Content Security Essentials for Studio-Level Video on Demand
In advance of South Africa’s decision on Set Top Box (STB) Control (security or no security on STBs), I’ve prepared the following on studio security requirements. This has been reviewed by the head of content security for one of the major studios.
Would You Like to Make Money from Studio Content?
As the former CTO of FilmFlex Movies (at the time a joint venture between Disney and Sony) I built the Video on Demand (VOD) film service for Virgin Media cable and Channel 4’s Film4oD broadband.
We delivered Pay By Transaction (PBT) VOD from over 30 suppliers, including all the studios, to almost 4 million homes with around 1 million buys per month.
I was one of the few global experts successfully negotiating technical security agreements with all the major studios – and in the first rights window – Transactional VOD – a window even more secure than the later Subscription VOD (SVOD) window.
Several companies wanted FilmFlex’s white label film service offering; however, I had to send two major tablet manufacturers and two major Set Top Box / broadcaster aggregators back to the drawing board, as they weren’t secure enough for studio film and TV content in the first rights window.
I wanted more hardware and software manufacturers interested in on-demand video to get it right.
So I went to the Digital Television Group (DTG). In the now infamous Device Group meeting, I cut through the debate and asked, “Would you like to make money from studio content?” When the answer came back as “Yes!”, I said, “This is how you do it.” The end result was a modification to the DTG D-Book 7 Part B to include the security requirements for premium video on demand content. The first major supplier to use these specifications was YouView, who I also advised separately.
I’ve since set up my own technical and strategic consulting company, mireality, where I advise globally on video on demand delivery, with a focus on emerging markets like South Africa.
This is How You Do It
Content Providers grant rights for a retailer per territory, per rights window, per device. This includes both rights granted and usage rules.
Granted rights describe the service that will be offered and the security it requires:
- Which territory
- What content type (SD, HD, 3D, 4K)
- What security (encryption, DRM, output protection, code hardening, secure players)
- Rental or ownership (UltraViolet or other)
- Rights Window / Type of service (Transactional, Subscription, Advertising, Free)
- Streaming or download
- Delivered over broadband internet (including Wi-Fi) or mobile (2.5G/3G/4G/5G)
- Traditional delivery (cable, IPTV, DTT, DTH)
- Which devices it can be viewed on
- Website or app
Usage rules specify how the retailer and customer can use the content available:
- How many devices can be registered
- How often those devices can be changed
- On how many devices can that content be downloaded simultaneously
- Whether the content can be shared with a household, and if so, how many
- How many people can view the content concurrently
- If sideloading, lending or gifting is allowed
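A sketch of how a retailer's backend could enforce a few of these granted rights and usage rules at device registration and playback time. This is an added example, not code from the original article or from any studio or DRM vendor; the class and function names, limits and return strings are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Grant:  # rights and usage rules for one retailer; all values constructed
    territories: frozenset
    resolutions: frozenset
    device_types: frozenset
    max_devices: int            # how many devices can be registered
    max_changes: int            # device removals allowed per change_window
    change_window: timedelta
    max_concurrent: int         # how many devices may play at once

@dataclass
class Account:
    devices: dict = field(default_factory=dict)    # device_id -> device type
    removals: list = field(default_factory=list)   # timestamps of removals
    playing: set = field(default_factory=set)      # device_ids with a live stream

def register_device(grant, acct, device_id, device_type):
    if device_type not in grant.device_types:
        return "deny: device type not licensed"
    if device_id not in acct.devices and len(acct.devices) >= grant.max_devices:
        return "deny: device limit reached"
    acct.devices[device_id] = device_type
    return "ok"

def remove_device(grant, acct, device_id, now):
    # Rate-limit removals so the device cap cannot be bypassed by rotation.
    recent = [t for t in acct.removals if now - t < grant.change_window]
    if device_id not in acct.devices:
        return "deny: unknown device"
    if len(recent) >= grant.max_changes:
        return "deny: device change limit reached"
    del acct.devices[device_id]
    acct.playing.discard(device_id)
    acct.removals = recent + [now]
    return "ok"

def authorize_playback(grant, acct, device_id, territory, resolution):
    # territory must come from a server-side lookup (e.g. GeoIP), not the client
    if device_id not in acct.devices:
        return "deny: device not registered"
    if territory not in grant.territories:
        return "deny: territory not licensed"
    if resolution not in grant.resolutions:
        return "deny: resolution not licensed"
    if device_id not in acct.playing and len(acct.playing) >= grant.max_concurrent:
        return "deny: concurrent stream limit reached"
    acct.playing.add(device_id)
    return "ok"
```

In a real service these checks would run before the DRM licence server issues a licence, and a stream slot would also be released when playback stops or a heartbeat times out.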
Content Security is more than Just a DRM
Content security requires more than just applying Digital Rights Management (DRM). Security has to be applied throughout the process. Different studios have different levels of requirements, but in general all of the following have to be complied with.
Receiving and storing content
- Secure receipt of content, especially high-resolution masters
- Secure storage of content digitally or physically in a library
- FACT and / or MPAA accreditation of storage
- Physical and electronic access rights and logging, tracking and reporting
- Secure storage of duplicates / backups off site
- Deletion or physical return of masters as required
- GeoIP restrictions (on site and CDN)
- Approved DRM
- Code hardening and following robustness rules
- Secure players on devices where the built-in player is not deemed secure enough
- Digital outputs are disabled or restricted (HDCP, DTCP)
- Analogue outputs require CGMS-A, disabling or Analogue Sunset (downres HD to SD)
- Device registration and management
- Rental files deleted from CDN when licence expires (owned files may be stored indefinitely)
- Fingerprinting, watermarking, etc. as required
Approved Streaming Protection Technologies
One of the best ways to find out what streaming protection the studios will approve is to look at the DECE UltraViolet DSystem specification. As a former member of the DECE I helped refine these requirements. All the studios except Disney are part of the DECE. Disney has its own service, Disney Movies Anywhere, powered by its proprietary technology, Keychest. All accepted DRMs except Apple’s FairPlay are listed. FairPlay is used by Apple and is potentially licensed to other services like Netflix, but it isn’t publicly licensed at this stage.
The approved list of streaming security is:
| Licensing Authority | Technology | Video Format Resolution | Restrictions |
|---|---|---|---|
| Adobe | Flash Access 2.0 / Primetime | SD, HD | |
| Cisco/SA | PowerKey | SD, HD | Closed Devices |
| Microsoft | MediaRoom | SD, HD | Closed Devices |
| Motorola | MediaCipher | SD, HD | Closed Devices |
| Motorola | SecureMedia | SD, HD | HD, other restrictions |
| Nagra | Media ACCESS CLK, ELK | SD, HD | Closed Devices |
| Nagra | MediaAccess PRM | SD, HD | HD, other restrictions |
| NDS | VideoGuard | SD, HD | Closed Devices |
| CMLA | CMLA-OMA DRM | SD, HD | |
| Rovi | DivX DRM Series 5 | SD, HD | HD, other restrictions |
| Verimatrix | VCAS | SD, HD | HD, other restrictions |
| Widevine | Widevine Version 4.0 | SD, HD | |
Source: UltraViolet DSystem Spec V2.0.1, Section 18 – Appendix C: Approved Stream Protection Technologies
How 4K Changes Security
4K adds additional video quality and security requirements. These must be adhered to by the hardware manufacturers or the devices will not be allowed to deliver studio content.
For 4K, output copy protection must be secured by HDCP 2.2. To be future-proof, all new devices will need to support this in hardware or be upgradable by software.
If any of the security requirements insisted upon by a studio are not in place, content will not be made available on a service. After launch, if security requirements are discovered to be lacking or not adhered to, a content provider will pull content off a service. So, be secure or be without content.