Why C2PA Isn't Enough | Elacity Labs
C2PA tells you where a file came from. It does not tell you who can use it, on what terms, or who gets paid when an AI ingests it. Provenance without property rights is just a more efficient indexing pipeline for scrapers — and a surveillance loop for creators.
Why C2PA Isn't Enough: Provenance Without Property Is Just Surveillance
Adobe, Microsoft, the BBC, OpenAI, and every major camera maker have signed on to C2PA — the standard that stamps every digital file with a cryptographic record of where it came from.
It is a real achievement. It is also dangerously incomplete.
Provenance tells the world where a file originated. It says nothing about who can use it, on what terms, or who gets paid when an AI ingests it. Strip out property rights, and content authenticity becomes the most efficient indexing pipeline AI scrapers have ever had.
The Trust Crisis Is Not a Detection Problem
We have entered the post-truth era. Deepfakes double every six months. Half of all web traffic is non-human. The line between recorded events and synthetic hallucinations is gone. We covered the underlying dynamic in The Post-Truth Internet.
The industry's reflex has been detection — build models that catch other models, watermark images, scan for artifacts, rely on platforms to label "manipulated media."
This is structurally doomed. Generators improve faster than detectors. Centralised arbiters of truth are just another form of editorial bias. C2PA was built precisely to escape both traps — and it solves half the problem brilliantly.
Why C2PA Stops Halfway
The C2PA 2.0 specification, finalised in late 2025, is the most rigorous content authenticity framework ever shipped. It creates a tamper-evident chain of custody from camera capture to display, signed by hardware roots of trust.
What it does not do — and explicitly does not try to do — is enforce a licence. C2PA records authorship. It does not record permission.
A scraper can read the C2PA manifest, learn that an image was shot by a working photojournalist, classify it as high-quality verified content, and ingest it into a training set. The manifest does not stop the scrape. It makes the scrape more efficient.
The Surveillance Loop
There is a second, quieter failure: the chain of trust breaks the moment content hits a consumer platform.
A March 2026 platform audit confirmed that Facebook, Instagram, Threads, TikTok, YouTube, and X all strip or re-encode C2PA manifests on ingestion. Some display an "AI info" icon. None preserve the cryptographic credential needed to verify the chain. By the time content reaches the people who need to trust it, the signature is gone.
The result is a surveillance loop:
- Creators sign their work to prove it is real.
- Scrapers use those signatures to index it.
- Platforms strip the signatures so consumers cannot verify them.
- Every player benefits except the creator and the viewer.
The Missing Half: Property Rights
Authenticity without economics is half a protocol. The other half is property. A photograph is not just a fact — it is an asset. An asset needs an owner. An owner needs a way to set terms, refuse access, and get paid.
Elacity exists to ship the half C2PA cannot. The Wealth Capsule wraps a verified file in three layers that C2PA was never designed to carry.
1. The Capsule That Holds the Asset
Inside an Elacity Capsule, the asset is encrypted at rest on the creator's Personal Cloud Compute node. The C2PA manifest can sit alongside it — but it is the cryptographic shell, not the metadata, that controls access. A scraper cannot read what it cannot decrypt.
2. The Contract That Enforces the Terms
Each Capsule binds an Elacity dDRM smart contract that codifies the licence. Commercial use vs personal. One-time vs perpetual. Human reader vs AI training run — priced separately, enforced uniformly, recognised globally. The licence is the file.
3. The Settlement That Routes the Royalty
When the Capsule is used — by a human reader, an LLM training pipeline, a downstream agent — payment routes on-chain to every rights-holder atomically. No invoicing. No three-month collection cycle. No platform skim.
Provenance That Pays
The European Union AI Act's Article 50 becomes enforceable on August 2, 2026. The draft Code of Practice on Transparency names C2PA as the default benchmark for synthetic-media labelling. Non-compliant generative providers face fines up to 15 million EUR or 3% of global turnover.
Every model trainer on Earth is about to need a verifiable source for the data they ingest. They need it for Brussels. They need it for the discovery process in the great AI training data re-licensing. They need it for their own boards.
C2PA tells them where a file came from. It does not tell them what they are allowed to do with it. That is the empty room Elacity is built to occupy.
Verified provenance is necessary. Provenance that pays is sovereign.
Make your work a Capsule on Elacity.