Access granted

High-speed broadband networks and advanced consumer devices mean three-screen strategies are back on the agenda. Graham Pomphrey assesses the security issues.

The success of online video services iPlayer and Hulu has proven one thing – people are prepared to watch full-length programmes and movies on their PCs. But there is a caveat – the content needs to be high-quality and preferably free.
For a while, the potential of online TV looked doubtful as the graveyard of failed OTT start-ups began to fill up. According to Steve Christian, vice-president of marketing for content security specialist Verimatrix, a transition is now taking place from the original OTT obsession with ad-based business models to a predominant interest in how to support subscription-based services, with pay-TV operators ideally placed to offer and manage such services. “The expectation is that service providers can extend the reach of their services to non-traditional delivery platforms and do it on a paid basis. That transition in business models has caused somewhat of a reset in terms of the technology required,” he says.

Christian’s colleague Steve Oetegenn, Verimatrix’s chief sales and marketing officer, says the company is developing services based on its customers’ plans, and that means delivering converged services that includes traditional linear broadcast delivery via cable, satellite, and increasingly IP, combined with OTT models that includes time shifting and place shifting, as part of an overall pay-TV offer. Pay-TV operators seem an obvious choice to deliver such services – ahead of content owners or device manufacturers. They already have the subscribers, and a billing relationship with them, they have a vested interest to keep those subscribers and in many cases they also own the content. “In some cases the OTT services will be free as long as you subscribe to your regular service. In other cases, operators could charge an extra monthly subscription. The traditional pay-TV operators are reacting, slower than some would have expected, but in an orderly fashion,” Oetegenn suggests.

Unsurprisingly, the major worry for the entire TV world is that the industry will get turned upside down by the internet in the same way the music industry did. Increased internet speeds a few years ago were enough for peer-to-peer websites to almost ruin the music industry, and the TV industry wants to avoid the same thing happening to premium content. Many in the industry are confident that people will be willing to pay for online and mobile video services if the content is premium and of high enough quality.

“The expectation is that service providers can extend the reach of their services to non-traditional delivery platforms, on a paid basis.”
Steve Christian,  Verimatrix

To date, however, pay-TV operators have generally struggled to deliver successful three-screen services. The reasons are many, but nearly all come down to issues of security. Hollywood studios are reluctant to hand over premium content for online or mobile distribution for fear of it being pirated, the result being that operators are unable to charge for services that are lacking in the same quality content as their TV offerings. To this end, security specialists are working to enable a similar level of security offered in set-top boxes on different devices. Andrew Wajs, chief technology officer at security provider Irdeto, sees a window of opportunity for online services in particular. “In terms of multi-screen strategies, the PC is clearly the first screen [after the TV] that needs to be embraced by pay-TV operators. You have OTT suppliers coming onto the market and showing levels of success that incumbent operators want a part of. The magic throughput seems to be 10Mbps – that starts bringing the viability of good quality downloading of video or even streaming of video to the home. As soon as you start hitting that quality of throughput, the movies start to come.”
However, once at this stage, security begins to take centre stage. Hollywood studios do not see the PC as having the same level of security as that found in set-tops. “The big issue is what quality of video and what release windows will be allowed by the studios for PC delivery,” says Wajs. “Over-the-top and cable operators are vying for a mechanism to try and get content as early as possible and at as high a quality as possible as a means of differentiating themselves. Within that lies a security challenge that will have to be overcome.”

Security challenges

Viaccess has experience with three-screen deployments, having powered the launch of Orange’s Cinema Series, which offers film channels via TV, PC and mobile phone in France. “Three-screen strategies are already a reality as far as we’re concerned,” says Noureddine Hamdane, executive vice-president strategy and communications for Viaccess. “A meaningful three-screen strategy by a service provider is one that allows the end user to use any device to select or order content, and then watch or record on any device authorised by the service providers, anywhere without having to think about the network, the platform, or whatever,” he says. “A meaningful three-screen strategy by a technology vendor like Viaccess is one that allows the service providers to enable such an end-user cross-device experience without having to deal with a silo implementation.” Viaccess’ Flexible rights management solution enables operators to roll out multi-DRM services to provide what Hamdane describes as a “simple and flexible” content purchase and usage experience.

[icitspot id=”9334″ template=”box-story”]

Traditional conditional-access security measures involving the placing of smartcards into set-top boxes are still regarded as the most secure by many, despite the development and improvement of software options. However, security vendors have had to develop their services to enable delivery to other devices. After all, “A smartcard won’t fit into a mobile or a PC,” says NDS’s senior product marketing manager, Howard Silverman. “There are clearly different security implementations that need to be done on different devices. OTT has different challenges, for example, because it’s a more open environment so the security challenges are greater than in a closed set-top environment where we define much more closely the design to ensure that it can’t be broken.”

NDS has developed a multi-device DRM approach using its VideoGuard platform whereby it develops its DRM technology to service different types of devices on the client side and on the headend side. “Our Unified Headend supports multiple devices within the same headend,” says Silverman. “We’re trying to provide our operators with an abstraction layer that leaves the business rules and workflows associated with DRM unified such that you can build a business scenario and have a system take care of exactly how to get the particular rights and to protect the content to the end device.” As Silverman points out, the number of devices that an operator could potentially support will always grow, which means they’re likely to “focus on markets where there’s high penetration of particular devices”. They will either take a standards-based approach to those client devices or they’ll implement security and/or user interfaces depending on the capabilities of the devices and the extent to which they want to reach their brands into each device, he says: “For a certain class of device they’ll use a more standards-based approach to protecting or encrypting the content. For others that are more central to their business strategy, they’ll integrate more of the vertical market than they would in a standard device.”

Latens’ chief technology officer Jason Roger agrees that content providers are likely to choose platform strategies that can address the widest spectrum of devices. “This means that single-technology platforms will prove to be expensive and will not deliver to a reasonable set of devices. The platform should be able to cope with a variety of content protection standards – some of these will be of a traditional CAS type; others will be consumer devices purchased on the open market,” says Roger. “With the movement to the support of a wider range of devices, the content owners will either be pushed into accepting alternative approaches to protecting content or will suffer the consequences of consumers turning elsewhere for video content.”

Content security specialist Widevine has developed a software-based DRM that is designed specifically to work on devices with low processing power. “Widevine’s DRM client is already integrated on a wide range of devices from LG Blu-ray players, to Samsung connected TVs, to the Nintendo Wii,” says marketing manager Amanda Burrows. She says the plethora of devices available to play video content is a particular challenge for operators. “With some devices, such as the iPhone, an operator will have to develop an App and have it approved by the devices manufacturer. Other devices, such as gaming platforms, connected TVs and Blu-ray players will require working directly with the device manufacturer to have their storefront installed on the devices. This can be a long process for the operator as device manufacturers want to control their devices as much as possible,” she says. “It can be helpful to work with enabling technologies like DRM or adaptive streaming that are already integrated onto the device. This makes it easier for a device manufacturer to include operator storefronts on their devices.”

Some operators have developed hardware solutions for delivering live TV on a PC, for example, using a dongle that can be inserted into a USB port. However, Silverman believes that this kind of option is falling out of favour, one reason being that consumers will not appreciate the effort of having to place the dongle in and out of devices: “Customers with a multi-device strategy will tend to want to do streaming over the network. Some want more of a gateway device that has storage – and any device connected to it can take advantage of that DVR functionality as a way to book and stream content, using the storage a place to cache locally.” In more advanced networks where there is a greater ability for the network to scale, Silveman says people will be able to pull content from the headend and not do anything locally.

Bridging devices

Conax executive vice-president, products and marketing Geir Bjørndal says that pay-TV content that is secured by a high-security CA system in the broadcast domain can be bridged into a home network environment, where multiple devices from different vendors can be used to consume the content. This typically involves bridging the content to a different DRM system that is only used inside the home network. “Content owners will typically define a set of usage rules or licences associated with the content that restricts what the consumer can do with the content with regards to copying, redistribution and output port control,” he explains. “The CA system must control whether release of content into the home network is allowed and securely associate usage licences with the content.”

Various DRM systems support the distribution of content to multiple devices. Integration with a CA system that usually has a higher degree of security is needed to transfer content to household devices such as PCs and mobile phones. Conax is integrating its security solution with the DRM solution from partner TiVo, for example, making it possible to consume content securely on several different devices. It is also creating a bridge to the Microsoft DRM system.
“The key to distributing TV content from a high security environment to a multiple device environment is to implement a DRM control system whereby content passed through the high security network can be tagged with the rights to consume the content in the said multi-device environment.  Most likely a span of free-to-air content through to premium content that is only available for consumption on the main device will be deployed,” says Bjørndal.

A “DRM control” system will also provide secure delivery of content into a DLNA network, he adds: “A CA system will then enable use of all DLNA-certified devices in a scenario where content can be distributed from a home gateway that acts as the main DLNA server receiving content from the secure network.” The home gateway will typically be an advanced set-top that controls distribution according to the rules defined in the DRM control system. “The most important security requirement is that export of content from a highly secure broadcast environment into a home networking environment is controlled by a high-security CA system,” says Bjørndal.

Verimatrix has adopted what it calls a “cloud-based” strategy of delivering multiple different types of streams to different devices from a common headend. The company’s latest platform, VCAS 3, provides security for multi-format adaptive streaming over the internet, while the MultiRights framework delivers multiple forms of content security from a single headed.
According to Christian, this is a strategy that appeals to a subset of operators who believe that the home gateway is an expensive option in terms of customer premise equipment. “The approach we’re taking is being able to service as many devices as possible from a single headend,” he says. “The format-independent approach is delivered using our VCAS 3 strategy and is a function of being able to protect streams that are delivered using different protocols and file formats.”

As part of the adaptive streaming technology development that Verimatrix has carried out, it has added an authentication component that sits alongside the adaptive streaming mechanism. “That enables the registration of devices, from an internet-based set-top, to a PC or to a mobile phone device. You just add them to your account as a subscriber and you have access to all the same services that you would have on your TV. It’s a case of aggregating devices onto a users account,” says Christian.

One benefit of this kind of set-up is that it could enable a service provider to offer content to purchase on various devices in a completely transparent way. An obvious way of doing this is to integrate purchasing into existing pay-TV subscriptions – either as a micro-payment to a customer’s existing billing account or bundling services into the subscription. This is an area Irdeto has been moving into. “We spent a lot of time making the underlying security. We’ve also done a lot of work in allowing operators to ingest and publish content to multiplatforms and track where it goes. We’re now turning our intention to the mechanism of authenticated and managing the subscriber through their daily life,” says Wajs. That requires some work on the billing systems in terms of identifying customers using various devices and the packages they’ve subscribed to. “The biggest challenge is creating an environment where a consumer can click and pay in a totally transparent way. Unless we do that, we’ll have a struggle to eradicate piracy,” adds Wajs.
Ultimately, whatever business models and technology choices pay-TV operators make in regards to using the internet and third-party devices to distribute content from various sources, security vendors are preparing for every eventuality. “Regardless of the source of content, whether its from the open internet or a digital broadcast, content security is about securing access to content by leveraging a combination of hardware and software sitting on the CPE, the network and the headend,” says Viaccess’s Hamdane.