Provenance Certification for Human Authors:
A Dual-Frame Case for Process-Based Authorship Attestation

👤 Human Author Provenance Project
📅 2026  ·  🏷 Publishing · Cryptography · Digital Humanities
Developed with: Claude (Anthropic)
The human author declares no competing financial interest or funding from any commercial AI tool provider.

"It's like the new McCarthyism. It's just crazy. People are demanding proof of something that can't be proven."[1] — Sarah Suzuki, copywriter, quoted in Te-Ping Chen, The Wall Street Journal, May 6, 2026. By spring 2026, writers were deliberately introducing typos, casual language, and em dash avoidance to evade armchair AI detectors — the arms race this paper argues is structurally unwinnable.
"I watched a freshman I knew sign the declaration that he'd done his homework without A.I. as ChatGPT was still open in the next window"[2] — Theo Baker, Stanford senior, The New York Times, May 17, 2026. In April 2026, Stanford reinstated in-person proctored exams after a century-long ban — abandoning an honor system that AI had made structurally untenable.

These two scenes — a professional writer unable to prove her own innocence, and a student signing a declaration he knows to be false — are not separate problems. They are the same problem seen from opposite sides of the same broken system. There is no way to tell who did what. This paper proposes a remedy.

The remedy is a small free desktop app. If you want to skip the paper and try it, the download page has per-OS installers and a first-run walkthrough.
↓ Download AuthorAware

The Problem — Part A: The Author's Dilemma

Large language models can now write — and write convincingly. A user can generate a plausible manuscript with minimal creative input, or produce text in the style of a real author and attribute it to them. The technology is a remarkable invention; it is also, for publishing, a genuine credibility problem. Post-hoc detection tools have emerged to address this, and they do useful work — but they operate probabilistically, are sensitive to writing style and native language, and cannot be made reliable — the error rate is a structural property, not an engineering problem to be solved. More fundamentally: the author owns none of it. The detector is someone else's black box. Its verdict is someone else's output. If your work is flagged, you have no record of your own, no counter-evidence, no standing. They answer a question about the output — and they answer it unreliably. Detection cannot see inside the writing session, and attest to what the actual process was. It can only guess from the finished page.

Things have now escalated substantially to the point where the entire ecosystem of authorship and attribution is imploding, and fast. The previous attempts to solve the problem, based on detection, are fighting a losing battle in an arms race they cannot win. AI was born to simulate a human. Any author can easily purchase tools from opportunistic adversarial entrepreneurs who correctly see an economic opportunity, regardless of the ethics or morality considerations, and without considering the impacts on honest authors and the entire economic and creative ecosystem. AI also gives such an entrepreneur the ability to engineer and update these products without years of technical training, in almost real time. Barring some breakthrough in AI contribution detection, a completely new approach may be needed.

The Problem — Part B: The Institutional Collapse

The author's problem — being unable to prove innocence — has a mirror image on the institutional side: an inability to assume guilt is absent. For a century, Stanford University maintained an honor system premised on trusting students not to cheat. In April 2026, the university reinstated in-person proctored exams for the first time in that century, returning to handwritten blue books as the only reliable guarantee of authorship.[2] The honor system did not collapse because students became less honorable between 2022 and 2024. It collapsed because the cost-benefit of cheating inverted overnight. AI made cheating easier than not cheating — faster, better, available at 2am in a dorm room, completely undetectable by existing systems — while the reward (grade, credential, competitive advantage) stayed the same. That is not a moral failure. It is a rational response to an irrational incentive structure.

The institutional response — in-person proctoring — is expensive, unscalable, and returns to a nineteenth-century solution. It treats a structural problem with a logistical patch. More importantly, it does nothing for the professional context: publishers, prize committees, grant agencies, and platforms cannot fly every author in for a supervised writing session. The institutional side of this problem has no current solution that works at the scale and asynchrony at which human creative labour actually operates.

What both sides share is an absence: there is no record of the writing process. Detection operates on output. It cannot see inside the session. An author who sat down and wrote 3,000 words over four hours, revised them seventeen times, and consulted an AI for two factual queries produces a document that is indistinguishable — to any post-hoc detector — from a document generated entirely by a language model and pasted into a submission form. The credential that would distinguish them does not exist. This paper proposes to create it.

Our Solution

The resulting credential is a verifiable record of the process: that a human sat at a keyboard, typed this text, revised it in this sequence, over this much time. It makes no claim about quality, and it does not preclude AI assistance being noted separately. The system is opt-in and asks something real of authors — they must write in a specific environment. AuthorAware is designed to make that ask as light as possible: browser-based, no account, no server, nothing transmitted. We present the system architecture, discuss threat models and limitations, and propose an open credential standard.

AuthorAware is free, available to all, and requires minimal OpEx to remain effective — there is no server to maintain, no infrastructure to scale. That changes only if fundamental advances in computing require migration to post-quantum hash standards, which SHA-256 is, among common cryptographic primitives, relatively well-positioned to survive.

The Architecture A Self-Verifying Credential, Cosigned by GitHub

The whole product rests on one move: a SHA-256 hash chain of every keystroke session, anchored to GitHub at attestation time. The chain is self-verifying — the math either resolves or it doesn't — and the timestamp is borrowed from infrastructure neither author nor publisher can rewrite. No server. No account at AuthorAware. No trust placed in us. The credential travels with the manuscript.

What a basic-tier credential produces — self-verifying, GitHub-cosigned
Manuscript attest AUTHOR AWARE Any browser Recording Attestation { chain: a3f9…c12e 7d2a…88bf } credential.json commit GitHub Timestamped commit Unalterable record Cloud record PUBLISHER ✓ verify AI usage if · how much · for what AUTHOR ◎ rebut false accusations tamper-evident process log
The credential travels with the manuscript — email it, QR-code it on the copyright page, submit it alongside your work. Connecting a GitHub account delivers two things at once: rapid publisher verification — a clear record of whether, how much, and for what purpose AI was used as a creative aid, readable by any editor or committee in any browser; and a foolproof defense against false AI detector accusations — a tamper-evident process log that cannot be constructed after the fact, giving authors standing to contest any automated verdict.
For the Writer

What you actually get

AuthorAware exists because a new standard is being imposed on writers — not one they asked for. We built the compliance layer to be invisible. Everything around it is designed to be genuinely delightful.

A writing surface that feels like yours.
  • We have been stuck with things like this.
  • Ditch the toolbars and functions and formatting.
  • This is just creativity.
  • Make your writing surface your own.
A typical word-processor screen — toolbars, ribbon, formatting options crowding the page
↓ try it
The Writing Environment — live. This is the actual application running in your browser: every keystroke is logged, SHA-256 attestation chains are computed locally, and no data leaves your machine. Click into the editor and begin writing. Use the ◈ Visual menu to adjust appearance — font, theme, background, and frame — and the ⋯ Tools menu to access AI chat, backups, and guides. Click Attest Checkpoint at any time to seal the current session into the provenance ledger.

Trust Tiers — Scaling the Evidentiary Standard

A single credential standard cannot serve every context. A blogger establishing that they wrote a post under their own name requires far less evidentiary weight than a doctoral student defending a dissertation or a journalist submitting investigative work to a prize committee. AuthorAware therefore implements a three-tier model that scales the evidence captured to the stakes of the claim.

Basic tier records keystroke timing and produces a composition authenticity score — a 0–1 measure derived from four signals in the keystroke record: the coefficient of variation of inter-keystroke intervals (high variance indicates thinking pauses characteristic of live composition, rather than the steady rhythm of transcription); the revision ratio (the proportion of keystrokes that are deletions and rewrites); the frequency of thinking pauses longer than three seconds; and non-linear cursor repositioning (jumping back to revise earlier text). Genuine composition and careful transcription of AI-generated text produce measurably different process signatures — a finding supported by two decades of writing process research.[3] The score travels with the credential; it is evidence, not a gate.

Verified tier adds continuous screen capture via the browser's native getDisplayMedia API — no software installation, no server. A SHA-256 hash of each video segment is sealed into the checkpoint chain and committed to GitHub at attestation time, providing a server-side timestamp on the visual record. The video stays local. Only the hash is exported — the author retains control of the footage, presenting it only if a claim is challenged. This tier directly closes the "other tab" attack: screen capture would visibly record any AI assistant open alongside the writing environment.

Proctored tier adds webcam capture alongside screen recording, at 1fps encoded as H.264 — the functional equivalent of in-person proctoring, but asynchronous, self-administered, and privacy-preserving (camera footage never leaves the author's machine without explicit export). A full year of four-hour daily writing sessions produces approximately 6GB of video, compressible to roughly the cost of a coffee via services such as Backblaze B2. Both video hashes are committed to GitHub; the files can optionally be stored to GitHub LFS or any S3-compatible bucket.

Critically, none of these tiers require a server, an account, or any trust placed in AuthorAware or its authors. The credential is self-verifiable: the math either checks out or it does not, and checking it requires nothing but arithmetic. The tier is sealed into the session signature at the first keystroke of each session and cannot be changed retroactively.

Future Directions

Relative contribution analysis — a standard for measuring how much was human vs AI

The present system certifies human presence and effort during composition. It does not quantify the relative contribution of human versus AI to the final text — the fraction of words typed versus generated, the fraction of ideas originated versus prompted. This is a harder problem, and one that requires not just a tool but a standard: agreed definitions of what constitutes AI contribution, how hybrid authorship is measured, and how to express the result in a form that consumers, institutions, and regulators can interpret consistently. Meaningful disclosure along these lines is analogous to nutritional labelling — the value comes not from any individual label but from the standardisation that makes comparison possible. We propose this as a priority for an open standards process, noting that the evidentiary infrastructure AuthorAware already provides — a timestamped record of every AI exchange alongside the keystroke log — is precisely the data such a standard would require.

Consumer protection and disclosure — an author-side credential that platforms can accept

Recent empirical work documents the scale of the downstream problem: the number of new e-books published weekly has nearly tripled since November 2022, with more than half of all new titles now containing AI-generated text; roughly a third of new web content in a given month is partly or wholly machine-generated; AI-generated tracks now constitute over forty percent of daily music uploads on major streaming platforms.[4] The platforms responding to this — Spotify with "real artist" badges, Deezer removing AI-generated tracks from curated playlists, arXiv tightening submission requirements — are doing so through detection, which this paper argues is structurally insufficient. Author-side credentials provide an alternative foundation: a publisher, platform, or regulator accepting HAP credentials could offer verified human-authorship certification without relying on post-hoc detection at all. This creates a market for the credential independent of any specific dispute — and addresses not only fraud but the ambient consumer anxiety that AI content, unannounced, is displacing the human effort that was the assumed basis of value in the transaction.

Cross-domain application — the same infrastructure, in law, science, finance, policy

The present paper focuses on literary and academic authorship, but the credentialing problem is not domain-specific. Legal documents — the surge in AI-assisted self-represented litigation has already begun straining federal court systems[4] — carry an implicit claim of human advocacy that is increasingly unverifiable. Scientific papers, financial analyses, policy submissions, and regulatory filings share the same structure: an authority claim premised on human intellectual effort that AI can now simulate at scale. The technical architecture of AuthorAware generalises to any of these contexts. Domain-specific attestation standards would be required, but the underlying infrastructure — keystroke chain, cryptographic hash, trusted timestamp, exportable credential — is identical.

Author Contribution Statement

The author used AI extensively in this project and this communication. The author declares no financial support from any company.


References

  1. Chen, T.-P. (2026, May 6). Writers Are Going to Extremes to Prove They Didn't Use AI. The Wall Street Journal.
  2. Baker, T. (2026, May 17). What A.I. Did to My College Class. The New York Times.
  3. Leijten, M., & Van Waes, L. (2013). Keystroke logging in writing research: Using Inputlog to analyze and visualize writing processes. Written Communication, 30(3), 358–392.
  4. Schaul, K. (2026, May 20). These 5 charts show how ChatGPT is flooding our lives. The Washington Post. Data sources cited include: Waldfogel et al. (NBER) on e-book publication rates; Shah & Levy (MIT/USC) on self-represented litigation; Deezer internal data on AI-generated music; Imperial College London / Internet Archive / Stanford on AI web content.

Appendix — The Attestation Chain Protocol

The diagram below details the cryptographic chaining protocol underlying the Human Author Provenance credential. Each attested checkpoint seals a SHA-256 hash of the current content alongside session statistics and the previous entry's signature, forming an immutable chain that cannot be reordered, truncated, or modified without breaking verification.

The diagram below details the cryptographic chaining protocol underlying the Human Author Provenance credential. Each attested checkpoint seals a SHA-256 hash of the current content alongside session statistics and the previous entry's signature, forming an immutable chain that cannot be reordered, truncated, or modified without breaking verification.

1. Compose 2. Attest (repeat) 3. Final checkpoint 4. Verify AUTHORCONSOLE Records: · keystrokes + timing · edits / pastes / idles · author attestations attest Checkpoint #1 content_hash: sha256(text) session_stats: keystrokes, duration… prev_hash: signature: H(c+s+prev) chains Checkpoint #n content_hash: sha256(text) session_stats: keystrokes, duration… prev_hash: H(#n-1) signature: H(c+s+prev) export Credential JSON file + tool attribution + full chain self-verifiable Publisher Verifier recomputes chain ✓ VALID Any modification breaks chain integrity — altering one entry invalidates all subsequent entries

Click to enlarge

Appendix Figure. The Human Author Provenance attestation protocol. Authors compose in AuthorAware; each attested checkpoint seals a SHA-256 hash of the current content alongside session statistics and the previous checkpoint's signature. The resulting chain cannot be reordered, truncated, or modified without breaking verification. The exported credential JSON is self-verifiable by any party — no server required.
🌐 Translate this paper
Sections Expand all