The streaming service market is vitally important to the global and U.S. economies. According to the annual Motion Picture Association (MPA), the digital content streaming marketplace has been growing rapidly, and in 2021 accounted for 72% of the combined theatrical and home/mobile entertainment market. To get an idea of its upward trajectory, in 2019, digital streaming represented just 46% of the market.
But piracy threatens this vibrant industry, putting revenue, franchises, and jobs at risk. In its report, the MPA estimates that online TV and film piracy costs the U.S. economy a minimum of $29 billion in lost revenue each year, and robs the industry of hundreds and thousands of jobs.
A big part of the problem is the ease with which consumers can access out-of-market streaming content. Content creators and copyright owners never give licensors carte blanche to stream their content. Rather, they negotiate agreements with the creators on a region by region basis, and deploy IP blocks to enforce compliance and licensing rights.
As anyone who has seen affiliate ads for VPN services knows, it is now child’s play to get around those IP blocks. VPNs are encryption tools that hide a device’s IP address as well as the user’s online activity. Many also offer users the ability to choose their geo-location for the express purpose of circumventing out-of-market restrictions. According to Security.org’s Third Annual VPN Market Report, 22% of consumers say that “access to out-of-market streaming media” is their top reason for using a VPN service.
With piracy tactics constantly evolving, it’s time to approach piracy as the cybersecurity threat it demonstrably is. The following is a list of best practices for identifying potential circumvention attempts:
Leverage IP Address As Starting Point
IP blocks are still effective for the simple reason the IP address is one of the most accurate ways to identify the location of a device. IP stands for “Internet protocol,” which is a set of rules that govern the format of all data that’s sent via the Internet. An IP address is the unique address that identifies an Internet-connected device, be it a computer, mobile phone, or connected TV.
Without the IP protocols, the Internet wouldn’t be able to tell one device from another, and data would be misdirected. This makes the IP address persistent, and it’s a good starting point for determining where a device is geographically located, and whether to allow it access to content. There are caveats to this, such as network address translation (NAT) but for the sake of the topic, IP addresses are valuable for identifying a location.
Deploy Proxy Detection
Once the streaming platform determines the geo-location data, the next step is to determine whether or not the device is using a proxy server. Proxy servers are slightly different from VPNs, in that they hide only the device’s IP address, but do not necessarily encrypt the traffic.
Therefore, we can safely assume that devices associated with a proxy are hiding their IP addresses for reasons other than privacy, which should raise a red flag for any security team. Proxies have many uses, but become nefarious when an attacker leverages multiple of them to avoid firewall IP address blocking.
Detect VPNs
While many VPNs invite consumers to leverage their services to more or less spoof their geo-location, it’s neither fair nor accurate to say that all VPNs do. The VPN market has exploded over the past few years, and continues to grow and become highly nuanced. While many enable their users to circumvent geo-restrictions, many more do not.
What’s more, per Security.org, 55% of VPN users just want the security and privacy that VPNs offer, and 35% of people use a VPN because their job requires it. Therefore, we can’t assume that all VPN users are keen to access content that is out-of-market to them.
The trick for streaming companies is to understand the nuances of the VPN market, distinguishing between VPN providers that tout (or simply allow) circumvention of geo-restrictions, and those that don’t.
Next, they need to understand their own appetite for risk vs. user experience. A streaming service can opt to ban all VPN traffic (a tactic that retail sites like Amazon have deployed), but it may mean bad user experiences for the millions of consumers who happen to use a VPN.
If total VPN blocking is unacceptable, the streaming service can prompt for additional authentication, such as entering a Zip or postal code, or even registering for an account prior to gaining access to free content. But even that has a limit as they are trusting a user is entering data truthfully.
Detect Residential IP Proxies
As streaming services get better at detecting VPN traffic that’s outside of their markets, pirates are moving on to a new tactic: residential IP proxy networks. These are networks that pay consumers to share their Internet.
Next, those residential IP addresses are “rented” to other companies or players that want to appear as residential IP addresses within a specific region (e.g. a consumer in a specific city). Although residential IP proxies look like legitimate traffic, IP intelligence data can be deployed to determine if traffic is proxied.
Set Granular Access Rules
Once the security and digital access rights teams have a better understanding of the VPN services used by their customers, they can use this contextual insight to set rules that better protect their content. For instance, they can (and should!) block all traffic associated with a proxy.
They can approach VPN traffic on a case-by-case basis. Given many of the VPN services allow their users to select their exit point, streaming companies can opt to ban some providers, but not others, based on the VPN’s user policies. Amazon asks VPN users to disable their VPNs in order to access the site; streaming providers may want to follow suit.
Stay Vigilant
Finally, remain vigilant. Nefarious players—whether they’re pirates that steal content outright or some kind of provider that allows end users to do so—are in it for the vast sums of money to be gained. This makes them highly motivated to innovate new ways to circumvent geo restrictions, which could make keeping content safe feel like playing a game of whack-a-mole.
But rest assured, there are data and security companies tracking their tactics, and offering up tools to protect unauthorized users from accessing the publisher’s content.
