TheBirthmark Standard Foundation

The Birthmark Standard is designed to never need investigations. Camera compromise requires ~$100K-$1M per device. But we need a response plan for state-level attacks and credibility challenges. This documents our contingency—transparent safeguards for Coalition members, privacy advocates, and journalists evaluating the system.

Financial Barriers

$500 claim fee, forfeited if rejected. $1,000 total return if camera blacklisted ($500 refund + $500 bounty). Makes frivolous claims expensive while rewarding legitimate concerns. Any Coalition Member can waive fees for credible cases.

Technical Evidence Required

Coalition contracts professional photography forensic analysts (e.g., Bellingcat). Claims require claimant to submit the image file. Analysts examine images for specific measurable anomalies: noise pattern inconsistencies, impossible lighting geometry, metadata violations, sensor artifact mismatches. "This looks suspicious" gets rejected immediately. Foundation never sees submitted images—only image hashes if committee approves action.

Enhanced Protections for High-Risk Contexts

Regions on CPJ's Global Impunity Index or active conflict zones require:

• Unanimous vote (3 of 3, not 2 of 3)
• Mandatory consultation with press freedom organizations (RSF, CPJ)
• Higher evidence threshold (multiple independent anomalies)
• Expedited appeals (7 days vs. 14 days)
• Escalation rights to full Coalition vote if consultation ignored

Distributed Control

Submission servers encrypt transaction logs after posting to blockchain. Decryption keys are stored on different geographic submission servers with rotating key schedules—each time window requires a different server for decryption. This prevents any single server compromise from revealing historical transaction data and requires sequential attacks within rotation windows.

Limited Consequences

Only Transaction ID is posted to Public Revocation List. Manufacturers handle device blacklisting internally by referencing the PRL against their own logs. Foundation and Coalition never see camera serial numbers. Historical images remain authenticated—blacklist blocks future submissions only. Successful appeals completely remove Transaction ID from PRL (no "reversed" notation).

Transparency & Sunset

Annual public reports (claims, blacklists, appeals, geographic distribution). Any Coalition Member can access investigation materials. Five-year recurring review with option to sunset investigations if Coalition determines capability has become harmful or unnecessary.

1. Claim Submission: Claimant submits $500 fee + suspicious image + technical justification
2. Forensic Analysis: Coalition-contracted photography forensics analyst examines the submitted image for technical anomalies (noise patterns, lighting geometry, metadata violations). Delivers verdict to committee. Foundation never sees the image.
3. Committee Review: 3-member committee reviews forensic analysis. Rejected if no specific technical indicators.
4. Committee Vote: 2 of 3 (standard contexts) or 3 of 3 (high-risk contexts requiring unanimous approval)
5. Transaction ID Lookup: If approved, committee sends only the image hash to Foundation. Foundation decrypts relevant transaction log to identify Transaction ID.
6. Public Revocation List: Foundation posts Transaction ID to PRL with technical justification. No camera identification revealed.
7. Manufacturer Blacklisting: Manufacturers reference PRL against their own internal logs and blacklist associated device fingerprints. This happens independently—Foundation and Coalition never learn camera serial numbers.
8. Appeal: Device owner (if they learn of blacklist from failed submissions) can appeal. Independent expert review, committee vote. During appeal, owner can submit hashes of critical images for immediate authentication.
9. If Appeal Succeeds: Transaction ID completely removed from PRL, no public "reversed" notation.

Can investigations identify photographers?

No. Investigations only reveal Transaction IDs posted to the Public Revocation List. Manufacturers handle device blacklisting internally by referencing the PRL against their own logs. The Coalition, Foundation, and submission servers never learn camera serial numbers. Manufacturers may not have purchaser records (secondhand sales, gifts). System designed so no entity correlates "this person took this photo" without already possessing the image.

What protects photographers in dangerous regions?

CPJ Index regions and conflict zones get unanimous vote requirement, mandatory press freedom org consultation, higher evidence threshold, expedited appeals, and escalation rights. Investigations never reveal photographer identity, specific camera serial numbers, content, or location—only Transaction IDs on the PRL. Manufacturers handle blacklisting internally based on their own logs.

Investigation and editorial freedom

Images can only be investigated if shared with claimants who submit them for forensic analysis. At that point, risk equals existing forensic services (anyone can submit to FotoForensics today). Investigation doesn't reveal photographer identity or specific camera—only posts Transaction ID to PRL for manufacturer reference.

What prevents governments flooding with false claims?

$500 non-refundable fee per rejected claim. Claims need professional forensic evidence before reaching committee. "This makes us look bad" gets rejected at preliminary review, fee forfeited.

Device blacklist appeals

Device owners who discover blacklisting (via failed future submissions) can appeal. Submit hashes of critical images immediately (authenticated while appeal proceeds). Provide technical explanation. Independent expert reviews forensic evidence. Committee votes (2 of 3, max 14 days; 7 days for high-risk contexts). If successful, Transaction ID completely removed from PRL with clean records. Coalition Members can expedite for photographers in high-risk contexts.

What prevents scope creep?

Coalition consists of journalism/press freedom orgs (NPPA, CPJ, RSF, IFCN) whose mission is protecting against surveillance expansions. Using investigations for non-technical purposes is explicit grounds for removal per Governance Charter. Annual public reports enable external monitoring. Five-year sunset reviews acknowledge this may not always be necessary.

Can governments compel cooperation?

Manufacturers handle device blacklisting internally—they can reference the PRL but Coalition never learns camera identities. Accessing encrypted transaction logs requires compromising multiple geographically distributed submission servers within key rotation windows. Government compulsion of Coalition nodes triggers removal, not compliance (per Governance Charter). Transaction IDs on PRL don't reveal photographer identity or which specific camera without manufacturer cooperation.

Why is this necessary?

If compromised cameras can mint valid certificates for AI-generated images indefinitely, the system becomes worthless. The alternative is accepting a single breach authenticates unlimited fakes forever. Question isn't "should investigations exist?" but "how do we make them as safe as possible while maintaining integrity?" This framework balances system credibility with photographer protection.

Transparency: Annual public reports enable external monitoring.

Accountability: Any Coalition Member can access materials and escalate decisions.

Adaptability: Five-year reviews with sunset option as threats evolve.

Trust: Journalism orgs govern this system. If they determine investigations have become surveillance tools, they can vote to sunset the capability.

Questions? contact@birthmarkstandard.org