Re-Evaluating OTT/Streaming Security: Part 5 - Tackling Streaming Credentials Sharing

Pay TV operators have followed major video streamers to combat unauthorized credentials sharing among friends and family beyond the subscriber’s home. But they face a delicate balance between cracking down on the practice and avoiding annoying innocent customers.

Major video streaming providers such as Netflix and Disney+ have changed their tune dramatically about sharing of subscription credentials among friends and family for access outside the nominated home. They are being joined in their campaigns by pay TV operators and even some commercial Free To Air broadcasters for ad-free paid online versions of their packages.

The problem for all of them is harder than it would be if they could just throw technology at the problem with no concern over consequences for the service experience of innocent subscribers. Such subscribers naturally expect to access their services wherever they are within their home country at least, even if they accept limitations imposed by geoaccess constraints abroad, whether they are travelling, staying with friends, or in a hotel. They are more likely to churn to rival providers if they face significant security hurdles accessing their services away from home, or worse find the service barred completely.

The challenge then for many streaming service providers lies in avoiding throwing out the baby with the bathwater, the baby being the good will of their customers many of whom do not engage in credentials sharing. We recall that it has only been recognized as a problem for around six years, and before that major SVoD providers such as Netflix were at least tacitly condoning, if not actively encouraging, the practice. They perhaps saw it as free marketing, spreading the word among friends and family in the hope that some would then subscribe themselves.

For a while that worked, but that was when Netflix was dominating the SVod world and growing fast, as the defacto aggregator of streaming content. Even before major content providers such as Disney started their own streaming services and pulling content from Netflix, consumers were beginning to get SVoD fatigue. They started needing to subscribe to multiple services to obtain the content they wanted and faced paying just as much as they had done for the old, bloated pay TV packages from the cable TV and satellite providers.

Consumers then started sharing credentials more, so that one member of a group would take a Netflix sub, another Disney+, a third Comcast’s Peacock, or say Sky Now in say the USA, UK, or Germany among a few other countries. That earlier cozy marketing model was broken, and Netflix was among the first major streamers to acknowledge the problem, quickly followed by others, including pay TV operators in the context of their streaming services that were becoming increasingly important revenue sources in their own right. Among the latter was US cable group Charter Communications, whose chairman and CEO Tom Rutledge pointed out that unauthorized credentials sharing had become a problem for the whole industry and not just dedicated streaming providers, threatening the whole content funding model.

All sorts of statistics were trotted out, as Netflix in early 2022 revealed that 100 million households, or around 40% of its total global subscriber base, were now sharing accounts illicitly, "impacting our ability to invest in great new TV and films."

Wall street analysts calculated that Netflix could add an extra $1.6 billion to its top line if it implemented the plan to charge those who share credentials with people outside their households. That figure admittedly is based on the dubious assumption that all such subscribers would upgrade to the new “legitimate” sharing account, which is not borne out by feedback as the plan is rolled out.

In Spain, for example, Netflix started charging €5.99 to add an additional location beyond the original home, under its option called “buy an extra member”, which costs $7.99 in the USA and £4.99 in the UK. Yet as a result Netflix lost more than a million subscribers in Spain over the first three months of 2023, according to data analytics group Kantar.

This highlights the dilemma and explains why many streamers are treading delicately with a combination of publicity and incentives, and taking care to avoid draconian crackdowns. This is very much the case at Disney+, which has been changing its terms and conditions to include warnings against unauthorized credentials sharing but has yet to enact any technical measures. Disney CEO Bob Iger has confirmed that specific measures to combat credential fraud will be introduced in 2024, while admitting that they were unlikely to achieve any financial gains until well into 2025.

Whatever strategy is taken the first step is to identify when and where credentials sharing is occurring and then to determine whether this is unauthorized, that is for access by someone beyond the defined group. Until recently the only constraint has been to limit the number of concurrent streams, but as that is often three in practice so it only prevents rampant piracy rather than the drip feed of credentials sharing whose cumulative impact has become just as great.

This begins by identifying devices, typically through a combination of IP address, device identifier, and account activity, all analyzed with the help of machine learning. All three have to be taken into consideration because each has its shortcomings and no single one on its own can pin down illicit credentials sharing.

Device IDs, comprising anonymous strings of numbers and letters, uniquely identify streaming devices such as smartphones, tablets, or even smart TVs, can be read by mobile apps or cookies. However, they are of little use in the case of subscribers gaining access from a shared facility in a venue or hotel room.

IP addresses, allocated to devices during a session, can give some idea of location. But these are an unreliable indicator of the end client which may be behind a gateway to which the address is allocated. There are also ways of obscuring IP addresses, behind proxies or VPNs for example. Streamers can mitigate these to varying degrees but still IP addresses are best included as just one of many signals in identifying illicit credentials sharing.

Analysis of activity during a session, combined with identification of location, can indicate when credentials sharing is occurring. Actions taken can include sending a onetime passkey to the smartphone of the remote user, but that only works if that user can be identified and is already among the authorized family group. Even then it imposes an inconvenience.

Another tactic is to contact the main account holder to check if the access is genuine and then offer an upgrade to make it legitimate if it is not. But again, as Netflix has found in Spain, that can lead to loss of the subscriber.

As a result of the anxiety among streamers not to impact quality of experience for subscribers, or annoy them too much, many of the protections against the practice imposed so far are quite easy to circumvent.

Obviously, this is not the place to reveal ways of working around measures to prevent credentials sharing, but a key point is that all streaming providers have to cater for subscribers while they are traveling and away from the home. This is often done by mechanisms that operate like two factor authentication, that is something users know such as a code and something they have, like their smartphone.

When users travel and try to sign on, the main account holder may receive a notification in the home inviting them to apply for a temporary access code. When obtained this can then be emailed or texted to the remote user. In this case the second factor is not a device as such – since the remote user is coming in from an unrecognized one. It is the main account holder, upon whose integrity therefore the streaming provider is still relying on.

The upshot is that credentials sharing, even more than other threats to revenue such as outright piracy, cannot be addressed by technology alone. Netflix admitted recently it was still refining its measures in the light of feedback both from customers and the bottom line, as it seeks to navigate this turbulent middle ground between discouraging the practice and deterring legitimate customers.

The likes of Disney+ have also been watching from the sidelines, hoping to avoid Netflix’s mistakes and come in with measures that maximize overall revenues, while accepting there will still be some losses to casual account sharing. It seems to be leaning towards an approach relying more on incentives such as upgrades to entice its subscribers to share legitimately.

To some extent the best remedy depends on the overall business model. Amazon Prime Video for example can afford to be more relaxed about credentials sharing (which it allows up to a point through its Amazon Household feature), for two reasons.

First, Amazon Prime as a whole generates more revenue than any other global subscription model, also including ecommerce, music and gaming, so is less dependent on video content alone, which can almost be pitched as a loss leader. Second, subscriptions are based around digital wallets hitched to credit or debit cards, so subscribers will be more reluctant to share other than with close friends and family for security reasons.

Few streaming providers are in that position, but in all cases preventative measures against credentials sharing need tailoring to the business model, also catering for cultural and demographic differences between countries or areas in which they operate.

You might also like...

HDR & WCG For Broadcast: Part 3 - Achieving Simultaneous HDR-SDR Workflows

Welcome to Part 3 of ‘HDR & WCG For Broadcast’ - a major 10 article exploration of the science and practical applications of all aspects of High Dynamic Range and Wide Color Gamut for broadcast production. Part 3 discusses the creative challenges of HDR…

IP Security For Broadcasters: Part 4 - MACsec Explained

IPsec and VPN provide much improved security over untrusted networks such as the internet. However, security may need to improve within a local area network, and to achieve this we have MACsec in our arsenal of security solutions.

Standards: Part 23 - Media Types Vs MIME Types

Media Types describe the container and content format when delivering media over a network. Historically they were described as MIME Types.

Six Considerations For Transitioning To Cloud Based Video Distribution

There are many reasons why companies are transitioning from legacy video distribution workflows to ones hosted entirely in the public cloud, but it’s not a simple process and takes an enormous amount of planning. Many potential pitfalls can be a…

IP Security For Broadcasters: Part 3 - IPsec Explained

One of the great advantages of the internet is that it relies on open standards that promote routing of IP packets between multiple networks. But this provides many challenges when considering security. The good news is that we have solutions…