AI Vs. GNUPG PKI

January 18, 2024

INTRODUCTION

I recently listened to a radio broadcast warning about AI and deepfake for spreading "misinformation" around elections. This caused me to think about how to potentially protect against "bad" information being misattributed to individuals and how to ensure "good" information is attributed correctly to the individual(s) creating and sharing their thoughts and content online. Any data being shared ought to be verifiable in a decentralized and liberty-respecting way, as opposed to being implemented "top-down" by an organization or a government. Enter the application of the use of GNU Privacy Guard Public Key Infrastructure into my mind. I highly recommend reading and following along with the Free Software Foundation's information about GNUPG for emailselfdefense [1]. So here's a test of concept of sorts. A plain text draft of this "musing" was written and I recorded a video about it. Both the text draft and the video are available here for download along with digital signatures to enable anyone using GNUPG to verify the data integrity of those files as having come from me.

I've been using GNU PRIVACY GUARD (a.k.a. GNUPG or GPG/gpg) since around 2007. GPG is omnipresent in the GNU/Linux operating systems ecosystem by necessity and is available to anyone as software that is cross-platform and gratis, as it is Free/Libre Open Source Software (FLOSS). Public Key Infrastructure enables a decentralized "Web of Trust" to be established around a "Key Pair" of which the "Public Encryption Keys" of individuals are exchanged and shared. The identities of the individuals claiming ownership of the public keys are verifiable and the validity or trust assigned to them may be individually determined and signed, with the signatures shared online in a decentralized manner. Data may thereby be clear signed by the owner's "Private Key" and afterward verified by anyone who downloads a copy of the Private Key's corresponding Public Key. My public key will be linked below and anyone can install a copy of GPG on their computer and import my public key to verify data that I have shared and signed with the corresponding Private Key (private keys are never shared). Additionally, data may be secured with encryption to a public key that can only be read by the public key owner's corresponding private key and the benefit of their secret passphrase (passphrases are also never shared, but instead kept secure, usually by memorization and ought to be very long and thereby very strong).

In this infrastructure, any data, text, software program, script, audio file, or video file, really anything digital, may be shared along with a digital signature for that data file made by the file's creator/owner/originator. If a single bit of the data is altered or changed, then the signature for the changed file will be broken and reported as being "bad" when verified, whereas if the entire data file is intact and unaltered, then the exact data will be verifiably "good" upon examination with GPG software with the creator/signatory's public key.

I created a draft of this webpage in plain text (saved as an EMACS .org file) and made a video of me talking about it. I am attaching both the plain text file and the video to this webpage for download along with my public encryption key and a signature file for the video. The text document is also digitally signed ending in .asc but is essentially a plain text document. One could verify the signature of the entire document with GPG, and also a subset region of text that was also signed at a slightly earlier time. The video shows me doing this process within the text editor EMACS (set-up with GPG capabilities and on my computer that has my public/private keypair).

If someone were to make an AI generated likeness of my appearance and/or voice and create something, they will never be able to make a downloadable copy that has been signed by my GPG Key. If I create anything and want to verify that I approve of it, then I can digitally sign a copy of the file that I want others to be able to verify to provide them with proof of authenticity.

My video shows this within the actual text file (the draft of this website). I use GNU EMACS, which has the ability to highlight regions of text to sign/verify as well as encrypt/decrypt built in as a "tool" within its menu system. Below I will copy what ought to be a verifiable piece of text that is also in the draft.

A REGION OF TEXT THAT CAN BE VERIFIED WITH GPG AND MY PUBLIC KEY

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This region of text within this document has been digitally signed by GPG Key 788FE5E668F2C7EB770CA5A5A9669C4B9954E56A belonging to Steven C. Morreale, M.D./M.P.H. .

© 2024 ŝčϻ, (ÐɌ⚕ ŠŦɆɅɆ ⚜ӍʘɌɌɆѦŁɆ) Steven C. Morreale, M.D./M.P.H.  All Rights Reserved. Excerpts and modifications are prohibited.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEeI/l5mjyx+t3DKWlqWacS5lU5WoFAmWpdSYACgkQqWacS5lU
5WoK6g/9FHLtFw4VhfXu9PMJFuVz/5zFiyGA9uevOibqP3iFD9Q53LsRAhPceZFr
zAbLd6TpdzR/NLMrHmUb7vwdKmvTWVj7pBaKoZF4tNSVrhUZv+VA9OZrfNDQV3ny
DtBxezatyCccfz4TiIDw0Cu/F5mCOLL5aUIcr2yb0KkyE6lQNUWQs5WPQNgQTlHn
LlmwKTFiqq0oWN96BJVDfMh8UUExG/oujb2iN5RpU1mYD8Ou4MGTIKq1PeaML5kj
FrZUB4mzqkRYDYKbsEj+Cu2WRX46I+o6yNt2K+vThxDi6u9LlrfgdVV30ZUkJalV
qGEyVGcBCaU2A+uNj4qXgfsEk9uusDMPG0LFNnXJPVPPkA5GaRbgWtWq9QP8Eq7i
lhRNrd5dmXsP5I+hnCnCX4T3UiX9V3Hw/iClLMDsopiW5rnv5SWcWuUFFzlb6tNW
+568dY/EbINdTazv3NJHXA/+iZcqKvfRjm8pClLWQa+HqxTh8a8lZkjGTb5E3n/k
fgkcmaw/X3fKPCw+0dNuKAzzBVlshk97Lz8O5CClwe1f97F0MuQ+DWv7ZJAaa36X
bcqW/qLpNIqI+7FSJz7ov9cm/JgwDZ1s0jRWpUl3WmWbwt1p3T/4xXjZb4Nu+8oI
EuE7sAL7v5/TN/hq7OnO9h9tsmIEBVx3yPznhWVzgS8HWtihlgM=
=P+n/
-----END PGP SIGNATURE-----

One would simply copy that entire block of text including every "-----" from the beginning and at the ending of the code block. If properly done, this can be interpreted by GPG for verification as "good."

LINK TO FILES (ZIP ARCHIVE):

AI_Vs_PKI_ARCHIVE.zip (DOWNLOAD THIS FILE)

Files included in Archive:

Simply download the Archive file and UNZIP it which will create a new folder on your computer, install GNUPG, make your own KEY PAIR with a STRONG PASSPHRASE, import my Public Key (2021_788FE5E668F2C7EB770CA5A5A9669C4B9954E56A_Steven_C_Morreale_MD_MPH.asc) then practice using GNUPG (gpg) to verify the data as I did in the video.

When you verify the video you will likely see this:

gpg: Signature made Thu Jan 18 19:56:45 2024 UTC
gpg:                using RSA key 788FE5E668F2C7EB770CA5A5A9669C4B9954E56A
gpg: Good signature from "Steven C. Morreale, M.D./M.P.H. (Encrypte Even The Mundane!) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 788F E5E6 68F2 C7EB 770C  A5A5 A966 9C4B 9954 E56A

Detached Signatures

This is how to create and verify detached signatures with gpg. This was not performed in the video.
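
A worked run of the detached-signature steps, added here as an example and not taken from the original page or the video. It uses a throwaway key in a scratch keyring (the key name, file names and function names are assumptions), and checks the signer's fingerprint from gpg's status output instead of relying on the "Good signature" line, which appears even for a key marked [unknown].

```shell
#!/bin/sh
# Added example. Throwaway key in a scratch keyring; all data is constructed.

# Create a temporary GNUPGHOME holding an unprotected demo signing key.
setup_demo_key() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' \
        ed25519 sign never 2>/dev/null
}

# Print the 40-hex-digit fingerprint of the demo key.
demo_fingerprint() {
    gpg --batch --with-colons --list-keys 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# sign_detached FILE: write an ASCII-armored detached signature to FILE.asc.
sign_detached() {
    gpg --batch --yes --armor --detach-sign --output "$1.asc" "$1"
}

# verify_pinned FPR SIG FILE: succeed only when SIG is a valid signature over
# FILE and the signer's primary key fingerprint equals FPR (uppercase hex, no
# spaces). gpg's VALIDSIG status line ends with that primary fingerprint.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        awk -v want="$1" '$2 == "VALIDSIG" && $NF == want { ok = 1 }
                          END { exit !ok }'
}

# Sign a sample file, verify it, then alter it and verify again.
demo() {
    setup_demo_key || return 1
    fpr=$(demo_fingerprint)
    f="$GNUPGHOME/sample.txt"
    printf 'constructed sample contents\n' > "$f"
    sign_detached "$f" || return 1
    verify_pinned "$fpr" "$f.asc" "$f" && echo "intact file:  good"
    printf 'x' >> "$f"                      # change the file after signing
    verify_pinned "$fpr" "$f.asc" "$f" || echo "altered file: bad"
    gpgconf --kill gpg-agent 2>/dev/null    # stop the scratch agent
    rm -rf "$GNUPGHOME"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

To check a file from the archive the same way, import the public key into your own keyring and call verify_pinned with 788FE5E668F2C7EB770CA5A5A9669C4B9954E56A, the signature file, and the signed file.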

Links:

NOTES:
1 emailselfdefense.org - A great introduction to using GNUPG with Email
