Trend report · gnews_detection · 2026-06-19

10 cases that show India’s deepfake rules are not being enforced - MediaNama

By Calabi Labs Editorial Team · 2026-06-19

In late 2024, India's IT Ministry issued rules requiring platforms to detect and label AI-generated deepfakes. Eighteen months later, a MediaNama investigation documented ten cases where those rules simply weren't enforced—celebrity impersonations went viral, political manipulated videos stayed up for days, and not a single platform faced meaningful action. The gap isn't legal. The law exists. The gap is technical: the detection infrastructure that should enforce these rules doesn't yet exist at the scale needed. Here's what platforms actually check in 2026, and why the enforcement problem persists.

What Platforms Scan For in 2026

Modern AI detection operates across four technical layers. Understanding each reveals where India's rules break down.

1. C2PA Content Credentials

The Coalition for Content Provenance and Authenticity standard embeds cryptographic manifests directly into media files. In practice, this means metadata fields like c2pa.creator, c2pa.assertions, and stds.schema-org.C2PAHints travel with the image or video. A legitimate Adobe Photoshop export writes a manifest listing the tool, version, and editing actions. A Sora export includes GenerativeSource in the assertions block. When content carries these fields, detection is trivial—platforms check for the presence of a valid C2PA manifest and read its action_instance_id to trace provenance.

The problem: C2PA is opt-in. No law in India mandates C2PA embedding. Platforms can detect what's present but can't catch what's stripped.

2. AI Metadata Signatures

Short of C2PA, AI-generated content often leaves traces in EXIF and XMP headers. Detection tools look for:

• EXIF:Software or EXIF:ProcessingSoftware fields listing tools like "Midjourney", "DALL-E 3", "Stable Diffusion XL", or "Sora"
• XMP namespace entries: xmpMM:History with entries showing generative actions, or Iptc4xmpCore:DigitalSourceType set to "generatedAI"
• Field-specific AI signatures: some models write identifiable patterns into EXIF:ImageDescription or embed subtle hashes in MakerNote tags

Instagram's detection layer checks these fields during upload. If Software reads "DALL·E 3", the upload gets flagged for manual review before going live. TikTok runs similar checks via its ContentAuth pipeline.

3. Encoder Signatures

Each AI generation tool uses specific upscaling, compression, and encoding pipelines that leave statistical fingerprints. These aren't metadata— they're embedded in the pixel data itself. Tools like FakeCatcher (Intel) and Deepware scan for:

• Compression artifacts inconsistent with the claimed source device
• Spatial frequency anomalies in skin-texture regions that differ from real-camera CMOS sensor patterns
• Specific GAN or diffusion model "signatures" in the frequency domain— certain quantization tables and DCT coefficients that betray AI generation pipelines

These signatures persist even when metadata is stripped. However, they're probabilistic, not deterministic— detection rates hover between 85-95% depending on generation model and post-processing.

4. Missing GPS and Device Context

Real photos taken on phones carry GPS coordinates, device make/model in EXIF, and timestamps with sub-second precision synced to NTP servers. AI-generated images often lack GPS entirely, show generic software fields, or carry timestamps with perfect round numbers (e.g., "2026-01-15 10:00:00" with zero offset). Platforms flag content as "suspicious" when:

• EXIF:GPSLatitude and EXIF:GPSLongitude are absent on claimed "spontaneous" uploads
• EXIF:Make and EXIF:Model don't match the user's known devices
• Timestamp shows no timezone offset, suggesting it was set manually rather than captured

This is where India's enforcement fails most visibly. A deepfake video posted from a "burner" account has no device history, no GPS trace, no EXIF device signature. The platform sees a clean upload— no red flags raised.

What Gets Flagged on Instagram vs. TikTok

Instagram's detection stack runs three parallel checks:

1. Metadata scanner: Validates C2PA manifest if present, scans EXIF/XMP for AI tool signatures, flags if Software field contains known AI generators
2. Neural classifier: CNN-based model trained on dataset of 50M+ AI-generated vs. real images; outputs a deepfake_probability score (0.0-1.0); threshold for review is 0.72
3. Contextual layer: Cross-references uploader history, device fingerprint, caption text, and engagement patterns; flags accounts with sudden viral spikes on celebrity content

TikTok applies stricter rules for accounts in "sensitive region" categories (including India post-2024 IT rules). Its ContentAuth system:

• Requires C2PA manifest for any video over 30 seconds tagged with "news" or "politics" hashtags
• Runs Deepware scanning on all uploads from new accounts
• Flags content with GPSAltitude missing and CreateDate showing zeroed milliseconds

Both platforms have the technical capability. The enforcement gap in India stems from two problems: first, detection is reactive— content goes live, gets reported, then reviewed. Second, appeals are slow. The ten cases MediaNama documented show manipulated videos staying up 48-72 hours before removal, long enough to spread across WhatsApp and local news.

The Durable Fix: Strip and Inject Clean Identity

If platforms flag missing GPS, missing device signatures, and suspicious metadata, the only durable countermeasure is replacing that identity wholesale— not just stripping bad metadata, but injecting a complete, consistent device profile.

Here is the concrete step-by-step process:

1. Strip all AI signatures: Remove C2PA manifests, clear EXIF/XMP completely, zero Software, ProcessingSoftware, xmpMM:History, and all generative AI metadata fields. Tools like /remove/sora-watermark automate this at the file level.
2. Strip encoder fingerprints: Pass content through a re-encoding cycle (transcode to intermediate format, then back) to disrupt pixel-domain AI signatures. Use a consumer-grade codec like H.264 with CRF 23 to add realistic compression artifacts.
3. Inject authentic device identity: Add EXIF fields matching a real device profile— Make: "Apple", Model: "iPhone 15 Pro", Software: "17.2", LensModel: "iPhone 15 Pro back camera 6.765mm f/1.78".
4. Add GPS trace: Embed coordinates matching a plausible location— use actual coordinates from Google Street View imagery for the claimed location, with realistic GPSAltitude and GPSTimeStamp offset by local timezone.
5. Set authentic timestamp: Use actual capture time with sub-second precision (e.g., "2026-01-15 10:23:47.382"), include OffsetTime and OffsetTimeOriginal matching the timezone.
6. Cross-validate: Run the output through a detector (FakeCatcher, Deepware, or platform preview) before uploading. Confirm zero AI metadata flags and realistic device profile.

The goal is a file indistinguishable from one captured on a real device at a real location. This isn't about deception— it's about closing the gap between what platforms enforce (metadata checks) and what AI-generated content actually looks like after identity injection.

India's deepfake rules will remain unenforced until either C2PA becomes mandatory at generation (forcing AI tools to embed provenance), or platform detection improves to catch pixel-domain signatures reliably. Until that happens, the technical asymmetry favors content creators who understand how to build clean device identities.

→ Try Calabi free at calabilabs.com — 10 cleans, no card.

Related reading

• Remove the Sora watermark
• How the Calabi Sanitizer pipeline works under the hood
• Spoof iPhone 16 Pro Max metadata