Fighting Video Piracy Is Strengthened by Collaboration

Written by

Shane Keats

November 18, 2021


Here’s what I know: My personal email has been “pwned” or stolen at least 18 times. Here’s what I don’t know: whether any of the times I have been unable to log in to one of my OTT subscription services was due to my kids sharing our credentials or to an account takeover — that kill chain that starts with harvesting stolen username/password combinations and then testing them via a credential stuffing attack.

For my kids’ sake, I hope it was the latter. For my sake, I hope it was the former. Modern life is complicated. 

The video streaming industry — whether the service describes itself as OTT, DTC, SVOD, AVOD, vMVPD, or PSB — is experiencing its largest criminal threat since it was born in 2007, the year Netflix first began streaming.

The reason is clear. Over the past four years, video streaming has grown into the default form of “watching TV,” with subscriptions reaching 1.1 billion worldwide last year. Video piracy — which has been robbing film industry revenue for decades — has surged along with subscriptions and now can be as profitable for attackers as robbing online banking systems. (And thanks to rampant credential sharing, it is a whole lot easier.)

Akamai took a crack at researching just how profitable and found that in the U.S., video piracy tops $1 billion annually, raking in another 1 billion euros in Europe. Reliable estimates for Asia are harder to come by, but the data indicates that the percentage of people engaging in piracy is as high as 45% in some countries.

Yousef Al-Obaidly, Media Group CEO of beIN, the largest licensor of sports rights in the world, summarized the situation in this warning back in October 2019:

“The glorious media rights bubble is about to burst [because] piracy has spread to every corner of the globe and every part of society. We now live in a world where exclusive broadcast rights are, effectively, wholly non-exclusive, [and] the truth is that our industry is completely unprepared. Our industry and rights-holders, in particular, are still sleep-walking towards a financial cliff. The very economic model of our industry is going to be re-written.”

Piracy takes a toll on the entertainment industry and the larger economy

Last year, the Global Innovation Policy Center (GIPC) estimated that worldwide online piracy costs the U.S. economy between $29.9 billion and $71 billion in lost revenue each year. These estimates, especially when the ranges are so vast, should be treated with appropriate skepticism. Details matter. But what is not in doubt is that there are real costs, and not just to the bottom lines of media and entertainment providers. David Hirschmann, president and CEO of the GIPC, said in 2019, “Digital video piracy results in significant losses to the U.S. economy, harming businesses ranging from content production firms to the innovative technology companies that are driving the digital distribution revolution.” The GIPC report also assessed digital video piracy’s impact on U.S. jobs and found that it resulted in between 230,000 and 560,000 industry job losses per year.

The size of the threat is partly because piracy takes such wide-ranging forms. Consider this high-level view of the range of attack vectors, depending on whether the streamed content is live or on demand: 

Live events and channel simulcast attack vectors

  • Tampering with video playback software or Android OS 

  • Recording screens during playback or capturing during a screen-share session

  • Intercepting decrypted video using HDCP strippers connected to set-top boxes

  • Using credential stuffing attacks to access and use legitimate viewer details

  • Tampering with video to defeat watermarking, such as re-quantization

  • Transporting video out of a given market using a virtual private network (VPN)

On-demand attack vectors

  • Data center breaches, which have resulted in the theft of user credentials, cryptographic keys, or video content

  • User identification theft from freelance and full-time staff providing access to video through various systems

  • Recordings of physical assets (less prevalent now) for sharing and distribution

  • System hacks against various production systems providing direct access to video assets

  • Ripping content from legitimate sources

  • Cinema filming systems 

  • Direct theft using impersonation attacks

The way forward: collaborative responses and battle plans that work

Seven years ago, when I first started working at the intersection of streaming and security, the industry didn’t talk nearly enough about the threats they faced. Security was a private matter. Now the impact of piracy is forcing a new path forward. 

In October 2020, the Academy of Motion Picture Arts and Sciences told the story of how it protects the organization from pirating. The Academy’s international membership uses its streaming platform, Academy Screening Room, to watch movies in consideration for the upcoming award season. But what is online is also vulnerable. With the help of four different companies — Brightcove, NAGRA, BuyDRM and Akamai — the Academy was able to provide its membership with convenient access even as it protected its intellectual property from theft.

A year later, another collaboration was announced, this one among three cloud and security companies working together to help regulated defense contractors and software providers streamline ATO (authorization to operate) compliance on AWS. Announced October 1, 2021, this initiative, called FASTTR (short for Faster ATO with Splunk, Telos, and ThreatAlert for Regulated Markets), aims to reduce the time and cost of achieving ATO compliance certifications that, for example, can stall system migration to the cloud. FASTTR also aims to keep organizations more easily compliant with changing government security regulations, which ultimately bolsters protection.

Prevention is one front. Battling back is another. One of Akamai’s customers agreed to share its story, and more of this kind of communication is vital to the fight. As a leading distributor of TV, film, and sports rights across multiple countries, the customer was facing piracy rates as high as 40% for its live event programming. Among the attacks were:

  • Link sharing and token harvesting from sites such as Thop TV and Oreo TV 

  • Modded Android application package (APK) files, which can bypass services’ subscription requirements 

  • VPN proxy abuse, which allows viewers to bypass geo restrictions

The distributor began its journey to curb piracy with a battle plan that offers a model for the industry. Three principles guided the plan:

  • The solution must operate at scale and be capable of managing surging logins 

  • Real-time situational awareness across a range of possible attack vectors must operate at linear scale

  • The solution must identify and remove pirate activity within minutes — not weeks 

Given the range of tactics employed by the attackers and their ability to shift in response to defensive measures, Akamai developed a 360-degree approach with the customer, applying Zero Trust frameworks to a streaming architecture. The battle was ultimately successful. At the end of a major, multi-day event, the company was able to reduce piracy by 75%.

This is the good news: Video streaming services can gain the upper hand. The collaboration among the vendors that protected the Academy Screening Room proves what can happen when no single vendor pretends to have the magic bullet. When this collaborative spirit extends to streaming services and rights buyers — when they compete on content but cooperate on security — we start to win the war on piracy.

Read more about what Akamai helps make possible in the media and entertainment industry.
