Protecting over-the-top streaming with watermarking and disruption from Synamedia and AWS Part II: VOD
The new VOD business model
In a previous blog post, we discussed how individual manifests of live content can be intercepted regardless of digital rights management (DRM). We proposed that running Synamedia Streaming Piracy Disruption (SPD) on Amazon Web Services (AWS) can help protect content.
In this blog post, we expand on that model, describing how a VOD watermarking solution looks when integrating with an AWS media plane and content delivery network (CDN).
Video on Demand (VOD) is a significant revenue channel for entertainment providers, with a market size that exceeded $55 billion in 2019 and growing at 15% CAGR, according to Global Market Insight. Typically, VOD architectures apply the same HTTP adaptive bit rate (ABR) delivery model from a CDN as live streaming, with the only difference being that they enable on-demand access to pre-encoded and pre-packaged assets using a single manifest file. This allows VOD service providers to offer new content choices to end users.
In the comfort of their own home, viewers can choose from a library of thousands of movies, binge watch successive episodes of a series, or even catch early box releases (aka Premium VOD or PVOD)
Many of the largest VOD over-the-top (OTT) providers, especially in the United States, are either advertising or subscription-based providers. They offer all their content with either pre-roll, mid-roll and/or post-roll advertisements (AVOD) or on a monthly subscription basis (SVOD). In the case of SVOD, much of the content is produced by the Direct-To-Consumer (D2C) service providers themselves.
It has always been critical to protect VOD content with robust security. But with the COVID-19 pandemic seeing premium content released even earlier and effectively shutting the ‘release window’, the need for strong security to protect VOD content and services has become even more urgent (Figure 1).
So, what does providing “strong security to protect VOD content and services” entail?
It means preventing non-paying users from accessing the service provider CDN while ensuring that the VOD content cannot be extracted and leaked without identifying the leakage source. VOD protection technologies typically include multi-DRM, sophisticated service protection capabilities beyond the DRM, and forensic watermarking.
Adopting these protection technologies is a feasible way to reasonably protect a VOD service.
But what about the content itself?
Protecting VOD content
Even with DRM, each individual manifest (VOD content per user) can never be completely protected because it can be leaked from any one of a multitude of unmanaged devices and then copied or uploaded to an innumerable number of content sites. Once a VOD asset is fully extracted, it can be offered for purchase as part of a non-legal service.
So, what can direct-to-consumer service providers do to prevent leakage?
Once any individual VOD content has been leaked from a D2C service, it is critical to take two immediate actions:
- Take down redistributing or reselling sites as soon as possible.
- Prevent the source from further leaking more content in the future.
The former can be solved using automated technologies to enforce the Digital Millennium Copyright Act (DMCA). Prevention measures identify the leakage source using watermarking technologies and then disrupts the leakage source by deny-listing the account ID.
Both actions require a world class, low-latency monitoring system to identify anyone that has taken specific VOD content. On their own, the two actions can be more, and less, effective depending on each unique D2C environment. Used in tandem with the same end-to-end anti-piracy system as part of a single integrated system, they are an economical way to take down and prevent non-legal distribution.
An example of an integrated VOD system to prevent non-legal distribution is depicted in the following diagram:
Why you need watermarking to detect VOD content leakage
Watermarking VOD content is akin to watermarking live content. In fact, watermarking of live and VOD content complement, and even support, one another.
As discussed in our previous blog, in both live and VOD content distribution, watermarking adds a unique identity of the customer to the common video as personalized data, in an imperceptible but detectable manner. This is important because typically, the same entity that takes and leaks live content is also likely to take VOD content. By blocking that entity source identity through detection of a VOD watermark, the service provider prevents future VOD theft while also disrupting the viewing of live content from the same entity. And by blocking live content immediately in response to a watermark detection, that entity will not be able to take VOD content in the future.
That is why a single back-end intelligence system for both live and VOD content—see Synamedia EverGuard in the previous diagram (Figure 2)—is used to aggregate intelligence. Combined with hybrid live/VOD watermarking, EverGuard detects the source, and immediately disrupts those detected identities. This disruption prevents the detected entity from leaking either VOD or linear content in the future.
AWS and Synamedia partnership
AWS Media Services are a leading media plane for both live and VOD content delivery. In a separate blog, we describe how the Synamedia SPD watermarking solution integrates into a live pipeline with a framework of AWS Elemental MediaLive, AWS Elemental MediaPackage, and Amazon CloudFront, to implement a secure, robust, imperceptible, yet detectable, low-latency watermark on live content. Now, a similar Synamedia solution is integrated into the AWS VOD pipeline within the framework of AWS Elemental MediaConvert, MediaPackage, and CloudFront. This new capability is illustrated in the following diagram.
- MediaConvert provides HLS TS encoded files to the Synamedia Watermark Inserter running on Amazon Elastic Container Service (ECS)
- The Synamedia Watermark Inserter container duplicates each segment, inserting both an A and B watermark within each resolution file of the VOD asset and stores the manifest in Amazon Simple Storage Service (Amazon S3) accessible to MediaPackage referenced by a Playback URL.
- The Synamedia SPD Origin Proxy requests all VOD segments from the MediaPackage just-in-time packager using the appropriate playback URL.
- MediaPackage accesses the requested A and B segments from storage and packages all segments into either HLS or DASH renditions, then encrypts each segment with keys obtained from the service provider DRM service.
- The Origin Proxy unpacks the A and B segments and stores A and B renditions in storage accessible by the CDN origin.
- The user requests a URL for a specific VOD asset from the service provider control plane.
- The service provider control plane appends to the URL a token that includes the watermark ID representing the secure identity of the user, received from the Synamedia Token generator.
- The user device provides the URL+Token to the CloudFront CDN to receive the DASH MPD or HLS M3U8 manifest file and is directed to the appropriate resolution segment.
- The Synamedia SPD VSG implemented as a Lambda@Edge, within the CloudFront CDN, opens the token, extracts the identity, and further directs that user device to the URL of appropriate A or B segment for the requested resolution segment.
- The Lambda@Edge VSG returns the appropriate A or B segment to the device to enable rendering of the VOD asset in a way that the full identity of that user’s watermark can be extracted over a time sequence of segments.
This VOD two-step watermarking pipeline, where the watermark inserter is placed as a micro-service between a separate encoder and packager, has several advantages:
- Watermarking occurs post-encoding, saving close to half of the encoding resources and cost that you would incur when encoding the two copies of your A and B sequencing.
- Additional DRM choices are available with MediaPackage.
- Easily extensible to support VOD-to-live and time-shifting use cases using the harvesting capability in MediaPackage.
Protecting both linear and VOD with a Synamedia SPD watermark and AWS for live and VOD pipelines
As mentioned previously, the ultimate solution enables a hybrid system for watermarking both linear and VOD content. The Synamedia architecture enables:
- Watermark generation using the same control plane and token generation for both linear and VOD.
- Sequencing of A and B segments for each resolution of a VOD and/or linear segment using the same VSG via Lambda@Edge.
- Detection and disruption of the leaked source account ID via the same EverGuard back-end system.
Synamedia’s SPD integration with both MediaLive and MediaConvert uses the following architecture. The architecture is orchestrated via a combination of AWS CloudFormation templates, Docker images, and ECS/EKS clusters.
This hybrid linear and VOD end-to-end solution has been successfully implemented and deployed for a large OTT service provider in Asia Pacific, protecting thousands of assets with watermarking, monitoring, and takedown capabilities as described in this blog.
Get ready to up your content protection game
Watermarking is a key component for any content protection solution that detects and disrupts video theft. Synamedia has worked hard to integrate its watermarking solution within the AWS Media Services live and VOD pipelines, and to ensure that deployment is easily provisioned and orchestrated, highly available, fault tolerant, monitored by service assurance, and secure. Furthermore, watermarking can be seamlessly added along with other protection capabilities such as automatic takedowns, digital fingerprinting, and advanced content monitoring using the same EverGuard back end as part of the rich end-to-end Synamedia Streaming Piracy Disruption service.
If you are a service provider already using AWS Media Services and want to up your game content protection, I invite you to contact me to help you deploy both headend watermarking and Full SPD.
Steve Epstein, Head of Innovation and Distinguished Engineer at Synamedia: firstname.lastname@example.org