Identify scenarios, practical solutions, and best practices to prevent unauthorized access to, and digital piracy of, copyrighted content, while also enabling simple, seamless access to content for subscribing consumers and ensuring the security of their private information.
Create a record of recommendations around general principles for managing unpermitted use as well as examples of permitted use. These are proposed as high-level recommendations only, intended to simplify implementation – they are not mandates or requirements. Every member will come to their own conclusions about what is best for their customers.
Consumer Privacy & Protection
Personally identifiable information (“PII”) must be protected throughout all processes.
Parental control restrictions established by the consumer should be supported.
Consumers are responsible for content delivered to a personal device which they manage, and they are encouraged to maintain control over credentials and devices to protect accounts from unpermitted use.
Unpermitted uses include providing credentials or a credentialed device to a third party unrelated to the household account for his/her use (for example, to allow the third party access to content to which the third party does not directly subscribe, or to circumvent rights associated with sports or other content).
Concurrent stream rules are not yet widely adopted, although they are under consideration across the industry. If adopted, they would be applied by individual companies for authorized video services, depending on device type and location.
Some companies may choose to establish a limit on concurrent streams irrespective of location while others may establish separate limits specific to location (for example, limiting use to 5 concurrent in-home streams and 3 concurrent out-of-home streams).
The ultimate solution for managing concurrent streams measures them across access points, not just at a single programmer access point.
As a general recommendation, for devices at a subscriber’s service address, a generous limit of concurrent streams should be applied.
Location and Network
Home-based authentication (HBA) should be implemented to provide ease of use for subscribers.
HBA should be permitted for devices only when at subscriber address.
Connected devices should be authorized automatically, when possible, if detected to be secure. Some companies may elect to allow connected devices to be authorized for access to authenticated content only while at subscriber address. Likewise, some companies may choose to disable mirroring technologies to prevent the push of authenticated content from mobile devices to larger screens when content is accessed while not at the subscriber address.
Some companies may choose to limit devices (via device registration) to help protect against unpermitted use.
Some companies are considering mobile check-in processes to protect against sustained unpermitted use. With a mobile check-in process, mobile devices may be authorized for access to authenticated content if connected at subscriber address at least once per an established maximum number of days. This presumes the MVPD can ascertain location and confirm network.
The Authentication platform should identify the user and the security of the session and authorize as follows:
Authorization should be requested every time a user attempts to access authorized content.
MVPDs and Content Providers should enable HBA where possible, and not rely solely on username and password for authentication and authorization.
Applicable viewing restrictions should be enforced so that the correct content is authorized for the consumer as a function of MVPD, entitlements and geographic location.
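One way the per-request authorization described above could combine HBA, the example concurrent-stream limits (5 in-home, 3 out-of-home) and the mobile check-in window is sketched here. This is an added example, not part of the original recommendations; the 30-day check-in window, the class and function names, and the in-memory stream counters are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The 5/3 split is the example given in the text. The 30-day check-in window
# is an assumed value: the text only says "an established maximum number of days".
IN_HOME_LIMIT, OUT_OF_HOME_LIMIT = 5, 3
MAX_CHECKIN_AGE = timedelta(days=30)

@dataclass
class Device:
    device_id: str
    kind: str                                  # "mobile" or "connected"
    last_home_checkin: Optional[date] = None   # last seen at subscriber address

@dataclass
class Account:
    in_home_streams: int = 0
    out_of_home_streams: int = 0

def authorize(account, device, at_subscriber_address, today):
    """Decide one stream request; meant to run on every access attempt."""
    if at_subscriber_address:
        # HBA path: the network location vouches for the session.
        if account.in_home_streams >= IN_HOME_LIMIT:
            return (False, "in-home stream limit reached")
        device.last_home_checkin = today       # refreshes the mobile check-in
        account.in_home_streams += 1
        return (True, "HBA")
    if device.kind == "connected":
        # Optional policy from the text: connected devices in-home only.
        return (False, "connected device away from subscriber address")
    if (device.last_home_checkin is None
            or today - device.last_home_checkin > MAX_CHECKIN_AGE):
        return (False, "mobile check-in expired")
    if account.out_of_home_streams >= OUT_OF_HOME_LIMIT:
        return (False, "out-of-home stream limit reached")
    account.out_of_home_streams += 1
    return (True, "credentials + recent check-in")

if __name__ == "__main__":
    # Constructed sample: a phone last seen at home 10 days earlier.
    acct, today = Account(), date(2024, 3, 1)
    phone = Device("phone-1", "mobile", date(2024, 2, 20))
    print(authorize(acct, phone, False, today))
```

A production version would also release a stream slot when playback ends; the counters here only ever grow.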
At subscriber address: The state of a customer’s authentication or authorization session when their device is connected successfully to the MVPD’s network using an authorized modem associated with the customer account, or via a registered IP address (or other method of location verification for video-only households). Applies to both mobile devices and connected devices. Note: This definition of subscriber address requires the presence of a modem.
Authentication platform: The network and device-based authentication and authorization platform that determines, at runtime, the security of the session and the required method(s) of authentication for each request.
Connected devices: Devices connected - either wired or wirelessly - to a video display (static, immobile) that are intended primarily for location-specific viewing (e.g., a television), including, but not limited to, the applicable MVPD’s set-top boxes, gaming consoles, connected “smart” TVs, and retail-purchased video streaming devices (e.g., Roku, FireTV, Apple TV, and Chromecast).
Credential-based authorization: The secure access to authenticated services by requiring the successful entry of an account and username (where applicable, profile-specific) and password.
Devices: Both mobile devices and connected devices, and desktop and laptop computers.
Home-based authentication (HBA): The state of a customer’s authentication or authorization session when their device is connected successfully to the MVPD’s network using an authorized modem associated with the customer account. Applies to both mobile devices and connected devices (does not apply to set top boxes).
Mirroring technologies: The streaming of video content from a mobile device to an external display device via technologies such as AirPlay and Chromecast.
Mobile and portable devices: Devices that the Authentication platform identifies as being portable and containing integrated video display capabilities and/or web browsers (e.g., phones, tablets), usually utilized through a connection to a wireless network. For sake of completeness, laptop and desktop computers are included here.
Scenarios provide an opportunity to discuss common and edge cases, making it easier to identify issues, subtleties, commonalities, and areas where approaches will differ.
Jane is a single mom, with two teenage kids, Amy and Adam. Their home is in southern Georgia. Amy is in high school and Adam is away at college in Boston. They have a subscription to Acme Entertainment that includes the triple play bundle - voice, video, and data. Jane is the subscription account owner. She has set up individual sub-accounts – one for Amy, and one for Adam. Jane pays roughly $215 per month for her services.
Each of them has several internet-connected devices that they use to watch TV shows, movies, and sports while they’re in the home as well as when they are out of the home.
PERMITTED Use Scenarios
1. Account member using credentials out of home (on own device)
Amy is a typical high school student, spending time with her friends and watching TV when they should be studying. When Amy is visiting her best friend, Elizabeth, Amy sometimes streams an episode of “Dancing with the Stars” using her Chromecast stick on Elizabeth’s TV.
Determination: In this instance, Amy’s use of her credentials away from home is likely a permitted use.
2. Account member using credentials out of home (on another’s device)
Amy signs in with her Acme user name and password to the tablet of her best friend, Elizabeth, when Amy is visiting Elizabeth’s house.
Determination: In this instance, Amy’s use of her credentials away from home is likely a permitted use.
3. Account non-member using account member’s HBA enabled device in home
Jane is dating Randy. Randy comes over on the weekends and uses Jane’s HBA-enabled device to watch baseball. Randy does not have his own user name and password.
Determination: In most instances, Randy’s in-the-home use of Jane’s device that has been enabled by HBA or signed in actively by Jane is likely a permitted use.
UNPERMITTED Use Scenarios
4. Account member providing credentials to an account non-member
Amy often visits her best friend Elizabeth’s home and they watch content together. Amy has given her Acme user name and password to Elizabeth to use.
Determination: Amy’s provision of her credentials to account non-member Elizabeth is an unpermitted use.
5. Account non-member using account member credentials
Amy signs in with her Acme user name and password to the tablet of her best friend, Elizabeth, when Amy is visiting Elizabeth’s house. Sometimes Amy forgets to log out and the access from Amy’s account is still active at Elizabeth’s when Amy leaves, so Elizabeth enjoys Amy’s account privileges.
Determination: Amy fails to safeguard credentials when she does not sign out from her account on non-member Elizabeth’s device. This is an unpermitted use.
6. Account member providing credentials to an account non-member
Adam’s girlfriend, Debbie, uses Adam’s user name and password to watch HBO on her mobile phone in her dorm room at GA Tech.
Determination: Adam’s provision of credentials to account non-member Debbie is an unpermitted use.
"GREY AREA" Scenarios
7. Use by household member at a temporary address other than the primary account/service address
Adam is away at college in Boston, but is a legal resident of his home state, Georgia, where his mom and sister live. While his college offers cable services that are included in the room and board fees, the service doesn’t include HBO. Adam uses his Acme Entertainment credentials from the home account for which his mom pays.
Determination: Each MVPD’s terms of service regarding the status of individuals living temporarily away from the service residence associated with the account likely govern whether Adam’s use of his credentials while at college constitutes permitted or unpermitted use.
8. Use by household member away from temporary address other than the primary account/service address
Adam is an avid gamer and loves his PlayStation. He takes it to college and uses his home-based authentication credentials to play it in Boston. Sometimes, he takes it to a friend’s dorm room to play games and watch authenticated programming.
Determination: Consistent with the previous scenario, if applicable MVPD terms of service don’t consider Adam a legitimate member of the account household, this scenario represents unpermitted use. If MVPD terms of service consider Adam a legitimate member of the account household, Adam’s use of his credentials in another location is likely to be a permitted use. The type of device involved, whether a mobile phone/tablet vs. a connected TV device (e.g., Roku, Apple TV, Xbox, etc.) may also determine whether this is a permitted or unpermitted use.
9. Use by household member at temporary address other than primary account/service address
Jane owns a vacation home. She, Amy and/or Adam often spend a few days up to two weeks there, bringing mobile devices, connected devices and laptops. While there, they use their Acme home account credentials to enjoy content.
Determination: Each MVPD’s terms of service regarding the status of individuals living temporarily away from the account service residence likely govern whether use of credentials while at a vacation home constitutes permitted or unpermitted use.
SCENARIO WRAP UP
The whole family loves to watch Southern Charm, but they’re rarely in the same location to watch as a family. So Monday nights, there is a lot of streaming going on. Adam (Boston) and his girlfriend (GA Tech) are streaming using Adam’s credentials; Amy and Elizabeth are streaming on their mobile phones using Amy’s credentials, and Randy and Jane are streaming the show using her credentials, but in separate geographic locations, as Randy travels for work.
Determination: Amy’s streaming away from home is permitted, but Elizabeth streaming at her own home using Amy’s credentials is not permitted. Streaming by Debbie (Adam’s girlfriend at GA Tech) using Adam’s credentials is not permitted. Jane’s streaming is permitted, but Randy’s is not unless he is viewing in Jane’s house. Adam’s streaming of the show while away at college may or may not be permissible use, depending upon the MVPD guidelines.