Content Inauthentication

I’m a little late writing about the Z6III’s addition of C2PA (content authentication). Though Adam Horshack shared his early results with me last week, I’m still in catch-up mode coming off my summer sabbatical. 

The short version: images taken with Multiple exposure that use Select first exposure [raw] don’t check for authenticity of that raw image, meaning that you could create a raw file that’s not authenticated, use it as the base exposure, then use Multiple exposure to add nothing except for certifying the authenticity of the image. 

Obviously, that’s a convoluted thing that most people wouldn’t attempt. However, for content authentication to work, it needs to be 100% secure from edge cases that break the integrity of the system. 

The real problem here is one Nikon has been asking for, over and over again. By not having a reliable set of non-Nikon employees involved in true beta testing, you end up with what happened here: both Petapixel and dpreview wrote headline articles about the “Significant Security Vulnerability” [Petapixel headline wording]. That’s exactly the type of problem Nikon never wants the public to hear about, because people read headlines more than they do detailed marketing messages. 

And yet, this isn't the first instance of that problem, even this summer. The original Z8 3.00 firmware update produced the following Petapixel headline: “Nikon Z8’s New Firmware Borked Tamron Z-Mount Lenses”. (Yes, I’m aware that Petapixel’s headline tendency is fully click-baiting, but they are also one of the few timely sources of digital camera news, so Nikon will always have to deal with that.)

I could dig out even more examples, but just those two alone point to the problem: Nikon is delivering firmware updates before technical experts like Adam or myself have a chance to even test them. And test them, we will. Moreover, we’re not the only two doing that, so if there’s a real problem with a camera’s firmware, someone outside of Nikon is likely to find it. 

Nikon’s fears, of course, are that having an external review step would (a) slow the update process; and (b) add to leaks about upcoming plans. That Nikon has chosen to trust their own engineers, who are clearly working at the highest possible speed, says to me that Nikon views time-to-market and complete secrecy as more beneficial than having to deal with any resulting negative messages. 

As I’ve written before, juggling all the variables in keeping tech up to date and looking innovative while doing it is a balancing act. And as I’ve also written before, negative press is a friction against sales. Sometimes a strong friction.

The “fix” for the C2PA “bug” is probably pretty simple: don’t authenticate Multiple exposure images that use a Select first exposure [raw] image that isn’t already authenticated. However, because of the now visible press on the issue, this becomes a “must fix now” bug that will generate yet another firmware update in the near future, and it’s taking engineering resources off other things as Nikon makes the emergency fix. 

Nikon did this more correctly with the original Z9. They put pre-release cameras in the hands of people who’d actually put them through all their paces and do technical deep dives, including me. That’s different than putting a pre-release camera in the hands of someone who makes their money off influencing in order to get a positive release video: those folk aren’t going to point out real issues lest they lower their money making abilities and access to Nikon. 

Another problem is there isn’t a formal process by which Adam, others, or myself, can report these things when we do find them. When I identify bugs, I have to count on those being accurately relayed via a chain that starts with a product manager at NikonUSA. Moreover, in two cases, I’ve simply had to send my camera to NikonUSA to be forwarded to Nikon Japan with no direct communication between me and those assigned to look into it.

While I wrote about how Nikon was doing recently (short answer: strong growth above that of the market), imagine what that might have been without things like multiple recalls (Z8), multiple firmware problems, mismatching firmware, and more negative press. 

My view is that Nikon is hustling a little too fast while not having an external process for making sure that this won’t cause public perception issues. The Z6III problem, like all the previous problems, will be fixed, probably soon (Nikon removed the certification upon learning of the issue). But nevertheless the current headlines are a friction Nikon has to overcome. Moreover, they have to overcome them here in the US where all the prices were just reset about 10% higher than before, which is another friction. 

Given what Adam reported and the depth and breadth of his report, my response had I been in charge at Nikon would have been to immediately put him under NDA to fully test and stress the firmware fix that’s coming, and to look for other security issues. 


text and images © 2025 Thom Hogan
All Rights Reserved — the contents of this site, including but not limited to its text, illustrations, and concepts, 
 may not be utilized, directly or indirectly, to inform, train, or improve any artificial intelligence program or system. 
