Three Tiers of Credibility

Capture Integrity Score (CIS)

Every verified capture gets one. Score from 0–100, derived from device attestation, sensor coherence, location verification, and timestamp freshness. This is the daily-driver shareable badge.

Label: CAPTURE INTEGRITY 87/100

Claim: "This was recorded on a real phone, in a real place, at the time the witness says."

Parallax Confirmed

Awarded when two or more independent devices captured the same moment from different angles within the cluster window (100m / 10 minutes). This is the journalism-grade upgrade.

Label: PARALLAX CONFIRMED — 3 INDEPENDENT WITNESSES

Claim: "Multiple unaffiliated devices recorded this from different positions. Staging would have required coordinating across independent witnesses."

Consequence Verified

Awarded when consequence checks pass at +6h, +24h, +72h after capture. This is the slow-cooked, evidence-grade tier.

Label: CONSEQUENCE VERIFIED — CORROBORATED OVER 72H

Claim: "The moment captured was real enough to leave traces in other independent records — news reports, parallel captures, official acknowledgments."

The tiers nest: every Parallax Confirmed capture also has a CIS. Every Consequence Verified capture is also Parallax Confirmed.

The verification pipeline

Most platforms ask one question about a video or photo: “Did this come from a real camera?” The honest answer is “I can’t tell” — anyone can hold a phone up to a screen.

Parallax verifies four things instead: genuine device, sensor coherence, location verification, timestamp freshness. Each capture immediately gets a Capture Integrity Score (CIS 0-100). Individual captures are first-class and immediately shareable.

When multiple independent witnesses capture the same event, those videos automatically get Parallax Confirmed status. When the world responds over 72 hours as it should, captures earn Consequence Verified status. Higher credibility, no extra work.

The five layers

Layer 1 — Device Gate

The question: Did this come from a real, unmodified phone running the real Parallax app?

When you record in Parallax, your phone signs the video at the moment of capture using a private key only your phone has. Apple and Google both provide systems (App Attest, Play Integrity) that prove your phone is genuine and your app hasn’t been modified. Layer 1 verifies all of that on the server.

What can it catch? Captures from emulators, modified clients, software fakes, or phones running tampered versions of the app. None of these can produce a valid signature.

What can it NOT catch? A real phone running the real app, pointed at a TV screen. The signature is genuine; what was filmed isn’t. (That’s what Layers 2–5 are for.)

Three outcomes: - PASS — signature valid, attestation good, timestamps coherent. Capture proceeds normally. - QUARANTINE — something’s off but not a hard failure. Maybe Apple’s attestation servers are slow, or the device clock is 15 minutes off (legitimate when the phone was offline briefly). The capture is allowed in but capped at moderate composite — it can’t reach Frontline until attestation can be re-verified. - REJECT — positive failure. Invalid signature. Key mismatch. Timestamps that suggest abuse. The capture never enters the system. Logged for fraud analysis.

Why three states instead of two: A binary PASS/REJECT throws out real captures whenever Apple’s infrastructure has a hiccup. The quarantine pool means a real witness during a transient outage doesn’t get silently discarded.

Layer 2 — Sensor Coherence

The question: Does the capture’s own data make internal sense, given a real phone in a real situation?

Every capture comes bundled with a small constellation of sensor readings recorded at the same instant: GPS, accelerometer (motion), gyroscope (rotation), magnetometer (direction), ambient light, microphone background level, barometric pressure. These are like fingerprints of the physical moment.

Layer 2 is the internal check — the data has to cohere with itself, even before we ask whether it matches the world.

What it actually checks:

Timestamp coherence — the capture’s claimed time matches when the server received it (within minutes, not hours).
GPS sanity — the coordinates are real (not the “null island” 0,0 default), the accuracy is reasonable (< 100m), the position isn’t stuck repeating.
IMU jitter — real phones held by real people have micro-vibration. A perfectly motionless accelerometer signal is suspicious — phones don’t actually do that, even on a tripod. Some variance is healthy. Zero variance = score zero.
Sensor completeness — the bundle has the keys we expect; missing entire sensors is a yellow flag.

Why this matters: Faking one sensor stream is easy. Faking all of them so they’re internally consistent is much harder. A spoofed video has to invent a believable accelerometer pattern that’s neither too still nor too random, that rises and falls in plausible places. Most fakers don’t bother.

What this layer can NOT do: prove that the GPS coordinate matches the real-world location. That’s Layer 4’s job.

Layer 3 — Cluster (the credibility multiplier)

The question: Did multiple independent attested phones see the same event from different angles, at the same place and time?

This is the automatic upgrade tier — individual captures are first-class, but when multiple witnesses document the same moment, those captures get Parallax Confirmed status for higher credibility.

How it works:

When a new capture arrives, the system looks for other captures within a configurable radius of GPS distance (default 200 meters; tightens to 50m in dense urban areas where there’s lots of competing activity) and within a time window (default ±15 minutes). If it finds none, the capture is solo — it gets its CIS score and is immediately shareable. If it finds others, those captures get upgraded to Parallax Confirmed status automatically.

If it finds others, it calculates how strong the corroboration is using a formula that has three parts:

tanh(effective_size / 3) — number of independent devices, with diminishing returns. 1 device = low score. 3 devices = ~0.9 (most of the credit). 5+ devices approaches 1.0. We don’t want a flash mob with 200 phones to score infinitely better than 5 — at some point you have enough corroborators.
coherence — how tightly clustered the captures are in space. Five captures within 30 meters score higher than five captures spread across 200m. A group filming the same thing from different angles will cluster tightly.
reputation_weight — average of the participating devices’ reputations. Brand new devices contribute, but established devices that have been corroborated many times before count for more.

The three values multiply together. The result is a number between 0 and 1.

The independence check. This is the layer’s most important defense. Five phones on the same WiFi network, or five phones whose accelerometers show identical motion patterns (because they’re all in the same vehicle), or five phones uploading from the same /24 IP block — these get collapsed into one for the purposes of “unique device count.” A group of co-conspirators doesn’t get the full corroboration multiplier just by counting heads.

Diversity-weighted reputation. Reputation alone can be farmed. Two attackers could repeatedly corroborate each other in benign clusters and build up reputation, then deploy that reputation to fake an event. To close this attack, reputation is multiplied by a diversity factor — how many DIFFERENT independent devices a given device has ever co-clustered with. A long-history device that’s only been seen with the same 2 partners has lower effective reputation than a similar device that’s co-clustered with 50 different partners.

Density-adaptive radius. In a busy city center, 200m might capture three unrelated events all happening on the same block. So if more than 5 candidates are found at 200m, the system tightens to 100m and re-tests. Above 15 candidates, tighten to 50m. This prevents urban noise from inflating clusters.

Retroactive scoring. A capture that arrived solo doesn’t stay solo forever. When a later capture shows up that corroborates an earlier one, both captures get re-scored against the new bigger cluster. The earlier capture’s composite is updated. If the cluster crosses the Frontline threshold, both get elevated together.

Why this matters: Multiple independent witnesses create stronger evidence than any single capture can provide. When witnesses don't know each other and aren't coordinated, yet their devices produce consistent sensor readings from the same event, that consistency is hard to fake. Staging requires coordination across unaffiliated witnesses — possible, but expensive.

Layer 4 — Residue (the world’s passive record)

The question: Does the rest of the world’s data corroborate that something happened at this place, at this time?

The previous layers ask the witness to prove themselves. Layer 4 asks the world. These are signals that existed whether or not anyone was filming, and they don’t require the witness’s cooperation. You can’t fake them by filming a TV.

What’s wired so far:

Atmospheric pressure match — the device’s barometer reading is compared to historical weather records (Open-Meteo) at the GPS coordinate, the date and hour. Real handheld pressure varies with altitude, so the system applies the standard barometric correction. A capture that says it happened in Atlanta but reads 950 hPa when Atlanta was at 1015 hPa that hour gets a low score.
Solar illumination — the system computes where the sun was in the sky at the GPS coordinate at the captured instant (NOAA solar position algorithm). It then compares the device’s ambient light reading to what’s possible at that solar elevation. A capture claiming to be outdoors at noon that reports near-zero light is impossible. A capture claiming to be at midnight that reports 50,000 lux is impossible. The check tolerates indoor captures (low light at any sun angle is fine).

What’s planned:

WiFi BSSID geoanchor — when the phone reports the MAC address of the access point it’s connected to, cross-reference against Wigle.net’s global WiFi map. A phone in Brooklyn doesn’t connect to a router in São Paulo.
Cell tower geoanchor — Android exposes cell tower IDs; OpenCelliD has a global tower map.
Satellite PRN visibility — when the phone reports which GPS satellites it saw, those PRNs should match what NASA/ESA ephemeris says was overhead at that GPS coordinate at that instant.
Network path fingerprint — server-side latency/routing analysis can detect VPNs and tunneling that would be inconsistent with the claimed location.
Magnetic anomaly — local magnetic field strength varies by location; the WMM (World Magnetic Model) gives expected values. Phone magnetometer should approximately match.

iOS vs Android difference: iOS exposes fewer of these signals than Android. Layer 4 normalizes — a perfect iOS score isn’t penalized for what Apple has locked down. The score is the average of available sub-checks.

What this layer guarantees: that the place and time claimed by the capture have a passive shadow in the world’s data. A complete fabrication of place + time would have to invent a consistent reality across a dozen independent global datasets simultaneously.

Layer 5 — Consequence (time-delayed, asynchronous)

The question: Did the world change in the ways it should have, if this event actually happened?

This is the slowest layer and the most epistemologically important. It runs not at capture time but at +6 hours, +24 hours, and +72 hours after the capture. Real events leave downstream marks: dispatch logs, news coverage, regulatory filings, social signal, satellite thermal anomalies, air quality spikes, road closures, hospital admissions. Staged events usually don’t.

What’s wired so far:

USGS Earthquake feed — for any capture, query whether USGS recorded a tremor within 50km of the GPS coordinate within ±2 hours. Score reflects magnitude and proximity. A capture tagged “earthquake” near Mexico City that USGS confirms = high score. A capture tagged “earthquake” with no USGS record = score zero.
Open-Meteo historical weather — used as a generic place-and-time-existed check. A coordinate that the weather model can return data for is a real place; one that returns nothing is suspicious (mid-ocean, off-grid).

What’s planned (each maps to a tagged event type):

Event type	Expected consequence signals
Vehicle accident	police dispatch log, road closure feed, insurance claim density, hospital admission spike
Protest / rally	news article density, permit filings, arrest record updates, counter-coverage
Fire	fire department dispatch, NOAA satellite thermal, AirNow PM2.5 spike
Police action	dispatch log, arrest records, agency incident report
Medical emergency	EMS dispatch, hospital intake
Environmental	air quality APIs, water quality, USGS seismic

Per-event weighting: the system reads the capture’s user-applied tags to figure out the event type, then weights the relevant sources higher. A capture tagged “wildfire” weights AirNow heavily; a capture tagged “earthquake” weights USGS heavily.

The hard part — absence as a signal: The spec calls this out and Witnyss enforces it: at the highest credibility tier, absence of expected consequence signals is itself a strong signal. If a capture clears Layers 1–4 with high scores but at +24 hours there’s still zero news, zero dispatch, zero anything — something is wrong. Witnyss requires at least one completed Layer 5 check before any capture can reach Consequence Verified status. Captures that score high on the early layers but show no downstream world-reaction get held in the pool, not surfaced.

The Layer 5 retroactive promotion. When a capture’s Layer 5 score arrives hours later and pushes its composite over the Frontline threshold, the capture is elevated to a separate Frontline lane called “verified-late.” This keeps the main “live” Frontline feed feeling fresh — old captures don’t suddenly leap to the top of the feed when their consequences materialize. Two lanes, one for what’s happening now, one for what’s been newly verified from the recent past.

How the layers combine — the composite formula

Each layer contributes a weighted slice to a single number between 0 and 1:

composite = (sensor × 0.20) + (cluster × 0.45) + (residue × 0.15) + (consequence × 0.20)

Cluster gets the highest weight — it’s the credibility multiplier and the hardest to fake.

If a layer reports unavailable (we couldn’t get an answer), it’s excluded from the calculation entirely (both the numerator and the denominator drop). A capture isn’t penalized for what we can’t yet check.

The caps applied AFTER the weighted sum:

REJECT cap: Layer 1 hard-rejected → composite = 0. Capture never surfaces anywhere.
QUARANTINE cap: Layer 1 quarantined → composite ≤ 0.55. Pool only, never Frontline.
SOLO cap: No cluster yet → composite ≤ 0.55. Solo captures never elevate. (If a cluster forms later, the capture is re-scored and the cap lifts.)

Credibility tiers

CIS 70-100        →  High-confidence individual capture (immediately shareable)
CIS 40-69         →  Moderate-confidence capture (shareable with caveats)
CIS 0-39          →  Low-confidence capture (investigation needed)

Parallax Confirmed →  Multiple independent witnesses (journalism grade)
Consequence Verified → World response confirmed (evidence grade)

Individual captures with CIS above 70 are immediately shareable with high confidence. This is your daily-driver verification for single-witness documentation.

Parallax Confirmed requires: Two or more independent attested devices, same event, different positions. Automatic upgrade when conditions are met.

Consequence Verified requires: Parallax Confirmed status plus consequence signals at +6h, +24h, or +72h. The evidence grade for legal and accountability contexts.

What we verify and what we don't

What Parallax verifies: The recording came from a genuine app instance on a genuine device. The sensor data is internally coherent. The claimed location at the claimed time is physically plausible. The capture's timestamp is fresh.

What Parallax does not verify: What the witness is depicting. A real iPhone in a real place at a real time can still record a misleading scene. We verify the capture is authentic; the witness is responsible for the framing.

Individual captures are first-class. A CIS score above 70 represents high confidence that the recording is genuine. Whether it accurately depicts what was happening is a separate question that multi-witness corroboration helps address, but single-witness documentation has value on its own.

Reputation, briefly

Each device builds reputation based on participation. Captures that formed clusters → reputation up. Anomalous sensor data → reputation down. GPS claims contradicted by Layer 4 residue → reputation down sharply.

Reputation feeds back into Layer 3: a long-history device with diverse co-cluster partners gets more weight when it corroborates a new event. A brand-new device contributes the floor. A device with reputation built only by always corroborating the same handful of others has its effective reputation capped (the diversity penalty), so cliques can’t bootstrap themselves into authority.

What’s done, what’s pending

Done and live: - All five layers wired through the orchestrator - Layer 1 (3-state Device Gate) - Layer 2 (sensor coherence: timestamp, GPS sanity, IMU jitter, completeness) - Layer 3 (cluster with density-adaptive radius, IMU-correlation independence check, diversity-weighted reputation, retroactive re-scoring) - Layer 4 (Open-Meteo pressure matching, solar elevation illumination check) - Layer 5 (USGS earthquake + Open-Meteo conditions, per-event-type weighting, scheduled worker every 5 minutes, re-dispatch on completion) - Composite + caps + Frontline gating including L5-non-optional clause - Live and verified-late lane assignment

Stubbed (returns “unavailable” — doesn’t penalize, but doesn’t contribute): - Real App Attest (Apple) verification — currently accepts everything - Real Play Integrity (Google) verification — currently accepts everything - Real C2PA cryptographic signature verification — currently accepts non-empty - Layer 4: Wigle WiFi BSSID lookup (needs API key) - Layer 4: Cell tower lookup - Layer 4: Satellite ephemeris check - Layer 4: Magnetic anomaly check - Layer 5: NewsAPI / similar (needs API key) - Layer 5: dispatch log integrations (jurisdiction-by-jurisdiction)

The gap from “live and working” to “fully shippable”: primarily the real attestation + C2PA wiring on the iOS and Android native side, which require Apple Developer + Google Cloud project setup and meaningful native code in the Parallax app. The architecture is in place to receive those signals; the device side just needs to start sending them.