C2PA stands for the Coalition for Content Provenance and Authenticity. Adobe, Microsoft, Intel, and the BBC all back it. It's becoming the standard for proving who made something, when they made it, and whether it's been altered since. But what it actually means for artists is quieter and more important than the corporate support suggests.
It means your work can have a receipt. A cryptographic one. Not the kind you can strip away with a JPEG save. Not the kind you can forge in an afternoon with open-source tools. The kind that proves ownership in a way that matters.
The real question isn't whether C2PA will matter. It's when. And whether you'll have prepared by then.
why your metadata is worthless
You already know about EXIF. Creation dates, camera models, artist credits embedded in every digital image. It looks like provenance. Until you realise how laughably easy it is to remove.
Download an image from the web and the metadata stays behind. Repost it to Instagram and it vanishes. Save it as PNG and only some of it survives. Want to fake it? A single tool. A few seconds. Anyone can claim to be the creator.
EXIF is text. Just text. There's no authority behind it. No signature. No way to know if someone changed it or if it was ever true. Artists find their work online with completely different artist names attached and entirely different metadata. The original creator's name, stripped. Replaced. Gone.
This is why metadata alone isn't provenance. Provenance requires proof. And proof requires cryptography.
the anatomy of C2PA
C2PA has three moving parts. A manifest. Assertions. Signatures. Together they create something EXIF never could: tamper-evident proof.
The manifest is a standardised structure attached to your image file. It contains provenance information. This includes who created the image, when, what tools were used, what edits were made, and what claims are present. It travels with the image. It survives format changes. And crucially, it's signed.
Assertions are individual claims inside the manifest. They're specific. They're measured. For artists, the important ones are: c2pa.created (who made this and when), c2pa.training-mining (this shouldn't be used for AI training), c2pa.edited (who changed this and when). Each one is independently signed. Each one is individually tamper-evident.
And then there's the signature itself. C2PA uses ES256, which is ECDSA on the P-256 elliptic curve. This isn't experimental cryptography. It's the same standard securing HTTPS, banking systems, blockchain networks. It's proven. It works.
When you sign a manifest, your private key (which only you possess) mathematically signs every byte of data. If a single byte changes, the signature becomes invalid. Anyone can verify the signature was genuine. Anyone can see when it's broken. This is what tamper-evidence means.
how tamper-evidence actually works
You create a painting. Add a C2PA manifest saying you created it on March 1st. Sign it with your certificate. Upload it to ArtStation. The manifest is embedded in the file. It's cryptographically sealed.
Someone takes that image, changes the creator name to theirs, saves it, uploads it elsewhere. Now the data has changed. But the signature is still the old one. Any C2PA-aware tool immediately sees the mismatch. Forgery detected. Provably false.
Or they strip the manifest entirely and upload a clean version. This is technically possible. But it's conspicuous. As galleries and institutions begin requiring C2PA validation, artwork with no provenance becomes suspicious. It's not that you can't remove C2PA. It's that removing it eventually costs you more than keeping it.
This is why C2PA's power is institutional. One artist using it means nothing. Bad actors just delete it. But when 10% of professionals have it. When 20% require it. When galleries ask for it as standard. Then the incentive structure flips. Keeping C2PA becomes the default. Removing it becomes the exception.
The infrastructure builds slowly. But once it builds, it's permanent.
what's already happening
Art competitions now require C2PA proofs of human creation. The AI submission problem got so severe that competitions started mandating: prove you made this. Cryptographically. Recent additions from Adobe mean C2PA markers in Creative Cloud automatically note whether AI was involved. Galleries can see at a glance whether work claims to be human-created or AI-assisted.
Gallery curators are beginning to ask. Not demanding yet. But asking. Do you have C2PA provenance? For expensive works or collaborative pieces, the question is becoming standard. Licensing platforms need it. If you're selling your work to a client, you need proof you own the copyright. C2PA provides that proof in a format that's cryptographically auditable.
Stock platforms are implementing C2PA checks. Unsplash and Shutterstock now prefer artists with C2PA because it reduces their legal liability. They're protecting themselves by accepting only work with verifiable provenance.
The adoption curve is shallow but steady. In two years, it accelerates.
what C2PA does not do
C2PA doesn't stop AI from scraping your work. It doesn't prevent someone from downloading and using your image for training. It doesn't create a legal shield that makes unauthorised use impossible.
What it does is create evidence. Cryptographic evidence. If someone trains an AI model on your work, and you can prove with a signed manifest that you created it on date X and the model was trained on date Y, that's powerful in court. That's leverage.
It also creates future pressure. When institutions begin verifying C2PA before accepting work, artwork without provenance becomes lower-value. Not worthless. But diminished. Artists then have strong incentive to use C2PA. Work created without permission or without proper attribution faces friction.
This is how standards work. Not through force. Through incentives. Through institutions slowly, quietly making one choice more expensive than another.
Art Vault's implementation
Some companies claim to "support" C2PA by embedding markers saying "this is AI-generated." This is performance. They're using the standard's language. They're not creating real cryptographic proof.
Art Vault creates actual manifests. When you protect work with Art Vault, we embed a genuine C2PA structure with your identity, creation date, protection date, and a clear statement that your work is defended from training use. The manifest is signed with a certificate proving the assertion came from Art Vault. Timestamped on the blockchain for additional permanence.
The manifest survives what destroys EXIF. Image reprocessing. Social media reupload. Format conversion. It's cryptographically verifiable. A gallery in 2029 can check that image, read the manifest, verify the signature, and know with certainty that you protected this work on this date.
The signature doesn't stop copying. But it makes "I created this" provably false if the manifest says otherwise. Over time, as institutions adopt verification, that becomes worth more than technical defence ever could.
building the infrastructure now
C2PA is early. Most artists have never heard of it. Most platforms don't check it yet. But the direction is clear. As AI becomes ubiquitous, proof of human creation becomes more valuable. Not just technically. Institutionally.
Your work from March 2026, signed with C2PA today, becomes historical evidence. Undeniable proof of when you created it. No AI model trained after this date can claim to have made what you made before it.
This matters because cryptographic signatures don't degrade. Adversarial perturbations might be defeated in five years by better AI filtering. But signatures can't be faked. They can't be stripped without being noticed. They're permanent in a way defences never are.
Provenance is the slow, quiet answer to the question nobody wanted to ask: how do we know who made this? C2PA doesn't answer it through lawyers or courts. It answers it through mathematics. Through cryptography that can be verified by anyone, anywhere, forever.
That's not a small thing.