Re-Evaluating OTT/Streaming Security: Part 5 - Tackling Streaming Credentials Sharing

Pay TV operators have followed major video streamers to combat unauthorized credentials sharing among friends and family beyond the subscriber’s home. But they face a delicate balance between cracking down on the practice and avoiding annoying innocent customers.

Major video streaming providers such as Netflix and Disney+ have changed their tune dramatically about sharing of subscription credentials among friends and family for access outside the nominated home. They are being joined in their campaigns by pay TV operators and even some commercial Free To Air broadcasters for ad-free paid online versions of their packages.

The problem for all of them is harder than it would be if they could just throw technology at the problem with no concern over consequences for the service experience of innocent subscribers. Such subscribers naturally expect to access their services wherever they are within their home country at least, even if they accept limitations imposed by geoaccess constraints abroad, whether they are travelling, staying with friends, or in a hotel. They are more likely to churn to rival providers if they face significant security hurdles accessing their services away from home, or worse find the service barred completely.

The challenge then for many streaming service providers lies in avoiding throwing out the baby with the bathwater, the baby being the goodwill of their customers, many of whom do not engage in credentials sharing. We recall that it has only been recognized as a problem for around six years, and before that major SVoD providers such as Netflix were at least tacitly condoning, if not actively encouraging, the practice. They perhaps saw it as free marketing, spreading the word among friends and family in the hope that some would then subscribe themselves.

For a while that worked, but that was when Netflix was dominating the SVoD world and growing fast, as the de facto aggregator of streaming content. Even before major content providers such as Disney started their own streaming services and began pulling content from Netflix, consumers were beginning to get SVoD fatigue. They started needing to subscribe to multiple services to obtain the content they wanted and faced paying just as much as they had done for the old, bloated pay TV packages from the cable TV and satellite providers.

Consumers then started sharing credentials more, so that one member of a group would take a Netflix sub, another Disney+, a third Comcast’s Peacock or, say, Sky Now, in the USA, UK, or Germany, among a few other countries. That earlier cozy marketing model was broken, and Netflix was among the first major streamers to acknowledge the problem, quickly followed by others, including pay TV operators in the context of their streaming services that were becoming increasingly important revenue sources in their own right. Among the latter was US cable group Charter Communications, whose chairman and CEO Tom Rutledge pointed out that unauthorized credentials sharing had become a problem for the whole industry and not just dedicated streaming providers, threatening the whole content funding model.

All sorts of statistics were trotted out, as Netflix in early 2022 revealed that 100 million households, or around 40% of its total global subscriber base, were now sharing accounts illicitly, "impacting our ability to invest in great new TV and films."

Wall Street analysts calculated that Netflix could add an extra $1.6 billion to its top line if it implemented the plan to charge those who share credentials with people outside their households. That figure admittedly is based on the dubious assumption that all such subscribers would upgrade to the new “legitimate” sharing account, which is not borne out by feedback as the plan is rolled out.

In Spain, for example, Netflix started charging €5.99 to add an additional location beyond the original home, under its option called “buy an extra member”, which costs $7.99 in the USA and £4.99 in the UK. Yet as a result Netflix lost more than a million subscribers in Spain over the first three months of 2023, according to data analytics group Kantar.

This highlights the dilemma and explains why many streamers are treading delicately with a combination of publicity and incentives, and taking care to avoid draconian crackdowns. This is very much the case at Disney+, which has been changing its terms and conditions to include warnings against unauthorized credentials sharing but has yet to enact any technical measures. Disney CEO Bob Iger has confirmed that specific measures to combat credential fraud will be introduced in 2024, while admitting that they were unlikely to achieve any financial gains until well into 2025.

Whatever strategy is taken, the first step is to identify when and where credentials sharing is occurring and then to determine whether this is unauthorized, that is, for access by someone beyond the defined group. Until recently the only constraint has been to limit the number of concurrent streams, but as that limit is often three in practice, it only prevents rampant piracy rather than the drip feed of credentials sharing whose cumulative impact has become just as great.

This begins by identifying devices, typically through a combination of IP address, device identifier, and account activity, all analyzed with the help of machine learning. All three have to be taken into consideration because each has its shortcomings and no single one on its own can pin down illicit credentials sharing.

Device IDs, comprising anonymous strings of numbers and letters, uniquely identify streaming devices such as smartphones, tablets, or even smart TVs, and can be read by mobile apps or cookies. However, they are of little use in the case of subscribers gaining access from a shared facility in a venue or hotel room.

IP addresses, allocated to devices during a session, can give some idea of location. But these are an unreliable indicator of the end client which may be behind a gateway to which the address is allocated. There are also ways of obscuring IP addresses, behind proxies or VPNs for example. Streamers can mitigate these to varying degrees but still IP addresses are best included as just one of many signals in identifying illicit credentials sharing.

Analysis of activity during a session, combined with identification of location, can indicate when credentials sharing is occurring. Actions taken can include sending a one-time passkey to the smartphone of the remote user, but that only works if that user can be identified and is already among the authorized family group. Even then it imposes an inconvenience.
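The sketch below is an added example, not code from this article or from any streaming provider. It shows why the three signals have to be combined: a fixed rule stands in for the machine learning model, and the /24 grouping, the 7-day threshold, the verdict names, and the sample sessions are all constructed assumptions (IPv4 only).

```python
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample sessions: (account, device_id, client_ip, day_number)
SESSIONS = (
    [("acct1", "tv-home", "203.0.113.10", d) for d in range(1, 29)]
    + [("acct1", "phone-a", "203.0.113.10", d) for d in range(1, 20)]
    + [("acct1", "phone-a", "198.51.100.7", d) for d in (20, 21, 22)]  # owner travelling
    + [("acct1", "hotel-tv", "198.51.100.7", 21)]                      # shared hotel device
    + [("acct1", "tv-remote", "192.0.2.55", d) for d in range(3, 29, 2)]
)

def net24(ip):
    """IP signal: coarsen to a /24 so address churn behind one gateway is one location."""
    return str(ip_network(ip + "/24", strict=False))

def classify(sessions, account, min_away_days=7):
    """Return {device_id: verdict} for one account using all three signals."""
    rows = [(dev, net24(ip), day) for acct, dev, ip, day in sessions if acct == account]
    # Assumption: the home is the network carrying most of the account's sessions.
    home = Counter(n for _, n, _ in rows).most_common(1)[0][0]
    # Device ID signal: devices that have ever been seen inside the home network.
    home_devices = {dev for dev, n, _ in rows if n == home}
    # Activity signal: distinct days each device was used away from home.
    away_days = defaultdict(set)
    for dev, n, day in rows:
        if n != home:
            away_days[dev].add(day)
    verdicts = {}
    for dev in {dev for dev, _, _ in rows}:
        never_home = dev not in home_devices
        persistent = len(away_days[dev]) >= min_away_days
        if never_home and persistent:
            verdicts[dev] = "likely_sharing"     # unknown device, sustained remote use
        elif away_days[dev]:
            verdicts[dev] = "travel_or_one_off"  # known device away, or a brief stranger
        else:
            verdicts[dev] = "household"
    return verdicts

if __name__ == "__main__":
    for device, verdict in sorted(classify(SESSIONS, "acct1").items()):
        print(f"{device:10s} {verdict}")
```

On the IP signal alone the travelling phone and the hotel TV would look the same as the persistent second location; on the device ID alone the hotel TV would be flagged as a stranger. Only the combination separates the three cases.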

Another tactic is to contact the main account holder to check if the access is genuine and then offer an upgrade to make it legitimate if it is not. But again, as Netflix has found in Spain, that can lead to loss of the subscriber.

As a result of the anxiety among streamers not to impact quality of experience for subscribers, or annoy them too much, many of the protections against the practice imposed so far are quite easy to circumvent.

Obviously, this is not the place to reveal ways of working around measures to prevent credentials sharing, but a key point is that all streaming providers have to cater for subscribers while they are traveling and away from the home. This is often done by mechanisms that operate like two-factor authentication, that is, something users know, such as a code, and something they have, like their smartphone.

When users travel and try to sign on, the main account holder may receive a notification in the home inviting them to apply for a temporary access code. When obtained, this can then be emailed or texted to the remote user. In this case the second factor is not a device as such – since the remote user is coming in from an unrecognized one. It is the main account holder, upon whose integrity the streaming provider is therefore still relying.

The upshot is that credentials sharing, even more than other threats to revenue such as outright piracy, cannot be addressed by technology alone. Netflix admitted recently it was still refining its measures in the light of feedback both from customers and the bottom line, as it seeks to navigate this turbulent middle ground between discouraging the practice and deterring legitimate customers.

The likes of Disney+ have also been watching from the sidelines, hoping to avoid Netflix’s mistakes and come in with measures that maximize overall revenues, while accepting there will still be some losses to casual account sharing. It seems to be leaning towards an approach relying more on incentives such as upgrades to entice its subscribers to share legitimately.

To some extent the best remedy depends on the overall business model. Amazon Prime Video for example can afford to be more relaxed about credentials sharing (which it allows up to a point through its Amazon Household feature), for two reasons.

First, Amazon Prime as a whole generates more revenue than any other global subscription model, also including ecommerce, music and gaming, so is less dependent on video content alone, which can almost be pitched as a loss leader. Second, subscriptions are based around digital wallets hitched to credit or debit cards, so subscribers will be more reluctant to share other than with close friends and family for security reasons.

Few streaming providers are in that position, but in all cases preventative measures against credentials sharing need tailoring to the business model, also catering for cultural and demographic differences between countries or areas in which they operate.
