The Parallax Pipeline — In Plain Language
A non-technical explanation of how Witnyss decides whether a capture is real enough to trust.
The core idea
Most platforms ask one question about a video or photo: “Did this come from a real camera?” The honest answer is “I can’t tell” — anyone can hold a phone up to a screen.
Witnyss asks five questions instead. Each one is independent. Each one gives a score. The scores combine into a single number: the composite verification weight. Only captures that score above a high bar — and from independent witnesses who corroborate each other — get promoted to Frontline, the feed of “this is happening, here’s the proof.”
Five layers. Each one closes a different way to fake reality. Together, they make truth expensive to fake — not impossible, but expensive enough that fakes can’t compete with real events most of the time.
The five layers
Layer 1 — Device Gate
The question: Did this come from a real, unmodified phone running the real Witnyss app?
When you record on Witnyss, your phone signs the video at the moment of capture using a private key only your phone has. Apple and Google both provide systems (App Attest, Play Integrity) that prove your phone is genuine and your app hasn’t been modified. Layer 1 verifies all of that on the server.
What can it catch? Captures from emulators, modified clients, software fakes, or phones running tampered versions of the app. None of these can produce a valid signature.
What can it NOT catch? A real phone running the real app, pointed at a TV screen. The signature is genuine; what was filmed isn’t. (That’s what Layers 2–5 are for.)
Three outcomes: - PASS — signature valid, attestation good, timestamps coherent. Capture proceeds normally. - QUARANTINE — something’s off but not a hard failure. Maybe Apple’s attestation servers are slow, or the device clock is 15 minutes off (legitimate when the phone was offline briefly). The capture is allowed in but capped at moderate composite — it can’t reach Frontline until attestation can be re-verified. - REJECT — positive failure. Invalid signature. Key mismatch. Timestamps that suggest abuse. The capture never enters the system. Logged for fraud analysis.
Why three states instead of two: A binary PASS/REJECT throws out real captures whenever Apple’s infrastructure has a hiccup. The quarantine pool means a real witness during a transient outage doesn’t get silently discarded.
Layer 2 — Sensor Coherence
The question: Does the capture’s own data make internal sense, given a real phone in a real situation?
Every capture comes bundled with a small constellation of sensor readings recorded at the same instant: GPS, accelerometer (motion), gyroscope (rotation), magnetometer (direction), ambient light, microphone background level, barometric pressure. These are like fingerprints of the physical moment.
Layer 2 is the internal check — the data has to cohere with itself, even before we ask whether it matches the world.
What it actually checks:
- Timestamp coherence — the capture’s claimed time matches when the server received it (within minutes, not hours).
- GPS sanity — the coordinates are real (not the “null island” 0,0 default), the accuracy is reasonable (< 100m), the position isn’t stuck repeating.
- IMU jitter — real phones held by real people have micro-vibration. A perfectly motionless accelerometer signal is suspicious — phones don’t actually do that, even on a tripod. Some variance is healthy. Zero variance = score zero.
- Sensor completeness — the bundle has the keys we expect; missing entire sensors is a yellow flag.
Why this matters: Faking one sensor stream is easy. Faking all of them so they’re internally consistent is much harder. A spoofed video has to invent a believable accelerometer pattern that’s neither too still nor too random, that rises and falls in plausible places. Most fakers don’t bother.
What this layer can NOT do: prove that the GPS coordinate matches the real-world location. That’s Layer 4’s job.
Layer 3 — Cluster (the philosophical core)
The question: Did multiple independent attested phones see the same event from different angles, at the same place and time?
This is the layer that gets the most weight (45% of the composite, more than any other) because it’s the hardest to fake at scale.
How it works:
When a new capture arrives, the system looks for other captures within a configurable radius of GPS distance (default 200 meters; tightens to 50m in dense urban areas where there’s lots of competing activity) and within a time window (default ±15 minutes). If it finds none, the capture is solo — it stays in the pool but cannot reach Frontline. Solo captures never elevate. This is intentional and unchangeable: one witness cannot supply their own corroboration.
If it finds others, it calculates how strong the corroboration is using a formula that has three parts:
-
tanh(effective_size / 3)— number of independent devices, with diminishing returns. 1 device = low score. 3 devices = ~0.9 (most of the credit). 5+ devices approaches 1.0. We don’t want a flash mob with 200 phones to score infinitely better than 5 — at some point you have enough corroborators. -
coherence— how tightly clustered the captures are in space. Five captures within 30 meters score higher than five captures spread across 200m. A group filming the same thing from different angles will cluster tightly. -
reputation_weight— average of the participating devices’ reputations. Brand new devices contribute, but established devices that have been corroborated many times before count for more.
The three values multiply together. The result is a number between 0 and 1.
The independence check. This is the layer’s most important defense. Five phones on the same WiFi network, or five phones whose accelerometers show identical motion patterns (because they’re all in the same vehicle), or five phones uploading from the same /24 IP block — these get collapsed into one for the purposes of “unique device count.” A group of co-conspirators doesn’t get the full corroboration multiplier just by counting heads.
Diversity-weighted reputation. Reputation alone can be farmed. Two attackers could repeatedly corroborate each other in benign clusters and build up reputation, then deploy that reputation to fake an event. To close this attack, reputation is multiplied by a diversity factor — how many DIFFERENT independent devices a given device has ever co-clustered with. A long-history device that’s only been seen with the same 2 partners has lower effective reputation than a similar device that’s co-clustered with 50 different partners.
Density-adaptive radius. In a busy city center, 200m might capture three unrelated events all happening on the same block. So if more than 5 candidates are found at 200m, the system tightens to 100m and re-tests. Above 15 candidates, tighten to 50m. This prevents urban noise from inflating clusters.
Retroactive scoring. A capture that arrived solo doesn’t stay solo forever. When a later capture shows up that corroborates an earlier one, both captures get re-scored against the new bigger cluster. The earlier capture’s composite is updated. If the cluster crosses the Frontline threshold, both get elevated together.
Why this layer is the philosophical core: The position underneath all of Witnyss is that the atom of truth is the cluster, not the single witness. No piece of footage drives a narrative alone. What surfaces is what multiple independent anonymous witnesses agree they’re seeing. Layer 3 is where that position becomes math.
Layer 4 — Residue (the world’s passive record)
The question: Does the rest of the world’s data corroborate that something happened at this place, at this time?
The previous layers ask the witness to prove themselves. Layer 4 asks the world. These are signals that existed whether or not anyone was filming, and they don’t require the witness’s cooperation. You can’t fake them by filming a TV.
What’s wired so far:
- Atmospheric pressure match — the device’s barometer reading is compared to historical weather records (Open-Meteo) at the GPS coordinate, the date and hour. Real handheld pressure varies with altitude, so the system applies the standard barometric correction. A capture that says it happened in Atlanta but reads 950 hPa when Atlanta was at 1015 hPa that hour gets a low score.
- Solar illumination — the system computes where the sun was in the sky at the GPS coordinate at the captured instant (NOAA solar position algorithm). It then compares the device’s ambient light reading to what’s possible at that solar elevation. A capture claiming to be outdoors at noon that reports near-zero light is impossible. A capture claiming to be at midnight that reports 50,000 lux is impossible. The check tolerates indoor captures (low light at any sun angle is fine).
What’s planned:
- WiFi BSSID geoanchor — when the phone reports the MAC address of the access point it’s connected to, cross-reference against Wigle.net’s global WiFi map. A phone in Brooklyn doesn’t connect to a router in São Paulo.
- Cell tower geoanchor — Android exposes cell tower IDs; OpenCelliD has a global tower map.
- Satellite PRN visibility — when the phone reports which GPS satellites it saw, those PRNs should match what NASA/ESA ephemeris says was overhead at that GPS coordinate at that instant.
- Network path fingerprint — server-side latency/routing analysis can detect VPNs and tunneling that would be inconsistent with the claimed location.
- Magnetic anomaly — local magnetic field strength varies by location; the WMM (World Magnetic Model) gives expected values. Phone magnetometer should approximately match.
iOS vs Android difference: iOS exposes fewer of these signals than Android. Layer 4 normalizes — a perfect iOS score isn’t penalized for what Apple has locked down. The score is the average of available sub-checks.
What this layer guarantees: that the place and time claimed by the capture have a passive shadow in the world’s data. A complete fabrication of place + time would have to invent a consistent reality across a dozen independent global datasets simultaneously.
Layer 5 — Consequence (time-delayed, asynchronous)
The question: Did the world change in the ways it should have, if this event actually happened?
This is the slowest layer and the most epistemologically important. It runs not at capture time but at +6 hours, +24 hours, and +72 hours after the capture. Real events leave downstream marks: dispatch logs, news coverage, regulatory filings, social signal, satellite thermal anomalies, air quality spikes, road closures, hospital admissions. Staged events usually don’t.
What’s wired so far:
- USGS Earthquake feed — for any capture, query whether USGS recorded a tremor within 50km of the GPS coordinate within ±2 hours. Score reflects magnitude and proximity. A capture tagged “earthquake” near Mexico City that USGS confirms = high score. A capture tagged “earthquake” with no USGS record = score zero.
- Open-Meteo historical weather — used as a generic place-and-time-existed check. A coordinate that the weather model can return data for is a real place; one that returns nothing is suspicious (mid-ocean, off-grid).
What’s planned (each maps to a tagged event type):
| Event type | Expected consequence signals |
|---|---|
| Vehicle accident | police dispatch log, road closure feed, insurance claim density, hospital admission spike |
| Protest / rally | news article density, permit filings, arrest record updates, counter-coverage |
| Fire | fire department dispatch, NOAA satellite thermal, AirNow PM2.5 spike |
| Police action | dispatch log, arrest records, agency incident report |
| Medical emergency | EMS dispatch, hospital intake |
| Environmental | air quality APIs, water quality, USGS seismic |
Per-event weighting: the system reads the capture’s user-applied tags to figure out the event type, then weights the relevant sources higher. A capture tagged “wildfire” weights AirNow heavily; a capture tagged “earthquake” weights USGS heavily.
The hard part — absence as a signal: The spec calls this out and Witnyss enforces it: at the Frontline threshold, absence of expected consequence signals is itself a strong signal. If a capture clears Layers 1–4 with high scores but at +24 hours there’s still zero news, zero dispatch, zero anything — something is wrong. Witnyss requires at least one completed Layer 5 check before any capture can elevate to Frontline. Captures that score high on the early layers but show no downstream world-reaction get held in the pool, not surfaced.
The Layer 5 retroactive promotion. When a capture’s Layer 5 score arrives hours later and pushes its composite over the Frontline threshold, the capture is elevated to a separate Frontline lane called “verified-late.” This keeps the main “live” Frontline feed feeling fresh — old captures don’t suddenly leap to the top of the feed when their consequences materialize. Two lanes, one for what’s happening now, one for what’s been newly verified from the recent past.
How the layers combine — the composite formula
Each layer contributes a weighted slice to a single number between 0 and 1:
composite = (sensor × 0.20) + (cluster × 0.45) + (residue × 0.15) + (consequence × 0.20)
Cluster gets the highest weight — it’s the philosophical core and the hardest to fake.
If a layer reports unavailable (we couldn’t get an answer), it’s excluded from the calculation entirely (both the numerator and the denominator drop). A capture isn’t penalized for what we can’t yet check.
The caps applied AFTER the weighted sum:
- REJECT cap: Layer 1 hard-rejected → composite = 0. Capture never surfaces anywhere.
- QUARANTINE cap: Layer 1 quarantined → composite ≤ 0.55. Pool only, never Frontline.
- SOLO cap: No cluster yet → composite ≤ 0.55. Solo captures never elevate. (If a cluster forms later, the capture is re-scored and the cap lifts.)
Frontline thresholds
composite ≥ 0.82 → Frontline eligible (live or verified-late lane)
composite 0.55–0.81 → In the regular feed, normal weight
composite 0.25–0.54 → In the pool, flagged
composite < 0.25 → Suppressed
Three conditions must all be true to elevate to Frontline:
- composite ≥ 0.82
- cluster_id non-null (solo never elevates)
- at least one Layer 5 consequence check has completed
Why 0.82 is high: Witnyss makes truth expensive to fake rather than helping people feel heard. A false positive (something fake gets verified) costs more than a false negative (something real that didn’t clear). Same bet that journalism and courts make.
The honest gap
This architecture systematically under-serves events that happen in isolation: intimate partner violence, police misconduct without bystanders, private care settings, anything where the only witness is the victim. The cluster-required structure means a single witness — even with perfect sensor coherence and consequence signals — cannot reach Frontline alone.
This gap falls along lines of vulnerability and isolation. The high bar is still the right bar. The gap is the cost of the integrity choice — Witnyss does one thing well: makes truth expensive to fake in public and semi-public events. It does not solve the private-event problem, and it does not pretend to.
Solo captures are never discarded. They: - Enter the pool with their sensor and residue scores intact - Build the device’s reputation over time - Upgrade retroactively if a cluster forms later - Can participate in pattern convergence (planned): multiple solo captures from different anonymous device keys, same actor or location across time, treated as indirect cluster
Reputation, briefly
Each device builds reputation based on participation. Captures that formed clusters → reputation up. Anomalous sensor data → reputation down. GPS claims contradicted by Layer 4 residue → reputation down sharply.
Reputation feeds back into Layer 3: a long-history device with diverse co-cluster partners gets more weight when it corroborates a new event. A brand-new device contributes the floor. A device with reputation built only by always corroborating the same handful of others has its effective reputation capped (the diversity penalty), so cliques can’t bootstrap themselves into authority.
What’s done, what’s pending
Done and live: - All five layers wired through the orchestrator - Layer 1 (3-state Device Gate) - Layer 2 (sensor coherence: timestamp, GPS sanity, IMU jitter, completeness) - Layer 3 (cluster with density-adaptive radius, IMU-correlation independence check, diversity-weighted reputation, retroactive re-scoring) - Layer 4 (Open-Meteo pressure matching, solar elevation illumination check) - Layer 5 (USGS earthquake + Open-Meteo conditions, per-event-type weighting, scheduled worker every 5 minutes, re-dispatch on completion) - Composite + caps + Frontline gating including L5-non-optional clause - Live and verified-late lane assignment
Stubbed (returns “unavailable” — doesn’t penalize, but doesn’t contribute): - Real App Attest (Apple) verification — currently accepts everything - Real Play Integrity (Google) verification — currently accepts everything - Real C2PA cryptographic signature verification — currently accepts non-empty - Layer 4: Wigle WiFi BSSID lookup (needs API key) - Layer 4: Cell tower lookup - Layer 4: Satellite ephemeris check - Layer 4: Magnetic anomaly check - Layer 5: NewsAPI / similar (needs API key) - Layer 5: dispatch log integrations (jurisdiction-by-jurisdiction)
The gap from “live and working” to “fully shippable”: primarily the real attestation + C2PA wiring on the iOS and Android native side, which require Apple Developer + Google Cloud project setup and meaningful native code in the Witnyss app. The architecture is in place to receive those signals; the device side just needs to start sending them.