Hacker News | bobdvb's comments

I've spent >20 years doing content security in various forms at various companies. Until recently I was directing the technology at a major streaming platform.

I can confirm that while there are serious issues with Widevine (and to a lesser extent PlayReady), the protection measures aren't totally ineffective. My work in improving security had measurable results saving significant amounts of money and reducing content leakage. One memorable time my colleague and I had a call with a big rights owner who tracks the piracy of their assets and they said "Can you tell us what you've been doing recently? Because the amount of piracy from your platform has dropped significantly."

Anti-piracy and content security is also a differentiator between platforms when bidding for content deals. Rights owners will absolutely give the best deals to the provider who provides more assurance and avoid platforms which are leaky buckets.

I know that doesn't fit the narrative, but until recently this was literally my job.


Are we talking about pretty mainstream content here? Stuff with at least a hundred thousand views in the first week?

I don't think I've ever looked for a recent show and not seen a pirate version.


From previous experience some platforms are considered a "leakage source" for content and major rights owners won't put their content there because it's too easy to steal from. The security measures that are put on streaming platforms aren't totally ineffective, they're restrictive but it's considered worth the trouble because platforms can actually measure the effect of restrictions.

The low resolution option is something many rightsholders accept, but from a product proposition perspective it's difficult to explain to many customers. They're just grumpy that they paid for content and can only watch it in SD, that reduces your customer satisfaction. Better to do nothing than a poor job sometimes.


Many content rights contracts I see instruct the streaming platforms that they must detect Linux and either give low quality or deny the playback entirely.

It's because, rightly or not, they don't trust Linux in comparison to MacOS and view it as a piracy vector.


I think it's because stuff like HDCP pretty much requires a "trusted" (i.e. locked-down) implementation.

I worked for a company that built a really advanced TV DVR software stack, commissioned by a well-known Linux distro company, could have been amazing. It was capable of handling combinations of TV playback and recording that would make any current solutions envious. But then said distro company decided they didn't want to get into the TV OS business, so they stopped the project when it was 75% complete.

Our company retained the right to use the source code. We pushed it, but some circumstances and some assholes stood in the way. The business started to struggle, we considered open sourcing it but the contract was complex and it would have been difficult to prepare the code to be open sourced. We didn't have the time and money to open source it and said distro company didn't want to pay us to do that.

Eventually the company was bought by some Russian company, the team laid off, the code was forgotten about and likely just illegitimately sits in a handful of ex-staff drives.

I feel it was a loss for the world that a huge effort never saw the light of day.


1) I've never had an issue with this on Teams or WebEx calls.

2) When more than one person is on a call, try to find a meeting room. Then everyone else in the desk area doesn't have to suffer.

3) This is why I stopped going to the office when I am in a day full of calls, there's no point in sitting at a desk annoying everyone else.


Until I changed job recently, I spent the past 8 years working in an area of tech that many people on places like HN and Reddit think is a horrific waste of effort (DRM and content security for a streaming company).

The idea that if companies like my former employer would stop doing DRM their audience would embrace it is rife idealism. But based on bitter experience, enough people will do bad things just for the lulz that you need to cover your ass.

My home lab will never have an open port, I'll always put things behind a CDN or zero trust system, even then...

FWIW, it's worthwhile just for educational reasons to look at abuseipdb.com, quite revealing.


I'm a lay person, but do you mean DRM isn't just copy-protection? Is it also network security?


It wasn't really a comment on the tech of DRM but of the business threats that require its use.

That being said, streaming content security is more than just DRM and DRM is more than just copy protection. There's a whole suite of tools inside DRM systems to manage content access at different levels and rulesets that can be applied for different situations. It's still fundamentally controlling an encrypted bitstream however. But I've implemented a great deal more than just DRM in order to build a better content security platform. Transit level controls, advanced token schemes, visible/invisible watermarking, threat/intrusion detection and abuse detection, there's quite a bit that can be implemented.


There are lots of platforms where people pay for their distribution, but they're not as successful.

The main problem is that smaller creators couldn't afford the true cost of hosting and indexing to the level that YT provides.

As someone who's spent many years building streaming platforms, the lack of understanding of the economics and this kind of massive oversimplification is really sad.

There's no conspiracy with YT, they've built a 'wonder of the world' which has a very low barrier to entry and which has paid out billions to creators.


For a lot of people (not me), if it's not from AWS, Azure, GCP or Oracle then it's not cloud, it's just a sparkling hosting provider.

I had someone on this site arguing that Cloudflare isn't a cloud provider...


In streaming your website is typically totally divorced from your media serving. Media serving is just a question of cloud storage and pointing at an hls/dash manifest in that object store. Once it starts playing the website itself does almost nothing. Live streaming adds more complexity but it's still not much of a website problem.

Maintaining the media lifecycle, receiving, transcoding, making it available and removing it, is the big task but that's not real-time, it's batch/event processing at best efforts.

The biggest challenges with streaming are maintaining the content catalogue, which isn't just a few million records but rich metadata about the lifecycle and content relationships. Then user management and payments tend to also have a significant overhead, especially when you're talking about international payment processing.


This was before HTML5 and before the browser magically handled a lot of this… so there was definitely a bit more to it. Every company also wanted to have statistics of where people scrub to and all of that. It wasn’t super simple, but yeah, it also wasn’t crazy complex. The point is, scale is achievable without complex inf.


Is that a good advert for Salesforce?

