Unresolved Security Issues Dog Multiscreen TV Agenda

Spencer Stephens, CTO, Sony Pictures

Spencer Stephens, CTO, Sony Pictures

By Fred Dawson

May 9, 2012 – As use cases for premium video content multiply across an endless outpouring of new consumer devices the overarching question for distributors of every description is whether a workable, scalable content protection environment will emerge to make this a viable space for making money.

On the one hand vendors are continually updating their security solutions to stay ahead of the latest vulnerabilities in the distribution chain with advances like forensic watermarking and multi-layered approaches to protection that go well beyond content encryption. And there’s some hope from standards initiatives that efforts to address all these issues will become less fragmented.

But it’s clear that much remains to be accomplished before “crown-jewel” quality content can be routinely released into the multiscreen access domain, especially in unmanaged network environments. And it’s a moving target, notes Bill Rosenblatt, founder of GiantSteps, a consulting firm working with media companies on technology strategies.

“System elements to be secured include headend servers, transmission links to end users and display devices, all with their own set of things to consider,” Rosenblatt says. At the headend or other central point of service origination there needs to be a root of trust where only certain people are allowed into the facility and content is watermarked to help locate sources of theft. Across the distribution system protection has to be matched to degrees of value related to release windows, quality level, usage rules and other factors.

With release windows shrinking for all categories, including premier VOD, hospitality, DVD and electronic sell through, pay-per-view /VOD and free-to-air, security levels for each window become more stringent. And, at the end points, protection, in addition to encryption and rights policy enforcement, now must include mechanisms for device authentication, subscriber information security, blocking “white box” hacking, virtual machine detection and identification of devices that have been compromised.

It all adds up to a huge headache for content owners looking to exploit the multiscreen opportunity, notes Spencer Stephens, the CTO at Sony Pictures Entertainment. “With the abundance of delivery systems and increasing numbers of devices, there’s an explosion in the number of protection systems being brought to us,” Stephens says. “It makes it difficult to nail down how secure something is.”

It helps, Stephens adds, if distributors are using protection systems that content owners have vetted and worked with in the marketplace. “PlayReady [the Microsoft DRM], for example, has a great track record,” he says. “We have a lot of experience with that, and [Microsoft] does a good job of monitoring for hacks on the Internet. If a security system doesn’t have renewability, it’s not of much use to us.”

But, as Rosenblatt notes, coming to a studio or network with a previously endorsed security system doesn’t mean the distributor will be automatically accorded rights to deliver the content. “DRMs like PlayReady and Marlin are conditionally approved, but content owners still want to know robustness rules are being adhered to in terms of how the DRM is implemented,” he says.

Adding to content owners’ difficulties are the vagaries of device classification and adaptive rate streaming when it comes to categorizing usage rights. “It’s becoming difficult to distinguish from one class of device to another,” Stephens says. “What’s a TV versus a set-top box? What’s a tablet versus a PC? A lot of usage rule models had to draw lines between devices for defining licenses that may no longer be relevant yet must somehow be enforced.”

Where adaptive streaming is concerned, the fluctuations in bit rate can have a serious impact on resolution quality and, hence, on what level of security is required. “What happens as the bit rate drops is you get spatial sub-sampling,” Stephens observes. “What was supposed to be an HD video may only have 1440 pixels rather than 1980. So the low end merges with SD, and the question becomes, what is it HD or SD?”

Bleak as all this might sound, there’s hope for reaching the day when the broadband highway can accommodate streamed and downloaded premium content with all the security of a traditional pay TV network. In fact, says Verimatrix CTO Petr Peterka, a big part of the work has already been accomplished. “Over-the-top is changing the marketplace, but from a content protection point of view it’s just an evolutionary step,” Peterka says. “OTT is really playing catch up with what we’ve been working on for a long time.”

Verimatrix, of course, is not alone in touting solutions that are meant to deliver not only ironclad security on multiscreen services but to do it in ways that overcome some of the hassles associated with matching content protection platforms to various DRM formats dictated by various streaming modes. But there’s still a lot of work that goes into providing all the protection required for a premium-caliber multiscreen service, acknowledges Verimatrix CEO Tom Munro.

“Technical teams rush out and do a good job of selecting component parts and integrating it,” Munro says. “But they often underestimate the complexity of doing it. It’s as daunting as putting up a broadcast service platform, and being able to reduce complexity is important.”

In the case of the third-generation Verimatrix Video Content Authority System (VCAS), content distributors can employ the VCAS MultiRights framework to mediate different DRM technologies on multiple networks and devices through a single set of subscriber entitlements interfaces and Web services APIs, Munro notes. This single content authority and entitlement process delivers licenses in whatever DRM format the requesting user device requires, including formats associated with Microsoft Smooth, Apple HTTP Live Streaming (HLS) adaptive rate streaming modes, BD-Live streaming to Blu-ray players and Marlin DRM for Broadband.

But even when such a streamlined approach is provided to cover all the security requirements for premium multiscreen services there are serious snags to getting services off the ground, Munro notes. “The things often missed are issues that complicate legal and commercial negotiations about content – where may I show it and what do users have a right to expect?” he says.

Here is where the ability to enforce rights through close adherence to the policies conveyed in metadata associated with each program becomes vital to moving ahead once all the usage policies are worked out. “When you do have the business rules laid down in black and white and compare that to the system you have to enforce management and report against those rules, you have the basis for an interesting RFP,” he says. “We’re seeing a lot of those.”

Another area where attention to the nuances can be make or break in terms of ultimate success has to do with tuning distributors’ responses to piracy to the nature of the violations and the purposes behind them. Irdeto, having developed a comprehensive suite of protection solutions, including a dynamic approach to renewable security with its ActiveCloak platform and, most recently, a session-based approach to delivering forensic watermarks known as TraceMark, is now focusing on helping content distributors deal with wrong doers depending on where they fit on the “piracy continuum.”

This is no easy task, given the range of user categories that must be addressed, notes Stuart Rosove, vice president of corporate and online marketing at Irdeto. “By looking at the piracy continuum, Irdeto is deconstructing the mechanics of the marketplace so that our customers can define their own solutions for dealing with specific types of users within a holistic approach to content protection,” Rosove says.

Defeat of the online piracy act in Congress has heightened distributors’ focus on self-policing to staunch abuses by their customers in ways that don’t lump every thief into the same category. The spectrum of pirates includes everyone from hard-core criminals stealing for profit and hackers breaking code for glory to a range of individual consumers pursuing illicit access to content for their own pleasure.

These include the large community of what Rosove calls “casual pirates” who don’t have access to TV sets or aren’t interested in using them when do and “frustrated consumers” who can’t get what they want on TV, including fans of certain shows who live in countries where current episodes are not available. And then there are the vast numbers of “confused consumers” who view something online that looks perfectly legitimate without knowing the program or movie has been pirated.

To the extent all these types of broadband consumers are able to get what they want illegally without paying they represent big potential losses for content owners and service providers alike. If they live in pay TV households they become candidates for cord cutting or shaving. If they don’t, they are much harder to win over as new subscribers.

“Any given pay TV household can have confused, frustrated and casual pirates,” Rosove says. “So we need to be able to deal with them in a way that facilitates getting them or keeping them as premium subscribers. In other words, we need to get more bang for the buck when it comes to content protection.”

Ultimately, as the lines blur between content owners and ISPs who are looking to monetize over-the-top distribution, the onus is on everyone who invests in content protection to develop ways to deal effectively with piracy, Rosove says. “We believe it’s possible to convert a lot of frustrated and confused consumers to pay,” he adds.

This means distributors will need to be able to manage data about instances of theft, who the parties are and what has been stolen with tools that give them the ability to react in ways most conducive to obtaining and retaining paying customers. “It’s about putting a solution in place that allows you to deal with the entire spectrum,” Rosove says.

Clearly, there’s hope for more coherent approaches to monetization in the emerging multiscreen pay TV market. But, just as clearly, there’s a long way to go which will require greater dedication to collaboration on everything from defining requirements to legitimizing solutions.