Content Security Essentials for Studio-Level Video on Demand

Content Security Essentials for Studio-Level Video on Demand

In advance of South Africa’s decision on Set Top Box (STB) Control (security or no security on STBs), I’ve prepared the following on studio security requirements. This has been reviewed by the head of content security for one of the major studios.

Would You Like to Make Money from Studio Content?

As the former CTO of FilmFlex Movies (at the time a joint venture between Disney and Sony) I built the Video on Demand (VOD) film service for Virgin Media cable and Channel 4’s Film4oD broadband.

We delivered Pay By Transaction (PBT) VOD from over 30 suppliers, including all the studios, to almost 4 million homes with around 1 million buys per month.

I was one of the few global experts successfully negotiating technical security agreements with all the major studios – and in the first rights window – Transactional VOD – a window even more secure than the later Subscription VOD (SVOD) window.

Several companies wanted FilmFlex’s white label film service offering, however, I had to send back two major tablet manufactures and two major Set Top Box / broadcaster aggregators to the drawing board as they weren’t secure enough for studio film and TV content in the first rights window.

I wanted more hardware and software manufacturers interested in on-demand video to get it right.

So I went to the Digital Television Group (DTG). In the now infamous Device Group meeting, I cut through the debate and asked, “Would you like to make money from studio content?” When the answer came back as “Yes!”, I said, “This is how you do it.” The end result was a modification to the DTG D-Book 7 Part B to include the security requirements for premium video on demand content. The first major supplier to use these specifications was YouView, who I also advised separately.

I’ve since set up my own technical and strategic consulting company, mireality, where I advise globally on video on demand delivery, with a focus on emerging markets like South Africa.

This is How You Do It

Content Providers grant rights for a retailer per territory, per rights window, per device. This includes both rights granted and usage rules.

Granted rights describe the service that will be offered and the security it requires:

  • Which territory
  • What content type (SD, HD, 3D, 4K)
  • What security (encryption, DRM, output protection, code hardening, secure players)
  • Rental or ownership (UltraViolet or other)
  • Rights Window / Type of service (Transactional, Subscription, Advertising, Free)
  • Streaming or download
  • Delivered over broadband internet (including Wi-Fi) or mobile (2.5G/3G/4G/5G)
  • Traditional delivery (cable, IPTV, DTT, DTH)
  • Which devices it can be viewed on
  • Website or app

Usage rules specify how the retailer and customer can use the content available:

  • How many devices can be registered
  • How often those devices can be changed
  • On how many devices can that content be downloaded simultaneously
  • Whether the content can be shared with a household, and if so, how many
  • How many people can view the content concurrently
  • If sideloading, lending or gifting is allowed

Content Security is more than Just a DRM

Content security requires more than just applying Digital Rights Management (DRM). Security has to be applied throughout the process. Different studios have different levels of requirements, but in general all of the following have to be complied with.

Receiving and storing content

  • Secure receipt of content, especially high-resolution masters
  • Secure storage of content digitally or physically in a library
  • FACT and / or MPAA accreditation of storage
  • Physical and electronic access rights and logging, tracking and reporting
  • Secure storage of duplicates / backups off site
  • Deletion or physical return of masters as required


  • GeoIP restrictions (on site and CDN)
  • Approved DRM
  • Code hardening and following robustness rules
  • Secure players on devices where the built-in player is not deemed secure enough
  • Digital outputs are disabled or restricted (HDCP, DTCP)
  • Analogue outputs require CGMS-A, disabling or Analogue Sunset (downres HD to SD)
  • Device registration and management
  • Rental files deleted from CDN when licence expires (owned files may be stored indefinitely)
  • Fingerprinting, watermarking, etc. as required

Approved Streaming Protection Technologies

One of the best ways to find out what streaming protection the studios will approve is to look at the DECE UltraViolet Specifications DSystem spec. As a former member of the DECE I helped refine these requirements.   All the studios except Disney are part of the DECE. Disney has its own service, Disney Movies Anywhere, powered by its proprietary technology, Keychest. And all accepted DRMs except Apple’s FairPlay are listed. FairPlay is used by Apple and is potentially licensed to other services like Netflix, but it isn’t publically licensed at this stage.

The approved list of streaming security is:

Licensing Authority Technology Video Format Resolution Restrictions
Adobe Flash Access 2.0 / Primetime SD, HD
Cisco/SA PowerKey SD, HD Closed Devices
Marlin Marlin SD, HD
Microsoft MediaRoom SD, HD Closed Devices
Microsoft PlayReady SD, HD
Motorola MediaCipher SD, HD Closed Devices
Motorola SecureMedia SD, HD HD, other restrictions
Nagra Media ACCESS CLK, ELK SD, HD Closed Devices
Nagra MediaAccess PRM SD, HD HD, other restrictions
NDS VideoGuard SD, HD Closed Devices
Rovi DivX DRM Series 5 SD, HD HD, other restrictions
Verimatrix VCAS SD, HD HD, other restrictions
Widevine Widevine Version 4.0 SD, HD

Source: UltraViolet DSystem Spec V2.0.1, Section 18 – Appendix C: Approved Stream Protection Technologies

How 4K Changes Security

4K adds additional video quality and security requirements. These must be adhered to by the hardware manufacturers or the devices will not be allowed to deliver studio content.

For 4K output copy protection must be secured by HDCP 2.2. To be future proof all new devices will need to support this in hardware or be upgradable by software.

In Summary

If all of the security requirements insisted upon by a studio are not in place, content will not be made available on a service. After launch, if security requirements are discovered to be lacking or not adhered to a content provider will pull content off a service. So, be secure or be without content.

5 Comments on “Content Security Essentials for Studio-Level Video on Demand

  1. Nice article, Maria.

    Don’t forget the role of session-based forensic watermarking, which is a powerful influencer when T-VOD operators are negotiating premium content rights, especially for Ultra HD / 4K content (and also for operators streaming live premium sport OTT).

    Civolution’s NexGuard is the world’s most widely-deployed forensic watermarking technology.

    For more info on one of our recent T-VOD deployments, see here:

    • Yes, I mention both fingerprinting and watermarking. For anyone else reading this, Alistair works for Civolution so his post is a product promotion. However, Civolution is well known in this space for providing watermarking technology. Watermarking is only required by studios/content providers in specific cases, but they will tell you when it is required.

  2. Hi Maria,
    Very interesting summary. My experience regarding HD rights on Set-top boxes (especially for TVOD) is that some studios explicitly require TEE (Trusted Execution Environment) support. This is more difficult to achieve than “just” the robustness rules and requires deeper integration with the SOC manufacturer. I was told that 4K will most likely require TEE support in all instances.
    Regarding the video output requirements, I wasn’t able to get a clear view on Miracast support. It’s been there for some time (since WiDi was introduced), but it’s been gaining traction (now part of MS PlayReady compliance rules, and built in into Win8.1/Win10). It’s not clear if studios need to grant specific permission to output to Miracast, and only to a limited (explicit) list of Miracast approved devices, or if as long as the STB HDMI is HDCP 2.2 compliant, any Miracast device should be able to render HD (and soon to come 4K) content.

    • Thanks Stephan. Yes, this is just an overview. There’s a lot more detail and specifics that vary per device and distribution method (e.g. QAM, IP, mobile network).

      In my understanding if Miracast (or similar Wi-Fi technology) is secured by HDCP 2.2 and the content is secured via some form of DRM then it should be fine. But if HDCP 2.2 is broken the security would need to be upgradable to the next version. Both the source and sink (receiver) need to support an approved HDCP version. For 4K certainly the source always needs to be the latest version. I’m getting clarity on whether the sink always has to be. Please note you can only stream to approved registered devices within the physical number limit that is set by the studio within the retail application.

  3. Just catching up on these blogs, this one being particularly relevant to my line of work 😉 An excellent summary. Great to meet you yesterday.

Feeling inspired? Leave a comment!