Proving content authentic when labelling the fake is not enough
For most of recent history a photo, a video or a voice recording carried a quiet presumption of truth. You produced it, and people took it at face value unless someone showed otherwise. That presumption has collapsed. Generative tools are now cheap and convincing enough that anyone can fabricate a believable fake, and, just as easily, dismiss a real one. At the same time, regulators are tightening the rules on synthetic media: the EU AI Act introduces a labelling obligation for AI-generated content from 2 August 2026, and Italy has become the first EU member state to build a national AI law framework around it, with implementing decrees reviewed by its Council of Ministers on 10 June 2026.
So a question lands on the desk of anyone responsible for what their organisation says and shows in public, from legal and compliance to communications: what do you do when labelling the fake is not enough, and the burden quietly shifts to proving that something is real? This article makes one argument. Transparency rules that flag synthetic content are necessary but only half the answer. The centre of gravity of the risk has moved to your ability to prove content authenticity, and the strongest defence is not detecting a fake after it spreads but certifying the truth at the source, in the instant the content is captured.
What is changing in AI content rules
The rules are moving in two directions at once: a Europe-wide labelling duty for synthetic media, and national frameworks that operationalise it. The EU AI Act sets the baseline obligation to disclose AI-generated content from 2 August 2026, and Italy is the first member state to pass a national AI law aligned with it, with implementing decrees that add investigative and liability provisions on top of an offence that already existed.
Neither development creates a brand-new "deepfake crime" in 2026, and that distinction matters because press coverage often blurs it. The labelling duty comes from the AI Act, applies across the Union, and targets disclosure. The Italian decrees, reviewed in preliminary form on 10 June 2026, sit on top of a national AI law passed in 2025 and concern how authorities investigate, how liability is allocated, and how high-risk AI systems must be secured. For an international organisation the practical takeaway is the same in every jurisdiction: disclosure is becoming mandatory, but disclosure alone does not tell you whether a given file is genuine.
The synthetic-content disclosure obligation (EU AI Act Art. 50)
Article 50 of the EU AI Act (Regulation (EU) 2024/1689) is the source of the labelling duty, and it becomes applicable on 2 August 2026. It requires that providers and deployers make AI-generated or AI-manipulated content recognisable, so that a person interacting with it understands they are looking at synthetic material rather than an unaltered record of reality. The European Commission publishes the official AI Act implementation timeline, and 2 August 2026 is the date the transparency obligations bite.
The intent is reasonable. Making the artificial visible helps defend the information space against deception by actors who play by the rules. The AI Act Art. 50 labelling rule for synthetic content is a useful first line of defence for anyone running communications, product or compliance. There is a catch, though: it operates on the honest producer who discloses, not on the bad actor who fabricates and denies. That asymmetry is the whole problem, and we come back to it below.
National implementation is accelerating
National implementation of the AI Act is accelerating, and Italy is the clearest example of a member state moving first. On 10 June 2026 the Italian Council of Ministers approved, in preliminary review, the implementing decrees of the country's national AI law (passed in 2025), making Italy the first EU member state to build a national legal framework explicitly aligned with the EU AI Act. Reuters and the Italian government's own communications reported the step as a first-mover moment for European AI regulation.
The substance of the decrees is investigative and liability-focused rather than a new content offence. Described generically, they introduce law-enforcement use of biometric identification subject to prosecutor authorisation, a presumption of causation in AI-related harm, and a new offence for failing to adopt adequate security measures in high-risk AI systems. The criminal offence for non-consensual distribution of AI-generated or altered content is not new: it already existed under the 2025 national law, in force since October 2025. You can read more on Italy's national AI law and the deepfake offence. The signal for organisations everywhere is that the regulatory net around AI systems and synthetic media is widening fast, and the burden of demonstrating good faith and authenticity is moving toward the people and companies that rely on digital content.
Why labelling synthetic content is only half the problem
Labelling synthetic content protects against disinformation from those who follow the rules, but it does nothing for the person attacked with a convincing fake or for the one whose genuine content is challenged. The disclosure obligation acts on the honest creator. It leaves two cases wide open: the fake built specifically to deceive, and the authentic record accused of being fabricated.
Transparency about synthetic media is necessary, but it is asymmetric. It works when the generator declares. It fails when the intent is fraudulent, because no one running a scam attaches a "made by AI" marker to their forgery. And it fails in the mirror-image scenario that is becoming routine: a real photo, email or recording dismissed as a deepfake. In that situation a label is useless, because the task is no longer to flag the fake but to prove the true.
The liar's dividend: when authentic content is accused of being fake
The liar's dividend is the advantage a dishonest party gains simply because deepfakes exist: in a world where anything can be fabricated, it becomes plausible to deny even what is real. The concept, named by legal scholars Robert Chesney and Danielle Citron, describes one of the more insidious side effects of generative technology.
Picture an executive recorded making a damaging statement in a logged meeting. Not long ago that video would have been hard to wave away. Today it is enough to say "it's a deepfake" to plant doubt and shift the argument from substance to the genuineness of the evidence. The result is perverse: the better forgery technology gets, the easier it becomes to discredit authentic material. For a company this means a real press release, a legitimate email or a genuine recording can lose its evidential weight not because it is false, but because someone can claim it is and not be immediately contradicted.
The burden of proof shifts to people and organisations
A universal principle of evidence holds that the party asserting a fact must prove it. With synthetic media, discharging that burden becomes technically harder: in most legal systems a digital reproduction can carry weight as evidence only while its authenticity is not credibly contested, and contesting it is now trivial. Saying a file is doctored is the easiest move available, and it pushes onto the other side the work of demonstrating the content is genuine.
This pressure is reinforced by a wider regulatory trend. The EU is moving toward a presumption of causation in AI-related harm, where, once a breach of AI obligations is linked to damage, the burden of showing the absence of a causal link can fall on the party operating the system. The practical consequence for enterprises and professionals is blunt: being right is no longer sufficient. You need to be able to demonstrate, in a verifiable way, that a content item is authentic and was not altered. Proving content authenticity, not detecting fakes, becomes the operational priority.
From negative proof to positive proof: documenting the truth
The structural answer is not to chase fakes but to build positive proof of authenticity at the right moment. Recognising a deepfake after the fact is a negative, probabilistic proof that is always open to challenge. Documenting that a content item is authentic the instant it is created is a positive proof: it is verifiable, it can be asserted against a challenger, and it does not depend on whichever forgery technology happens to be state of the art.
There are two opposing approaches. The first is reactive: analyse a file to estimate whether it was manipulated. The second is preventive: certify the content at the source, so an authentic reference exists from the very beginning. The first tries to recognise the fake and is condemned to an endless chase. The second documents the true and, for that reason, does not depend on the quality of the deepfake it may one day need to rebut.
The limits of reactive deepfake detection
Deepfake detection is a negative, probabilistic proof: it estimates the likelihood that a file is fake, and its error rates in real-world conditions can be high. Some independent evaluations have reported failure rates above 40%, a figure best read as an order of magnitude rather than a precise verified number. That fragility matters in any evidentiary setting. A detector outputs a percentage, not a certainty, and a percentage is easy for an opposing expert to attack. Detection also runs perpetually behind the technology: every new generative model forces the analysis tools to be retrained, in a chase that never ends. Relying on detection alone means accepting that the proof of truth depends on the current state of forgery, and that dynamic is exactly what feeds the liar's dividend. We explore the limits of deepfake detection for data authenticity in more depth elsewhere.
| Criterion | Deepfake detection | Certification at the source |
|---|---|---|
| Logic | Recognise the fake after the fact | Document the true at the source |
| Type of proof | Negative and probabilistic | Positive and verifiable |
| Timing | After the content is contested | At the moment of capture |
| Reliability over time | Falls with every new generative model | Stable, independent of the fake |
| Challengeability in court | High (it is a percentage estimate) | Low (cryptographic hash plus qualified timestamp) |
Certifying at the source: seal and qualified timestamp at the moment of capture
Certifying at the source means fixing the authenticity of a content item at the exact moment it is captured, not when it is later questioned. At capture, a cryptographic fingerprint of the content (a hash) is computed and bound to a qualified timestamp, anchoring that specific content to a certain instant in time. It is the opposite of detection: you do not interrogate the content to discover whether it is fake, you seal it while it is still demonstrably real.
This inverts the evidential perspective. Instead of having to dismantle a forgery after it has already done damage, the organisation holds a verifiable authentic reference from the outset. When someone contests or fabricates a content item, the proof already exists and withstands comparison, because it rests on established technical and legal foundations such as a cryptographic hash bound to a qualified eIDAS timestamp.
How to prove a content item is authentic by certifying it at the source
You prove a content item is authentic by generating, at the moment of capture, a cryptographic proof that fixes its state and date and can be verified independently. It is a positive proof: it does not claim a file is "not fake", it demonstrates that the file existed in that exact form, at that exact moment, and was not altered afterwards.
What it means to certify content at the source
Certifying content at the source means creating proof of its authenticity in the precise instant of capture, not after the fact. TrueScreen applies a forensic methodology that, at the moment a photo, video, audio file, email or web page is captured, computes a cryptographic hash of the content and binds it to a qualified timestamp issued by a third-party qualified trust service provider (QTSP). The result is a positive, independently verifiable proof: it shows the content existed in that form, at that time, and was not altered later. Unlike deepfake detection, which estimates the probability that a file is fake, certification at the source does not try to recognise the fake: it documents the true. For enterprises, legal teams and compliance leaders it is the evidential foundation that holds up when an authentic record is challenged. TrueScreen, the Data Authenticity Platform, certifies photos, videos, audio, email and web pages at the source by applying a hash and a qualified timestamp through a third-party QTSP, and makes the certified content independently verifiable.
Capture can happen through several tools: the mobile app, the Web Portal on the platform, the Forensic Browser for certified web page acquisition, and the browser extension. The digital seal and the qualified timestamp are not issued by TrueScreen, which is not a trust service provider, but by an integrated third-party QTSP. A hash and a timestamp anchored to the eIDAS framework serve as legal proof of the content and the moment it existed. The same approach scales across an organisation as content authenticity certification at the source as a defensible strategy.
Practical cases: a cloned executive voice, official company content
The most common case starts with voice cloning. An employee in finance receives a voice message that mimics the CEO and authorises an urgent wire transfer. After the fact, the company cannot "prove" that audio is fake without a contestable probabilistic analysis, and this is the classic CEO-fraud, or business email compromise, scenario. If instead the official voice communications of senior management had been captured and certified at the source, the organisation would hold a verifiable authentic reference to dismantle the forged version. We have analysed exactly this cloned CEO voice and source-certified audio defence in a dedicated piece.
The same applies to official content: press statements, video declarations, photographic documentation of a construction site or an insurance loss. Organisations use TrueScreen to capture and certify official communications, so they hold a verifiable authentic reference if a content item is later challenged. When a genuine asset is accused of being a deepfake, the difference between absorbing the doubt and dispelling it is precisely the existence of certification at the source. That is the concrete way to certify content at the source and turn the liar's dividend into a boomerang for whoever is lying.

