Trust Tiers Explained (GOLD / SILVER / UNTRUSTED)

Effective date: [2025-12-20] Audience: Users, investigators, institutions, integrators Purpose: Explain what device trust tiers mean—and what they do not mean

1) What is a “Trust Tier”?

A Trust Tier is a device integrity classification derived from cryptographic and attestation signals associated with capture.

Trust tiers help answer:

• “Was this captured on a device that appears to be in a secure state?”
• “Is there evidence the capture device was compromised (rooted, tampered OS, emulator, etc.)?”

Trust tier is typically recorded in the capture manifest and surfaced during verification.

> Important: Trust tier is about device integrity, not about truth, intent, or legality.

2) Trust tiers at a glance

Below is the intended meaning for common tiers:

GOLD

• Intended meaning: Strong device integrity signals at capture time; hardware-backed keys and higher assurance attestation signals.
• What you can infer: The provenance claims have strong device integrity backing.
• What you cannot infer: Nothing about truth, legality, staging, coercion, or completeness.

SILVER

• Intended meaning: Acceptable device integrity signals at capture time; hardware-backed signing with baseline attestation confidence.
• What you can infer: The capture likely occurred on a real, non-compromised device meeting baseline requirements.
• What you cannot infer: Nothing about the event’s reality or the recorder’s identity.

UNTRUSTED

• Intended meaning: Device integrity could not be established, failed policy checks, or the device environment is considered high-risk.
• What you can infer: You can still verify file integrity and detect tampering, but device integrity is not strong enough for higher confidence provenance claims.
• What you cannot infer: UNTRUSTED does not mean “fake” or “tampered” by itself.

Some deployments may also surface additional labels such as FAIL (verification failed) or UNKNOWN (insufficient data). Your organization’s policy may map these differently.

3) What causes tier changes or downgrades?

Trust tiers can change between recordings, and even on the same device over time. Common causes include:

• OS state changes (updates, rollback, integrity failures)
• Bootloader state or device security posture changes
• Root / hooking / tamper indicators
• Emulator or virtualization environments
• Attestation provider availability or policy updates
• Local security configuration changes (e.g., debug/testing settings in development builds)

This is expected behavior: trust tiers are designed to be conservative.

4) UNTRUSTED does not mean “altered”

There are two separate questions:

1. Integrity: “Has the file been altered since capture?”
2. Device integrity: “Was the capture device in a trusted state?”

An asset can have PASS integrity (hashes/signatures match) while still being UNTRUSTED (device did not meet the trust-tier policy).

This is why verification outputs typically separate:

• Integrity (PASS/FAIL)
• Provenance confidence (trust tier + attestation status)

5) How to use trust tiers responsibly

Recommended guidance (non-legal, non-binding):

• Use GOLD/SILVER tiers for workflows that require high confidence in device integrity signals (e.g., sensitive evidence intake, high-risk newsroom submissions).
• Treat UNTRUSTED as: “Integrity may still be verifiable, but device integrity is not strong enough for high-assurance provenance.”
• Always combine trust tiers with:

- corroboration from additional sources, - situational context, - organizational chain-of-custody procedures.

6) Related documents

• What Epistemic Vault Verification Means
• What Verification Does Not Mean
• Proof Bundles & Receipts Explained (recommended for institutions)