War compresses everything, including the truth. The moment the first missile lands, demand for images spikes, while the supply stays thin. Photographers can only be in so many places, and the most newsworthy places are the hardest and most dangerous to reach. Editors need pictures in minutes, not hours. In that gap between high demand and scarce supply, the channels that normally verify an image quietly loosen. There is no time. The first credible frame to reach the desk is usually the one that runs.
To understand how a fake slips through, it helps to follow the path a news image actually travels. A photographer shoots it. An agency takes it in, captions it, and files it. Often, a second agency, operating in another territory, picks it up from the first under a partnership deal and redistributes it to its own market. A news outlet licenses it from there. Finally, it reaches the reader. Sometimes the photographer at the front of that chain is replaced by what the French call a récup, an image acquired from a third party: an amateur, a social account, a screengrab, an institution, an NGO, a government press office.
At each of these handoffs, there is supposed to be a verification step. Two questions, really. Is this image real and unmodified? And is it showing what it claims to show?
No agency can answer those two questions for every image in real time. The Dutch national wire ANP processes around 60,000 images a day from 129 partner agencies, far more than can be manually verified at every link. At that scale, human per-image verification is impossible at every link in the chain. So agencies do something more efficient. They vet the source once. They build networks of trusted photographers, stringers, and partner agencies around the world, and once a source is inside that network, everything that flows from it is treated as already verified. The check happens at the door, not on every item that passes through afterward. Under the pressure of breaking news, this is enormously useful. It lets a picture move at the speed the story demands.
And on paper, it is nearly foolproof, because the responsibility does not sit with any single link. It is distributed across the entire chain. The photographer vouches for the frame. The first agency vouches for the photographer. The second agency vouches for the first. The outlet vouches for the agency. Each one is supposed to check before passing the image forward. For a fake to reach the reader, it would have to defeat every checkpoint in sequence. For about 99.9% of images, that is exactly what happens. The chain holds.
Until it doesn’t.
In late February and March of 2026, during the war between Iran and the US–Israeli coalition, a series of images began appearing in the German press: an Iranian aircraft carrier seen from above, an explosion in a Tehran street, a portrait of the supreme leader Ali Khamenei with his son Mojtaba. They had traveled a textbook chain. They originated with an Iranian agency called SalamPix, passed to the established French agency Abaca Press, and from there into the databases of dpa Picture Alliance, ddp, and Imago, before landing in Der Spiegel, Süddeutsche Zeitung, Stern, German Broadcaster like RTL, ARD or ZDF, and others. Every link was real. Every institution did roughly what it was supposed to. In Germany, this arrangement has a name and a legal status: Agenturprivileg, agency privilege, the principle that publishers can rely on recognized wire agencies without independently verifying every image.
Read more on what is Agenturprivileg by clicking here
Agenturprivileg is not a statute. The doctrine has been developed through German case law over the past fifty years and affirmed by the Federal Constitutional Court. The principle: a publisher who runs material from a recognized, reputable news agency, dpa, Reuters, AP, AFP, and similar, without independent verification, is shielded from liability for false content in that material, provided ordinary journalistic care is met ( Best Effort). The courts have grounded this in press freedom and practical necessity. The Constitutional Court’s reasoning was that publishers cannot fulfill their duty to report comprehensively and in real time if they must independently verify every piece of content. The doctrine is, in effect, a legal recognition of the volume problem. It has clear limits. Once a publisher has concrete reasons to doubt a story, the privilege ends. Once an agency issues a correction or kill notice, the duty to remove kicks in fast. And the underlying journalistic duty of care never disappears: the more reputational harm at stake, the higher the bar, even with an agency byline.
The images were not real. Several had been generated or manipulated, some with AI; one explosion image carried the digital traces of an AI image tool. An Iranian photographer later admitted he had fed pictures from a platform run by the Revolutionary Guards into the agency stream without flagging them. The verification that was supposed to happen at the door had happened; SalamPix was a known source, already inside the network, but the door had been propped open from within. Once the source itself was compromised, the chain’s great efficiency became its great weakness. Every downstream link trusted the one before it, exactly as designed, and carried the fakes along.
What eventually broke the cycle came from inside the network. A tip from the Belgian agency Belga raised doubts about the SalamPix material. ANP, the same Dutch wire processing those 60,000 images a day, ran its own metadata and forensic checks, found multiple signals that the images weren’t authentic, and blocked the entire supplier, around a thousand images in one move. ANP warned Dutch broadcaster RTL Nieuws, which pulled the affected images from its war coverage. The warning rippled outward. Der Spiegel commissioned the German forensics firm Neuramancer, which classified three of five suspect images as likely AI-generated and found traces of the AI tool Flux 2 in a fourth. Fakes ran, and then they were caught, named, and withdrawn, by the same chain that had moved them in the first place. Hold on to that, because it matters for everything that follows.
Before AI
SalamPix is not a freak event. Brian Walski merged two frames into one on the front page of the LA Times in 2003 and was fired within a day. Adnan Hajj cloned the smoke heavier over Beirut in 2006; Reuters pulled all 920 of his photographs and cut him loose. And in 2008, already, Iran’s Revolutionary Guards slipped a doctored missile photo, a fourth rocket added to hide a misfire, through Agence France-Presse and onto front pages worldwide, before the New York Times unpicked it within a day. The same source, the same trick, eighteen years before SalamPix. The chain has always leaked. It has also, almost always, caught itself.
Publishing a fake by accident is no longer rare, and it grows less rare every year. SalamPix itself is, in one sense, an unusual case: a failure on the agency side, in a market where the agency side turns out to be the cleanest part of the chain. The doors most fakes walk through are elsewhere. That makes it a useful story precisely because it is the hard case; if the chain can fail even where it is strongest, the question of who answers for the failure becomes unavoidable.
The obvious lesson is that the chain needs faster, better verification: a way to ask Is this real? At machine speed, at every handoff, without slowing the story down. I’ve sketched the agent-based version elsewhere. But it is not the direction every part of the industry has taken.
Who is responsible?
In Germany, some magazines have reportedly begun asking their providing agencies to sign letters accepting full liability if a fake gets through. On its face, this looks like accountability. In practice, it is something else: the publisher, the last link in the chain, pushing its responsibility back up to the supplier rather than carrying its share. It also asks agencies to underwrite the very cushion that Agenturprivileg provided to publishers in the first place.
And it is ironic: the people pushing the liability are the ones publishing the fakes. A 2026 study by Prof. Lars Bauernschmitt of the Hochschule Hannover, who ran the photo agency VISUM for fifteen years and chaired the German image-providers’ association before that, surveyed 534 people across the industry and found that 23.6 percent of media outlets had unintentionally published AI-generated content, up from 18.6 percent the year before.
There is a deeper unfairness in it, too. The same study found that the two ends of the chain are now pulling in opposite directions. More than half of media outlets, 56.6 percent, up from 46.2 percent a year earlier, now plan to purposely use AI-generated images or video, and two-thirds already publish them. While photographers and agencies are going the other way. Of the twelve German agencies that disclosed their holdings, only two offered any AI imagery, and across all of them, AI made up 0.015 percent of their catalog. More than 90% of both photographers and agencies refuse to let their work be used to train AI. What the study calls a “deep rift” runs straight through the middle of the chain. Publishers are reaching for the synthetic flood; the suppliers who guarantee the verified, real moment are backing away from it. Which makes the liability letter not just unfair but misdirected: it asks the cleanest link in the chain to answer for an AI problem the publisher is the one embracing.
This is why the old, diffuse arrangement is worth defending. When responsibility is shared across the whole chain, every link has a reason to check, and no single party carries a burden it cannot bear. Concentrating the liability in one entity does not make the system more honest. One party simply becomes more exposed, while everyone else loses their incentive to look closely. The distributed model is what makes the other 99% work.
How to fix it
So perhaps the answer is to stop trusting people and start trusting signals. This is the promise of C2PA and content credentials: a machine-readable, cryptographic record attached to the file itself that states where an image came from and what was done to it. No handshakes, no networks of trust, just math.
It is a genuine advance, but incomplete. For one thing, it only works when it is everywhere, embedded at capture, preserved through every edit, and read at every platform. We are years from that, and many of the platforms where images actually circulate strip the credentials on upload. Think of it like self-driving. We are not even at assisted driving yet, let alone full autonomy. For another, even a fully implemented system would not settle the question SalamPix raised. A credential can prove that an image came from a given camera or source. It cannot prove that the scene in front of that camera was real, or that the caption is true. A perfectly signed photograph of a staged event is still a lie, carrying a valid certificate. Somewhere, you still need to trust the humans.
And there is a quieter cost. A world that trusts only credentialed images is a world that starts discarding every image without one. That includes the entire photographic past: the historical record, the evidence shot on devices that will never carry a content credential. Make the credential the only price of admission, and you not only block the fakes. You block a vast amount of real, irreplaceable visual history along with them.
Which leaves us somewhere less tidy than a technical fix, and probably more honest. We may simply have to accept that trust channels are imperfect, that responsibility is best shared rather than dropped on whoever is easiest to reach, and that no system will catch every fake before it runs. Especially when authenticity is gaining value of its own. Where there is a price on real, there is an incentive to make the chain that delivers it work better. That might be where the answer lies.
In the meantime, here is the part worth remembering about SalamPix: we found out. The images were exposed, traced, and pulled. The system did its job, not in prevention, which is the part everyone fixates on, but in correction, after publication. That is a weaker guarantee than we would like. It may also be the most realistic one we have.
