Contents
Yes, C2PA can be removed, and it is not hard: stripping the manifest from a file leaves no trace a verifier can detect. That sounds damning, but it is a known and deliberate consequence of the design. C2PA is built to be tamper-evident, not tamper-proof, which means it is strong against one threat and weak against another. It resists forgery almost perfectly, and it resists removal barely at all. Sorting which is which is the whole of reading C2PA security correctly, on audio files as much as images.
Two ways a credential goes away
There are two distinct outcomes, and a verifier reports them very differently. Edit the pixels or samples and the content hash no longer matches the signed manifest, so the binding is invalidated: the manifest is still present, and the mismatch is positive evidence the file changed after signing. Remove the manifest block instead and the file simply reads as having no Content Credentials, indistinguishable from one that never carried any. The first case is loud, the second is silent. That asymmetry is the crux of the security model: tampering with a signed file is detectable, but removing the signature entirely is not. The practical diagnostic for both is in Content Credentials not showing?.
What C2PA is secure against: forgery
Where C2PA is genuinely strong is counterfeiting. A Content Credential is a SHA-256 content hash inside an x509-signed manifest (C2PA Specification v2.4), and that signature cannot be forged. A crypto-binary scheme like C2PA carries roughly a 2^128 forgery bound, so you cannot fabricate a valid, trusted credential for a file you did not sign with a recognised key, and you cannot alter a signed file without invalidating its binding, because a hash has no inverse, which is 100 percent invalidation on any real edit (C2PA Specification v2.4). So an intact, verifying, trusted credential is hard evidence that a signed history has not been quietly rewritten. Against the “someone faked a provenance record” threat, C2PA works.
What it is weak against: removal
The weakness is the mirror image. Because the manifest rides in the file container as metadata, taking it off is no harder than clearing any other metadata, and the verifier cannot tell a stripped file from one that never had a credential. You do not even need intent: any pixel-touching or sample-touching edit invalidates the binding by mechanism, and the large majority of ordinary signal-domain processing, a resize, a re-compress, a format conversion, breaks it incidentally. Platforms that re-encode on upload strip or invalidate credentials as a side effect of ordinary processing, and the verifier cannot distinguish a platform re-encode from adversary tampering. So absence of a credential is nearly neutral: most files never had one, and many that did lost it in transit, a point developed in Do Content Credentials survive social media or a screenshot?.
The independent security verdict
This gap is not just a practitioner’s observation. The first comprehensive, independent security analysis of the standard, including “the first formal-methods analysis of C2PA’s core protocols”, concluded bluntly that “the current C2PA specifications fail to achieve their claimed security goals”, and that “C2PA provides provenance signals, not proof of authenticity” (Golaszewski, Krawetz, Sherman, 2026). Their practical guidance follows directly: C2PA “should not yet be relied upon for high-stakes uses such as financial disclosures, journalism, or legal evidence”. The same authors make the institutional context plain, “Major companies including Adobe, Google, Microsoft, Meta, and Amazon participate and have endorsed its adoption”, so industry backing does not erase the security boundary. A valid credential proves the record is intact, never that the content is true, and never that a file without one is suspect.
The durable-credential hedge, and its limit
The standard’s answer to silent stripping is durable Content Credentials, which add “one or more soft bindings that enable discovery in a manifest repository” (Content Credentials Technical Whitepaper, 2025). A soft binding is a fingerprint or an embedded watermark, so a stripped manifest can be looked up again from the content. This genuinely helps against accidental loss, but it relocates trust onto the watermark layer, which is exactly the layer the removal literature targets: Zhao, Zhang and Wang prove pixel-level invisible watermarks are removable by generative regeneration (NeurIPS 2024), and the SynthID team concede metadata is “often stripped accidentally and can also be trivially removed” (Gowal, Bunel, Stimberg, 2025). A durable credential is durable against accident, not against intent.
The practical response: layered signals
The working response in 2026 is not to make C2PA unremovable but to pair it with a signal that survives when metadata does not. As of May 2026 OpenAI applies both C2PA Content Credentials and Google DeepMind’s SynthID watermark to images from ChatGPT, its API and Codex, on the stated reasoning that “C2PA helps content carry detailed context; SynthID helps preserve a signal when metadata does not survive” (OpenAI, 2026). Two independent signals raise the cost of removing provenance without a trace, though neither is unbreakable. The posture is defence in depth, not a single tamper-proof seal.
How to read it
Read C2PA for what its security model actually delivers. It is strong evidence when present and verifying, because forgery is hard; it is close to meaningless when absent, because removal is trivial and silent. Treat a valid credential as a record that is intact, not proof the content is true, and never treat a missing one as suspicion. If your goal is the reverse, keeping your own file from being traced back to you by stripping provenance or a watermark, that is a privacy task, covered in can you remove SynthID from your file?.
Sources
- Zhao, Zhang, Wang (2024). Invisible Image Watermarks Are Provably Removable Using Generative AI. NeurIPS.
- Gowal, Bunel, Stimberg, et al. (2025). SynthID-Image: Image Watermarking at Internet Scale. arXiv:2510.09263.
- Golaszewski, Krawetz, Sherman, et al. (2026). Verifying Provenance of Digital Media: Why the C2PA Specifications Fall Short. arXiv:2604.24890.
- Coalition for Content Provenance and Authenticity (C2PA) (2025) Content Credentials: C2PA Technical Whitepaper. Available at: https://c2pa.org/wp-content/uploads/sites/33/2025/10/content_credentials_wp_0925.pdf (Accessed: 3 July 2026).
- Coalition for Content Provenance and Authenticity (C2PA) (2026) C2PA Technical Specification, version 2.4. Available at: https://spec.c2pa.org/specifications/specifications/2.4/specs/C2PA_Specification.html (Accessed: 3 July 2026).
- OpenAI (no date) C2PA and SynthID in OpenAI-generated images. Available at: https://help.openai.com/en/articles/8912793-c2pa-and-synthid-in-openai-generated-images (Accessed: 3 July 2026).