Removal, Replacement, and Structural Weakness

One of the most consistent properties of C2PA manifests is that they are removable. The data lives in metadata structures that many editing pipelines already strip or ignore for other reasons. Re-saving a file through common desktop software, uploading it through certain web services, or converting formats is often enough to discard the manifest.

Replacement is also possible. Anyone in possession of a file and a signing key can attach a new manifest that makes different claims. The new manifest will verify cleanly. Earlier manifests are not automatically preserved unless the signer deliberately references them as ingredients.

The time information inside a manifest is self-attested. The when field records whatever moment the signer wrote down. It carries no independent proof that the file existed at that moment. Stronger time assertions require external anchoring, such as OpenTimestamps, which is outside the core C2PA specification.

These properties matter for claims about priority. A manifest can demonstrate that a particular sequence of actions was signed at a certain point. It cannot easily demonstrate that no earlier version of the same visual content existed elsewhere. When two conflicting manifests appear, the one with the earlier anchored timestamp has an advantage. The absence of any manifest leaves the question open.

For an artist whose work circulates without a manifest, the system offers little protection against later claims. For an artist who attaches a manifest, the protection is only as durable as the next re-encode or platform policy change. The format is better at making certain kinds of later tampering detectable than at establishing original artistic origin in the first place.