Your ‘AI Watermark’ Probably Doesn’t Survive a Screenshot — The Provenance Trick Platforms Are Betting On Instead (and why it can still fail)
Most “AI watermarks” aren’t in the pixels—they’re cryptographically signed provenance attached to a file. Screenshots and platform re-encodes don’t break the label; they bypass it.
By TheMurrow Editorial
May 17, 2026
Key Points
- 1Recognize the split: most “AI watermarks” are C2PA provenance manifests attached to files, not invisible marks embedded in pixels.
- 2Expect fragility: screenshots, re-encodes, and platform pipelines can strip credentials, leaving viral copies unverifiable even when originals were labeled.
- 3Use provenance correctly: valid credentials strengthen origin claims, but missing labels prove nothing—and neither provenance nor AI tags can verify reality.
A single screenshot can turn a “verified” AI image into an orphan.
That sounds like a cheap gotcha, the kind of line people toss around to dismiss the tech industry’s latest fix for misinformation. Yet it’s also a clear description of how much of today’s “AI watermarking” actually works—especially the kind the biggest companies are rolling out in public.
The most widely deployed approach is not a hidden stamp baked into pixels. It’s a cryptographically signed record attached to the file, the digital equivalent of a tamper-evident label. When you take a screenshot, you don’t copy the label. You make a new object entirely.
“A screenshot doesn’t ‘break the watermark.’ It often sidesteps it—because the watermark was never in the picture to begin with.”
— — TheMurrow Editorial
The uncomfortable truth is that provenance systems can be both technically strong and socially fragile. They succeed when platforms preserve and display them. They fail when content moves the way content actually moves: compressed, reposted, cropped, stripped, screenshotted, and re-encoded by default.
The “watermark” people argue about is usually two different things
Public debates keep collapsing two distinct technologies into one word: watermarking. The result is confusion—and a lot of talking past each other.
One camp is often arguing about labels and manifests that travel with a file. The other is imagining an invisible signal that lives inside the pixels (or audio) themselves. Both get called “watermarking,” but they behave differently under sharing, editing, and platform processing.
The difference matters because the most common dunk—“screenshots kill watermarks”—is frequently accurate for one approach and not necessarily for the other. When you’re trying to understand whether “AI labeling” will actually show up where the public encounters content (feeds, reposts, chats, re-uploads), you need to know which mechanism is being used.
That’s especially true now that major companies are standardizing around provenance credentials as a cross-industry disclosure layer, while research and some product teams pursue robust in-content watermarking as a more transformation-resistant signal.
Below are the two systems people conflate, and why they fail in different ways.
One camp is often arguing about labels and manifests that travel with a file. The other is imagining an invisible signal that lives inside the pixels (or audio) themselves. Both get called “watermarking,” but they behave differently under sharing, editing, and platform processing.
The difference matters because the most common dunk—“screenshots kill watermarks”—is frequently accurate for one approach and not necessarily for the other. When you’re trying to understand whether “AI labeling” will actually show up where the public encounters content (feeds, reposts, chats, re-uploads), you need to know which mechanism is being used.
That’s especially true now that major companies are standardizing around provenance credentials as a cross-industry disclosure layer, while research and some product teams pursue robust in-content watermarking as a more transformation-resistant signal.
Below are the two systems people conflate, and why they fail in different ways.
1) Provenance metadata: the C2PA / Content Credentials model
One approach is file-attached provenance. The Coalition for Content Provenance and Authenticity (C2PA) standard uses a cryptographically signed manifest embedded with the media. It can record who created the file, which tool touched it, and what edits happened, in a tamper-evident chain. The C2PA spec describes this model as a signed set of “assertions” bound to the content (spec.c2pa.org).
In plain terms: it’s a verifiable paper trail, packaged with the file.
That paper trail can be powerful because it is publicly verifiable. Any compatible verifier can check signatures without trusting a platform’s secret “AI detector.” C2PA’s explainer emphasizes interoperability and verifiability as core goals.
Still, the model depends on the file staying intact as it travels. A screenshot, a re-encode, or an upload pipeline that strips metadata can separate the media from its manifest.
In plain terms: it’s a verifiable paper trail, packaged with the file.
That paper trail can be powerful because it is publicly verifiable. Any compatible verifier can check signatures without trusting a platform’s secret “AI detector.” C2PA’s explainer emphasizes interoperability and verifiability as core goals.
Still, the model depends on the file staying intact as it travels. A screenshot, a re-encode, or an upload pipeline that strips metadata can separate the media from its manifest.
2) Signal-in-the-content: robust invisible watermarking
A second approach hides information inside the content itself—in pixel patterns, audio characteristics, or generation signatures. Google DeepMind’s SynthID is an example of an invisible watermark designed to be detectable after common transformations like compression or resizing (deepmind.google).
This is the version many people think they’re discussing when they say “watermark.” Unlike provenance metadata, a robust watermark aims to survive editing and resharing.
The nuance matters: the “screenshot kills watermark” critique is often a critique of file-attached provenance, not of robust in-content watermarking. The two can complement each other, but they fail in different ways.
This is the version many people think they’re discussing when they say “watermark.” Unlike provenance metadata, a robust watermark aims to survive editing and resharing.
The nuance matters: the “screenshot kills watermark” critique is often a critique of file-attached provenance, not of robust in-content watermarking. The two can complement each other, but they fail in different ways.
“Provenance is a label on the package. Robust watermarking is a mark in the product.”
— — TheMurrow Editorial
Why screenshots (and reposts) so often erase provenance
The screenshot problem isn’t magic. It’s file physics.
C2PA manifests are attached to a particular file. When someone takes a screenshot, they create a new image—new pixels, new container, new metadata fields, and usually no carryover of the original signed manifest. The C2PA guide is blunt about how credentials can be lost when content is shared through workflows that don’t preserve metadata (c2pa.ai).
Even without screenshots, the sharing pipeline itself can be hostile to provenance.
This is the key practical point: provenance systems can be cryptographically rigorous and still be fragile in the real world, because real-world media distribution is a chain of transformations. Each transformation is an opportunity to drop, strip, or fail to carry forward the signed manifest.
In other words, a provenance label can be “strong” as long as it stays attached—but staying attached is the hard part when the default internet behavior is to copy images by saving, re-uploading, compressing, cropping, and re-encoding.
The sections below show how this happens even in ordinary, non-malicious use.
C2PA manifests are attached to a particular file. When someone takes a screenshot, they create a new image—new pixels, new container, new metadata fields, and usually no carryover of the original signed manifest. The C2PA guide is blunt about how credentials can be lost when content is shared through workflows that don’t preserve metadata (c2pa.ai).
Even without screenshots, the sharing pipeline itself can be hostile to provenance.
This is the key practical point: provenance systems can be cryptographically rigorous and still be fragile in the real world, because real-world media distribution is a chain of transformations. Each transformation is an opportunity to drop, strip, or fail to carry forward the signed manifest.
In other words, a provenance label can be “strong” as long as it stays attached—but staying attached is the hard part when the default internet behavior is to copy images by saving, re-uploading, compressing, cropping, and re-encoding.
The sections below show how this happens even in ordinary, non-malicious use.
Platform pipelines: the quiet credential shredder
Many services resize and re-encode uploads to save bandwidth and standardize display. During that process, platforms may discard or fail to preserve embedded manifests. The same C2PA guidance warns that upload/transcoding workflows can remove credentials.
A concrete example surfaced in academic work: an April 2026 dataset paper reports that Twitter/X’s CDN systematically stripped C2PA credentials on upload, making cryptographic checks infeasible on reposted images (arxiv.org/abs/2604.25370). That’s not a theoretical weakness. It’s a measurable behavior in a major sharing environment.
This matters because provenance is only as durable as the weakest link in the distribution chain. If a platform’s pipeline drops manifests by default, the content that emerges on the other side may look identical to the human eye but become unverifiable by design.
And because these pipelines are optimized for speed, cost, and consistency—not for preserving authenticity metadata—the “credential shredder” can operate silently, with users never realizing anything was lost.
A concrete example surfaced in academic work: an April 2026 dataset paper reports that Twitter/X’s CDN systematically stripped C2PA credentials on upload, making cryptographic checks infeasible on reposted images (arxiv.org/abs/2604.25370). That’s not a theoretical weakness. It’s a measurable behavior in a major sharing environment.
This matters because provenance is only as durable as the weakest link in the distribution chain. If a platform’s pipeline drops manifests by default, the content that emerges on the other side may look identical to the human eye but become unverifiable by design.
And because these pipelines are optimized for speed, cost, and consistency—not for preserving authenticity metadata—the “credential shredder” can operate silently, with users never realizing anything was lost.
April 2026
An academic dataset paper reports Twitter/X’s CDN systematically stripped C2PA credentials on upload (arxiv.org/abs/2604.25370).
The strip-and-repost playbook is trivial
Removing provenance can be as simple as:
- Taking a screenshot
- Saving “for web” or exporting through a tool that drops metadata
- Uploading to a platform that re-encodes and strips credentials
- Cropping and re-saving through an image editor
None of that requires malice. It’s normal internet behavior. The hard part is designing systems that survive normal behavior—not ideal behavior.
The crucial observation is that the most common actions people take to share content are exactly the actions most likely to separate a file from its attached provenance. Even careful users can erase credentials accidentally, because the tooling and the platforms often treat metadata as expendable.
So the failure mode isn’t “attackers are too clever.” It’s “the default UX of the internet is hostile to file-bound labels.”
- Taking a screenshot
- Saving “for web” or exporting through a tool that drops metadata
- Uploading to a platform that re-encodes and strips credentials
- Cropping and re-saving through an image editor
None of that requires malice. It’s normal internet behavior. The hard part is designing systems that survive normal behavior—not ideal behavior.
The crucial observation is that the most common actions people take to share content are exactly the actions most likely to separate a file from its attached provenance. Even careful users can erase credentials accidentally, because the tooling and the platforms often treat metadata as expendable.
So the failure mode isn’t “attackers are too clever.” It’s “the default UX of the internet is hostile to file-bound labels.”
“If your verification system can’t survive the default ‘share’ button, it won’t govern the internet. The internet will govern it.”
— — TheMurrow Editorial
Common ways provenance gets lost
- ✓Take a screenshot instead of sharing the original file
- ✓Export “for web” or through tools that drop metadata
- ✓Upload to platforms that re-encode and strip credentials
- ✓Crop and re-save via editors that don’t preserve manifests
What platforms are betting on: C2PA plus verification user experience
Despite these fragilities, major companies are committing to C2PA and “Content Credentials” as the backbone of disclosure. Not because it’s perfect, but because it offers something rare in tech policy: a shared, public standard.
That standardization pitch is strategic. A provenance system that can be verified independently—without trusting any single platform’s proprietary detector—has an advantage in credibility and governance. It also creates a common language across tools, from creation to editing to publication.
But there’s a catch embedded in the bet: even a public, interoperable standard is only socially effective if platforms preserve the manifests and present them to users in a comprehensible way. Provenance isn’t just a cryptographic artifact; it’s a product experience.
The companies below are aligning around this model at the creation layer—images and video—while also positioning verification as something users can see via credential panels or external verification tools.
That’s the heart of the “provenance trick” platforms are betting on: make a verifiable record, then build UI and ecosystem hooks so it shows up when and where people need it.
That standardization pitch is strategic. A provenance system that can be verified independently—without trusting any single platform’s proprietary detector—has an advantage in credibility and governance. It also creates a common language across tools, from creation to editing to publication.
But there’s a catch embedded in the bet: even a public, interoperable standard is only socially effective if platforms preserve the manifests and present them to users in a comprehensible way. Provenance isn’t just a cryptographic artifact; it’s a product experience.
The companies below are aligning around this model at the creation layer—images and video—while also positioning verification as something users can see via credential panels or external verification tools.
That’s the heart of the “provenance trick” platforms are betting on: make a verifiable record, then build UI and ecosystem hooks so it shows up when and where people need it.
OpenAI: C2PA in ChatGPT images and DALL·E 3 API outputs
OpenAI’s Help Center documentation states that images generated with ChatGPT and images created via the API serving DALL·E 3 include C2PA metadata. The same documentation points users to verification through a public “Content Credentials Verify” experience (help.openai.com).
That’s a meaningful claim because it ties provenance to mainstream creation tools, not niche experiments. It also reflects a strategic choice: OpenAI is leaning on interoperability rather than a proprietary badge that only OpenAI can validate.
In practical terms, this approach tries to make “origin information” travel with the file and remain checkable by any compatible verifier. It’s an attempt to move disclosure upstream—into the generation pipeline itself—so downstream platforms don’t have to rely entirely on after-the-fact detection.
But as the rest of the ecosystem demonstrates, embedding provenance at creation time doesn’t guarantee it survives distribution. It does, however, make the first-copy artifact verifiable in a way that can matter for investigations, audits, and some forms of journalistic due diligence.
That’s a meaningful claim because it ties provenance to mainstream creation tools, not niche experiments. It also reflects a strategic choice: OpenAI is leaning on interoperability rather than a proprietary badge that only OpenAI can validate.
In practical terms, this approach tries to make “origin information” travel with the file and remain checkable by any compatible verifier. It’s an attempt to move disclosure upstream—into the generation pipeline itself—so downstream platforms don’t have to rely entirely on after-the-fact detection.
But as the rest of the ecosystem demonstrates, embedding provenance at creation time doesn’t guarantee it survives distribution. It does, however, make the first-copy artifact verifiable in a way that can matter for investigations, audits, and some forms of journalistic due diligence.
OpenAI’s Sora: provenance in video, too
In a safety write-up dated March 23, 2026, OpenAI says Sora videos embed C2PA metadata and mentions internal tracing mechanisms akin to reverse-search for investigation and enforcement (openai.com/index/creating-with-sora-safely/).
Video is the higher-stakes arena. If provenance is going to matter in elections, conflicts, or breaking news, it can’t stop at still images.
Embedding provenance in video also pressures the ecosystem to support credential retention at scale. Video platforms are aggressive about transcoding, generating multiple renditions, and stripping metadata to optimize playback. If the industry wants video provenance to function as more than a lab demo, the preservation problem becomes even more central.
OpenAI’s mention of internal tracing underscores another reality: provenance as a public standard is one layer, but platforms will also rely on private enforcement tools. The interplay between open, verifiable manifests and internal investigative systems may shape how “trust signals” are used in practice.
Video is the higher-stakes arena. If provenance is going to matter in elections, conflicts, or breaking news, it can’t stop at still images.
Embedding provenance in video also pressures the ecosystem to support credential retention at scale. Video platforms are aggressive about transcoding, generating multiple renditions, and stripping metadata to optimize playback. If the industry wants video provenance to function as more than a lab demo, the preservation problem becomes even more central.
OpenAI’s mention of internal tracing underscores another reality: provenance as a public standard is one layer, but platforms will also rely on private enforcement tools. The interplay between open, verifiable manifests and internal investigative systems may shape how “trust signals” are used in practice.
March 23, 2026
OpenAI’s Sora safety write-up says Sora videos embed C2PA metadata and references internal tracing mechanisms (openai.com/index/creating-with-sora-safely/).
Microsoft: Content Credentials in Azure OpenAI
Microsoft’s documentation describes Content Credentials in Azure OpenAI, including that verification can display issuance by Microsoft and a timestamp (learn.microsoft.com). The emphasis is enterprise-grade auditing: not merely “is it AI,” but “who issued it” and “when.”
That distinction matters for business and institutional use, where governance questions often center on accountability and recordkeeping. If an organization is generating large volumes of synthetic media, provenance becomes a compliance and policy tool—not just a consumer-facing badge.
It also reflects why C2PA appeals to platforms: cryptographic signatures and manifest chains are legible to auditors and security teams. They can be inspected, logged, and validated in ways that are hard to replicate with opaque detector scores.
Still, the same durability issues apply. The strongest enterprise provenance record can become irrelevant if the media is later exported, transformed, or shared in environments that strip the manifest.
That distinction matters for business and institutional use, where governance questions often center on accountability and recordkeeping. If an organization is generating large volumes of synthetic media, provenance becomes a compliance and policy tool—not just a consumer-facing badge.
It also reflects why C2PA appeals to platforms: cryptographic signatures and manifest chains are legible to auditors and security teams. They can be inspected, logged, and validated in ways that are hard to replicate with opaque detector scores.
Still, the same durability issues apply. The strongest enterprise provenance record can become irrelevant if the media is later exported, transformed, or shared in environments that strip the manifest.
Adobe: creator attribution as a first-class feature
Adobe announced a public beta of its Content Authenticity app on April 24, 2025, positioning Content Credentials as a way for creators to secure attribution, including identity verification via LinkedIn and linking social accounts (blog.adobe.com).
That’s a different angle than “AI safety.” Adobe is selling a workflow for professional creators: credit, authorship, and provenance as part of the creative economy.
This is an important clue about how provenance may normalize: not only as a misinformation countermeasure, but as a creator incentive. If credentials help photographers and designers get recognized, prove authorship, and link to portfolios, adoption can be pulled by market demand rather than pushed by policy.
But that incentive structure only works if credentials survive distribution. Attribution that disappears the moment an image is reposted is like a signature that smudges whenever someone shares your work.
That’s a different angle than “AI safety.” Adobe is selling a workflow for professional creators: credit, authorship, and provenance as part of the creative economy.
This is an important clue about how provenance may normalize: not only as a misinformation countermeasure, but as a creator incentive. If credentials help photographers and designers get recognized, prove authorship, and link to portfolios, adoption can be pulled by market demand rather than pushed by policy.
But that incentive structure only works if credentials survive distribution. Attribution that disappears the moment an image is reposted is like a signature that smudges whenever someone shares your work.
April 24, 2025
Adobe announced a public beta of its Content Authenticity app, positioning Content Credentials for attribution and identity-linked creator workflows (blog.adobe.com).
The UX problem: credentials exist, but users rarely see them
Provenance doesn’t help if nobody can find it. C2PA can embed richly structured information, but most people won’t inspect raw metadata or run verification tools. Platforms have to surface credentials in a readable way—often through an “info” panel or badge.
The C2PA ecosystem itself acknowledges this: users typically rely on a UI disclosure layer that reads and displays the manifest (c2pa.ai). Without that layer, credentials are functionally invisible.
That’s the paradox. The industry is building sophisticated cryptographic packaging, but in everyday use the difference between “verifiable” and “not verifiable” may come down to whether an app shows a small badge, whether tapping it reveals a panel, and whether the panel is understandable.
Even worse, the UX layer shapes public inference. If the UI is inconsistent across platforms—or only appears for some content—users can learn the wrong lessons. The success of provenance is not just technical; it’s educational and behavioral.
The next sections describe why absence-of-badge is not a verdict, and why that nuance is difficult to communicate at scale.
The C2PA ecosystem itself acknowledges this: users typically rely on a UI disclosure layer that reads and displays the manifest (c2pa.ai). Without that layer, credentials are functionally invisible.
That’s the paradox. The industry is building sophisticated cryptographic packaging, but in everyday use the difference between “verifiable” and “not verifiable” may come down to whether an app shows a small badge, whether tapping it reveals a panel, and whether the panel is understandable.
Even worse, the UX layer shapes public inference. If the UI is inconsistent across platforms—or only appears for some content—users can learn the wrong lessons. The success of provenance is not just technical; it’s educational and behavioral.
The next sections describe why absence-of-badge is not a verdict, and why that nuance is difficult to communicate at scale.
Verification is a “positive signal,” not a universal verdict
C2PA’s framing is careful: the presence of valid credentials can provide strong evidence of origin and editing history, but the absence of credentials does not mean “fake.” C2PA calls it a positive signal—useful when present, non-diagnostic when missing (c2pa.ai/what-is-c2pa).
That creates a messy public education challenge. A badge that appears only sometimes can train people into the wrong inference: “no badge equals suspicious.” In reality, “no badge” often means “stripped in transit” or “created before adoption.”
In other words, provenance is asymmetric. When it’s there and intact, it can be powerful. When it’s not there, the system often cannot tell you why. The absence could indicate anything from benign technical loss to deliberate evasion.
This asymmetry is why provenance can’t be treated like a universal authenticity stamp. It’s closer to a receipt: if you have it, you can check details; if you don’t, you can’t conclude much without other context.
That creates a messy public education challenge. A badge that appears only sometimes can train people into the wrong inference: “no badge equals suspicious.” In reality, “no badge” often means “stripped in transit” or “created before adoption.”
In other words, provenance is asymmetric. When it’s there and intact, it can be powerful. When it’s not there, the system often cannot tell you why. The absence could indicate anything from benign technical loss to deliberate evasion.
This asymmetry is why provenance can’t be treated like a universal authenticity stamp. It’s closer to a receipt: if you have it, you can check details; if you don’t, you can’t conclude much without other context.
Case study: the screenshot repost cycle
Consider the most common path for an image today:
1. A creator publishes an image with credentials.
2. A viewer screenshots it to share it in a group chat.
3. The screenshot is uploaded to a social platform that compresses it again.
4. The new copy goes viral without any attached manifest.
Even if the original had perfect provenance, the viral version may not. The result is a two-tier internet: the “first copy” can be verified; the “popular copies” often can’t.
This is not a niche edge case. It’s the dominant pattern for how images travel across apps and contexts, especially when people are moving fast or sharing across platform boundaries.
The implication is sobering: provenance can work best in controlled, first-party contexts—original posts, linked sources, or direct file shares—while failing precisely where misinformation spreads fastest: derivative, decontextualized reposts.
1. A creator publishes an image with credentials.
2. A viewer screenshots it to share it in a group chat.
3. The screenshot is uploaded to a social platform that compresses it again.
4. The new copy goes viral without any attached manifest.
Even if the original had perfect provenance, the viral version may not. The result is a two-tier internet: the “first copy” can be verified; the “popular copies” often can’t.
This is not a niche edge case. It’s the dominant pattern for how images travel across apps and contexts, especially when people are moving fast or sharing across platform boundaries.
The implication is sobering: provenance can work best in controlled, first-party contexts—original posts, linked sources, or direct file shares—while failing precisely where misinformation spreads fastest: derivative, decontextualized reposts.
How provenance disappears in everyday sharing
- 1.A creator publishes an image with credentials
- 2.A viewer screenshots it to share in a chat
- 3.The screenshot is uploaded and compressed again
- 4.The viral copy spreads without the original manifest
The other failure mode: provenance can’t tell you what’s true
Even if C2PA survives sharing, it does not solve the hardest epistemic problem: a verified origin is not the same thing as verified reality.
C2PA can attest that a file was produced by a specific tool or device and list edits in a tamper-evident chain. It cannot tell you whether the scene depicted is authentic, staged, misleadingly framed, or contextually false.
This boundary is important because it’s easy—especially in policy conversations—to treat provenance as a proxy for truth. It isn’t. It’s a record of handling and transformation.
In practice, many of the most successful misinformation incidents use real media presented with false context. Provenance can help track where a particular file came from, but it cannot automatically validate the claims people attach to it.
So even a world where every file carries perfect credentials would still require human judgment, corroboration, and contextual verification. Provenance is an aid, not an oracle.
C2PA can attest that a file was produced by a specific tool or device and list edits in a tamper-evident chain. It cannot tell you whether the scene depicted is authentic, staged, misleadingly framed, or contextually false.
This boundary is important because it’s easy—especially in policy conversations—to treat provenance as a proxy for truth. It isn’t. It’s a record of handling and transformation.
In practice, many of the most successful misinformation incidents use real media presented with false context. Provenance can help track where a particular file came from, but it cannot automatically validate the claims people attach to it.
So even a world where every file carries perfect credentials would still require human judgment, corroboration, and contextual verification. Provenance is an aid, not an oracle.
“Made by a camera” doesn’t mean “not misleading”
A real photograph can still be deceptive:
- A real event shown out of time and place
- A cropped frame that changes meaning
- A staged scene presented as candid
- A true image paired with a false caption
Provenance helps answer “where did this file come from?” It does not fully answer “what does this prove?” That limitation isn’t a flaw in cryptography. It’s a boundary of what metadata can represent.
This is why media literacy and verification practice don’t become obsolete with provenance. They become more targeted: credentials can narrow the search space—who published, what tool chain, what edits—but they can’t evaluate semantics, intent, or contextual truth.
Even with perfect provenance, the interpretive layer remains. The same image can be used honestly in one context and misleadingly in another, without altering the pixels at all.
- A real event shown out of time and place
- A cropped frame that changes meaning
- A staged scene presented as candid
- A true image paired with a false caption
Provenance helps answer “where did this file come from?” It does not fully answer “what does this prove?” That limitation isn’t a flaw in cryptography. It’s a boundary of what metadata can represent.
This is why media literacy and verification practice don’t become obsolete with provenance. They become more targeted: credentials can narrow the search space—who published, what tool chain, what edits—but they can’t evaluate semantics, intent, or contextual truth.
Even with perfect provenance, the interpretive layer remains. The same image can be used honestly in one context and misleadingly in another, without altering the pixels at all.
“Made by AI” doesn’t mean “untrustworthy,” either
The flip side also matters. AI-generated content isn’t automatically misinformation. Some AI images are clearly labeled illustrations. Some are harmless creative work. Some are used responsibly in journalism as explanatory graphics.
A provenance system that simply shouts “AI!” without context risks becoming a blunt instrument—one that stigmatizes legitimate creative uses while still failing to stop malicious actors who strip metadata.
This is the policy and design tension: disclosures need to be informative without becoming a scarlet letter. They need to help audiences calibrate trust appropriately, not collapse all synthetic content into a single category.
If the ecosystem treats “AI-generated” as equivalent to “deceptive,” it could encourage creators to hide their process and discourage transparent labeling—undercutting the very adoption provenance needs to be useful.
A provenance system that simply shouts “AI!” without context risks becoming a blunt instrument—one that stigmatizes legitimate creative uses while still failing to stop malicious actors who strip metadata.
This is the policy and design tension: disclosures need to be informative without becoming a scarlet letter. They need to help audiences calibrate trust appropriately, not collapse all synthetic content into a single category.
If the ecosystem treats “AI-generated” as equivalent to “deceptive,” it could encourage creators to hide their process and discourage transparent labeling—undercutting the very adoption provenance needs to be useful.
Key Takeaway
Provenance can verify origin and edits when intact—but it can’t verify reality, and it often vanishes when content is screenshotted or re-encoded.
Where robust watermarking fits—and what it can and can’t promise
The screenshot critique often underestimates a different class of tooling: robust invisible watermarks that embed a detectable signal in the pixels. DeepMind’s SynthID is presented as a watermark designed to remain detectable through common transformations (deepmind.google).
That’s attractive for a simple reason: if the marker is in the content, not attached to the file, it’s harder to lose through everyday sharing.
But robust watermarking has its own tradeoffs. A watermark that survives heavy transformation can be harder to remove, but also harder to make imperceptible or resistant to adversarial attacks. And many robust watermarking schemes still require a detection system, which can be centralized and harder to audit than public cryptographic signatures.
So robust watermarking isn’t a replacement for provenance; it’s a complementary tool that addresses a different failure mode. One tries to make labeling travel with the file. The other tries to make labeling stick to the media itself.
The sections below outline the limits of robustness and why platforms still like provenance despite its fragility.
That’s attractive for a simple reason: if the marker is in the content, not attached to the file, it’s harder to lose through everyday sharing.
But robust watermarking has its own tradeoffs. A watermark that survives heavy transformation can be harder to remove, but also harder to make imperceptible or resistant to adversarial attacks. And many robust watermarking schemes still require a detection system, which can be centralized and harder to audit than public cryptographic signatures.
So robust watermarking isn’t a replacement for provenance; it’s a complementary tool that addresses a different failure mode. One tries to make labeling travel with the file. The other tries to make labeling stick to the media itself.
The sections below outline the limits of robustness and why platforms still like provenance despite its fragility.
Robust doesn’t mean indestructible
No watermark is invincible. The more robust a watermark is to distortion, the more it risks affecting quality or being susceptible to adversarial removal attempts. The research here doesn’t offer performance statistics, and responsible writing shouldn’t invent them.
Still, the design goal is clear: survive compression, resizing, and other typical edits—potentially including workflows that resemble “screenshotting,” depending on implementation and detection.
This is the core promise: resilience under common transformations. But “common” is doing a lot of work. Attackers can attempt targeted removal, and the internet generates endless edge cases—filters, overlays, crops, memetic edits—that can challenge detectors.
So robust watermarking should be understood as raising the cost of stripping signals, not guaranteeing permanence. It may make it harder to casually remove a label, but it won’t eliminate evasion, especially by determined actors.
Still, the design goal is clear: survive compression, resizing, and other typical edits—potentially including workflows that resemble “screenshotting,” depending on implementation and detection.
This is the core promise: resilience under common transformations. But “common” is doing a lot of work. Attackers can attempt targeted removal, and the internet generates endless edge cases—filters, overlays, crops, memetic edits—that can challenge detectors.
So robust watermarking should be understood as raising the cost of stripping signals, not guaranteeing permanence. It may make it harder to casually remove a label, but it won’t eliminate evasion, especially by determined actors.
Why platforms still like provenance
Even if robust watermarking improves, platforms have reasons to prioritize C2PA:
- Public verifiability: signatures can be checked independently, without secret models.
- Interoperability: cross-industry standards reduce fragmentation.
- Human-readable context: manifests can show tools, edits, timestamps, and attribution.
Robust watermarking often relies on detectors and governance frameworks that may be more centralized. Provenance offers a more open audit trail—if it survives.
This is why the current “bet” looks like a layered approach: provenance for an auditable record, plus (potentially) watermarking for resilience. But if distribution channels continue stripping manifests, the open audit trail risks being available only to first-party copies, while the public mostly encounters orphaned derivatives.
The tension isn’t just technical; it’s institutional. Open standards are politically attractive, but only if platforms commit to preserving them end-to-end.
- Public verifiability: signatures can be checked independently, without secret models.
- Interoperability: cross-industry standards reduce fragmentation.
- Human-readable context: manifests can show tools, edits, timestamps, and attribution.
Robust watermarking often relies on detectors and governance frameworks that may be more centralized. Provenance offers a more open audit trail—if it survives.
This is why the current “bet” looks like a layered approach: provenance for an auditable record, plus (potentially) watermarking for resilience. But if distribution channels continue stripping manifests, the open audit trail risks being available only to first-party copies, while the public mostly encounters orphaned derivatives.
The tension isn’t just technical; it’s institutional. Open standards are politically attractive, but only if platforms commit to preserving them end-to-end.
2-tier internet
First-copy posts may retain verifiable provenance; viral screenshots and reposts often lose manifests and become unverifiable by default.
Practical takeaways: how to read AI provenance without being fooled by it
Readers need tools, but they also need mental models. Provenance and watermarking are aids to judgment, not replacements for it.
The public conversation often swings between two extremes: “provenance will solve misinformation” and “screenshots make it useless.” The reality is more practical. Provenance can be genuinely informative when present and intact. It can also be missing for reasons that have nothing to do with deception.
So the goal is calibrated interpretation. Treat provenance like one signal among many: origin and edit history, source reputation, corroboration, and contextual plausibility.
This section lays out what to do with credential panels if you encounter them, how creators can publish in ways that preserve credentials, and what platforms must do if they want provenance to function at scale.
The strongest systems won’t just embed credentials—they’ll make them visible, durable, and legible to non-experts.
The public conversation often swings between two extremes: “provenance will solve misinformation” and “screenshots make it useless.” The reality is more practical. Provenance can be genuinely informative when present and intact. It can also be missing for reasons that have nothing to do with deception.
So the goal is calibrated interpretation. Treat provenance like one signal among many: origin and edit history, source reputation, corroboration, and contextual plausibility.
This section lays out what to do with credential panels if you encounter them, how creators can publish in ways that preserve credentials, and what platforms must do if they want provenance to function at scale.
The strongest systems won’t just embed credentials—they’ll make them visible, durable, and legible to non-experts.
For everyday readers: treat credentials like nutrition labels
A credential panel can answer questions worth asking:
- Who (or which tool) created this file?
- Has it been edited, and by what software?
- Does the chain look intact and tamper-evident?
When credentials are present and valid, that is useful evidence. When they’re missing, it’s often a logistics problem, not a smoking gun.
The analogy is helpful because it frames credentials as informative but incomplete. A nutrition label can tell you what’s in a product; it can’t tell you whether you should eat it. Similarly, provenance can show creation and edit history; it can’t tell you the broader truth of the claim.
So “read the label” when you can—and avoid over-interpreting its absence. Missing credentials should trigger curiosity and further checking, not instant conclusions.
- Who (or which tool) created this file?
- Has it been edited, and by what software?
- Does the chain look intact and tamper-evident?
When credentials are present and valid, that is useful evidence. When they’re missing, it’s often a logistics problem, not a smoking gun.
The analogy is helpful because it frames credentials as informative but incomplete. A nutrition label can tell you what’s in a product; it can’t tell you whether you should eat it. Similarly, provenance can show creation and edit history; it can’t tell you the broader truth of the claim.
So “read the label” when you can—and avoid over-interpreting its absence. Missing credentials should trigger curiosity and further checking, not instant conclusions.
For creators: publish in ways that preserve credentials
If you want your work to retain Content Credentials as it spreads:
- Export using workflows that preserve metadata
- Favor platforms and file formats known to retain manifests
- Share original files or links when possible, not screenshots
Adobe’s emphasis on attribution—linking credentials to identity verification and social accounts—signals where creator tools are heading (Adobe announcement, April 24, 2025). That only works if credentials survive distribution.
This is where creator incentives and platform implementation collide. Creators can do everything “right” in their export workflow and still lose credentials when an audience reuploads through a stripping pipeline. But creators can still improve the odds by sharing originals, using supported formats, and educating audiences about how to preserve verification.
In a world where screenshots are the default, even small nudges—like “share link to original” instead of “post screenshot”—can preserve provenance for the next hop.
- Export using workflows that preserve metadata
- Favor platforms and file formats known to retain manifests
- Share original files or links when possible, not screenshots
Adobe’s emphasis on attribution—linking credentials to identity verification and social accounts—signals where creator tools are heading (Adobe announcement, April 24, 2025). That only works if credentials survive distribution.
This is where creator incentives and platform implementation collide. Creators can do everything “right” in their export workflow and still lose credentials when an audience reuploads through a stripping pipeline. But creators can still improve the odds by sharing originals, using supported formats, and educating audiences about how to preserve verification.
In a world where screenshots are the default, even small nudges—like “share link to original” instead of “post screenshot”—can preserve provenance for the next hop.
For platforms: disclosure must be durable, not decorative
The April 2026 report about Twitter/X’s CDN stripping credentials is a warning flare (arxiv.org/abs/2604.25370). Provenance cannot become a niche feature available only on the first upload and nowhere else.
If platforms want provenance to matter, they have to:
- Preserve manifests through transcoding
- Display credentials consistently and clearly
- Offer verification UX that doesn’t require technical literacy
Without that, “verified” media will remain a boutique feature in a mass-sharing world.
Durability is the product requirement here. It’s not enough to support C2PA in principle; platforms need to ensure their pipelines retain manifests, that their UI surfaces them, and that the experience is consistent across reposts, downloads, and embeds.
Otherwise the ecosystem teaches the public a damaging lesson: “authenticity labels are unreliable,” when the real issue is that the labels were dropped by design choices in distribution.
If platforms want provenance to matter, they have to:
- Preserve manifests through transcoding
- Display credentials consistently and clearly
- Offer verification UX that doesn’t require technical literacy
Without that, “verified” media will remain a boutique feature in a mass-sharing world.
Durability is the product requirement here. It’s not enough to support C2PA in principle; platforms need to ensure their pipelines retain manifests, that their UI surfaces them, and that the experience is consistent across reposts, downloads, and embeds.
Otherwise the ecosystem teaches the public a damaging lesson: “authenticity labels are unreliable,” when the real issue is that the labels were dropped by design choices in distribution.
Editor’s Note
C2PA works best when platforms preserve manifests end-to-end and make credentials visible; otherwise, verification becomes limited to original uploads.
Conclusion: the internet doesn’t need perfect provenance—it needs survivable provenance
C2PA and Content Credentials represent a serious attempt to make media origin verifiable across companies and tools. OpenAI’s documentation for ChatGPT and DALL·E 3 outputs, its March 23, 2026 note that Sora videos embed C2PA metadata, Microsoft’s Azure OpenAI credentials documentation, and Adobe’s 2025 push for attribution all point in the same direction: provenance is becoming a default expectation, at least at the creation layer.
But creation is only half the story. Distribution is where truth claims get made, contested, and weaponized. A system that breaks under screenshots and upload pipelines will not be a social standard; it will be a technical footnote.
The more constructive framing is also the more honest one. Provenance can tell you something real: where a file came from, and how it changed. It cannot tell you what the world looked like when the shutter clicked—or whether the scene was ever real at all.
The task ahead is not to promise certainty. It’s to build signals that survive ordinary sharing, and to teach the public to read those signals without mistaking them for truth.
But creation is only half the story. Distribution is where truth claims get made, contested, and weaponized. A system that breaks under screenshots and upload pipelines will not be a social standard; it will be a technical footnote.
The more constructive framing is also the more honest one. Provenance can tell you something real: where a file came from, and how it changed. It cannot tell you what the world looked like when the shutter clicked—or whether the scene was ever real at all.
The task ahead is not to promise certainty. It’s to build signals that survive ordinary sharing, and to teach the public to read those signals without mistaking them for truth.
T
About the Author
TheMurrow Editorial is a writer for TheMurrow covering technology.
Frequently Asked Questions
Are “AI watermarks” the same thing as Content Credentials?
No. Content Credentials usually refers to C2PA provenance metadata: a cryptographically signed manifest attached to the file describing origin and edits. “AI watermarking” can also mean a robust invisible signal embedded in the content itself (pixels/audio). People often use one term for both, but they behave differently under sharing and editing.
Why does a screenshot remove AI labeling so easily?
A screenshot typically creates a new file that does not carry over the original file’s embedded C2PA manifest. C2PA is attached to a specific file container, so the “label” doesn’t automatically transfer to a newly captured image. Many sharing platforms also strip metadata during upload and transcoding, compounding the loss.
If Content Credentials are missing, does that mean the image is fake?
No. C2PA is designed as a positive signal: if valid credentials are present, they provide strong provenance evidence. If they are absent, that does not prove anything by itself. Credentials might be missing because the content predates adoption, because a platform stripped metadata, or because someone reposted a screenshot.
Which companies are actually using C2PA today?
According to publicly available documentation: OpenAI says ChatGPT-generated images and images via the DALL·E 3 API include C2PA metadata, and OpenAI’s Sora safety write-up dated March 23, 2026 says Sora videos embed C2PA metadata. Microsoft documents Content Credentials in Azure OpenAI, and Adobe announced a public beta of its Content Authenticity app on April 24, 2025.
Do social media platforms preserve C2PA credentials reliably?
Not always. C2PA guidance warns that upload and transcoding pipelines can drop credentials. An April 2026 academic dataset paper reports Twitter/X’s CDN systematically stripped C2PA credentials on upload, preventing cryptographic provenance checks on reposted images. Preservation depends on platform implementation choices.
Can C2PA prove whether a scene is true?
No. C2PA can show origin and editing history for a file, but it cannot prove that the depicted event happened as claimed or that the context is accurate. A genuine photo can still be misleading, and an AI-generated image can be responsibly used. Provenance supports evaluation; it doesn’t replace it.
