Have you ever tried to take a screenshot of a video on Netflix?
No? Just me? Well here's what happens:
A black screen?! How? I can see the video with my eyes, but not in the screenshot — what gives? Is it magic? Is my computer broken? Did I leave the lens cap on my screenshot camera?
Well that, my friends, is DRM in action: Digital Rights Management.
DRM is designed to protect your content against those pesky internet pirates, who are sometimes eager to infringe on the copyright of your lovingly created, high-value video content.
In streaming video, the term "DRM" is commonly used to refer to a set of technologies used to provide an extra layer of content security for video content through encryption and licensing. In the wider world, you'll also hear the term DRM used to describe content protection for other media types, like video games, ebooks, or even coffee pods!
Using DRM on your videos can help block or limit the impact of screen recording, screen sharing, downloading tools, and other content security concerns that can't be completely addressed with traditional security tools like signed URLs, referrer, or user agent restrictions.
When should you use DRM?
Making the decision to add DRM to your video service isn't an easy one. DRM is likely to both increase the cost of delivering content — since the tools and services that back the DRM ecosystem aren't free — and also risk increasing the friction your viewers experience when consuming content.
Generally, we see streaming services choosing to implement DRM for one or both of these reasons:
First, when piracy is costing you revenue. Your business model might involve selling access to content for money, be that in a subscription (SVOD), transactional (TVOD), or even advertisement supported (AVOD) model. We often see platforms calculate lost revenue by looking at estimated rates of viewers watching the pirated content and multiplying that by the prices they charge for their platform. They’ll then compare that against the cost to implement DRM to understand if there's enough benefit. However, for more casual types of content, viewers may only be watching pirated content because it’s free or might not be willing to pay at the legitimate price. Instead of assuming that 100% of unauthorized viewers would pay the price in a world with no free version available, some research has suggested that the lost revenue figure is closer to 30-40% of these naive estimates.
Second, when the content on a platform isn’t yours. Whether this content is licensed from large studios or through a platform for UGC creators, there are expectations of how well you’ll protect their content while it’s in your care. The value of a closed platform is much lower if every creator's exclusive video is uploaded to YouTube right after it's posted privately. It's very common for media library owners (movie or TV studios) to require DRM of content in their licensing deals, and sometimes these deals even include restrictions on the resolutions or geographic locations in which content can be viewed. Some platforms, especially user-generated ones, are starting to choose to use a selective DRM experience — offering DRM to premium content creators on a more expensive package, while the basic package leverages more traditional content protection approaches.
DRM also offers the added benefit of raising the legal stakes against pirates. While making unauthorized copies of copyrighted content is already illegal, legislation like the US Digital Millennium Copyright Act (DMCA) makes tampering with DRM a crime in and of itself, something that could dissuade your pirates or make taking legal action against them easier.
How does DRM work?
First, a quick primer on streaming video: Most streaming platforms are built on top of an adaptive, segmented streaming protocol such as HLS or MPEG DASH. In these technologies, the video you're watching is delivered as a series of short segments between about 2 and 10 seconds in duration. These segments are created in a variety of different qualities (resolution, bitrate, etc.) so that the video player can choose the appropriate version based on the capabilities of your internet connection.
When a video is protected by DRM, those segments of media are also encrypted server side before delivery, usually using a technology called MPEG Common Encryption (CENC), so they can't be correctly decoded and played without a decryption key. When DRM'd content is played back, a license for playback is acquired through a separate request. This license contains the decryption key for the content, along with metadata like the license expiry time, and if the content can be played offline or not. This decryption key is then passed to the video player, so it can securely decrypt and display the content.
Under the hood, a system called a Content Decryption Module (CDM) is responsible for decrypting the content (it's also responsible for a lot of the license exchange process, but that's a whole other blog post). It's this combination of hardware and software that also works with your operating system to make sure that any encrypted content is also protected when you try to screenshot, or record content.
There are several industry standards for the CDM and license protocol that enable the playback of video content protected by DRM. The three main ecosystems you're likely to hear about are Google's Widevine, Microsoft's Playready, and Apple's Fairplay [1]. If you want to host and deliver DRM'd video content to a comprehensive footprint of browsers, phones, tablets, and smart TVs, you'll need all three.
[1] Use of Apple's Fairplay DRM requires a streaming service to have a direct relationship with Apple, see Apple's documentation for more details.
The tradeoffs and challenges of using DRM
DRM technologies, regardless of whether they were built for video or not, were born out of the rise of piracy — it had become too easy for content to be copied and distributed illicitly. But the introduction of DRM or copy protection inevitably created friction for users (does anyone else remember dial-a-pirate?). In the early days of internet video, watching DRM'd content may have needed special plugins, or the content might have been available on very limited devices. This in turn drove users back to piracy, creating a vicious circle. To prevent DRM from pushing users into piracy, it needs to be unobtrusive to work well for users.
Thankfully, video DRM technologies have come a long way over the last 10 years and some level of DRM is available on almost every browser and device. However, it's still not perfect. Modern DRM systems let you control the level of security required to stream content, and as this level increases, the number of viewers who can legitimately view content starts to reduce. Not everyone has a smartphone modern enough to stream content protected with high levels of DRM, and some people have displays plugged in which don't support secure communication between computer and display (HDCP), which can stop content playing on external screens or playing at all.
If you choose to implement DRM in your video service, you'll have to decide what tradeoffs to make — do you want to deliver content with the highest security level, knowing that a more limited set of customers can view it, or do you acknowledge that some piracy will still happen, but keep the barrier of entry to the viewer as low as possible? Many premium streaming services are contractually required to make this decision based on the quality of the content — low-security devices are capped at SD video, while high-security devices get HD or 4K video.
You’ll also need to think about how to authenticate your viewers. At a technology level, DRM deliberately does not handle user authentication — that's something that's left up to the team integrating with a DRM service to build. Deciding exactly who, how often, and on what devices viewers are allowed to obtain a license and start playback of DRM'd video content is often just as important as the implementation of DRM itself. If you hand out licenses to just anyone, you're probably going to have a lot of illegitimate viewers, just watching your content with DRM.
It's worth remembering that the DRM technology itself isn't flawless, from several perspectives:
First, DRM is possible to defeat (sorry, legal!). How else would you still be able to find high-quality copies of Netflix, Disney+, and other exclusives available on seedy corners of the internet? So if DRM is defeatable, why bother? Generally, the aim when implementing DRM isn't to flawlessly prevent the professional pirate from getting a copy of your content — it's about making it sufficiently hard for the casual pirate to plunder it.
Second, DRM can't stop someone from pointing a camera at a screen (though fun fact: Apple has a patent on a similar technology for blocking the recording and streaming of concerts). You should keep this in mind as you think about the value of your video content. If the value of your content is in the information contained within it (let's say an all-hands presentation from a large company), DRM might not be the right solution for you.
Managing objections to DRM
For some, those three letters D, R and M, invoke a visceral reaction. Concerns over playability and privacy are common amongst more sophisticated viewers. Thankfully modern DRM can be reliable while unobtrusive, and the vast majority of users don't realize they're using DRM every time they stream a TV show or movie… until they try to take a screenshot.
Many of the more legitimate concerns we hear end-viewers voice about DRM originate from questions around content ownership when buying DRM'd content: What happens if the company that's responsible for licensing the content goes out of business? Does the viewer still "own" the content? Thankfully "buy to own" DRM has become much less prevalent since the rise of the subscription streaming service. Not that you asked, but my personal approach to owning content these days is still to buy the physical UHD Blu-ray release.
Thankfully you can also protect yourself against a large public outcry by rolling out DRM slowly and thoughtfully, maybe starting with a selection of your most premium content or a specific cohort of users. You can then use a QoE tool like Mux Data to evaluate the impact to users, adjusting your DRM strategy to find the right balance of viewability and security for your product.
Making DRM easier
There's no two ways about it, implementing DRM is too hard today, and awash with both technical and business complexities. But here's the good news: we're working hard on making sure that Mux's DRM feature is unobtrusive, and Just Works™️, leaving you free to make the right choices for where and when you use it.
We also know that while DRM is undoubtedly one of the strongest content protection tools available to video platforms, and often a necessity, it's also not a complete story on its own. When you're using DRM in your video product, we encourage you to keep using the more fundamental content protection tools you already know and love, including signed URLs, domain referrer restrictions, and user agent restrictions. You can think of the fundamentals combined with DRM as a "belt and suspenders" approach to content security.
Want to be among the first to try out Mux Video's DRM feature? If so, you can register your interest right here and we'll let you know as soon as it's ready for you to try.