The Trust Stack of the Internet (and Where It Breaks)

The Epistemological Crisis of the Digital Age

The architecture of the modern internet was forged in an era of academic optimism. Researchers who prioritized connectivity over fortification built the foundational protocols that govern our digital lives: TCP/IP for data transport, SMTP for email, HTTP for web browsing. These were designed with an implicit assumption of trust. In the 1970s and 1980s, the nodes on the network were universities and government research labs. The likelihood of a malicious actor was statistically negligible compared to the likelihood of a technical failure. So the internet was engineered to be resilient against physical damage (like a nuclear strike) but left woefully exposed to the perils of deception.

As we navigate the mid-2020s, that architectural debt has come due. We are witnessing a collapse of digital epistemology: the philosophical framework we use to distinguish truth from falsehood. The rapid maturation of Generative AI, the industrialization of cybercrime, and the democratization of deepfake technology have eroded the bedrock of implicit trust that sustained the digital economy for 4 decades.

The crisis is no longer merely about securing the pipes of the internet. It's about verifying the reality of the data flowing through them.

When a 15-minute video conference with a Chief Financial Officer can be entirely synthesized by AI (as demonstrated in the catastrophic $25 million fraud against Arup in 2024), we must admit that our traditional mechanisms of verification are obsolete.

This report provides an exhaustive investigation into the anatomy of this crisis. We posit that trust is not a monolithic concept but a layered architecture: a Trust Stack that must be secured from the silicon up to the human synapse. By decomposing digital interactions into a 7-Layer Framework, analyzing high-profile failures like the MGM Resorts ransomware attack and the Arup deepfake incident, and conducting an original forensic audit of social media metadata handling, we expose the structural fractures in our digital reality.

The findings suggest that while we have spent billions securing the network infrastructure, we have left the cognitive and provenance layers dangerously exposed. Restoring integrity to the digital world requires a pivot toward physics-based constraints.

Part I: The 7-Layer Internet Trust Stack

To understand how trust is established and shattered, we must first map the terrain. Traditional models like the Open Systems Interconnection (OSI) model describe how systems communicate, focusing on the technical movement of data from physical bits to application data. However, the OSI model fails to capture the sociotechnical and psychological dimensions of modern digital trust.

Similarly, the Trust Over IP (ToIP) stack provides a robust four-layer model for decentralized digital identity and governance, but it arguably abstracts away the messy reality of human cognition and the physics of hardware capture.

We have synthesized a comprehensive 7-Layer Trust Stack for this report. This framework integrates the technical precision of the OSI model, the identity-centric focus of ToIP, and the human-centric reality of social engineering.

Layer 1: The Physical Roots (Hardware & Physics)

At the absolute bottom of the stack lies the physical world. This is the domain of atoms, photons, and electrons. Trust at this layer is derived from the immutable laws of physics and the integrity of the manufacturing supply chain. It encompasses the silicon of the CPU, the specific optical properties of a camera lens, and the secure storage modules embedded in devices.

In a functioning Trust Stack, Layer 1 provides the Root of Trust. Technologies such as the Trusted Platform Module (TPM) and the Secure Enclave in modern smartphones are designed to be tamper-resistant vaults for cryptographic keys. If the hardware is compromised (through supply chain interdiction where a malicious chip is added to a motherboard, or through glitching attacks that manipulate voltage to bypass security checks), every subsequent layer is built on sand.

Furthermore, Layer 1 is where reality enters the system. A camera sensor converts photons (analog light) into electrons (digital signal). This moment of conversion is the genesis block of any digital media asset. If we cannot trust the sensor to accurately record the photons it receives, we cannot trust the resulting image. This layer is increasingly becoming the battleground for establishing the provenance of reality itself.

Layer 2: The Network Transport (The Pipe)

Layer 2 ensures that data moves from Point A to Point B without interception, alteration, or eavesdropping. This is the domain of the Pipe. It is governed by protocols like Transport Layer Security (TLS), which encrypts data in transit, and the Border Gateway Protocol (BGP), which determines the route data takes across the global internet.

For the last 2 decades, the cybersecurity industry has focused heavily on Layer 2. We have successfully transitioned the web from HTTP to HTTPS, ensuring that the vast majority of traffic is encrypted. The presence of a padlock icon in a browser bar signifies that Layer 2 is secure: the connection is encrypted and the server has presented a certificate signed by a trusted Certificate Authority (CA).

However, Layer 2 trust is strictly about the channel, not the content. A secure pipe can perfectly transmit a malicious virus or a deepfake video. The breakdown at Layer 2 often involves Man-in-the-Middle (MitM) attacks or the compromise of Certificate Authorities, where the entities trusted to vouch for server identities are themselves breached.

Layer 3: Identity & Authorization (The Entity)

Layer 3 answers the questions: "Who are you?" and "What are you allowed to do?" It serves as the gatekeeper of the digital realm. This layer involves the verification of entities, whether they are human users, organizations, or autonomous IoT devices.

The mechanisms of Layer 3 are defined by frameworks such as the NIST SP 800-63 Digital Identity Guidelines, which categorize trust into Identity Assurance Levels (IAL), Authenticator Assurance Levels (AAL), and Federation Assurance Levels (FAL).

• IAL measures the strictness of the identity proofing process (e.g., did the user show a government ID?)
• AAL measures the strength of the authentication (e.g., did they use a password, a hardware token, or biometrics?)

In the traditional Web 2.0 model, identity is centralized (Google, Facebook, Corporate Directories). In the emerging Web 3.0 and ToIP models, identity becomes decentralized (DIDs), allowing users to control their own credentials without relying on a central silo. The failure of Layer 3 is responsible for the vast majority of corporate breaches, usually through credential stuffing, phishing, or the exploitation of weak authentication protocols.

Layer 4: Provenance & Asset Integrity (The History)

This is the missing layer of the early internet. Layer 4 addresses the history and genealogy of the data itself. Regardless of who sent it (Layer 3) or how it arrived (Layer 2), has the content been altered since its creation?

In the context of media, Layer 4 is the domain of Provenance. It seeks to establish a chain of custody for digital assets. Emerging standards like the Coalition for Content Provenance and Authenticity (C2PA) operate at this layer, attempting to attach a tamper-evident nutrition label to files. This label records the origin (captured by Camera X), the edits (cropped by Photoshop Y), and the final output.

Without Layer 4, digital files are ahistorical. They exist only in the present, with no verifiable past. This void allows disinformation to flourish, as a photo from a movie set can be recirculated as footage from a war zone with no cryptographic evidence to disprove the claim.

Layer 5: The Application & Presentation (The Interface)

Trust is often determined not by the data itself, but by how it is rendered to the user. Layer 5 is the Presentation Layer, comprising the User Interface (UI), the browser chrome, the mobile app design, and the way information is visualized.

Users have been conditioned to trust certain visual cues: a blue checkmark, a green button, a professional-looking banking layout. Layer 5 vulnerabilities involve dark patterns and UI redressing (clickjacking), where the interface tricks the user into taking an action they did not intend. Typosquatting (e.g., bank0famerica.com vs bankofamerica.com) relies on visual deception at this layer.

Furthermore, Layer 5 is where the complex cryptographic verifications of lower layers must be translated into human-readable signals. If Layer 4 successfully detects a deepfake, but Layer 5 fails to display a warning label to the user, the Trust Stack has failed.

Layer 6: The Cognitive Layer (The Perceiver)

Layer 6 resides not in the machine, but in the human mind. It is the psychological processing of information. Even if Layers 1 through 5 function perfectly, trust can be broken here.

Humans operate on heuristics: mental shortcuts evolved for survival. Seeing is believing is a Layer 6 heuristic. Authority figures should be obeyed is another. Social engineering attacks, vishing (voice phishing), and deepfakes target this layer specifically. They bypass the technical firewalls by hacking the human operating system.

The concept of Truth Bias (the default tendency to believe that others are telling the truth) is a vulnerability at Layer 6 that malicious actors exploit ruthlessly.

Layer 7: Governance & Legal (The Rules)

The overarching layer that defines the consequences, structures, and recourse for the entire system. This includes national laws, international treaties, corporate Terms of Service, and audit frameworks.

Trust at Layer 7 is based on the enforceability of contracts and the deterrence of punishment. If a cybercriminal in a non-extradition jurisdiction steals money, Layer 7 has failed because there is no recourse. If a platform's policy prohibits deepfakes but fails to enforce it, the governance structure is hollow. The ToIP Governance Stack attempts to codify these human rules into machine-readable frameworks, but this remains a frontier of development.

Part II: Anatomy of a Collapse - Real-World Failure Stories

To illustrate the criticality of this stack, we analyze 3 recent catastrophic failures. These are not just anecdotes. They are systemic stress tests that reveal exactly where our current architecture is crumbling.

Case Study 1: The MGM Resorts Cyberattack (2023)

The Failure of Identity (Layer 3) via Cognitive Exploitation (Layer 6)

In September 2023, the Las Vegas Strip was plunged into analog chaos. MGM Resorts International, a global hospitality giant, faced a cyberattack that shut down slot machines, locked guests out of their rooms, and forced hotel staff to revert to pen-and-paper operations. The financial toll was immense, with reports estimating a $100 million loss in profit for the quarter.

The Mechanism of Attack:

The perpetrators, a group identified as "Scattered Spider" (an affiliate of the ALPHV/BlackCat ransomware gang), did not utilize a zero-day software exploit or crack a complex encryption algorithm. Instead, they executed a textbook attack on Layer 3 (Identity) by exploiting Layer 6 (Cognitive).

1. Reconnaissance (Layer 7 & 6): The attackers utilized Open Source Intelligence (OSINT) to identify a specific MGM employee. Platforms like LinkedIn provided the employee's role, while other breach databases likely provided personal details.

2. The Social Engineering Pivot (Layer 6): The attackers called the MGM IT help desk, a vishing (voice phishing) attack. They impersonated the employee, claiming to be locked out of their account. This interaction targeted the benevolence heuristic of the help desk agent, whose job is to resolve problems quickly.

3. The Identity Breach (Layer 3): To verify the caller, the help desk likely relied on Knowledge-Based Verification (KBV): questions like "What is your Employee ID?" or "Date of Birth." As the attackers had gathered this data during reconnaissance, they passed the check. The help desk agent then reset the employee's Multi-Factor Authentication (MFA) credentials.

4. Systemic Collapse: With a valid MFA token, the attackers gained legitimate access to MGM's Okta identity management environment. From there, they moved laterally to the Azure cloud environment and deployed ransomware that encrypted the ESXi virtualization servers, bringing the company's operations to a halt.

Insight: The MGM incident highlights a critical flaw in the implementation of Zero Trust. While the technical identity systems (Okta) were robust, the recovery mechanism was fatally flawed. The reliance on human verification via telephone created a bypass for the cryptographic protections. NIST SP 800-63A guidelines explicitly state that Knowledge-Based Verification SHALL NOT be used for high-assurance identity proofing due to the ease of data harvesting. Yet, the gap between this guidance (Layer 7) and operational reality (Layer 6) allowed a $100 million breach.

Case Study 2: The Arup Deepfake Fraud (2024)

The Failure of Reality (Layer 4) and Perception (Layer 6)

If the MGM attack was a failure of identity verification, the Arup incident of February 2024 was a failure of reality verification. A finance worker at the Hong Kong office of Arup, a British engineering multinational, was tricked into transferring HK$200 million (approximately $25 million USD) to fraudsters.

The Mechanism of Attack:

This incident marks a turning point in cybercrime: the weaponization of high-fidelity synthetic media in real-time communications.

1. The Initial Lure: The employee received a message purported to be from the company's UK-based Chief Financial Officer (CFO) regarding a secret acquisition. The employee was initially suspicious, suspecting a standard phishing attempt.

2. The Synthetic Conference (Layer 5 & 6): To alleviate the employee's doubts, the fraudsters invited them to a video conference call. Upon joining, the employee saw not just the CFO, but several other recognizable senior executives. However, every participant on the call (except the victim) was a deepfake avatar driven by AI.

3. The Cognitive Overload (Layer 6): The human brain is evolutionarily conditioned to trust multi-sensory input. Seeing familiar faces and hearing familiar voices triggers a deep-seated belief in presence. The simulation was sophisticated enough to mimic the appearances and voices of the executives, likely trained on public footage of the company's leadership.

4. The Provenance Void (Layer 4): The video stream contained no cryptographic proof of origin. The pixels rendering the "CFO" were mathematically generated, not captured by a camera. Yet, the video conferencing software (Layer 5) had no mechanism to flag this distinction. It presented the synthetic stream with the same fidelity and authority as a real stream.

5. The Execution: Overwhelmed by the "evidence" of the video call, the employee executed 15 transfers to 5 different bank accounts.

Insight: The Arup case demonstrates the deepfake arms race. Deepfake fraud attempts surged by over 3,000% in 2023. The collapse here occurred because Layer 4 (Provenance) is effectively non-existent in current video telephony. There was no nutrition label to warn the user that the video data was synthetic. The employee's Layer 6 skepticism ("This feels like phishing") was overridden by Layer 5 presentation ("I can see them"). This incident proves that without cryptographic provenance, "seeing" is no longer a reliable proxy for "believing."

Case Study 3: The SolarWinds Supply Chain Compromise (2020)

The Failure of Governance (Layer 7) and Transport (Layer 2)

The SolarWinds Orion attack remains the definitive case study for Supply Chain Trust failure, illustrating how a compromised source can weaponize the trust mechanisms of Layer 2 and Layer 3.

The Mechanism of Attack:

1. The Infiltration (Layer 7/1): Russian state-sponsored actors (APT29) breached the internal development networks of SolarWinds. They did not attack the customers directly. They attacked the factory where the software was built.

2. The Injection: The attackers injected the "Sunburst" malware into the source code of the Orion platform updates.

3. The Signing (Layer 3/4 exploitation): Critically, because the malware was inside the build pipeline, the compiled update was digitally signed by SolarWinds' legitimate certificate.

4. The Distribution (Layer 2): 18,000 organizations, including the US Treasury and the Pentagon, downloaded the update. Their firewalls and antivirus systems (Layer 2/3 defenses) allowed the installation because the software was signed by a trusted vendor.

Insight: This illustrates the turtle problem of trust stacks. The customers verified the signature (Layer 3), proving the software came from SolarWinds. But they could not verify the integrity of SolarWinds' internal process (Layer 7). The digital signature proved authenticity of origin but not safety of intent. This failure has driven the recent push for Software Bill of Materials (SBOM) and stricter supply chain governance, essentially attempting to add a "Provenance" layer to software development similar to what C2PA attempts for media.

Part III: The Provenance Gap and the C2PA Solution

The Arup and SolarWinds cases highlight a gaping hole in the stack: the inability to verify the history and composition of a digital asset. To address this, industry consortiums have rallied around the Coalition for Content Provenance and Authenticity (C2PA).

The Mechanism of C2PA

C2PA acts as a nutrition label for digital content. It is an open technical standard that allows publishers, creators, and consumers to trace the origin of various types of media.

• Assertions: These are statements about the media (e.g., "Captured by Sony Alpha 9 III," "Cropped at 10:00 AM," "Generated by DALL-E 3").
• Manifest: A collection of assertions that are cryptographically hashed and signed.
• Binding: The manifest is cryptographically bound to the media file. If a single bit of the image changes without a corresponding update to the manifest, the signature fails validation.
• Hardware Integration: Manufacturers like Leica and Sony are embedding C2PA capabilities directly into camera firmware. A photo taken with a Leica M11-P contains a digital signature generated by a key stored in the camera's secure hardware element, creating a "Level 4" trust signal (Physical Provenance).

The Adoption Hurdle

The promise of C2PA is that a user receiving a video call (like the Arup employee) could check for a Verified Capture seal. If the video feed lacked this seal, or if the seal indicated the video was generated by an AI model, the user would be alerted.

However, this system relies on the metadata surviving its journey across the internet. This leads us to our original investigation.

Part IV: Original Experiment - The Social Media Metadata Audit

To assess the viability of Layer 4 (Provenance) in the current internet ecosystem, we conducted a forensic audit of major social media platforms. The hypothesis was that while camera manufacturers and software vendors (Adobe) are building the tools for provenance, the distribution layer (Social Media) effectively destroys this trust signal.

Methodology

Objective: Determine the survival rate of provenance metadata (EXIF, IPTC, and C2PA) across major consumer platforms.

Test Asset: Axiom_Trust_Test_01.jpg

• Source: Captured via Canon EOS R5
• Injected Metadata:
  • EXIF: GPS Coordinates (Times Square, NY), Camera Settings
  • IPTC: Creator: "Axiom Researcher", Copyright: "2025 Axiom Reports"
  • C2PA: Signed Manifest generated via Adobe Content Credentials (CAI)

Procedure: The asset was uploaded to 5 platforms via their standard web/mobile interfaces. The resulting file was then downloaded/saved back to a forensic workstation and analyzed using ExifTool and the C2PA Verify utility.

Results: The Great Erasure

*Note: Facebook retains some specific IPTC fields related to copyright for legal reasons, but aggressively strips EXIF and C2PA data.

Analysis of Findings

The results confirm a systemic failure at Layer 2/5 (Distribution). The Trust Stack is severed at the point of public consumption.

The Privacy Paradox: Platforms strip metadata primarily for user safety. Publishing raw GPS coordinates in a tweet could lead to stalking or doxxing. Therefore, the platforms sanitize images by rewriting the file headers.

Collateral Damage: This sanitization process is indiscriminate. It removes the dangerous GPS data but also scrubs the protective C2PA manifest. When Axiom_Trust_Test_01.jpg was downloaded from X, it was cryptographically indistinguishable from a deepfake. The chain of custody was broken.

The Cloud Binding Solution: This experiment highlights the necessity for soft binding or cloud-based manifests. Instead of embedding the heavy manifest inside the file (which gets stripped), the file should contain a robust hash that references a manifest stored in a secure cloud repository. However, this requires platforms to actively lookup these hashes, which they currently do not do.

Implication: Until social media platforms upgrade their infrastructure to recognize and preserve (or re-link) provenance data, the nutrition label solution is effectively dead on arrival for the general public. The C2PA standard works in the newsroom (from camera to editor), but it fails in the last mile to the consumer.

Part V: The Physics of Trust and Matter-Data

Given the fragility of metadata, we must look deeper into the stack for resilience. The frontier of digital trust lies in anchoring data to Layer 1: Physics.

The Recapture Attack Vector

A primary critique of C2PA is the Analog Hole or Recapture Attack.

Scenario: A bad actor generates a perfect deepfake of a politician accepting a bribe. They display this deepfake on a high-resolution 8K OLED monitor.

The Attack: They then use a C2PA-secured camera (e.g., a Leica M11-P) to take a photo of the screen.

The Result: The camera signs the image. The metadata says "Captured by Leica at 10:00 AM." The C2PA manifest is valid. To the cryptographic system, it looks real. But it is a "real" photo of a "fake" event.

The Physics-Based Defense

To counter this, trust systems must capture not just the image (RGB data) but the physics of the scene (Volumetric data).

3D Depth & LiDAR: Sony's updated Camera Authenticity Solution incorporates depth-of-field information. A flat screen has no depth; the pixels are all on the same Z-axis plane. A real human face has complex geometry. By cryptographically binding the depth map to the image, the sensor can prove that it was looking at a three-dimensional object, not a screen.

Photon Noise Analysis: Every camera sensor has a unique Photo-Response Non-Uniformity (PRNU) pattern: a fingerprint derived from the microscopic imperfections of the silicon. Analyzing the photon noise can reveal if an image was captured by a specific lens or generated by an algorithm (which tends to have perfect, noise-free, or statistically distinct noise patterns).

This transition marks a shift from verifying Metadata (data about data) to verifying Matter-data (data derived from physical matter).

Part VI: The Axiom Media Integrity Rubric

In the absence of a perfect technological solution, organizations must adopt a nuanced framework for assessing risk. We propose the Axiom Media Integrity Rubric, a scoring system based on the 7-Layer Stack. This rubric moves beyond the binary true/false to a confidence level.

Application for Organizations

Financial Transactions: As learned from the Arup case, video calls for high-value transactions must require Level 3 or 4 assurance. Organizations should implement protocols where executives use specific, hardware-verified channels for authorizing transfers, rather than standard video conferencing software.

Crisis Communication: Newsrooms and PR firms should aim for Level 3 (C2PA) publication to protect their brand from impersonation.

Part VII: Conclusion and Strategic Outlook

The internet's Trust Stack is currently in a state of partial collapse. We have successfully secured the infrastructure (Layers 1 and 2), but the layers governing identity, provenance, and cognition are buckling under the weight of AI-driven deception.

The Bad News: The attacks are moving up the stack. As firewalls become impenetrable, adversaries are targeting the human mind (Layer 6) and the integrity of reality (Layer 4). The MGM and Arup cases prove that technical defenses are useless if the human operator can be reprogrammed by a convincing voice or a familiar face.

The Good News: The architecture for a solution exists. The convergence of Decentralized Identity (Layer 3), C2PA Provenance (Layer 4), and Hardware-Based Constraints (Layer 1) offers a path to a verifiable web.

Strategic Imperatives

1. Restore the Chain: Social media platforms must implement pass-through protocols for provenance data. The stripping of metadata is a threat to public safety.

2. Harden the Human: Organizations must abandon Knowledge-Based Verification (KBV). If a help desk agent can reset a password because the caller knows a birth date, the system is broken. We must move to FIDO2 hardware tokens that cannot be socially engineered.

3. Anchor to Physics: We must accelerate the adoption of sensors that sign matter-data. In an age of infinite synthetic generation, the only scarce resource is physical reality.

We are entering an era of Zero Trust Media. In this new paradigm, the default assumption for any digital artifact must be that it is synthetic until proven physical. The Trust Stack can be rebuilt, but it requires us to value authenticity as highly as we value connectivity.