Image provenance in public procurement: how authorities verify BIM renderings and site photos
Public administrations across Europe receive thousands of technical bids every year from companies that attach photographs of previous construction sites, BIM renderings of proposed works and equipment images to demonstrate qualification requirements. Until 2023 the trust placed in those files was taken for granted: the procurement officer looked at a photograph of a completed jobsite and accepted it as proof of the company's track record.
Since 2024 the spread of text-guided image generation tools has broken that assumption. A bidder can now generate photorealistic pictures of works that were never built, alter the EXIF metadata of a real photograph to shift its date, edit a BIM rendering to hide design flaws. The verification problem moves to the centre of every tender, and digital evidence in public procurement becomes the friction point between the pace required by EU recovery programmes and the documentary integrity public authorities must preserve.
The answer is not to refuse digital images. It is to write into the tender specifications how images must be produced and verified: qualified electronic time stamp applied at the source, cryptographic hash computed on the binary file, provenance declared at the moment of acquisition. When these three elements are present, a procurement officer can verify independently that a construction site photograph or a BIM rendering is authentic, intact and attributable to the moment claimed.
This insight is part of our guide: Digital public procurement: how to certify evidence with legal value
European framework: what contracting authorities can require
The EU regulatory frame for tender digitalisation rests on three pillars. Directive 2014/24/EU on public procurement sets the principle of equivalence between paper and electronic documents, provided that the electronic version meets requirements of authenticity, integrity and time attribution. Regulation eIDAS (910/2014, updated by eIDAS 2.0 in 2024) defines the legal value of qualified trust services: qualified electronic signatures, qualified electronic seals, qualified electronic time stamps. EBSI and the European Single Procurement Document (ESPD) extend interoperability across member states.
For images, the leverage point is in the qualification requirements. Article 58 of Directive 2014/24/EU lets the contracting authority demand evidence of professional and technical capacity, including photographic documentation of analogous works. The tender specifications can require that this documentation arrive in a verifiable form. A technically sound clause aligned with eIDAS can ask bidders to:
- capture photographs with applications that apply qualified time stamping at the source, so that the declared date cannot be altered after the fact;
- submit the original binary file with intact EXIF metadata and a cryptographic hash computed at acquisition time;
- declare the digital provenance of each image through an informatic report signed by the operator who performed the acquisition.
These requirements are already permitted by EU procurement law. What is still missing in many tender notices is a shared technical clause language. Many tender documents still accept plain JPG files with no authentication element, not because EU rules forbid otherwise, but because the standard wording has not yet propagated through procurement teams.
BIM renderings: the interoperability requirement
For BIM renderings the framework is tighter. Annex VIII of Directive 2014/24/EU on technical specifications, combined with ISO 19650 on information management for the built asset, defines how BIM models must be exchanged in public works above the EU threshold. The open IFC format is the de facto standard for model interchange, and the EU BIM Task Group has issued handbooks that contracting authorities can adopt directly.
The operational gap is that a rendering exported from a BIM model (PNG or JPG) loses the cryptographic link to the source IFC file. To close this gap, leading procurement units in the Netherlands, Finland and Germany have started asking, alongside the rendering, the SHA-256 hash of the corresponding IFC file and a qualified time stamp covering the moment of export. The rendering stops being an isolated image and becomes a verifiable projection of an authenticated information model.
What a procurement officer can verify today
A procurement officer who receives a construction site photograph in a bid has three families of controls available, in increasing order of evidentiary strength:
EXIF metadata inspection
EXIF metadata in a digital photograph contain the device model, capture date and time, GPS coordinates if enabled. They are the first verification layer and can be checked with open source software such as ExifTool, freely available on every operating system used by contracting authorities. A photograph generated by a synthetic model or re-exported from an editor usually shows inconsistent metadata: creation date later than the declared shooting date, device model missing or replaced, GPS coordinates wiped.
The limitation of EXIF is mutability: these are plain text fields that anyone can rewrite. They work as a negative signal (strange metadata equals suspicion) but they are not sufficient as positive proof of authenticity.
Cryptographic hash check
A SHA-256 hash is a digital fingerprint of the binary file: it changes even if a single pixel is altered. If at the moment of acquisition the bidder computed the hash of the photograph and registered it in a public ledger (notarial blockchain, national registry or a certified platform), the procurement officer can recompute the hash on the received file and compare them. If the two values match, the photograph received is bit-for-bit identical to the one that existed at the registration date.
Qualified electronic time stamp
A qualified electronic time stamp, under eIDAS, proves to third parties that a file existed with a given content at a given date. When a photograph or a BIM rendering is born already qualified time stamped by a qualified Trust Service Provider, the contracting authority has the guarantee that the declared date is real and that the content has not been altered afterwards. Verification can be done with free tools made available by national supervisory bodies and by accredited QTSPs.
TrueScreen for source certification: what changes for bidders and procurement officers
TrueScreen is the data authenticity platform that lets construction companies, BIM designers and economic operators pre-certify photographic documentation and renderings from the moment of acquisition, producing an immutable report that the contracting authority can verify independently. TrueScreen is not a QTSP and does not issue qualified certificates: it integrates a qualified QTSP's seal via API to close the legal value chain.
When a bidder runs a site survey of a previous jobsite and uses the TrueScreen App to capture photographs, every shot is immediately paired with SHA-256 hash computation, qualified time stamping applied through the integrated QTSP, and an electronic seal binding the file to the acquisition report. The output is a signed PDF that the procurement officer downloads and verifies in one click, with no technical tooling needed.
For BIM renderings the flow is symmetrical: from the source model the rendering is exported through the Forensic Browser or the Chrome Extension, and the platform certifies in one acquisition the IFC file hash, the exported rendering hash and the export moment. The cryptographic link between information model and visual representation is preserved.
What the procurement officer receives, what the procurement officer verifies
In the technical envelope the procurement officer does not receive just a JPG or PNG. They receive a certified dossier containing the original file, the informatic report with qualified time stamp and electronic seal, and a public verification link. By clicking the link, the procurement officer gets immediate confirmation that the file is authentic, that the declared date is the real acquisition date and that the operator who performed the acquisition is identifiable. Verification is instant, free and traced: no parallel procedure to open, no technical consultants to engage to inspect EXIF data.
FAQ: provenance and image authenticity in public procurement
FAQs are in the dedicated block.
