There are a few practical guidelines for future-proofing and protecting against nation-state-level deepfakes. Deepfakes are now available on consumer and commercial hardware and software, so they are easily accessible today, yet many people do not know what to do when they encounter a nation-state deepfake. By nation-state-level deepfakes, we mean near-perfect fidelity that no human will quickly detect as fake, either visually or auditorily. These are not basic deepfakes: they are not something you can easily detect, even with the best AI detection software, unless you are communicating over trusted hardware. Digital transmissions should never be fully trusted, and for advanced threats an in-person check is sometimes the next best verification. Any AI model that claims to be able to detect these is selling false hope. We call them nation-state deepfakes because only a limited set of actors currently has access to them, but in the next decade they may become ubiquitous. Deepfakes at a nation-state level require datasets obtained through mass surveillance and data proliferation, combined with computing power on the scale of millions to billions to stream them in real time.
The Dangers and Risks of Deepfake Exploration
In the past, we taught students about the dangers of deepfakes, and the lesson was well received by the class. Using commercial hardware worth less than $10,000, we were able to fool the classroom and explain the dangers of deepfakes. Unfortunately, the time will come when many people have access to deepfake technology that is indistinguishable from a real person. One of the questions asked during our demonstration was how to make deepfakes, and that is a precarious situation, as there are always curious individuals who want to learn about new ideas. It is important to remind readers that while deepfakes are easy to create and use, there is significant risk to both the user and the person who is deepfaked. One might assume that by running a deepfake you are operating safely out of reach, but in reality we have seen these deepfakes create a worse situation for the deepfake operator than for the person tricked. Many users do not fully understand the dangers until it is too late and they have dug themselves into a hole they cannot get out of, which hopefully counts as another warning against using the technology carelessly. Nevertheless, understanding and experimenting with deepfake technology, with a focus on its limitations, is an important learning point for better protecting yourself.
Rethinking Detection for the Most Advanced Threats
To start, when dealing with perfect deepfake technology, you must discard all past techniques. There is no point in asking the person to perform common detection tricks, such as waving a hand in front of their face or some other technique meant to break the face-swapping logic. Instead, you will have to connect various patterns that appear subliminally throughout the interaction. Simply asking the deepfaker to make random movements puts them at an advantage: they can sense you are skeptical, which blunts the effect of later techniques. When creating these deepfakes, multiple models run milliseconds ahead of the device's output to ensure no transmission can be detected as a deepfake. This ensures that any real-time actions or inconsistent oscillations never make it through to the actual application, whether it is FaceTime, Google Meet, Teams, Zoom, or anything else. The stream is verified before it is injected into the application. Most people are used to common delays or bandwidth constraints, which can easily mask an artifact. Instead, the voice and the person seen in the video will be exactly what you expect when communicating with a real person.
The first technique for detection is basic human conversation. Sound and voice can be mimicked, but there are tones and variables in a conversation that might not match up, which is why it is key to listen for anything that sounds out of band. There is no fancy technology to sell or use, but conversing with the person will eventually lead you to a better decision point. There is a reason NIST requires human supervision for its level 3 identity verification, and this will continue to be the differentiator against the most advanced deepfakes. Deception and lying are difficult to maintain over the long term, and through a video call you can begin your initial analysis of the person to determine their intentions. An important concept is to pay attention to the questions the individual asks and to allow them to believe they are fully in control of the situation because of their greater information. When dealing with a nation-state deepfake, you can assume they have a complete understanding of your own information, but that should not distract you from the basic verification checks that follow. Typically, when someone is using a deepfake, it is for a malicious act, and that alone can help you identify the case, since they may try to extract certain information from you or direct you to take specific actions.
Human-Controlled Deepfakes vs AI Avatars
In this section, we cover the differences between human-controlled deepfakes and AI avatars. First, fully AI-operated deepfakes at the nation-state level described earlier are probably rare, as they would only work on individuals with little technical experience. Human-controlled deepfakes are still better at leveraging the situation, as the operator can respond in ways that AI still lacks sufficient data to replicate. AI avatar deepfakes, by contrast, are optimized to achieve their goal efficiently and directly. Understanding how an AI avatar operates is critical, as the line of questioning, the conversation, and more will feel very different from those of a human deepfake operator. Programming and using AI agents is a way to practice and get better at recognizing how AI reasons. AI deepfakes usually hit a wall on a certain conversation piece, which should trigger your sense that something is off. However, one key point is not to spend too long with these AI avatars, as beyond a certain point you are giving the model more training data, which will make future encounters harder to manage. It is also important to write down or remember some key aspects of the encounter, so you can instantly recall them if you suspect another AI avatar. Again, best practice is not to overtly express your suspicions but to treat the person the same way you would any other human, whether they are a deepfake or not. The key to successfully managing these encounters is to treat them like any other interaction and not overthink them, as that can lead to mistakes. Becoming flustered or agitated is exactly the response deepfake operators want, and the best way to avoid it is to stay relaxed and confident in your own capabilities, which will eventually outwit the other person.
The Ultimate Defense: Trusted Hardware Workflows
The next best option for detection starts with physically trusted hardware. Trusted hardware could be a separate camera or device locked down to a secure enclave; it could theoretically be hacked with the right tools, but doing so requires precision similar to neurosurgery. This is why recurring hardware check-ups are critical if you plan to trust the hardware in the long term. Unfortunately, only so much can be done virtually, and ultimately physical hardware is the only way to detect a remote deepfake. One key understanding of current nation-state deepfakes is that training is mostly based on frontal views of people. They are also trained mainly on the visible spectrum; if we start looking at thermal and infrared, the models do not have enough data to produce deepfakes that look consistent across different wavelengths. Current deepfake systems only need to swap out one camera feed to produce a stream that looks real. This can be turned into a defensive advantage: systems that incorporate multiple viewpoints make it much harder to keep the deepfake in sync across them. For example, an integrated system or kiosk with everything attached is a much easier target, because its outputs are predictable. If a system is fixed and cannot produce nonlinear variations that the deepfake technology has not accounted for, it will completely fail as a detector. This is why current nation-state deepfakes can be defeated using multiple cameras on trusted hardware. Each camera gets its own view of the situation, and they must reach the same conclusion about whether the stream is deepfaked. Even a partially compromised system will be out of sync with the angle another camera captures, and a single failure should result in the complete disqualification of the video session to maintain maximum feed integrity. Also, using microphones to check expected speech against sound vibrations will typically reveal any latency in deepfakes.
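One way to implement the multi-camera agreement check described above, as an added example that is not the article's own code: two calibrated cameras with a known relative pose must agree on where each facial landmark lies (the epipolar constraint), so a face swap injected into only one feed moves that view's landmarks, breaks the constraint, and the session fails closed. The landmark positions, camera rig and swap offset are constructed sample values.

```python
import math

# Constructed sample: five 3D facial landmarks (metres) in camera-1 coordinates.
LANDMARKS_3D = [(0.00, 0.00, 2.00), (-0.03, -0.05, 2.02), (0.03, -0.05, 2.02),
                (-0.025, 0.04, 2.01), (0.025, 0.04, 2.01)]
# Constructed rig: camera 2 sits 10 cm to the right of camera 1, yawed 5 degrees.
_C, _S = math.cos(math.radians(5)), math.sin(math.radians(5))
R_12 = [[_C, 0.0, _S], [0.0, 1.0, 0.0], [-_S, 0.0, _C]]
T_12 = [0.1, 0.0, 0.0]
IDENTITY, ORIGIN = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]], [0.0, 0.0, 0.0]

def skew(t):  # [t]_x, the matrix form of the cross product with t
    return [[0.0, -t[2], t[1]], [t[2], 0.0, -t[0]], [-t[1], t[0], 0.0]]
def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(3)) for j in range(3)] for i in range(3)]
def matvec(m, v):
    return [sum(m[i][k] * v[k] for k in range(3)) for i in range(3)]

def essential_matrix(R, t):
    """E = [t]_x R; genuine point pairs satisfy x2^T E x1 = 0."""
    return matmul(skew(t), R)

def project(point, R, t):
    """Rigidly transform a 3D point into a camera frame, then pinhole-project."""
    X = [sum(R[i][k] * point[k] for k in range(3)) + t[i] for i in range(3)]
    return (X[0] / X[2], X[1] / X[2])

def epipolar_residual(E, x1, x2):
    """Symmetric distance of each point to the epipolar line induced by the other."""
    h1, h2 = [x1[0], x1[1], 1.0], [x2[0], x2[1], 1.0]
    l2 = matvec(E, h1)                                                # line in camera 2
    l1 = matvec([[E[j][i] for j in range(3)] for i in range(3)], h2)  # line in camera 1
    num = abs(sum(h2[i] * l2[i] for i in range(3)))
    return num / math.hypot(l2[0], l2[1]) + num / math.hypot(l1[0], l1[1])

def session_verdict(E, view1, view2, tol=1e-3):
    """Fail closed: one landmark breaking the constraint disqualifies the session."""
    residuals = [epipolar_residual(E, a, b) for a, b in zip(view1, view2)]
    return all(r < tol for r in residuals), residuals

def demo_verdicts():
    E = essential_matrix(R_12, T_12)
    view1 = [project(p, IDENTITY, ORIGIN) for p in LANDMARKS_3D]
    view2 = [project(p, R_12, T_12) for p in LANDMARKS_3D]
    genuine_ok, _ = session_verdict(E, view1, view2)
    # Constructed injection: camera-1 feed replaced by a swapped face whose eyes and
    # mouth sit about 1 cm lower; camera 2 still sees the real face, so the views disagree.
    swapped = [view1[0]] + [(x, y + 0.005) for x, y in view1[1:]]
    tampered_ok, _ = session_verdict(E, swapped, view2)
    return genuine_ok, tampered_ok
```

The check is only as strong as the calibration and the physical isolation of the two cameras: if a single feed carries both views, the attacker can swap both consistently.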
An important check when using hardware is to ensure latency is minimal, as deepfake operators are still slower to respond if you speed up a conversation. As more deepfakes of this caliber come online, there will be even more techniques people can leverage; we have only scratched the surface with these examples. In summary, there are already tools and techniques to handle any nation-state deepfake, and leveraging a multifaceted, adaptable verification toolset will help detect these attacks earlier.