Cloudflare becomes the first major content delivery network to implement Content Credentials
If you use the internet, chances are that Cloudflare’s services have touched your experience. A major content delivery network (CDN), Cloudflare functions a bit like an air traffic controller and a security guard: it’s the reason that many sites and apps can run quickly, efficiently, and reliably, and makes sites safer by protecting them from malicious attacks. Millions of internet properties, comprising about 20% of the web, utilize Cloudflare’s services.
In an enormous step forward for Content Credentials ubiquity, Cloudflare’s service for image optimization and delivery, Cloudflare Images, will now be supporting the Coalition for Content Provenance and Authenticity (C2PA) standard. Cloudflare will also be joining the Content Authenticity Initiative (CAI) as a member.
The journey from when a Content Credential is applied to a file to when it reaches the viewer can be complex. For example, a photographer can use a Content Credentials-compliant camera to attach the digital signature at image capture, and preserve the chain of provenance through the editing process, but the metadata can still be stripped away if it’s transformed by a CDN at publication. Cloudflare Images’s implementation will ensure the last-mile delivery of Content Credentials to the end user when a site owner or content creator opts to preserve them.
“When I joined Cloudflare, this was one of the things I was excited about, because I knew that it was one of the missing ingredients needed to make this system work,” said Will Allen, Head of AI Control, Privacy, and Media Products at Cloudflare. Allen has a deeper relationship than most with the movement for content provenance—before Cloudflare, he was a VP at Adobe, where he helped establish the C2PA and the Content Authenticity Initiative (CAI).
I spoke with Allen about his journey from Adobe and his work in content authenticity to his current role, and what Cloudflare’s precedent-setting implementation means for the CAI’s mission to make the internet a more transparent and trustworthy place for all.
This interview has been edited for length and clarity.
Tell me a bit about yourself, your past life at Adobe, and your transition to Cloudflare.
In 2018, I was at Adobe, and I reported to Scott Belsky when he was the Chief Product Officer at the time. He urged me to look at some initial work from many incredible folks on the Adobe Research team about what was happening with deepfakes, deepfake detection, and easy video creation. We were all blown away, and we knew the world wasn't ready for when these things would become widely available. He said, “We should be doing something here.”
Since then, I’ve had this personal drive to help create a way to establish content provenance. Fast forward to where we are today, and we've seen generative AI transform the world. Through the incredible work of many folks at Adobe and people across industries around the globe, we have aligned on this vision that we can establish and cryptographically verify some level of truth—from photons to pixels, to how they travel across the web. I've never stopped being obsessed with it, because it feels like unfinished business.
We now have cameras from hardware manufacturers, editing tools and software, and digital asset managers with Content Credentials baked into them. That last mile where it actually gets to the user across the web, whether they're on their phone or on their browser—that was missing. Before I even joined Cloudflare, I was pitching them on why they should implement the C2PA standard. Dane Knecht, the SVP of Emerging Technology and Incubation finally said, “Why don't you just come build it?” So that's what I did.
You helped launch the CAI and establish the C2PA. What was that like, and how does your vision for the CAI from 2019 compare with where we are today?
It was an incredible experience, and an incredible amount of work, as it always is when you build something new.
Our first two partners were the New York Times and X, what was then called Twitter. From the day we were able to announce the CAI, we knew that it had legs and it would make an impact. It was just so exciting to see the response that was out there, and to feel like we were peeking into the future that the rest of the world was going to catch up on.
I'd like to think that I fully anticipated everything that would happen with generative AI, and that we saw this coming. But the volume and speed at which the technology is being adopted caught everyone by surprise. Seeing that today just makes me even more passionate about the mission, and more confident in the need for it.
Will Allen speaks at the Adobe Live Symposium Creative Keynote in 2019. Photo credit: Adobe
How does Cloudflare Images implement Content Credentials?
When you deliver an image or video across the internet, there are all sorts of transformations that happen. Maybe you're changing the file format or you're resizing it to accommodate someone on a slow bandwidth. Maybe someone has a huge browser window or they’re using six different monitors. These are common issues that every company has to deal with. But every time you resize an image or transform it from a PNG to a JPG to a WebP or any other format, that is a different transformation that needs to be categorized and signed with Content Credentials. That just hadn't been done, until now.
Our service recognizes the Content Credentials that were attached to the file when it came in, before any transformations are applied. Cloudflare Images users can simply toggle “Preserve Content Credentials” and any embedded Content Credentials will be preserved. What we did in some ways is very straightforward. We basically just provide the option to not strip the metadata away.
This is a major step forward for journalism and media companies, which have a vested interest in maintaining the highest standard of integrity and trustworthiness. What implications could this have for other kinds of industries?
When I was at Adobe, I was fortunate to lead the Behance team. I still love that team and love that product, and thinking about how to empower creators around the globe. Something I always used to say was, “Exposure for your work as a creator, plus attribution so the world knows that it was yours, equals opportunity.”
To me, the potential to provide an attribution solution for creators, and anyone who works with creators, is incredibly exciting. That's something that I have been passionate about for a long time.
Our customers run the gamut from individual developers to the largest of companies, and governments. You can imagine so many interesting future cases: how do you know an official document actually came from a government agency? How do you express your preferences for your content to be used for AI training in a way that stays with the content? How do you ensure a celebrity endorsement of a product really came from that celebrity?
What will this mean for the average person accessing websites and apps in Cloudflare’s network?
That end user experience is really critical, and it’s a key part of our value proposition. We tell customers that their website should be fast *and secure* for users anywhere in the world. Now, you can pair that experience with digital content provenance.
For the average person, imagine seeing a photo of a UFO on a website – and the creator of that image had attached Content Credentials. They can pull that image straight from their browser into Adobe Content Authenticity’s Inspect and find out for themselves if it was taken with a camera or created in Firefly.
There’s no value judgment about that content from us. It’s just about establishing the facts of where an image came from, and it's an opt-in for the website owners and the content creators.
What challenges did you encounter in implementation, if any?
Scale is always an interesting thing when you're working with Cloudflare. Twenty percent of the internet runs through our network, so anytime you're building any system, you need to think big, big, big.
How do you really make this work for not just a couple of people, but across the globe, and incredibly quickly, with all the security baked in? How do you make sure it is opt-in, so media companies and content creators can be in full control of what data gets attached?
So you have to take into account privacy, security, performance and scale. I’m fortunate I get to work with some amazing engineers.
What precedent does your implementation set for others in the CDN space? Do you think your implementation will inspire others in the CDN space to follow suit?
I'm sure it will. One thing that was important to me was that we actually got our implementation live into production so that anyone using Cloudflare Images can toggle this option on. That’s how we’ll learn and continue to refine the product.
I’m constantly asking myself: What are the other features that our users want to see? What features are we missing?
I'm particularly excited about hearing the feedback from more folks about what works well with it and what doesn't, and how we can make it better.
What are your next steps?
We’ve already got a great roadmap for making our implementation work for video. We've already heard from some of our customers asking how we can help them build this earlier into their image pipeline. There’s lots of exciting stuff coming, but if anyone has suggestions for what we should be doing or incorporating, I would personally love to hear about it so we can accelerate it on the roadmap. I’m @williamallen on X and you can also find me on LinkedIn.
Anything else you’d like to share?
Initiatives like the CAI take an enormous amount of effort from an enormous number of people pushing forward together. Like with a lot of standards work, it's done quietly, without a bunch of pomp and circumstance.
I want to recognize the incredible work of the team at Adobe, and people across industries who are working on this. It makes me excited and hopeful that we can help more creatives and artists get credit for their work, and help establish some level of secure provenance.
We have SSL for website certificates and we have DKIM for e-mail. Cryptographic verification of information is a cornerstone of the internet. It hadn't existed for content, and now it does. Now it's just up to all of us to help drive adoption.