“What we see is increasingly connected to organized crime,” said Miruna Herovanu, Executive Director of the AAPA, about the threat of content piracy. “It’s an organized network that takes place in many countries.”
The AAPA (Audiovisual Anti-Piracy Alliance) is an EU organization fighting piracy through lobbying, law enforcement, and partnerships. Its working groups focus on hosting infrastructure, social media, artificial intelligence, and piracy disruption. Members include Canal+ Group, beIN Sports, DAZN, the Premier League and Sky, plus tech providers like Friend MTS, Irdeto, Verimatrix, and Synamedia.
n 2022, an AAPA study, “The impact of illicit IPTV in Europe” calculated that in the previous year, rights holders in the EU and UK lost €3.21 billion to IPTV piracy alone, while pirates made €1.1 billion in revenue. The report also estimated that in 2021, 4.5% of the EU/UK population used illicit IPTV services. Users of those services spent, on average, a bargain €5.22 per month.
Herovanu has worked in European trade associations and regulators her entire career, with a special focus on intellectual property and copyright. She sees education as an important part of the AAPA’s strategy.
Pirates are often legally as well as technologically sophisticated, taking advantage of the differences in legal frameworks across countries to circumvent some copyright regulations.
“Also there’s the training of law enforcement on the specificities of these crimes, which are very technical and complicated. And there are different legal regimes, because copyright is territorial.”
Earlier this year a report published by Enders Analysis accused the big tech companies of doing little to curb what it dubbed “industrial scale theft of video services”.
Authored by Enders’ Gareth Sutcliffe and Ollie Meir, the report focused on the European market and claimed that easy discovery and access of illegal services, often through simple hardware like the Amazon Fire Stick, have turned the digital content ecosystem into an open bank vault for pirates. The problem has been worsened by a lack of engagement from Google, Microsoft and the other big tech companies.
Content protection requires strong tech
Technology infrastructure for video delivery is both the first defense and the first big vulnerability when it comes to content piracy. Failures at this level can mean disaster for content owners and their bottom lines.
“We deal with tier one broadcasters and live transmission. The content we are managing is critical, with ads that are worth millions of dollars,” said Sergio Ammirata, PhD, Founder and Chief Scientist at SipRadius and Director of RIST Forum.
SipRadius specializes in software-defined video delivery systems, with military-grade security. It has also developed a custom operating system, called CoralOS, to avoid reliance on general-purpose systems and the vulnerabilities they might bring.
The RIST protocol, whose supporters include tech providers like AWS, Zixi and Cobalt, as well as SipRadius, is an interoperable standard for transmission of live streams that includes features like 256 bit AES encryption and rotating keys. The protocol is designed to prevent data interception.
“The level of anxiety about losing control of content is very high,” said Ammirata. “It took a year’s worth of security audits to allow our CoralOS to transmit live streams.”
There is a continual arms race in content safety, with pirates sooner or later finding ways to get around new technologies. Different approaches are required for live delivery versus OTT or on-demand. While the protection of live content can often be managed by the latest delivery technologies, OTT relies more on a wider distribution network that is upgraded only gradually.
“With OTT, you are working with technologies that are three, four or five years old, which have already been exploited and that’s where the breaches come.”
Open or closed, you’re still vulnerable
Ammirata’s experience heading up the RIST Forum, which promotes an open source, open-specification video transport protocol, has attuned him to tradeoffs between easy universally accessible tools and security needs. The transparency of open source tools means hackers know what the vulnerabilities are upfront—and can exploit them.
“Open source, by itself, isn’t necessarily secure,” he told the Summit. “It’s up to the implementor to harden it. A lot of times you see open source workflows, but they haven’t closed the holes in them. Or they did close the holes but did it years ago in the first version of the application, and they haven’t kept up with the updates.”
Continuously upgrading and patching software, open source or not, is just good hygiene when it comes to preventing attacks. But open source software, because of generally slower development times, suffers from a longer updates cycles.
Closed-source software, which does not have the public-facing record of updates, vulnerabilities or versioning, is generally assumed to be more hacker resistant. But this is based on “security by obscurity”, assuming that because you’ve concealed how you’re system works, it will automatically be safer. Not revealing your secrets to potential criminals is good sense, but in some instances it may just be the digital equivalent of hiding your front door key under the welcome mat. And there are numerous closed-source systems that are far more vulnerable than open source implementations.
As is often so, it comes back to the diligence of the people involved. Closed-source software brings no automatic security guarantee with it and can just as easily hide vulnerabilities from customers as hackers.
“In the past, with closed source operating systems, we have seen holes that have been open for years and years with with hackers still exploiting them.”
With content distribution now a part of almost every business, security and anti-piracy needs to be part of every business plan. Frequently, content is now sent directly to fans and subscribers without passing through a broadcaster or a distributor.
New ways of thinking about content distribution, create new attack surfaces for pirates, but also new opportunities for protecting rights and IP.
Eluvio’s “Content Fabric” is a decentralized distribution and storage network which incorporates blockchain technology to identify participants, nodes, and content across the infrastructure. The company is headed—and was co-founded by—Michelle Munson, who created the FASP (Fast Adaptive and Secure Protocol) technology that launched video transfer workhorse Aspera, now part of IBM.
Multiple sports leagues are using the Eluvio Content Fabric to connect to their audiences. While the user experience of both the content owner and audience might be indistinguishable from a traditional CDN distribution, behind the scenes there is an entirely different process at work. Rather than content or its stream being duplicated across locations and CDN’s, the Content Fabric is in effect retaining only a single instance of content which is being accessed directly by those with authorization.
This could be a valuable tool for combatting ploys like CDN leeching, a new piracy strategy which directly accesses content hosted on a Content Delivery Network without proper authorization. In the case of the Content Fabric, there are no duplicates of content spread out across CDNs.
The Content Fabric also enables direct gatekeeping of content by the rights holder. They can control ticketing and content access without going through a third party service for monetization or fan interaction. Reducing the number of third parties entering the chain, also means getting more direct audience and viewing metrics.
Says Munson: “Video over IP distribution has been broken up between the source, transcoding, packaging, the origin, and the CDN, with other providers sitting on top. It’s been difficult to create the end to end context.
“The byproduct of our end-to-end session-based security, that’s owner controlled, is the audience relationship and associated data are direct.”
Eluvio also offers security for contribution in the production workflows with the Content Fabric providing end-to-end encryption, forensic watermarking in line, and options for visible, dynamic watermarking and owner-controlled security.
“Camera feeds need to go to a variety of destinations for remote production,” explains Munson. “For that we need low latency, but with encryption end-to-end. We need to distribute that in a way that guarantees authenticity and ownership, and guarantees that there can be no piracy.
“If you look at security, you see everything is encrypted based on the owner’s keys. We’ve been involved in a successful major pilot this summer with one of the biggest leagues in the world. Those sessions are under their control, end-to-end.”
Claiming what’s yours
Dr. Manny Ahmed, founder of OpenOrigins and a researcher at the University of Cambridge, has been tackling the content control problem from the point of view of content provability, particularly important in a world of material infuenced by AI. Authenticating provenance of content at its source is a key part of the OpenOrigins toolkit and includes authenticating pre-existing IP libraries.
“There is a lot of attention focused on content that is being created now or in the future, but no one was thinking in depth about what we do with all this historical content,” said Ahmed.
“How do we know that your version of Obama’s speech from 2008 is the real one, when we could create an alternative version that looks just as photorealistic?”
Organizations like C2PA are working on methodologies to certify the provenance of content, but these still rely ultimately on the authority of a specific organization of individual. OpenOrigins aims for a solution for content authentication that is decentralized that doesn’t have to refer to gatekeepers or nodes of authority.
“I think C2PA is fine if you are working within a very limited information silo,” noted Ahmed. “If you are in an organization and you have end to end control over what software everyone is using. But the moment you put it on Twitter and someone takes a screenshot, the metadata gets ripped out. You have similar issues with watermarking, which is always going to be an arms race.”
With OpenOrigins, blockchain is used to store proof information as content is ingested. The company’s Archive Anchor, which builds a provenance layer into media assets, has already secured over a petabyte of historic news content from media organizations like ITN.
“We work with large news archives,” said Ahmed. “We do a security audit, then literally go item by item and provide an audit trail of when that piece of content was first uploaded, how it was modified, and how it was broadcast. Any further modifications are being tracked as well.”
Despite the development of new tools, it’s important to keep in mind that the landscape is not static. The media tech environment today is different from the one even six months ago.
“Pirates adapt quickly. They are the first ones to make use of technology,” warned Herovanu. “And unfortunately, the law really runs behind these types of behaviors.”
The world of IPTV has been one the newest targets, but wherever there is content, there is vulnerability.
“So far tech companies and hosting services have benefited from a lack of responsibility. But if there was some common recognition of the social and moral duty that these intermediaries—some of whom are offshore—whose infrastructures are being used by pirates that would help.
“In the EU the bigger actors, such as Meta and X, have to take measures to remove illegal content from their services, but that’s still not enough because pirates are obviously very resourceful.”
