A Post Mortem Of Russia's Claim That Crucial MH17 Video Evidence Was Falsified

During day two of the MH17 criminal court proceedings in the Netherlands, the prosecution team disclosed that the Russian Federation had challenged the authenticity of a video recording of the BUK Telar, made on 17 July 2014, near the presumed launch site at Snizhne. This video is a crucial piece in the chain of evidence showing the contiguous movement of the BUK Telar convoy from its permanent base in Kursk, Western Russia, all the way to the launch site. Based on the information from the Dutch prosecutor, Russia made this claim in its written defense in the legal case of MH17 victims’ next of kin vs. the Russian state, which is ongoing in parallel at the European Court of Human Rights. This disclosure can be heard in the video below.

According to the Dutch prosecutor, the Russian Federation argued to the ECHR that the video showing the Russian BUK Telar near the launch site, which was posted on YouTube on 17 July 2014, is not authentic. In particular, Russia claims that an analysis of the metadata of the uploaded video file shows that its creation date was 16 July 2014, i.e. one day before the shoot-down. Russia went on to argue that the video pre-dated the shoot-down and therefore could not have shown the BUK Telar that caused the downing.

“The Russian Federation’s written statement in the ECHR proceedings claims that a YouTube version of the video of the TELAR in Snizhne gives 16 July 2014 as its ‘encoded date’, i.e. one day before the downing of flight MH17 and the making of the other images of the TELAR. The Russian Federation argues that the encoded date can never be earlier than the date on which the video is actually uploaded, and consequently the video must already have been uploaded on 16 July 2014.”

Below is one version of the video of the Buk in Snizhne that the Russian Federation refers to in its defense. This concerns one of the earliest videos uploaded to YouTube which the uploader quickly deleted afterwards; however it was re-posted on that same day by a number of other users, including Bellingcat founder Eliot Higgins, who in 2014 operated a YouTube account under the alias Brown Moses. Below is Higgins’s re-post of this early video. Later it turned out that this was not the original video, as a higher-resolution copy surfaced one year later.

Analysis Of Russia’s Claim

Russia’s claim is based on its analysis of an undefined YouTube posting of the video in question, and not of the original file (whether the JIT has managed to obtain the original file remains unclear). Thus Russia’s claims relate to a secondary copy of the file, but given that Russia asserts that the secondary copy contains markers that pre-date the shoot-down, its allegations deserve to be looked at.

While the original YouTube upload that appears to be the focus of Russia’s non-authenticity claim is no longer available, Russia’s assertion that its metadata had a time-stamp from an earlier date is not only plausible but unavoidably true. This happens to be so, because at the time of the video’s uploading in 2014, a glitch in an open-source video format conversion algorithm used by Google structurally caused videos to be uploaded with a timestamp preceding the actual upload time by approximately 24 hours. In fact, up until 2019, all videos uploaded to YouTube on 17 July 2014 carried a metadata timestamp of 16 July 2014.

Bellingcat’s investigator, Christo Grozev, blogged about this same bug one day after the shoot-down of MH17, when a number of Russian conspiracy websites had claimed that the telephone intercepts published by Ukraine’s security service were fake, citing the post-dating clues gleaned from metadata on YouTube videos.

On 18 July 2014, at 12:55 p.m., Christo recorded and uploaded to YouTube a short test video. The screenshot from YouTube’s Video Manager tool can be seen below.

Screenshot from YouTube’s Video Manager, dated 18 July 2014, 12:55

Immediately after the upload, he downloaded that same video from YouTube and ran a metadata analysis tool (ffprobe.exe) on it. It showed a file creation date at 10:55 on 17 July 2014. That implied that the file had been created on the day prior to the actual recording and uploading, a total of 26 hours earlier.

Screenshot from the metadata analysis of downloaded file performed with Ffprobe.exe

The cause for this discrepancy — which was unclear at the time of the experiment, and which Christo attributed in his blog post to simply a wrong calculation of time zones involved — was explained subsequently by a Google software engineer. Anatoly Vorobey, who works for YouTube’s parent company from Israel, provided his explanation on his personal blog two days later, on 20 July 2014.

The rather technical explanation boils down to the mundane fact that the prevalent video format used by YouTube (Mpeg-4, or mp4) was originally proprietary to Apple.  As a result, its metadata container has a timestamp field that measures “time” as the number of seconds passed since 1 January 1904, the start of the so called Macintosh Epoch. However, all modern servers use a different “epoch” to measure time. That is the Unix Epoch: namely, the number of seconds elapsed since 1 January 1970. Thus, in order to embed the correct timestamp into an mp4 file, a well-coded server must (1) obtain the Unix timestamp, (2) add the difference between the Unix and Macintosh Epochs, and (3) embed the sum of 1 and 2 into the mp4 timestamp field.

Most computer code that converts raw video into the mp4 format uses a set of open-source reference libraries, available here. These libraries, however, contain a constant number for the difference between the Unix and Macintosh Epochs equal to 2082758400 (search for this number in the library’s source code). However, a proper computation of the difference in seconds between 1 January 1904 and 1 January 1970 gives us a number of 2082844800. The difference between this correct number and the reference library (incorrect) number is exactly 86400 seconds, i.e. 24 hours less than the true timestamp.

This simple error, which Google fixed in 2019 by re-encoding all its videos without applying buggy ISO/IEC 14496-5 standard libraries, plus the time-zone differences between users’ PCs and the YouTube servers, explains away the complete “post-dated conspiracy” which Russia has used on and off since 2014 to discredit the investigation into MH17.

What remains without explanation is why the Russian Federation would submit a formal defense statement to the European Court of Human Rights without the most basic of due diligence into its validity and into the probity of its arguments.