About Sign My Data!

Secure Evidence Attribution Label (SEAL) is an open solution for assigning attribution with authentication to media. It can be easily applied to pictures, audio files, videos, documents, and other file formats.

The basic concept is that you can create a file and digitally sign it. (The full technical details are available on GitHub.)

What does it mean to "attest" to a file?

Why use SEAL?

What is Sign My Data!?

The SEAL process supports local signing and remote signing: Sign My Data! provides an external notary service that is not associated with your content. We don't validate the media or metadata. Rather, we sign a digital fingerprint of your data. Our signature says that the content existed at the time of the signing and identifies the account of the user who authorized the signing.

To put this into perspective:

Anyone can take a photo with a camera. But how can you show that you took the photo?

Does Sign My Data! keep a copy of the file?

Sign My Data! never needs to see the file that you are signing. Instead, you generate a digest of the file (e.g., a SHA256 or similar hash) and then provide the digest for signing. The digest identifies your file without distributing your file, while the signature ensures that the digest is correct.

Even if your file is many gigabytes in size, a digest like SHA256 summarizes the file into 32 bytes. (That's really tiny.) The digest cannot be used to regenerate the file, and the likelihood of any two different files having the same SHA256 value is about 1 in one hundred fifteen quattuorvigintillion (1 followed by 77 zeros). (Or for you math gurus who want to include the birthday paradox, then it's about 1 in three hundred forty undecillion, or 340 followed by 36 zeros.) In any case, the likelihood of two files coincidentally having the same SHA256 digest value is so remote that the SHA256 digest is effectively unique. If two files have the same digest, then they are likely the same file, and if two files have different digests then they are definitely different files.

Sign My Data! must receive a copy of your computed digest for signing. However, that digest cannot be used to recreate your file. (This ensures privacy.) Moreover, Sign My Data! does not retain a copy of your file's digest.

In addition, the Sign My Data! service is not needed to validate the signature. We never know who is evaluating a signature or when.
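
The digest-only flow described in this section, as an added Go example that is not SEAL's or Sign My Data!'s own code: the client hashes the file locally, a stand-in notary signs the digest together with an account name and a timestamp, and verification runs offline with only the public key. The `Attestation` record, its `|`-separated payload, the account name and the Ed25519 key are assumptions made for illustration, not the SEAL specification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"io"
	"strings"
)

// Attestation is a hypothetical record for this example; it is not the SEAL format.
type Attestation struct {
	Digest    string // hex SHA-256 of the file: 32 bytes, 64 hex characters
	Account   string // account that authorized the signing
	SignedAt  int64  // notary's clock, Unix seconds
	Signature []byte
}

// DigestOf streams r through SHA-256, so memory use is constant for any file size.
func DigestOf(r io.Reader) (string, error) {
	h := sha256.New()
	_, err := io.Copy(h, r)
	return fmt.Sprintf("%x", h.Sum(nil)), err
}

// payload is the byte string the notary signs: digest, time and account together.
func payload(a Attestation) []byte { return []byte(fmt.Sprintf("%s|%d|%q", a.Digest, a.SignedAt, a.Account)) }

// NotarySign is the remote side: it is handed the digest and never the file.
func NotarySign(key ed25519.PrivateKey, a Attestation) Attestation {
	a.Signature = ed25519.Sign(key, payload(a))
	return a
}

// Verify runs offline: it needs the file, the record and the notary's public key.
func Verify(pub ed25519.PublicKey, file io.Reader, a Attestation) bool {
	d, err := DigestOf(file)
	return err == nil && d == a.Digest && ed25519.Verify(pub, payload(a), a.Signature)
}

// Demo uses constructed data: the intact file verifies, an edited copy does not.
func Demo() (intact, edited bool) {
	pub, key, _ := ed25519.GenerateKey(nil) // throwaway key; nil selects crypto/rand
	d, _ := DigestOf(strings.NewReader("constructed sample"))
	a := NotarySign(key, Attestation{Digest: d, Account: "demo-account", SignedAt: 1700000000})
	return Verify(pub, strings.NewReader("constructed sample"), a), Verify(pub, strings.NewReader("edited sample"), a)
}

func main() { fmt.Println(Demo()) }
```

Because the timestamp and account are inside the signed payload, changing either one after signing invalidates the signature just as editing the file does.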

Is Sign My Data! free?

The SEAL specifications are free, open source, and public domain.

The signing tools used by SEAL are also free and open source. Because they are provided by different developers, they have different licenses. Some are public domain, while others use GPL, MIT, BSD, or other public licenses.

This Sign My Data! online service is provided by Hacker Factor, the same company that provides FotoForensics, Hintfo, and other forensic services. Sign My Data! requires account registration but does not sell that information and does not collect other data. In addition, we don't use ads or other web services that could track you. (There's a jaded view of free online services: "if you're not paying for the service then you are the product." With this service, you are not the product, you are the customer.)

Sign My Data! is currently offered as a free service. However, hosting, bandwidth, and maintenance are not free. If users begin abusing the service (like when a Google employee tried to send every image at Imgur through FotoForensics; I'm still miffed about that), then we may have to limit the number of free signatures per month.