How to provide authorized access to video content

Mark Angelo

During the period of total coronavirus lockdown, online video consumption reached its peak, and the trend is only gaining momentum. According to Emarketer, the average amount of video content watched in the U.S. increased from 133 to 140 minutes compared to 2020, and more than 145 minutes per day is predicted by the end of 2022. At the same time, consumption of content by subscription is growing rapidly. Just under a third (30.8%) of all video subscription revenue in the U.S. comes from Netflix, more than a quarter (25.9%) from Disney and 13.2% from YouTube Premium.

To build quality video services that viewers will be willing to pay to subscribe to, providers need to offer not only an unparalleled user experience but also comfortable and secure video distribution. In this article we will talk about the latter: which IT solutions help to implement authorized access to video content, and how.

Unauthorized access to content

There are several ways to access restricted content. The most popular methods can be divided into two categories.

First: at the authorization level

Through the transfer of account data to third parties. These include relatives, friends, colleagues and the audience of public communities and forums.

Selling or leasing, where users resell or temporarily share access to their account.

Leaks and theft of account data.

Second: At the content delivery level

Unauthorized video downloads: via a direct link from the page code or the developer tools console; via browser plugins for downloading from video hosting sites; via standalone software (e.g., VLC or FFmpeg).

Screencast using both software and hardware.

At the authorization level it is more or less clear how to provide protection (for example, by blocking two or more simultaneous sessions from one user, using single sign-on (SSO) technology, or monitoring suspicious activity). With the second category, problems can arise. Let's focus on content protection itself.

The evolution of content protection

Video on Demand (VoD) proliferation started long before browsers could play video streams in a secure manner. Cable networks were the first to give access to content and to face the problem of protecting it. Security mechanisms were created for them, and over 30 years they have demonstrated a certain degree of reliability.

At that time, the main problem was that people could freely connect to cable networks and access content that was originally closed to them or only available by subscription. As a solution, set-top boxes with special cards were produced. They identified the user and decoded the encrypted signal.

On the Internet, the need to protect content also did not appear immediately. At first, only free video content was posted on the web. Large rightsholders did not upload theirs for fear of the lack of reliable protection systems. Later, as paid video streaming developed, sites organized access control on their own.

Today, almost any service that provides access to content uses CDN (Content Delivery Network). This is a geographically distributed infrastructure, which provides rapid delivery of content to users of web services and sites.

The servers that are part of the CDN are located so that the response time for users of the service is minimal. Most often the CDN is a third-party solution, and often several providers are used at the same time (Multi-CDN). In this case, anyone with a link has access to the content placed on the provider's nodes. This is where the need arises to differentiate access rights to content in a distributed and loosely connected system, which, moreover, is open to everyone on the Internet.

One of the well-known solutions for protecting streaming video content was encryption in the HLS (HTTP Live Streaming) protocol. Apple called it HLS AES and suggested it for secure transmission of media files over HTTP. Although video segments were encrypted using the AES-128 standard, the keys themselves were transmitted in the clear, allowing them to be intercepted. These keys had to be protected in any case (secure HTTPS channels were not widespread yet), so everyone implemented the access system in their own way.

In the landscape of multimedia content copy protection technologies, three main DRM (Digital Rights Management) technologies took firm positions: PlayReady from Microsoft, Widevine from Google and FairPlay from Apple.

Two streaming protocols are widely used today. These are HLS, introduced by Apple in 2009, and the more modern MPEG-DASH (Dynamic Adaptive Streaming over HTTP), which was the first adaptive bitrate video streaming solution to gain international standard status.

The coexistence of the two protocols and the increased need to play online video in browsers prompted the unification of content protection. So in September 2017, the World Wide Web Consortium (W3C) approved Encrypted Media Extensions (EME), a specification for the interaction between browsers and content decryption modules, based on five years of development by Netflix, Google, Apple and Microsoft.

At its core, EME is a browser media extension that provides an API for working with an encryption module. It leaves the implementation of the server side free and minimizes the risk of incompatibility. That is, you can use proprietary DRM (PlayReady, Widevine, FairPlay), open source DRM or your own solution.

However, there are also opponents of content encryption and proprietary DRM systems. The Free Software Foundation even declared May 6 the Day of Resistance to DRM technologies, arguing that companies use them to infringe on the personal freedom of users. There are alternatives to the standard browsers: for example, the EME-free build of Firefox. It does not have the Widevine plug-in that Firefox uses in its regular versions, so copy-protected files will not be played back.

There are also DRM solutions based on open source, as you can find on CLLAX - Software Reviews. For example, China is implementing the China DRM key system specification, which is designed to work with the ISO Common Encryption (CENC) protection scheme and EME.


A complete DRM system and the three pillars of content encryption

Implementing DRM and authorization mechanisms is the most reliable way to protect against unauthorized access to video content. To avoid compatibility issues and minimize security holes, it's important to follow three recommendations.

Encrypt video content with multiple keys

How does it work? The source video file is divided into several small parts, each encrypted with a separate key. To decrypt content which can be freely intercepted from the CDN, it is not enough to get the keys. The device has to request them. At the same time, each received key fits only a few of the video files, not all of them. On the user side, there is no change: the player receives decryption keys as the user views the video.

This is already enough to prevent the video from being downloaded in the most obvious ways for ordinary users, e.g. via VLC player, FFmpeg, or corresponding extensions that are built into the browser.
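The two points above (HLS AES keys travelling in the clear, and one key per group of segments) can be checked on a published playlist. The following is an added example, not code from the original article: it reads the standard `#EXT-X-KEY` tags of an HLS media playlist and reports keys fetched without TLS, unencrypted segments and missing key rotation. The playlist, host names and function name are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample playlist (not from a real service).
SAMPLE = """#EXTM3U
#EXT-X-TARGETDURATION:6
#EXT-X-KEY:METHOD=AES-128,URI="http://keys.example.test/k1",IV=0x00000000000000000000000000000001
#EXTINF:6.0,
seg0.ts
#EXTINF:6.0,
seg1.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.test/k2"
#EXTINF:6.0,
seg2.ts
#EXT-X-KEY:METHOD=NONE
#EXTINF:6.0,
seg3.ts
#EXT-X-ENDLIST
"""

ATTR = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')

def audit_playlist(text, base_url):
    """Return (segments_per_key, findings) for one HLS media playlist."""
    current, per_key, findings = None, {}, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#EXT-X-KEY:"):
            attrs = {k: v.strip('"') for k, v in ATTR.findall(line.split(":", 1)[1])}
            if attrs.get("METHOD") == "NONE":
                current = None           # following segments are in the clear
                continue
            current = urljoin(base_url, attrs.get("URI", ""))
            if urlparse(current).scheme != "https":
                findings.append(f"key fetched without TLS: {current}")
        elif line and not line.startswith("#"):
            if current is None:
                findings.append(f"unencrypted segment: {line}")
            else:
                per_key[current] = per_key.get(current, 0) + 1
    if len(per_key) == 1 and sum(per_key.values()) > 1:
        findings.append("one key covers every encrypted segment (no rotation)")
    return per_key, findings

if __name__ == "__main__":
    print(audit_playlist(SAMPLE, "https://cdn.example.test/video/index.m3u8"))
```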

 

Obtain keys to decrypt content through the license server

At a minimum, all requests to the license server must go through a secure HTTPS channel to prevent MITM attacks (key hijacking). At most, you should also use a One Time Password (OTP).

Giving out keys on request by ID-content or ID-key alone is not good protection. To differentiate access, at a minimum, you need to authorize the user on the site, that is, to identify him by his ID-session. In this case, the user's token is transferred along with the ID-content or ID-key. This can be a session or any other identifier that uniquely identifies the user. The license server asks whether the content is available for the token, and gives out encryption keys only if the answer is positive.

Usually the license server contacts your API and stores the response in its session, to reduce the load on the service.
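The key request flow described above, as an added example that is not part of the original article and is not any DRM vendor's API. It assumes an HMAC-signed token of the form session|expiry|mac, a lookup table standing in for the site's API, and a short cache lifetime; all names, keys and values are constructed.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"          # shared by the site and license server
KEYS = {"key-17": bytes.fromhex("00112233445566778899aabbccddeeff")}  # constructed
KEY_TO_CONTENT = {"key-17": "movie-42"}
ENTITLED = {("session-alice", "movie-42")}   # stands in for the site's API
API_LOG = []                                 # records every call to the site's API
_cache = {}                                  # (session, content) -> (answer, until)

def _mac(session_id, expires_at):
    msg = f"{session_id}|{expires_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def sign_token(session_id, expires_at):
    """Issued by the site after login; the player sends it with each key request."""
    return f"{session_id}|{expires_at}|{_mac(session_id, expires_at)}"

def site_api_is_entitled(session_id, content_id):
    API_LOG.append((session_id, content_id))
    return (session_id, content_id) in ENTITLED

def issue_key(key_id, token, now=None, cache_ttl=30):
    """Return the content key, or None when the request must be refused."""
    now = time.time() if now is None else now
    try:
        session_id, expires_at, mac = token.split("|")
        good = hmac.compare_digest(mac.encode(), _mac(session_id, expires_at).encode())
        if not good or now >= int(expires_at):
            return None                      # forged or expired token
    except ValueError:
        return None                          # malformed token
    content_id = KEY_TO_CONTENT.get(key_id)
    if content_id is None:
        return None                          # unknown ID-key
    answer, until = _cache.get((session_id, content_id), (None, 0))
    if now >= until:                         # ask the site only on a cache miss
        answer = site_api_is_entitled(session_id, content_id)
        _cache[(session_id, content_id)] = (answer, now + cache_ttl)
    return KEYS[key_id] if answer else None
```

The cache lifetime bounds how long a cached positive answer keeps being honoured after the site withdraws access, so it is kept short here.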

 

Limit the lifetime of the keys

This uses a non-persistent license, which is valid only for the current session. The user's device requests a license before each playback or as the video plays.

When using a non-persistent key, the user can access the content even if it has already been revoked (except for videos that are available offline).

Other ways to protect content

Video content protection is not limited to encryption and DRM implementation. Several other ways can be added to them.

Dynamic watermarks, overlaid in the player or during video transcoding. This can be a company logo, or a user ID by which the user can be identified. The technology itself is not capable of preventing video content leakage; its effect is rather psychological.

DNA coding, when a video is encoded in 4-5 different variants and a different sequence of variants is generated for each user. This process can be divided into two parts. First, the video chain is generated by embedding characters into each frame of the original uncompressed content. The frames are encoded and sent to the server for storage. The user then requests secure content from the provider, which links a digital footprint to the client. This can be created in real time or it can be taken from a database, which contains a string of characters related to video strings. These symbols are used to create watermarked videos by switching between groups of images from video chains.
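A sketch of the variant-switching idea described above, as an added example that is not from the original article. It assumes four pre-encoded variants per segment, derives each user's sequence from an HMAC of the user ID (one possible way to generate it, chosen here for illustration), and matches a sequence recovered from a leaked copy against known users while tolerating unreadable or misread segments. The secret and user IDs are constructed.

```python
import hashlib
import hmac

VARIANTS = 4                        # the article mentions 4-5 encoded variants
SECRET = b"constructed-demo-secret"

def variant_sequence(user_id, n_segments):
    """Which variant (0..VARIANTS-1) this user receives for each segment."""
    seq, counter = [], 0
    while len(seq) < n_segments:
        msg = f"{user_id}:{counter}".encode()
        block = hmac.new(SECRET, msg, hashlib.sha256).digest()
        # 256 is a multiple of 4, so reducing a byte mod 4 adds no bias.
        seq.extend(b % VARIANTS for b in block)
        counter += 1
    return seq[:n_segments]

def identify(observed, known_users):
    """Rank users by the share of readable segments matching their sequence.

    `observed` holds the variant detected in each segment of the leaked copy,
    or None where the watermark could not be read.
    """
    scores = []
    for user in known_users:
        expected = variant_sequence(user, len(observed))
        usable = [(o, e) for o, e in zip(observed, expected) if o is not None]
        hits = sum(o == e for o, e in usable)
        scores.append((hits / len(usable) if usable else 0.0, user))
    return sorted(scores, reverse=True)

def demo():
    users = [f"user-{i}" for i in range(200)]       # constructed user IDs
    leak = variant_sequence("user-137", 40)
    leak[3] = leak[10] = None                       # two unreadable segments
    leak[20] = (leak[20] + 1) % VARIANTS            # one misdetected segment
    return identify(leak, users)[:2]

if __name__ == "__main__":
    print(demo())
```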

To summarize

The above protection methods cannot provide a 100% guarantee against unauthorized access and distribution of video content. However, a comprehensive implementation of data protection tools, including encryption, will help organize secure authorized access to video and promote copyright protection.

Protection technologies are getting better, without creating additional hindrances for the user, and are making life easier for developers. So, betting on the convenience of the product, accessibility and high quality of content, in time we can expect subscription to become a real alternative to open sources.
