.
  2. The Lambda function is invoked with details about the newly created Amazon S3 object. The Lambda function downloads the object from the S3 bucket to its local temporary storage.
  3. The Lambda function starts the signing process using a predefined manifest definition. It prepares the claim bytes that need to be signed. These claim bytes are sent to AWS KMS for signing. AWS KMS uses a stored configuration with a private key to sign the claim bytes. The process of how to convert a private key and store it in AWS KMS is described in the GitHub repository.
  4. AWS KMS utilizes a specified custom signer. This integration follows the approach described in the c2patool documentation. The custom signer processes the claim bytes and returns the signed version to the Lambda function. The Lambda function incorporates these signed bytes into the original object, creating a signed version.
  5. The newly signed object is uploaded back to the S3 bucket.

The Lambda function implements error handling at each step of the process. It logs important events and any errors for monitoring and troubleshooting. After successful processing, the function also cleans up any temporary files created during execution.
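The KMS signing call in steps 3 and 4 could look like the following. This is an added example, not code from the ARD/AWS repository. It assumes an ES256 signature with an `ECC_NIST_P256` KMS key, a boto3 KMS client passed in by the caller, and a signing stack that expects the fixed-width `r || s` form used by COSE; the function names are hypothetical.

```python
import hashlib

P256_SIZE = 32  # bytes per P-256 value (assumption: ECC_NIST_P256 key)


def _read_der_integer(buf: bytes, pos: int) -> tuple[int, int]:
    """Read one short-form DER INTEGER at pos; return (value, next position)."""
    if pos + 3 > len(buf) or buf[pos] != 0x02 or buf[pos + 1] >= 0x80:
        raise ValueError("expected short-form DER INTEGER")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf) or buf[pos + 2] & 0x80:
        raise ValueError("truncated or negative DER INTEGER")
    return int.from_bytes(buf[pos + 2:end], "big"), end


def der_to_raw(der: bytes, size: int = P256_SIZE) -> bytes:
    """Convert a DER ECDSA-Sig-Value (what KMS returns) to fixed-width r || s."""
    if len(der) < 8 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    r, pos = _read_der_integer(der, 2)
    s, pos = _read_der_integer(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after signature")
    # int.to_bytes raises OverflowError if r or s exceeds the curve size.
    return r.to_bytes(size, "big") + s.to_bytes(size, "big")


def kms_sign_claim(kms_client, key_id: str, claim_bytes: bytes) -> bytes:
    """Sign claim bytes with an asymmetric KMS key; the key never leaves KMS."""
    # KMS accepts at most 4096 bytes of raw message, so hash locally and
    # send only the digest (MessageType="DIGEST").
    digest = hashlib.sha256(claim_bytes).digest()
    resp = kms_client.sign(
        KeyId=key_id,
        Message=digest,
        MessageType="DIGEST",
        SigningAlgorithm="ECDSA_SHA_256",
    )
    return der_to_raw(resp["Signature"])
```

In the Lambda function the client would come from `boto3.client("kms")`, and the execution role needs `kms:Sign` on that key only.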

The code utilizing the AWS Serverless Application Model (AWS SAM) is released under an MIT license on this GitHub repository.

Verification of signed VOD content

Following the serverless signing process, the ARD solution implementation focuses on delivering transparent content verification to viewers. The verification system analyzes each fragment of on-demand streaming video, acknowledging the critical importance of authenticity in news content.

The ARD platform utilizes a customized version of the hls.js player, enhanced with a C2PA verification plugin. During playback, each fragment undergoes near real-time verification, with results displayed through an unobtrusive status indicator in the upper right corner of the video player. This continuous verification process confirms viewers can trust the authenticity of every moment of the content they consume.

When the solution detects verification issues, it immediately alerts viewers through visual cues. The status indicator turns red, and an explanatory pop-up appears (Figure 2), providing detailed information about the verification failure. This approach facilitates complete transparency, while maintaining a smooth viewing experience.

The image is a screenshot from a video player interface, specifically the ARD-Player demonstrator with Content Credentials, playing a news program. At the top of the screen, there are logos for EBU and WDR (German public broadcaster). The interface shows a content verification system, with a blue notification box containing text about content credentials. The Content Credentials pop-up states: We were unable to verify the signature of the current playback portion. There is a potential risk that the video or audio content may have been tampered with. For more information, please visit our Help page. You may choose to continue playback at your own risk. (Blue Continue Playback button) There's also a timestamp, or date reference, to June 26, 2024.

Figure 2: Player highlighting the credential status at the current playback position.

Conclusion

The challenge of digital misinformation in today’s fast-paced media landscape demands innovative solutions that are both powerful and practical. We have demonstrated that combining AWS serverless architecture with C2PA standards can create a robust, cost-effective approach to content authentication that meets this challenge head-on.

This proof-of-concept solution ARD has implemented proves that confirming content provenance doesn’t require massive infrastructure investments or complex management systems. Instead, by leveraging cloud-native services and automated workflows, the solution is both scalable and economically viable, making it accessible to broadcasters and content providers of all sizes.

The integration of provenance checking of on-demand streaming videos in web players represents more than just a technical achievement—it’s a blueprint for the future of trusted media distribution. While detecting manipulated content across the internet remains a daunting challenge, this implementation shows how C2PA can be practically applied to create a more transparent and trustworthy digital media ecosystem.

Ready to transform your media operations with serverless media supply chains on AWS? Contact our AWS Media & Entertainment specialists to discuss how our services and solution guidance can address your specific workflow challenges.

About ARD

ARD (Arbeitsgemeinschaft der öffentlich-rechtlichen Rundfunkanstalten der Bundesrepublik Deutschland) is Germany’s largest public-service broadcasting network. Founded in 1950, it’s a consortium of nine regional public broadcasters and one global channel that work together to provide television, radio, and digital media services throughout Germany and abroad. ARD operates under a public mandate to deliver independent, comprehensive, and objective programming that includes news, education, culture, and entertainment.

Jakob Rosinski

Jakob Rosinski is a Principal Solutions Architect at AWS with 18 years of experience in the Media & Entertainment industry. Jakob leverages his expertise to help European customers successfully migrate their media workloads to the cloud. He specializes in media supply chain and archival solutions and serves as the global technical lead for this solution area at AWS.

Felix Schörner

Felix Schörner is a Senior Enterprise Account Manager at AWS, bringing more than a decade of experience in the Public Sector. He has extensive expertise in guiding large-scale public organizations through their digital transformation journeys.