How to prove a picture was taken before a certain date?

Question

I need to prove that all my pictures were taken before a certain date. Is uploading them to Picassa, Flickr or a similar service a good way to achieve such timestamping?

Answer 1

In general, the problem of Secure Timestamping is actually a complex topic with no single right answer. There are two general approaches: 1) a trusted "Timestamping Authority" keeps logs of when stuff happened and everybody believes them because that's literally their job. 2) Using cryptography in some way. In general the crypto approaches don't work very well and can only prove that photo A was logged before photo B, but not the exact time.

There are lots of companies on the market who offer timestamping services based on one of these two approaches. How much you want to trust them depends on how transparent the company is with their practices, and what local law apply.

So, for your situation: it sounds like somebody is requiring you to do this (maybe for legal reasons?). You should find out level of trust they need in the timstamping authority. What you have come up with is to use Picassa or Flickr as a trusted Timestamping Authority. Depending on what you need the timestamp for, that might be ok. For example, if it's your friend to win a bet, then the upload time on Picassa or Flickr is probably fine. If this is to prove ownership of multi-billion dollar real estate holdings, then you may want to involve a notary.

Basically, ask yourself this question: is the dollar value that you stand to gain or lose greater than what it would cost to hack or bribe Picassa into changing a timestamp? If no then you're fine. If yes, then you need a more official timestamping service.

Answer 2

You can use the Bitcoin (or similar) blockchain for that.

Create a file with both your original file (in case of text it can be inline, otherwise use a container like a ZIP archive) as well as a message stating who you are and that you have a copy of the file. Take the SHA1 of the resulting file/container and use it as a Bitcoin address to send some coins to. This will permanently store the hash in the blockchain with a timestamp precise up to a few hours.

This is anonymous and doesn't reveal anything about the file, but when the time comes you can just reveal the hashed file as well as the hash and anyone can verify the timestamp independently.

There are easy to use services for that which you may want to check out, though I haven't used them personally and I can't vouch for them.

Answer 3

Yes - if the person you want to prove it to trusts the service not change the timestamps.

This is an excellent question - one that has been asked and answered, in various forms, since at least Galileo's time:

Early astronomers used anagrams [...] to lay claim to new discoveries before their results were ready for publication. Galileo used smaismrmilmepoetaleumibunenugttauiras for Altissimum planetam tergeminum observavi ("I have observed the most distant planet to have a triple form") for discovering the rings of Saturn.

Nowadays, this process is usually called trusted timestamping, and usually works with a commitment scheme, very much like Galileo's anagram. On digital media (text, pictures, video), the commitment is usually the result of applying a hash function to the original.

While the process of deriving a commitment is very much a solved problem, it's only a part of the process. Often, the difficult part is knowing to whom do you want to prove the timestamp.

For example, let's say you want to prove to a person P that you've taken a picture at time T. If you know that ahead of time, it's trivial: just derive a commitment C at time T and send it to P directly.

However, if you only learn who the person is after you've taken the picture, this is much harder - because you need to know, ahead of time, who (or what) the person trusts without knowing who the person is.

If you have absolutely no idea who P is, a good compromise is to send your commitment to entities a lot of people trust

---

Now let's put all that we've learned to practice!

Step 1 - derive a commitment

• 1.1 - Choose a cryptographic hash function. SHA-512 is as popular and secure as it gets for 2016.

• 1.2 - Get software for your computer that enables you to calculate the hash. Quick Hash GUI is open source and works on Windows, Mac and Linux. If you're a command line user, you can just type sha512sum.

• 1.3 - Calculate the file hash, and save both the hash and a copy of the file. Be aware that many tools for viewing pictures can corrupt the file, making the hash change. The same is true for (non-plain) text and, to a lesser degree, video.

• 1.4 - You'll need to keep the original copy until you make the proof. This is easier said than done - see this article

Step 2 - distributing the commitment

If you want to be as safe as possible, just go for a shotgun approach:

• Send it over a reputable email service (where you can't edit your messages after sending them).
• Publish it on a reputable blog or forum service (that doesn't allow silent editing of posts)
• Publish it on a blockchain, such as Bitcoin, if you suspect P will be technically able to read it (or willing to get someone they trust to do it)
• Ask a notary

Obviously, if you don't care about the confidentiality of the photo itself, you can send the photo instead of the commitment - use a reputable photo hosting service, like you mention.

Answer 4

Send the photos via email to gmail and another mail service provider using your mobile phone. The IP address of your mobile phone and timestamp embeded in the emails should be good enough as a proof.

Answer 5

From the other answers: you need a timestamping authority. Whatever you decide you use, keep in mind that the first requirement is that it has to survive until the time when you need to prove your claim. If they pull a Geocities and disappear, you are out of luck.

From this point of view, I would consider Bitcoin to be the most reliable long-term solution. Even if it were to disappear, there are good chances that the blockchain will be available for download somewhere.

Answer 6

The standard approach for doing this in pre digital era was to mail a sealed copy of the picture to yourself. The postal office now works as a timestamp authority for you. Its a pretty cheap way of doing so and was a often used method for asserting copyright instead of a copyright register. As a bonus this has been proved to work in the court of law many times and will probably remain so for quite a while yet.*

Now a digital timestamp authority would probably do much the same for digital files and have a more convenient frontend. But nothing stops you from sealing a memory card in a sealed a physical capsule and get a third party sign authenticating the date of the seal, like the postal office example.

* its fine if the court unseals it it becomes permanently documented in this case.

Answer 7

You should be able to use your bank as a trusted timestamp provider. Create archive with all your files and calculate hash for it. Then send some money from one account to another, and use calculated hash as a description for this money transfer. By doing this you will have this hash printed on your bank statement. You should also be able to get statement with this single transfer only, so you could present it to someone without revealing other activities on your account.

Update: transfer and accounting may need few extra days, so take this into account (pun intended).

Answer 8

Besides all the high-tech approaches suggested above, I'd like to add a very low-tech but reliable one: make sure that something that can be accurately dated is in the picture itself. Best for this purpose is that day's newspaper, either in physical or electronic form (ex. displayed on a tablet). You can even zoom in and display a single headline, but make sure it's something that couldn't be predicted in advance in order to dispel any doubt. Obituaries are good, stories about Mardi Gras are not.

Obviously, this only proves the picture was taken before and not after the date in question, but that does seem to fit your purposes.

Answer 9

Make a git repository on github (even though you can date back commits, it wont let you date back pushes in any way), upload either the pictures or their hashes if you don't want to share them yet. Anybody can see exactly when the commits were pushed from that point.

echo 1 > time
touch time --date="1999-01-01 10:10:10"
git add -A
git commit -m "getting ready for apocalypse" --date="1999-12-30 08:40:21"
git push origin master --force