AWS for M&E Blog
CBC/Radio-Canada documents video authenticity with Content Credentials on AWS
CBC/Radio-Canada is Canada’s national public broadcaster, providing a range of programming through its websites, streaming services, podcasts, television and radio. With the rising danger of AI-created deepfakes and the erosion of trust in media, CBC/Radio-Canada needed a way to demonstrate the authenticity of its videos to maintain the confidence of the Canadian public.
The Content Credentials specification, published by the Coalition for Content Provenance and Authenticity (C2PA), is rapidly emerging as an important tool to document the authenticity of digital assets. The specification provides a method to associate provenance metadata with videos, images, audio files, and other digital assets. Content Credentials does this by creating a signed manifest that is bound to a specific version of an asset through a digital hash.
The hash value is generated by a mathematical algorithm and uniquely represents the input data, so it can be used to confirm that the data has not been altered. All of the provenance metadata (creation date, title, description, and so on) can be included in the manifest and hashed to prevent the information from being altered. Even if a single bit is changed in the data, the computed hash will be different. Figure 1 provides a high-level depiction of a C2PA manifest, showing the metadata assertions, hash values stored in a claim, and the digital signature.
As a C2PA member and a proponent of Content Credentials, CBC/Radio-Canada wanted a process to add C2PA manifests to its videos. For help, CBC/Radio-Canada turned to the Amazon Web Services (AWS) Prototyping team, whose mission is to catalyze innovation by working closely with customers and partners to apply emerging technology to pressing business challenges. They bring together key ingredients for innovation: a focus on solving real-world challenges, a bias for speed, and competencies in emerging technology.
AWS has extensive experience developing Content Credentials solutions. It joined the C2PA in 2024 and has published a Guidance for Media Provenance with C2PA on AWS containing an open-source solution for running Content Credentials workloads in the cloud. The AWS guidance solution produces a Content Credentials sidecar file to document each asset’s origin.
However, the guidance solution does not support fragmented MP4 (fMP4) video files. This is the format used by CBC/Radio-Canada, and the industry standard for video on demand (VOD) and live streaming.
Technical challenges handling fMP4
An fMP4 package consists of an initialization segment and multiple media fragments containing video data. Video players read the initialization segment and then load the fragments for playback. fMP4 provides a better user experience than downloading the entire file because each fragment is small and can be retrieved quickly—reducing latency.
Applying Content Credentials to fMP4 presents several challenges. The specification requires validators to calculate a hash value for each fragment and to compare it against a pre-calculated value stored in the manifest. The validator also needs to regenerate the signature stored in the manifest to make sure that nothing has been changed. All these validation checks occur during playback, so the process must be completed quickly to avoid delays that would degrade the user experience.
This new AWS Content Credentials solution performs validation using an open-source toolkit provided by the Content Authenticity Initiative (CAI), a nonprofit organization that provides tools to support Content Credentials implementations.
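The checks described above can be seen in miniature in the following added example, which is not code from the AWS solution, the CAI toolkit, or the C2PA specification. It assumes a flat list of SHA-256 segment hashes, JSON encoding, and a throwaway Ed25519 key pair in place of the specification's manifest format and certificate-based signing; all names and sample bytes are constructed.

```javascript
const crypto = require('crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');
// Assumption: JSON.stringify stands in for the binary encoding a real manifest uses.
const encode = (obj) => Buffer.from(JSON.stringify(obj));

// Constructed stand-ins for an fMP4 package (not real media data).
const pkg = {
  'init.mp4': Buffer.from('constructed-init-segment'),
  'seg-1.m4s': Buffer.from('constructed-fragment-1'),
  'seg-2.m4s': Buffer.from('constructed-fragment-2'),
  'seg-3.m4s': Buffer.from('constructed-fragment-3'),
};

// Signer: hash the metadata assertions and every segment into a claim, then sign the claim.
function signPackage(segments, assertions, privateKey) {
  const claim = {
    assertionsHash: sha256(encode(assertions)),
    segmentHashes: Object.fromEntries(
      Object.entries(segments).map(([name, data]) => [name, sha256(data)])),
  };
  return { assertions, claim, signature: crypto.sign(null, encode(claim), privateKey) };
}

// Validator, once before playback: check the claim signature, then the assertion binding.
function validateManifest(manifest, publicKey) {
  if (!crypto.verify(null, encode(manifest.claim), publicKey, manifest.signature)) {
    return 'signature-invalid';
  }
  if (sha256(encode(manifest.assertions)) !== manifest.claim.assertionsHash) {
    return 'assertions-altered';
  }
  return 'ok';
}

// Validator, per fragment during playback: one hash and one comparison.
function validateSegment(manifest, name, data) {
  const expected = manifest.claim.segmentHashes[name];
  if (typeof expected !== 'string') return 'unknown-segment';
  return sha256(data) === expected ? 'ok' : 'hash-mismatch';
}

// Hypothetical assertion label and throwaway key pair, for illustration only.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const manifest = signPackage(pkg, [{ label: 'example.title', data: 'Constructed clip' }], privateKey);
```

Because the signature covers the claim and the claim carries the hashes, the signature is checked once and each fragment then costs a single hash during playback.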
AWS solution overview
The AWS solution, developed for CBC/Radio-Canada, is a significant upgrade to the version described in a previous blog. The updated solution provides an AWS Amplify frontend for users to upload digital assets, view Content Credentials metadata and relationships, and manage Content Credentials workloads. The frontend also includes a dynamic adaptive streaming over HTTP (DASH) video player so users can view and validate the integrity of fMP4 videos.
On the backend, the solution employs a dual compute strategy using AWS Lambda and AWS Fargate. Users may select which compute architecture to use based on their needs. Lambda is a serverless technology that is best for intermittent workloads because users are charged based on the number of requests for their functions and the time their code takes to execute. AWS Fargate is a serverless compute engine for containers that runs continuously for low-latency processing. Since users pay for Fargate even when it is not generating a manifest, it is best suited for larger, continuous workloads.
Architecture and deployment
Figure 2 depicts a high-level view of the solution architecture. Users authenticate to the AWS Amplify frontend using Amazon Cognito. Amazon Simple Storage Service (Amazon S3) buckets store all uploaded and processed assets. The Amplify frontend sends messages to an AWS Lambda function, which serves as middleware that has permission to invoke backend processing. If the user wants to use Lambda to process assets, the middleware triggers an AWS Lambda function URL that is not accessible to the frontend. If the user wishes to use Fargate for processing, the middleware sends messages to an internal Application Load Balancer (ALB) that connects to the Fargate task.
An open-source repository contains all the solution code, documentation, and deployment scripts. Be sure to check the prerequisites noted in the documentation.
In particular, you must install the following:
- AWS Command Line Interface (AWS CLI)
- AWS CDK Command Line Interface (AWS CDK CLI)
- Docker
- Node
- pnpm
Once you have performed all deployment steps, you can launch a local version of the solution frontend. You must manually add a username and password to the Amazon Cognito user pool in order to log in. You must also update your local .env config file so the solution can connect to the resources created during deployment.
The command to launch the Amplify frontend is: pnpm dev
The command will start a local web server and return the application URL.
Note: The solution is not intended for production use. It is a prototype that supports common use cases so you can experiment with the Content Credentials specification and jumpstart your development of a production system.
We will walk through the following use cases:
- Adding Content Credentials metadata to an image
- Viewing existing Content Credentials metadata in an asset
- Adding Content Credentials metadata to fMP4 videos
Use case 1: Adding Content Credentials metadata to an image
The Content Credentials specification provides users the ability to store any type of metadata inside a manifest. A common need is to record how an image has been edited after it was initially captured by a camera. To demonstrate this use case, log in to the solution and click Upload Asset in the left sidebar (see Figure 3).
Select an image on your system, upload it, and then click Edit Asset in the lefthand sidebar. A dropdown menu will list all the assets you have uploaded. Select the image you want to revise and then click the Next button (see Figure 4).
The application will display a set of editing tools to revise the image (see Figure 5). Once you’ve made changes, click Next to see a JSON representation of how the edits will be recorded in the manifest.
Based on the Content Credentials specification, edits are recorded as action assertions (see Figure 6). If the changes look correct, click Next. The system will create a new version of the image with a signed manifest and add it to the asset library.
Note that the Content Credentials specification allows you to record any metadata in a manifest file such as descriptions, keywords, copyright, and so on. The solution only supports recording edit actions, but you can extend this logic to meet your specific use case. The underlying API used by the solution will accept any metadata you supply.
Use case 2: Viewing Content Credentials metadata
To check an asset for Content Credentials metadata, log in to the solution and navigate to the Library under the Media Manager (see Figure 7).
Click an asset link and the application will display the asset detail. At this time, the solution will check whether the asset contains a manifest and run validation tests (Figure 8).
Click the Manifests tab to see a JSON representation of the manifest embedded in the asset (Figure 9).
Click the Interactive Map tab. This view displays a tree showing how the current asset is related to earlier versions that served as ingredients (Figure 10).
To read and validate manifests, the solution relies on a JavaScript framework that runs completely within the browser. The CAI developed the framework as an open-source project you can incorporate into your own applications.
The CAI also maintains a separate website to validate Content Credentials metadata. You can access the CAI validation site by clicking View in Verify Tool. The solution will provide the Verify Tool with a signed Amazon S3 URL so that it can access and validate the asset you created. By default, the Amazon S3 URL will expire in 15 minutes.
Use case 3: Adding Content Credentials metadata to fMP4 videos
The fMP4 section of the Amplify frontend supports managing, uploading, editing, and signing fMP4 files. Use a service such as AWS Elemental MediaConvert or a third-party tool like ffmpeg to transcode your video into fMP4. An adaptive bitrate streaming format like DASH is recommended because the solution includes built-in support for a DASH player. This enables adaptive playback across different devices and network conditions. When using DASH, the output consists of an initialization segment (.mp4), multiple media segments (.m4s), and a manifest file (.mpd) containing metadata and segment information.
Create a JSON file that will contain additional metadata you want to place inside the manifest. This JSON will need to conform to the format used by the CAI c2patool. For details on the format of this file, refer to the CAI documentation. An example providing keywords and a creation date is shown in the following code snippet.
Once you have created the files, launch the solution and select Upload fMP4 Asset. The solution will ask you to specify a folder name, which it will use to hold assets in Amazon S3 (see Figure 11).
Click Save Folder Name. You can now upload all the fMP4 files and the JSON file containing the manifest metadata (Figure 12).
After upload, click Sign fMP4 in the lefthand sidebar. You can now reselect the folder where you placed all the assets. As shown in Figure 13, you will then specify the following identifiers:
- New folder name for the output containing Content Credentials metadata
- Name of the initialization segment file
- Pattern that matches the fragment files
- Name of the JSON file with C2PA manifest metadata
You can specify whether processing should be done using AWS Lambda or AWS Fargate. As mentioned previously, Lambda is more suitable for intermittent workloads, while Fargate is better for continuous workloads. You should experiment to determine which compute resource works best for your needs.
Click Submit and the solution will create, sign, and embed a C2PA manifest into a new fMP4 video package. To find the final video, click the Library option under the Fragmented MP4 area of the sidebar. When you click one of the links, the web application will display the video in a DASH video player. The player has been customized to perform Content Credentials validation of segments during playback (Figure 14).
If the player detects a manifest, it will display a Cr icon in the lower lefthand corner of the user interface. Click the icon to view an overlay that lists the Content Credentials metadata and validation status (Figure 15).
Common questions
When planning your own production system, you can experiment with the AWS solution to better understand how Content Credentials will affect your workloads.
Common questions include:
- What is the latency when generating and validating manifests, especially for assets of different sizes and formats?
- What metadata does your workload require and how will you collect and manage that information without unnecessary complexity or processing time?
- Which vocabularies will you use to capture your provenance metadata?
- How will you provision and manage the digital certificates needed to sign manifests? The AWS solution stores the certificate and private key in AWS Secrets Manager—will that be scalable in your production environment?
- Can you embed C2PA manifests inside your assets, or does that make the files too large? Should you store manifests as sidecar files or limit the number of assertions or ingredients recorded?
Being able to answer all of these questions will help you understand how to implement a Content Credentials workload for production use.
Conclusion
The AWS Content Credentials solution gives CBC/Radio-Canada a quick way to apply provenance metadata to its fMP4 videos. This is a critical requirement for the public broadcaster. “At CBC/Radio-Canada, a cornerstone of our mandate is to accurately inform Canadians with trusted news and verified information,” says Sebastien Testeau, Media Technology Architect, CBC/Radio-Canada. “The C2PA specification and our work on this project will ultimately help audiences to verify the provenance and authenticity of the content they’re consuming.”
To learn how Content Credentials might help your organization, familiarize yourself with the C2PA specification and download the AWS solution to get firsthand experience running Content Credentials workloads in your own environment. If you need help driving innovation or adopting emerging technology, such as Content Credentials, contact an AWS Representative to discuss whether a prototyping engagement could help you innovate and migrate your workloads to the cloud.
Further reading
- AWS Elemental MediaConvert User Guide, Content authenticity with C2PA manifests
- Announcing Content Credentials for Amazon Titan Image Generator
- Content Authenticity Initiative open source SDK