The Proof's in Your Pocket: Proofmode inside Signal
The Proof’s In Your Pocket
What could authentication data look like in your favorite messaging app? We built an easy-to-deploy secure camera for crowdsourcing documentation of Ukrainian schools by integrating ProofMode with the popular Signal messaging app.
Basile SimonReading Time: 5min
Prototypes
Share
Contents
Background
Background
In response to the large-scale invasion of Ukraine by Russia, the collective response of the Lab was to start a broad project cutting across all of our three research areas: Journalism, Archiving, and Law. Under the project called Dokaz (“Доказ”, Ukrainian for proof), a loose coalition of organizations have shared material and ideas related to the support of Ukraine against aggression. In the context of this new large-scale conflict, documentation has been a cornerstone concern of our research into the creation of stronger digital material:
- The Lab’s law program led the submission of originally-collected field and remote evidence to the International Criminal Court;
- On the journalism side, we have supported the first demonstration of at-source cryptographic authentication, directly in-camera, for Reuters photojournalists;
- And we have prototyped the integration of metadata-rich, authenticated photography in Signal Messenger, most notably for the use case of crowdsourced citizen documentation.
Quite a few of these projects were aimed at professionals and specific uses of information. However, as the specter of deepfakes gives way to the arrival of mainstream photorealistic generative AI, we are faced with even faster-moving challenges that require us to consider how new camera hardware, software, standards, and user experience (UX) can help establish what is an accurate depiction of the real world. This challenge concerns everyone, extending to our day-to-day consumption of media. Simply put, in the near future, just seeing digital photos may not be a reliable means of believing them.
In order to make digital proof more accessible, we set out to incorporate a powerful authenticity tool called ProofMode with a popular communications tool likely already in your pocket – Signal Messenger.
Our collective thanks go to the project partners:
- The team at Guardian Project (makers of ProofMode), who work tirelessly to bring their ideas to the world from the ground up, driven by the “right” approach and choices, with free and open software.
- Our collaborators and Dokaz <link> members Hala Systems, who provided the operational framework ensuring the support of the photographers, notably by red-teaming the risk assessment.
- Our local photographers in Kharkiv who once again went out to document their city.
- The Forté Group, who provided ad-hoc engineering resources for the integration delivery.
- The Signal team, who kindly heard our pitch for adopting this approach, and makes their code open-source for others to build on.
- And finally, the entire Starling Lab team, involving notably Basile Simon on project direction, engineering management and in-country deployment; Alisha Seam on technical advice to the prototype; and Yurko Jaremko on operating the preservation pipeline.
Contents
Context
FrameworkTechnologyLearningsArchive
Context
The first investigations Starling Lab supported in Ukraine were related to attacks against schools in the city of Kharkiv. With our grounding in higher education, we found the words of residents and witnesses especially disturbing:
“Where will the kids go to learn? Can they actually bomb these places?”
To address potential disinformation by Russia, the work of our legal team was to investigate and confirm that facilities had not been co-opted by Ukrainian military personnel – an after-the-fact task fraught with challenges.
In support of the Safe Schools Declaration, an initiative joined by over 100 countries, we sought to empower local communities to lead or crowdsource their own preventative documentation of schools. This entailed frequently visiting campus surroundings in order to document the absence of armed forces and thus the schools remain protected under international humanitarian law.
As a pilot, we organized two weeks of regular “rounds” at several schools in Kharkiv by designated photographers, who were tasked to document the surroundings and insides of the schools. This approach followed recommendations of the Declaration to “make every effort at a national level to collect reliable relevant data on attacks on educational facilities, on the victims of attacks, and on military use of schools and universities during armed conflict,” as well as its numerous guidelines, which in short recommend that armed forces of a country at war never use schools or educational facilities.
However, broadening the pool of documenters poses questions regarding how easily they can adopt technologies with robust authentication features. Our research questions turned to tool ease of use and accessibility with minimal training – important as we seek to understand the burdens placed on both the viewer of authenticated media and the creator.
The pilot deployment of this prototype was trialed in January 2023 in Kharkiv, where Starling engaged with two local photographers. They were able to go in the field only with their Android smartphones. Our prototype app was side-loaded into the phone through a custom APK. This setup permitted them to both preserve their message history and contacts, as well as to file their photographs with the Starling Lab.
The field work was completed in time to present the Lab’s findings and methodologies in a joint submission with Hala to the United Nations Special Rapporteur on the right to education, as well as in thematic presentations at the World Economic Forum 2023.
Contents
Framework
Framework
The Challenge
This project’s aims were two-fold:
- Can we devise a lightweight solution permitting the secure capture and transport of authenticated photos and videos?
- What could a user interface presenting contextual and authentication information look like, inside a social messaging application? What data points, if any, further a person’s trust in what they’re seeing?
These questions demonstrate our commitment to approach information systems with the perspective of Authenticity-by-Design.
Contents
Framework
The Prototype
ProofMode is a software and smartphone app for authenticated media capture, developed by the Guardian Project, Okthanks and WITNESS. It was already used in several of our Lab’s projects when they released it as a software library for integration into any app. This spurred us to build a proof-of-concept combining its technology with a fork of the code for Signal Messenger. Signal is a popular global messaging service known for offering end-to-end encryption and open source code, and has also been used in Lab projects for secure communications and media transport.
At its core, ProofMode reverses a common approach to combating misinformation and deepfakes. Rather than identifying and debunking the authenticity of fake content, ProofMode promotes trust in what is genuine by providing a means to strongly authenticate the multimedia it generates. It accomplishes this by backing up numerous records of metadata, which come in as corroborating pieces of information supporting media captured in the field. In short, ProofMode helps users to trust the real rather than questioning the fake.
By incorporating the recently-released libProofMode library, we were able to introduce a streamlined experience natively within Signal to create verifiable, provenance-laden media using the app’s camera function.
The resulting app enabled us to deliver strongly-authenticated photographs with industry-leading privacy for both sender and recipient. As a system, multimedia content could be authenticated at the point of capture on a smartphone, then later verified by a recipient. It utilizes enhanced sensor-driven metadata, hardware fingerprinting, cryptographic signing, and third-party notaries to enable a pseudonymous, decentralized approach to the need for chain-of-custody and “proof” by both activists and everyday people alike.
Contents
Technology
Technology
Capture
Strongly-authenticated photographs are captured directly in the custom Signal app. Tapping the in-app camera icon opens the camera, and the resulting captured media is co-located with surrounding metadata through the integration of ProofMode.
Ahead of capture and upon loading the app on the phone, a digital identity was created through the generation of an OpenPGP key pair unique to the app / device combination. This key pair is used to sign the ProofMode data files, and this signature in turn permits later attribution of a ProofMode bundle to a person who would have custody of an OpenPGP key pair.
By default, ProofMode collects the following surrounding metadata at the moment of capture: hash of the capture media, information about the phone / device used, information about the device connectivity including nearest cell tower environment, device IP address, GPS coordinates and accuracy thereof, timestamp of the geolocation, and a Google SafetyCheck signature of the media attesting the integrity of the Android environment which ran the app.
The media hash is cryptographically registered on OpenTimestamps (a process ProofMode also calls “notarization”). The resulting anchoring on the ledger permits the demonstration that “this media existed at this time.”
After capture, the photograph and its associated ProofMode bundle are shared with a contact or group on Signal, following the app’s native UI and workflow. The resulting bundle of data is, at the moment of consisting of the photograph and its surrounding metadata, including the above timestamping receipt,is hashed and cryptographically signed
Each media shared this way is followed by an automated MobileCoin transaction, with a memo field containing the first 16 digits of the hash value of the ProofMode bundle (called “proof hash”). This permits the recipient to confirm that the ZIP shared with them is the one the sender meant to send, by comparing the hash of the data received with the hash registered on MobileCoin by the sender. MobileCoin is a micro-payments system and cryptographic ledger natively available in Signal Messenger.
For the specific purposes of this project and prototype, these features can complete Signal’s feature set: to not only encrypt, but also authenticate self-generated assets using cryptographic hashes and signatures. By embedding these road-tested tools natively in the app, they can protect and notarize photos at their source so they have a better chance of being trusted as they move through chaotic information environments.
Store
This project focused on the Capture and Verify phases, without requiring integration of a long-term preservation strategy for the multimedia assets. Beyond proof of concept and prototype however, routine storage considerations were addressed:
The files shared by the in-country team with Starling were automatically validated upon receiving them by our Signal signald client. Custody of the files was asserted and matched to the photographer’s previously-provisioned JSON Web Token (JWT). After these authenticated bundles were validated, they were preserved and encrypted at rest in Starling’s storage pools.
Non-critical metadata (hash values of the media and bundles) was registered on cryptographic ledgers, acting as immutable third-party record holders and timestamp anchors. This included the Numbers blockchain, Avalanche, and the International Standard Content Number through LikeCoin.
Verify
We designed a bespoke user interface inside Signal’s conversation view to demonstrate what surfacing contextual metadata about photos shared in-app could look like for all users. This data comes from Proofmode’s own surrounding environment metadata snapshots, as well as from several third-party record holders (called notaries by ProofMode).
A key element of the demonstration of non-tampering of the files is the aforementioned distribution of integrity data on third-party distributed (and immutable) ledgers, thus permitting verification of hash values and signatures at a later stage by means of comparing the present file hash with expected values registered with third parties.
While our use case involved communicating with an automated Signal client, we designed a rich verification and inspection UI into Signal Messenger. Both sender and receiver are presented with metadata in their normal conversation thread. Further metadata, including hashes and cryptographic signatures are displayed in a separate “See more” screen.
This visual layer of verification, and the inclusion of the micro-transaction on MobileCoin, provides an accessible, very present tool presenting background information about the shared media.
Contents
LearningsArchive
Learnings
Ease of use
Leveraging the widely tested and familiar user experience of Signal resulted in a prototype that was intuitive for users. The response was dramatic. Investigators in the field, lawyers, and in particular, leaders at the Department of State, indicated to us that direct Signal integration could be transformative for non-governmental organizations and citizen journalists.
Nathan Freitas, Director of Guardian Project and the ProofMode team, has over twenty years of experience providing digital security tools and training for human rights defenders around the world. He said: “Activists and journalists are already burdened with intense physical and digital threats through their work. Asking them to learn a whole new app often can be too much, or put them at more risk. Integrating provenance and authentication features into Signal means they get more benefit from an audited, vetted app most of them already have and rely upon everyday. Less is more!”
A best practice?
Starling Lab made a submission to officials at the UN’s Human Rights Council which outlined the work enabled by this prototype. The Special Rapporteur on the Right to Education<internal link> noted to the Council that our efforts, along with collaborator Hala Systems, was an emerging good practice for documenting evidence.
At the World Economic Forum in January 2023, Starling presented the project as a means to illustrate the need for the continuation of this documentation effort – itself made possible partly by the easy deployment of a top-tier documentation tool.
Cost of maintenance
There are rolling costs to keeping the fork up-to-date with Signal changes and potentially ProofMode itself. Lagging behind means being shut out of the Signal main network. These are important factors to consider when starting an initiative beyond the prototype stage.
Contents
LearningsArchive
Archive
Materials related to this case study are under review and kept private for now.
Evidence Collection & Consent
Law
A verifiable ingestion framework designed to transform multimedia submissions from secure messaging apps into court-admissible evidence.
By integrating decentralized chatbots with platforms like Signal and Telegram, it establishes a tamper-evident chain of custody that cryptographically binds media to the explicit, informed consent of the source.
This approach bridges the gap between high-risk field documentation and the rigorous evidentiary standards of international justice mechanisms, ensuring that humanity’s most critical records remain legally robust and ethically sound.
YEAR
2022
PARTNERS
Guardian Project
ProofMode app
Signal
Telegram
The Problem
Digital media captured in high-stakes environments, such as war zones or human rights crises, may be required to meet the evidentiary standards required for criminal trials. While photos and videos are persuasive, they often lack a verifiable “chain of custody”. Traditional messaging services routinely strip critical metadata to protect privacy; however, this decontextualization makes it nearly impossible for investigators to prove origin or authenticity once the file leaves the original device.
Furthermore, without documented, informed consent from the source, such records are often deemed inadmissible, leaving critical survivor testimonies legally invisible.
The Solution
Starling developed a chatbot, integrating with secure messaging services like Signal and Telegram, to automate the authenticated collection of digital evidence. When a source sends media to the bot, the system instantly generates a cryptographic fingerprint (SHA-256 hash) and seals the file alongside its associated metadata in a tamper-evident archive.
Crucially, the bot leads the documenter through an interactive back-and-forth to record the informed consent of the sender at the moment of ingestion. This consent is cryptographically bound to the media’s unique hash, creating an immutable record of usage permissions. This authentication layer ensures that crowdsourced evidence can be prioritized, processed, and examined by international prosecutors with its legal and ethical integrity fully intact.
GOING FURTHER
Case Study: Building ProofMode as a Library in a custom, bespoke Signal build
Secure Enclave Signing
Law
This prototype establishes a hardware-based root of trust for digital media by cryptographically sealing assets inside a device’s protected silicon environment. It shifts the security boundary from vulnerable software to dedicated cryptographic processors, ensuring that signing keys remain inaccessible to external threats and that every asset is tied to an immutable hardware identity.
By anchoring provenance at the absolute point of capture, it creates a foundational “proof of origin” that is resilient against both digital manipulation and systemic distrust.
YEAR
2022
PARTNERS
HTC
Numbers and the Numbers Protocol
LINKS
– HTX Exodus 1S Phone
– The Starling Framework
The Problem
The ideal environment to manage digital signing is a cryptographic processor within the capture device, where the keys are never revealed and the system will only sign data within a predefined pathway. This ensures all authenticated data carrying a signature by those keys are unambiguously originating from the capture device. Unfortunately, hardware secure enclaves and similar technology, are not widely included in professional capture devices, or implemented with sufficient firmware that supports these digital signing use cases.
JOURNALISM
Anchors in hardware rather than software support shielding reporters from deepfakes accusations, and gives them a digital “negative” as an origin record of their work.
HISTORY
By binding historical records to the unique physical identity of the capture device, it creates a resilient, verifiable archive that ensures the “first draft of history” cannot be silently altered by future actors.
LAW
Hardware-level signing establishes an airtight digital chain of custody and ensures cryptographic keys are physically isolated and never exposed, aiming to meet the most rigorous standards for legal admissibility.
The Solution
Starling Lab’s prototype utilizes Secure Enclaves (isolated cryptographic processors) to generate and store signing keys where they can never be revealed. This implementation creates a tethered workflow, pairing a digital camera with a secure-element-equipped device (such as the HTC Exodus 1S).
As media is captured, the system generates a cryptographic hash that is signed within the hardware’s protected environment, creating a tamper-evident record from the first millisecond of the asset’s existence.
This prototype serves as a technical blueprint for hardware vendors, advocating for a decentralized framework where privacy-respecting key management and data authentication are baked into the physical design of professional tools.
Document Redaction
Law
Establishing a cryptographic seal of transparency for sensitive digital records, moving beyond traditional “black-box” redaction.
Zero-Knowledge Proofs (ZKP) allow investigators to obscure personally identifiable information (PII) while providing a mathematical guarantee that no other part of the document has been altered.
This concept shifts the trust model from requiring blind faith in a publisher’s edits to providing affirmative proof of a document’s integrity, ensuring that critical primary sources remain both ethically protected and legally robust
YEAR
2022
PARTNERS
Stanford Applied Cryptography Group
LINKS
– Case Study: The DJ and the War Crimes
– Presentation from Trisha Datta and Dan Boneh
The Problem
Accountability investigations often rely on digitized primary sources – such as the UN payroll records unearthed in our Bosnia war crimes probe – that contain sensitive PII of individuals not central to the investigation. While redacting this information is a journalistic and ethical necessity, it creates a “trust gap”. In an era of widespread denialism and “cheapfakes,” any manual modification to a source document can be weaponized by bad actors to claim the entire record is a forgery, undermining the evidentiary weight of critical testimonies.
The Solution
In partnership with our principal investigator’s Professor Dan Boneh’s students from the Stanford Applied Cryptography Group, Starling developed a workflow that integrates forensic ingestion with cryptographic proof systems, and managed redactions.
It relies on a Zero-Knowledge Proof that certifies the relationship between the original and the redacted file. This technology generates a mathematical proof that the only changes made to the published PDF were the addition of black boxes over specific pixels. This allows third parties, such as expert witnesses, to “check the math” and verify that no text was altered or deleted, maintaining the document’s integrity while fulfilling privacy obligations
JOURNALISM
Verifiable Redaction allows newsrooms to protect the privacy of vulnerable bystanders without sacrificing the credibility of their reporting. By providing a cryptographic guarantee that only specific PII was obscured, journalists can defend their primary sources against bad-faith accusations of manipulation.
HISTORY
This technology safeguards the sanctity of historical records by ensuring that “anonymized” archives remain verifiable links to the past.
LAW
Verifiable Redaction establishes a court-admissible chain of custody for documents containing sensitive material. ZKPs benefit can facilitate the verification of proprietary forensic software, complex discovery datasets, and sensitive testimonial claims without compromising the underlying trade secrets or personal privacy that often create insurmountable disclosure dilemmas.
Distributed Storage
Law
A decentralized infrastructure designed to ensure the long-term persistence and auditability of digital records by stripping centralized platforms of their outsized control over information.
Moving beyond fragile cloud silos, it cryptographically seals media and metadata across independent, multi-jurisdictional networks .
This framework shifts the preservation paradigm from blind trust in a single provider to a “proof of existence” model, where automated audits continuously verify that data remains untampered, replicated, and accessible .
YEAR
2021-25
PARTNERS
Filecoin
IPFS
Storacha
USC Libraries
The Problem
Traditional storage models rely on centralized cloud providers and social media platforms that exercise absolute authority over the availability and integrity of digital content. This creates a single point of failure: critical historical records can be silently modified, deleted due to shifting terms of service, or lost in jurisdictional disputes.
Standard databases also lack the transparency required for “chain-of-custody” documentation, making it difficult for archivists to prove that a file has not been altered since its initial preservation .
LINKS
– Case Study: Preserving 70 Years of Testimony with the USC Shoah Foundation
– Preserving Armenian Cultural Heritage on the Decentralized Web
– “Mom, I See War”, a collection of drawings from Ukrainian children, preserved on decentralised storage
The Solution
Starling Lab leads the world’s first academic center dedicated to using decentralized tools to advance human rights, backed by a multi-million dollar commitment from Protocol Labs and the Filecoin Foundation. We have moved beyond theoretical prototypes to large-scale implementations that safeguard humanity’s most sensitive digital records.
Our collaboration with the USC Shoah Foundation permanently preserves an archive of 55,000 video testimonies from genocide survivors. In tandem with the USC Digital Repository, a service of the USC Libraries, we run a 22-petabyte Filecoin node at USC – just one part of the Libraries’ deep expertise in preservation and archiving.
By housing this node within a leading research university, we combine the innovation of Web3 protocols with the rigorous preservation standards developed over decades by archivists and librarians.
Witness Servers
Law
Establishing institutional trust and technical corroboration for web evidence through decentralized, simultaneous crawling and cryptographic signatures.
YEAR
2024
PARTNERS
Webrecorder
FFDW
Harvard Library Innovation Lab
LINKS
– Concept note and Call for Contributions
– Our whitepaper on best practices in web archiving
The Problem
Minute, technical, cosmetic errors plague efforts of open source monitors who scour the Web and archive its content. In the context of legal investigations, these minor defects are considerable challenges to the reliability of the artifacts, and thus to the facts they aim to prove. Moreover, small organizations and individual investigators face a greater burden in arguing the probative weight of the material they collect than large, reputable, and established institutions.
The Solution
We are developing the Witness Server prototype To replicate social trust in digital capture by involving reputable institutions as simultaneous observers of the web.
In short: a Witness Server is a service hosted by an institution that conducts on-demand web crawls. When a researcher initiates a local capture, a request is simultaneously dispatched to several partner Witness Servers (such as Harvard LIL or the Atlantic Council). Each institution performs its own crawl independently using its own infrastructure, creating a multi-perspective record of the same web content at that exact moment.
The prototypes follow all our learnings about web archives, Including the use of the WACZ open source format which bundles signed and hashed files.
By comparing multiple institutional archives, investigators can explain away non-material “cosmetic” defects (like pop-up banners) and provide overwhelming proof of the core content’s authenticity.
REFERENCE IMPLEMENTATION
On Github →
Still Photogrammetry
Law
Still Photogrammetry integrates authenticated metadata with 3D spatial reconstruction to provide a verifiable record of physical environments and historical sites.
By utilizing a decentralized framework where every source image is treated as an independently verifiable “atom” of fact, this prototype allows investigators to build unalterable, three-dimensional timelines of evidence. It anchors complex digital twins to a cryptographic “proof of existence,” proving that the spatial data has not been tampered with since the moment of capture and restoring trust in digital primary sources for law and journalism.
YEAR
2022-26
PARTNERS
Mike Caronna
Pixelrace
Artem Ivanenko
LINKS
The New Horizon Lab
Starling Lab’s Spatial Digest
The Problem
Techniques such as photogrammetry (and more recently, NeRF and Gaussian Splatting) permit the reconstruction of a space in 3D, from stitching together 2D photographs. These tools are key to both extended reality environments and to investigations driven by architectural practices. However, integrity and provenance data is lost in the computing that renders the 3D models.
The Solution
Starling experiments with capture techniques supportive of 3D reconstruction while including provenance and integrity markers. From using smartphones to professional DSLRs, we test the technical constraints against the needs of photogrammetry workflows, which require a large amount of photographs of the scanned location.
Furthermore, we are also prototyping virtual UIs in virtual reality aiming to bridge the gap between what the viewer can see (the 3D model) and the original location (as per the 2D photographs). The viewer can navigate the space and select these authenticated “anchors” to interrogate the model, furthering their trust in the reconstruction.
SELECTED WRITING
Our 2025 paper: Verifiable Reality: Contrasting Approaches to Photorealistic VR Using NeRF Streaming and Gaussian Splatting Technologies
SD Card Encryption
The Problem
Losing control of data can happen when journalists, historians, or legal experts least expect it. SD cards can be seized during border crossings, left behind in a taxi, or stolen from a hotel room. Evidence that has been captured on an SD card, and which has not yet been anonymized, might carry geolocation or identity information that can lead authorities or militants to vulnerable people being photographed or interviewed. Another risk to unencrypted data on an SD card is that it could be manipulated undetected when not in one’s possession, with files erased or modified.
Prototypes are being tested by Starling Lab that both encrypt and hide important data captured by those in the field.
The Solution
Starling Lab is collaborating with industry partners including Swissbit, a leader in secure storage, to deploy hardware-encrypted SD cards that protect media the moment it is written to disk. This prototype ensures that digital assets are secured independently of the camera’s software vulnerabilities.
The solution creates an “encrypted tunnel” between the camera lens and the storage medium. Swissbit’s hardware-based encryption automatically protects image and video data without requiring additional software on the capturing device, ensuring that media cannot be manipulated or viewed in transit.
To protect the safety of practitioners in the field, the prototype relies on hidden partitions on the SD card. Sensitive files are stored in a manner that makes them impossible for unauthorized parties to discover or decrypt (even if the physical card is seized and inspected), while providing a critical layer of plausible deniability.
ProofMode Authentication
Law
Experimenting with the integration of lightweight, forensic-grade verification into secure messaging workflows.
YEAR
2022-23
PARTNERS
Guardian Project
Hala Systems
Signal Messenger
LINKS
– Case Study: The Proof’s in your Pocket
– From the Guardian Project team: Integrating libProofMode
The Problem
Citizen-captured photos and videos are becoming powerful reporting tools. But faked footage, or footage with missing crucial context, threatens to break the trust between a newsroom and its audience. Professional journalists thus need to be able to vet the footage captured by citizens to ensure that the files sent in by citizen journalists are authentic and accurate representations of the depicted event.
The Solution
ProofMode (developed by the Guardian Project) promotes trust by providing a means to strongly authenticate multimedia at the point of capture.
We were the first to experiment with its distribution as a software library, under the name libProofMode. Starling Lab developed a bespoke fork of Signal Messenger that embeds authentication as a native feature. Users of this custom app can snap photographs directly within the app, which automatically generates a unique OpenPGP key pair to sign the media and its surrounding sensor metadata, including location, time, and cell tower environment.
At capture, media hashes are automatically registered on OpenTimestamps to create a “proof of existence” on the Bitcoin ledger. To ensure secure transport, every file sent via Signal triggers an automated MobileCoin micro-transaction; the first 16 digits of the “proof hash” are embedded in the transaction memo, allowing the recipient to cryptographically verify that the file received exactly matches the file captured in the field.
To reduce the burden on legal and journalistic investigators, the prototype features a visual layer of UI inside the Signal conversation view. Both sender and recipient can instantly surface contextual metadata snapshots and check them against immutable third-party record holders, such as the LikeCoin or Avalanche blockchains. This “glass-to-glass” approach ensures that technical authenticity markers are accessible and legible to the field practitioners who need them most.
HIGHLIGHT
In response to the shelling of Kharkiv’s schools, Starling Lab launched Project Dokaz (“Proof”). Local photographers were equipped with the custom Signal app to conduct “preventative documentation” in support of the Safe Schools Declaration. By capturing regular rounds of authenticated imagery, the team was able to verify the absence of military co-option at these sites, confirming their protected status under international law.
Read mode about Project Dokaz →
Companion Secure Enclave Authentication
Law
Companion Secure Enclave Authentication provides a “secure bridge” for professional photojournalism by tethering standalone cameras to mobile devices with hardware-level security. By pairing a professional camera with a smartphone’s secure enclave (such as the HTC Zion Vault), this prototype establishes a root-of-trust for images that traditional cameras cannot natively sign.
This method ensures that every photo is cryptographically sealed with a unique digital signature and sensor-rich metadata at the exact location and time of capture, creating an unalterable record of reality.
YEAR
2020-24
PARTNERS
HTC
Inside Climate News
Bay City News
Numbers
The Problem
Most professional cameras used in the field lack the internal hardware necessary to cryptographically sign assets or protect signing keys. Without a tamper-evident seal, digital photographs and their metadata (such as GPS and timestamps) are vulnerable to manipulation by AI tools or bad actors.
As these unverified images circulate, they lose their essential context, making it nearly impossible to determine the original version or defend against cheap- or deepfake allegations that distort the facts reported by photojournalists.
The Solution
Starling Lab pioneered a workflow that utilizes the hardware secure enclave of a companion smartphone to sign media from high-end cameras.
By tethering a professional camera (such as a Canon R5) to an HTC Exodus 1S phone via WiFi or USB, the Starling Capture app (co-developed with Numbers) instantly receives captured media. The phone’s Zion Vault hardware-secured signer then generates a cryptographic hash of the image and its associated sensor data (barometer, gyroscope, and GPS), sealing it with a private key that never leaves the device’s protected silicon.
CASE STUDIES
Stockton Homelessness: In 2022, Bay City News photojournalists documented the homelessness crisis in Stockton, CA, using Canon R5 cameras paired with HTC devices. These “authenticated time capsules” provided a verifiable record that challenged official statements and misinformation surrounding local funding disparities.
Brazil Pantanal: Photographer Felipe Albarenga documented the 2020 wildfires in the world’s largest wetland. By using the companion secure enclave, Albarenga created a tamper-evident archive of the devastation that could withstand the propaganda and denialism prevalent during the Brazilian presidential election.