In a world where seeing is no longer believing, Truepic is a pioneer in image authenticity. With its industry-leading Controlled Capture technology, Truepic ensures the integrity of digital photos and videos from the instant they are captured. Founded in 2015, the technol-ogy company experienced hyper-growth with growing adopton of image provenance technology and a $26 million Series B funding round led by M12, Microsoft’s venture fund.
Truepic delivers next-generation
trust technology with Keyfactor
San Diego, California
EJBCA Enterprise, SignServer
Infrastructure required for blockchain became a roadblock
People rely on what they see to make important decisions. But in a world where digital photos and videos can easily be manipulated, spoofed, or even AI-generated, seeing isn’t always believing. That’s where Truepic enters the picture.
Truepic is on a mission to restore trust to the internet. With its patented Controlled Capture technology, the platform acquires “provenance” data (such as origin, contents, and metadata) about photos and videos and uses cryptography to protect the images from tampering before they reach the intended recipients. The software can authenticate where photos were taken and prove that they were not manipulated.
The first generation of Truepic’s Controlled Capture technology serves as the backbone of their flagship product, Truepic Vision. The platform establishes a chain of custody for photos and videos from the instant they are captured to their immutable storage on Truepic servers, then notarizes them on the Bitcoin blockchain.
In 2022, the company launched a new iOS and Android Software Development Kit (SDK) called Truepic Lens. This new product allows any company to integrate Truepic’s secure image capture technology directly into their own mobile applications. The product was an enormous step forward for the company.
There was just one problem: the scalability required by the SDK. The engineering team quickly realized that the current model would not support the anticipated scale required to drive image verification across the internet. It became clear that public key infrastruc-ture (PKI) technologies leveraging on-device processing to securely capture high-integrity self-authenticating photos and videos would ensure maximum user privacy and prepare the technology to scale widely without centralized bottlenecks.
“The first generation of Controlled Capture requires us to process every image file and its hash in our Truepic vault, then store the hash in the Bitcoin blockchain as the anchor of immutability,” says Jason Slack, Director of Engineering at Truepic. “This creates a bottle-neck that doesn’t have the scalability and flexibility we need to support our SDK customers. At the scale that we are building toward, it would also require significant infrastructure and resources from our team.”
In search of a better solution, the Truepic team quickly realized that public key infrastructure (PKI) technologies were far more sustainable, flexible, and more widely adopted: exactly what they needed.
PKI is an absolute foundational piece to what we’re building. Without EJBCA, we couldn’t have what we have. It is a key pillar to the future of our products.
Jason Slack, Director of Engineering
Building it better with PKI as the foundation for digital trust
Every engineer knows that using the right tools is essential to building a successful product. Slack says moving from blockchain to PKI technology made more sense for the future of Controlled Capture, but his team wasn’t sure exactly where to start.
“We knew that PKI was the right fit, but leveraging a third-party public certificate authority (CA) would not work,” says Slack. “We process hundreds of millions of photos, so paying a fee for every certificate we provision to authenticate and sign each image did not make sense. Standing up our own CA infrastructure would be much less expensive, but getting it right was absolutely critical to our success.”
Truepic explored several PKI solutions, but none matched the flexibility and performance offered by Keyfactor’s EJBCA Enterprise. The Truepic team needed a best-of-breed PKI without the effort and expense of running it in their data center, so the ability to deploy and scale EJBCA in the cloud was critical.
More importantly, Slack says they didn’t just need software; they needed a vendor with deep domain expertise to accelerate the PKI learning curve, eliminate knowledge gaps on his team, and deliver a truly state-of-the-art implementation that could support their long-term needs for massive scalability and availability.
It would have taken at least 2 or 3 people to stand up our own PKI. With Keyfactor, we cut our expected deploy-ment time in half, and with fewer resources.
Jason Slack, Director of Engineering
Delivering the next-generation of image provenance
Advanced scalability, privacy and security
Truepic’s next-generation Controlled Capture 2.0 technology forgoes blockchain as the anchor of trust in favor of PKI with EJBCA. The new platform architecture leverages EJBCA and SignServer to securely authenticate and digitally sign high-integrity photos and videos, all without having to upload them to Truepic’s servers or notarize them in a blockchain. The result is significantly less complexity in their IT infrastructure and maximum privacy for Truepic Lens customers.
Slack’s team deployed several instances of EJBCA in their AWS production and development environments to support certificate-based authentication for third-party developers, mobile devices, and other machine-to-machine communications. They also leverage SignServer to create a verifiable cryptographic seal for the contents and provenance metadata of every image using digital signatures.
“With EJBCA running in AWS, we can provision millions of certificates in our development and production environments,” says Slack. “Add to that the ability to digitally sign and timestamp every image with SignServer and keep that cryptographic seal with the image itself, and it was really a simple decision for us.”
Accelerated time to market
To meet a tight delivery timeline, the Truepic team decided the fastest and most efficient path forward was to work with the Keyfactor professional services team.
“We have an incredibly talented engineering team here at Truepic,” says Slack, “but PKI design and implementation are a unique skill set. Of course, the products had all the features and functionality we needed, but professional services and support were the biggest factors in making the project successful.”
The engineering team worked with Keyfactor professional services to architect PKI and signing capabilities into the new Controlled Capture 2.0 pipeline. Slack says that it simply wouldn’t have been possible without the great documentation, ease of use, and most importantly, the expertise from Keyfactor to help them every step of the way.
“We could have attempted it on our own, but to get this right and prevent delays in project delivery, we determined early on that professional services were a must,” says Slack. “Having the Keyfactor team help us through implementation made it much easier and tightened our delivery schedule significantly. More importantly, they provided guidance and recommendations to ensure that our PKI aligned with industry best practices.”
Ready for global expansion
Slack says that while the immediate time and cost savings of working with Keyfactor have been huge accomplishments for Truepic, he sees the partnership as essential to the long-term success of future products and expansion into global markets beyond North America.
“We’ve built an industry-leading photo and video verification platform, with Keyfactor at its core,” he notes. “Now we’re ready to take it to the world, and that brings new challenges, such as the need to comply with GDPR, WebTrust, and other regulations. It’s important to have a trustworthy partner like Keyfactor to help us navigate this new landscape and achieve our goals for global expansion.”