PROVE THE
HUMAN
ORIGIN.

TrackOrigin is not claiming that synthetic music cannot move people. It can. Pitch, rhythm, timbre, tension and repetition can still activate human perception and reward systems. The real issue is origin: whether the sound can be connected to a human creative act.

The biological case is simple. Acoustic communication is ancient. Mammalian hearing and vocal signals are not neutral channels; they are systems shaped around survival, identity, arousal, contact and social meaning. Human music uses that older machinery and adds culture, memory, craft and intention.

That is why TrackOrigin tests process, performance, memory, identity continuity and authorship congruence. We are not asking an audio classifier to guess whether a waveform feels human. We are testing whether the named person can demonstrate a credible human relationship to the exact file.

The public scientific basis includes peer-reviewed work on acoustic communication in vertebrates, mammalian vocal/hearing co-evolution, music reward, infant-directed singing, cross-cultural song and music as social bonding.

Streaming has crossed the point where distribution alone proves almost nothing.

The IFPI's Global Music Report 2026 placed global recorded music revenue at USD $31.7 billion in 2025, with 837 million paid streaming subscribers globally. Luminate tracked 5.1 trillion music streams over the year, with new ISRCs arriving at roughly 99,000 to 107,000 every 24 hours.

Most of that catalogue barely moves. Nearly half of all tracks on streaming services received fewer than ten streams in 2025; almost nine in ten failed to cross 1,000 annual streams. The modern catalogue is no longer just competitive. It is saturated, automated, and increasingly unauditable.

AI has accelerated the problem. Deezer reported in April 2026 that it now receives nearly 75,000 fully AI-generated tracks per day — 44% of its daily delivery. The platform has detected and tagged more than 13.4 million AI tracks since January 2025, and reports that 85% of streams on AI-generated music are fraudulent and demonetised.

The industry problem is no longer only discovery. It is provenance.

A label, distributor, DSP, sync agency, rights body, brand, or fan can hear the finished audio — but the audio file alone cannot prove who made it, how it was made, whether the named artist performed it, or whether the declared creative process matches the work.

Audio-only detection is already the wrong battlefield. A November 2025 Deezer × Ipsos study of 9,000 listeners across eight countries found that 97% could not reliably distinguish AI-generated music from human-made music. Spotify has separately removed more than 75 million spam tracks in the twelve months before September 2025 as generative tools made mass-upload abuse easier.

The evidence is not just the file. The evidence is the act of making it.

A successful verification produces an artefact: the TrackOrigin Certificate. It is a cryptographically signed manifest, bound to the exact audio master you uploaded, recorded against the version of the methodology in force at the time. It is the document a label, DSP or rights body checks against.

The certificate contains:

• cert_idA globally unique identifier you can share.
• master_sha256The hash of the audio file the cert is bound to.
• verdictVerified · Conditional · Declined.
• issued_atISO 8601 timestamp with timezone.
• declarationsGenre, BPM, key, DAW, AI tools used, recording context, time invested.
• evidencePer-declaration verdict and supporting evidence artefacts.
• key_idIdentifier of the issuer key in force at signing.
• signatureEd25519 signature over the canonical manifest, verifiable against the published TrackOrigin public key.

A TrackOrigin certificate is a provenance artefact. It verifies that a human author credibly demonstrated authorship of a specific audio master under the methodology in force at the time of verification.

It is not a copyright registration, a royalty split agreement, a sample clearance document, a publishing claim, a distribution licence, or proof that every collaborator has granted commercial permission.

This distinction matters. The certificate answers one narrow but increasingly urgent question: did the named human demonstrate credible authorship of this exact file?

Rights ownership, contractual authority, sample clearance, neighbouring rights, publishing splits, and label obligations remain separate legal and commercial questions.

A TrackOrigin certificate is bound to one audio file, identified by its SHA-256 hash. Provenance binds to the artefact, not to the artist. This is intentional.

The implications are strict.

This is the same logic that makes a notarised document a notarised document: it certifies this exact text, signed at this exact moment. Edit it, and the notarisation is void.

TrackOrigin does not rely on any single signal. A single signal is a single thing to spoof. Every verification session triggers independent verification engines running in parallel, each operating on different evidence drawn from the same session.

The categories of evidence in play simultaneously:

• AAcoustic — the audio master, fingerprinted and structurally decomposed.
• BBehavioural — how you respond, hesitate, correct yourself, recall.
• CVisual — your face, your instruments, your DAW, your environment.
• DLinguistic — transcription, vocabulary, technical specificity.
• ECryptographic — chain of custody on every chunk of every recording.
• FAdversarial — questions only the author can answer, generated per-session.

A verdict requires evidence convergence: multiple independent engines, looking at different evidence, all reaching the same conclusion. This is the property that makes the standard hard to game.

To spoof a TrackOrigin certificate you would need to defeat acoustic analysis, behavioural analysis, visual analysis, linguistic analysis, cryptographic chain-of-custody, and probe-set adversarial generation — simultaneously, in real time, for a probe set you cannot see in advance. The cost of doing this for one track is greater than the cost of simply making the track yourself.

We designed it that way on purpose.

Verification systems must be strict, but they cannot be careless. A failed or conditional result can be disputed. Disputes are reviewed against the original audit trail: the uploaded master, declarations, session recording, transcript, probe sequence, scoring output, and cryptographic chain of custody.

A dispute does not rewrite the original result. It creates a second review event attached to the certificate history.

The pattern across major jurisdictions is consistent. Regulators require disclosure of AI involvement in machine-readable format. Some additionally require explicit visible labels. Platforms and distributors require credit metadata. The TrackOrigin certificate provides a single, cryptographically verifiable artefact that satisfies all of these requirements through one signed record.

It is not a substitute for legal counsel on jurisdiction-specific compliance. It is the evidentiary layer those compliance regimes assume but do not, by themselves, provide.

The mapping below covers the major in-force or pending frameworks. The full compliance specification — including audit interfaces, regulator access modes and data-residency options — is available to industry partners and regulators under NDA.

TrackOrigin's verifiable layer rests on open, well-studied cryptographic primitives. The audio master is identified by its SHA-256 hash (FIPS 180-4). The signed manifest is canonicalised using the JSON Canonicalization Scheme (RFC 8785), then signed with Ed25519 (RFC 8032) under the issuer key in force at the time of issuance.

The issuer's public key is published at /.well-known/trackorigin-public-key. Keys rotate on a published schedule; each manifest embeds the key_id of the signing key, so old certificates remain verifiable indefinitely against the historical key set.

Manifests are canonical JSON and verifiable offline. Any third party — a label's compliance team, a DSP's ingestion pipeline, a court of competent jurisdiction — can confirm authenticity without contacting TrackOrigin.

The verification procedure is straightforward: fetch the public key for the embedded key_id, canonicalise the manifest body, verify the Ed25519 signature, confirm the master_sha256 matches the audio file in hand. Implementations exist in Python, Go, Rust and TypeScript reference libraries available to industry partners.