Blockchain against deepfakes and disinformation: Provenance, evidence and compliance

Brief overview: Deepfakes are not just a recognition problem, but a question of proof of origin, verifiability and reliable procedures. Blockchain-supported verification and register models can document content provenance (“Who created or changed what, when, how?”), freeze it in a legally binding manner and archive it in a way that is legally binding. The connection to applicable law is crucial: copyright, personality and competition law, DSA obligations for platforms, eIDAS evidence (qualified time stamp, qualified electronic seal) and the transparency requirements of the AI Act for synthetic content. This article sets out the starting points, limits and a robust implementation roadmap.

Technology modules: Provenance, watermarks, signatures and blockchain registers

Provenance standards. In practice, a two-stage model has proven its worth: firstly, technical provenance metadata (e.g. based on C2PA/content credentials) directly on the asset, and secondly, a forgery-resistant, externally verifiable record in a register. C2PA specifies how a signed provenance “manifest” block can be bound to the file when an image, video or audio is created or edited and how it can be extended each time it is edited. This creates a history of changes (Who? When? Which software? Which processing steps?) that is updated with few gaps.

Watermarking. Invisible watermarks (e.g. synthesis watermarks in image/audio/video or probabilistic token signatures in text) mark AI outputs without affecting the user experience. They facilitate the scale detection of synthetic media, but are technically vulnerable: strong compression, cropping, re-sampling, noise or translations can weaken detectability. Robustness increases when watermarks are systematically combined with provenance signatures and trust cascades.

Cryptographic signatures. Digital signatures link provenance data and hashes of the asset to a clearly identifiable issuer (e.g. publisher, sender, camera manufacturer, authority). The use of recognized trust services makes legal sense: qualified electronic seals (for organizations) or qualified time stamps according to eIDAS. This turns a mere “technology trace” into proof with legally presumed integrity and temporal accuracy.

Blockchain/distributed ledger. A chain is not an end in itself. Its added value lies in a neutral, unchangeable reference register: hashes and verification data are written on-chain in real time so that any subsequent manipulation of the file is noticeable as hash divergence. Three patterns are practicable: (1) public ledger as a global, auditable time anchor; (2) permission-based company/industry ledger with governance rules; (3) hybrid models (public time anchor, private detailed storage). The decisive factor is the binding nature of time and identity, not the choice of “public vs. private chain” as a question of faith.

Verification. Consumer and editorial workflows need simple checks: Upload file or submit URL, tool reads C2PA manifest, verifies signature chain, compares hash with blockchain, checks timestamp and seal. Result: “occupied”, “occupied, but after processing” or “not occupied”. API-based ingest checks are useful for platforms before virally distributed content is algorithmically “promoted”.

Legal framework: Copyright, personal rights, DSA, AI Act and eIDAS

Copyright law. Deepfakes often infringe exploitation rights (reproduction, making available to the public) and ancillary copyrights. Restrictions such as quotation or parody apply narrowly. Provenance helps with the assessment in two ways: (a) legitimization of own distribution with a documented chain of rights; (b) invalidation of unjustified takedown claims if chains of manipulation can be proven. When drafting contracts, the following applies: clearly regulate rights and processing clauses (including AI processing, remixes, training), record obligations to provide evidence and logging.

Personal rights and KUG. Non-consented deepfakes can violate the general right of personality and the right to one’s own image (Sections 22 ff. KUG). Provenance makes it easier to quickly draw the line: if a video is demonstrably synthetically produced, the legal assessment shifts from image rights to infringement of personality rights through manipulation. Reputational and injunctive relief claims remain unaffected; evidence accelerates measures.

DSA obligations. Very large platforms/VLOPs must assess and effectively mitigate systemic risks (e.g. disinformation, manipulative content) on an annual basis. Provenance/label signals are suitable mitigation components: upload filters alone are not enough; transparency and proof of origin support complaint and classification processes, reduce overblocking and underblocking and increase auditability.

AI Act transparency. Transparency obligations apply to synthetic or manipulated media: Affected parties must be clearly informed that content has been artificially created or modified; general purpose models are subject to separate copyright compliance and documentation obligations. A standardized “synthetic content” signal in metadata and the user interface is therefore recommended for products, ideally with double protection: Watermark at output level and proof of provenance/signature with time anchor.

eIDAS, qualified evidence and electronic ledgers. Qualified electronic time stamps enjoy the legal presumption of temporal accuracy and data integrity; qualified electronic seals establish the presumption of integrity and correct origin of an organization. In the consolidated eIDAS version, electronic ledgers are also addressed more strongly as a legally relevant evidence infrastructure; a presumption of correct, unambiguous chronological order is provided for qualified electronic ledgers. For media companies, authorities or platforms, this can form the bridge between the technology standard (C2PA) and court-proof evidence.

Evidence and procedural law: from technical evidence to reliable evidence

Evidential value. A hash on a blockchain only abstractly proves that “something” existed at a certain point in time. The evidential value increases considerably if the chain consists of (1) a file hash, (2) a signed provenance manifest, (3) a qualified timestamp and, if applicable, (4) a qualified electronic seal of an identified organization. This creates multi-layered evidence: Who created the recording? Who edited it? When was it published? What edits were made? Has the file been changed since then?

Civil procedural classification. In practice, the path leads via the free assessment of evidence. Qualified eIDAS evidence enjoys legal presumptions; although they can be rebutted, they raise the burden of presentation and proof on the other party. A standard operating procedure is recommended for mass evidence (e.g. thousands of editorial photos/clips): continuous signature and timestamp pipelines, audit-proof logs, emergency key rotation, documentation of tool versions. Notarial or expert confirmations are a useful means of preserving evidence in sensitive cases, but are not always necessary.

Compromised keys and chain forks. Every signature chain is only as strong as its key management. A compromised private key spoils provenance. Therefore: HSM-based key management, role-based approvals, multi-sig for particularly trust-relevant steps, CRLs/OCSP mechanisms for revocation lists, fast key rotation. For public blockchains, fork scenarios and finality (confirmations) must be documented in evidence notes.

Implementation 2025: Roadmap for media, platforms, brands and authorities

Governance. Define responsibilities: Who signs? Who provides time stamps? Who writes on-chain? Who reviews complaints? Who provides third-party access for fact-checkers? Define guidelines for recording devices, editorial systems and release pipelines. Training is required so that editorial teams interpret provenance correctly (e.g. “no manifesto” does not automatically mean “fake”, but “unsubstantiated”).

Technology stack.

1. Select recording/editing tools with C2PA support, store standardized signature profiles of the organization.
2. Automatic hash/sign/timestamp run during export; “first publish on chain” with transaction ID written back to CMS.
3. Operate registries/resolvers: Verification links and public verification services that prove signature chain + chain hash.
4. Activate watermarks (where available) and include them in the QA; test robustness regularly (compression, cropping, re-encoding).
5. Provide interfaces to platforms/fact check networks to make provenance signals usable as a ranking/trust indicator.

Platform integration. Platforms can check provenance signals in the upload process, give preferential treatment to content with a proven origin, route uploads suspected of manipulation to review queues, prominently display “synthetic” notices and automatically activate stricter check profiles in the event of mass events (elections, crises). DSA risk assessments document why which mitigation measure (provenance check, label, attenuation of reach, context panels) was selected and how basic rights are safeguarded.

Contracts. C2PA/signature obligations, watermark policies, eIDAS timestamps and on-chain registration should be contractually stipulated with producers, agencies and influencers. For platform T&Cs, regulations are recommended that prohibit the submission of manipulative deepfakes, promote the provision of correct provenance and make sanctions transparent. Service contracts with tool providers must contain audit, security and interop clauses.

Data protection. Provenance may contain personal data (e.g. device IDs, location, creator IDs). Data minimization, purpose limitation and pseudonymization apply. Journalistic exceptions must be observed for editorial contexts; there are special standards for official use. Transparency layers for data subjects and clear retention periods must be planned.

Limits, targets and disincentives

Technical limitations. Watermarks can be weakened or removed; C2PA metadata can be lost during re-encoding; hash comparisons fail with the smallest changes if no robust perceptual hashes are used. Artificial “provenance forgeries” are possible if attackers use compromised keys or set up a fake workflow before the first anchoring.

Ecosystem boundaries. Provenance is only useful if it is widely verified. Lack of end device and platform support slows things down. Interoperable standards, broad manufacturer integration (cameras, smartphones, editing software) and neutral, trustworthy verification services are needed. One-sided, proprietary solutions create lock-in and undermine credibility.

Governance gaps. Without uniform label and provenance semantics, there is a risk of “label proliferation”. Legally, there is a risk of selective or discriminatory moderation. Transparent guidelines, comprehensible review processes and documented balancing of fundamental rights provide a remedy. Independent audits and external observers should be provided for high-risk phases (elections).

Economic disincentives. If reach is exclusively linked to “proven provenance”, investigative or sensitive content without technical evidence will fall behind. Platforms must therefore not automatically devalue “unsubstantiated”, but also allow context modules and factual counter-evidence.

Practical guide: eight steps to resilient content authenticity

1. Define target image: What proportion of the content should be published with Provenance? Which product areas show the label?
2. Select devices and tools: C2PA-enabled cameras/apps, signature profiles, HSM support.
3. Automate signature and timestamp pipelines; integrate qualified trust services.
4. Select on-chain anchor: public time anchor + internal ledger; write transaction IDs back to CMS.
5. Provide verification: internal QA, public check page, API for partners.
6. Add watermarks, measure robustness continuously; combination with detectors for unused content.
7. Document DSA, AI Act and data protection compliance; annual reviews with audits.
8. Prepare incident response: Key compromise, corrections in manifest, revocation/block lists, communication plan.

Conclusion

Blockchain does not solve deepfakes on its own. It will only be effective in combination with provenance standards, signatures, time stamps, watermarks, platform processes and clear legal obligations. Those who rely on C2PA manifests, eIDAS-supported proofs and a traceable on-chain register in 2025 will improve the evidential value, moderation quality and trustworthiness – without stifling legitimate content. The key is interoperability: a mix of technologies that can be verified, legally docked and actually used in editorial offices and on platforms.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.