Content Security Overview
CineSend is an industry leader in secure streaming video, offering studio-grade content security features that are trusted by every MPA member studio and thousands of clients worldwide. We take content security very seriously on behalf of both rights owners and event/platform operators.
This article details the many security features available on the CineSend On Demand, including those on by default as well as those that are optional features.
- Digital Rights Management (DRM) Technology
- Source File Deletion
- Forensic and Visible Watermarking / Spoilers
- Publishing Controls
- Asset View Count Limits
- Single IP Restrictions (Vouchers)
- Single View Restriction (Vouchers)
- Expiration Period (Vouchers)
- Concurrent Login Restrictions (Subscribers)
1. Digital Rights Management (DRM) Technology
Digital Rights Management (DRM) is technology that helps prevent unauthorized sharing and piracy of video content. DRM is the first line of defence to protect streaming video, and it works by making sure video content is stored and transmitted in an encrypted form, so that only authorized end-users can play it back. Some of the core features/functions of DRM are:
- To prevent end-users from downloading the source streaming video (by way of a video nabbing/download software, for example)
- To prevent end-users from nefariously sharing the video with others
- To provide a trust chain that extends beyond us, the vendor
By default, video files uploaded to the CineSend On Demand are immediately encoded for streaming and encrypted with Digital Rights Management (DRM). There are several competing DRM schemes - Apple FairPlay, Google Widevine, and Microsoft PlayReady. Different devices, operating systems, and browsers work with different schemes, so CineSend employs all three to maximize device compatibility.
Protected with DRM, audiences will be able to watch content on modern computers and mobile devices using browsers that support DRM, as well as on native apps for smart TVs and streaming boxes.
2. Source File Deletion
Source video files (i.e. the video file uploaded by the content provider) are retained on CineSend servers for 15-30 days. The files are stored in encrypted storage, and the retention period allows for the DRM encoding to be repeated if necessary (for example, if a subtitle or closed captioning track is uploaded). Following the retention period, CineSend's servers automatically and permanently delete video.
3. Visible Watermarking / Spoilers
While DRM does a great job preventing end-users from downloading streaming videos, it does little to prevent screen recording; either by way of screen capture software, or pointing a video camera at a computer or TV screen. This is where watermarking can add an additional layer of security when and where it's required.
CineSend supports two types of user-specific watermarking:
- A visible watermark (sometimes called a "spolier"), which often serves as the best deterrent to "casual" piracy.
- An invisible watermark (usually referred to as "forensic"), which can be used to determine the origin of pirated content as a leak source identifier.
It's important to understand the implications of these two technologies. Visible watermarks typically contain some user-identifying information, like a subscriber ID or name. Because these marks are visible, they can detract from the viewing experience, and so for this reason are seldom used on content being watched by a paying audience. Invisible watermarks don't share this problem, but they do very littler to deter piracy and they are instead used after leaks occur to track down a culprit.
If you're unsure about when and why to use these two watermarking options, we recommend getting in touch with your CineSend account rep to discuss in more detail.
Watermarking is an optional security feature that can be enabled from the video's Security sub-menu:
The watermark overlay (visible watermark) can be enabled without assistance and without any additional fees. The invisible/forensic watermark requires some setup from CineSend staff and fees vary depending on the length of the material. Please contact CineSend support if you require forensic watermarking and we will be happy to assist you and provide a quote.
Geoblocking is an optional feature that can restrict content access based upon the viewer's geographical location. Access can be allowed, or disallowed, by countries, Canadian provinces, US states and US zip codes.
To enable, a default can be set for all newly uploaded videos by navigating to SITE SETTINGS > ASSET ACCESS. Alternately, geoblocking can be set and managed on a video by video basis by navigating to each video's Security sub-menu. Select which countries, etc. are allowed to view, or by using the "Use Blocklist?" option you can instead select those that are disallowed.
5. Publishing Controls
Even if a viewer has an entitlement to log into the watch portal and passes through the paywall, the content is still protected by Publishing Controls. If content is unpublished, then the user can view the video's landing page however the Play button will not be active.
You control when content is published from the content's Asset sub-menu screen in the administrative portal. A video can be manually published at any time, or automatic publishing and unpublishing dates and times can be set in advance.
6. Asset View Count Limits
If you need to restrict the number of views for a film you can setup a trigger to have the film unpublish after it reaches a specified number of views. Once the number of views has been reached, the content unpublishes automatically and is no longer playable online.
To enable this feature, navigate to the video's Asset sub-menu, scroll to the bottom and within the Automatic Publishing Actions area you can enable and set the number of views allowed.
By design and by default, you control who has access to your content because it is protected behind a paywall. Viewers must have some entitlement to view the video, whether paid or free, that has been issued by the event producer in the form of a voucher (aka ticket) or a subscription (aka pass). Without receiving access credentials from the event producer, there is no way to get past the initial login page of the event's website
8. Single IP Restrictions (Vouchers)
Vouchers are prevented from being shared with Single IP Restrictions. When this setting is turned on, vouchers issued will lock to the first IP address that uses the voucher. Anyone else trying to use that same voucher will get an error message that it has already been used at a different IP address and is not valid.
This setting is on by default within CineSend On Demand accounts, however it can be turned off by navigating to SITE SETTINGS > ASSET ACCESS > VOUCHER ACCESS and disabling this setting for future vouchers issued.
9. Single View Restrictions (Vouchers)
An optional setting, vouchers granted for video assets can automatically expire after a designated percentage of the content has been viewed (ie. 95%). If, for example, there are very strict view count caps then this setting would be useful to ensure voucher holders are not watching the content more than once, eating up the allotted number of views.
This setting is off by default within CineSend On Demand accounts, however it can be turned on by navigating to SITE SETTINGS > ASSET ACCESS > VOUCHER ACCESS and enabling the setting (and designating the % watched) for future vouchers issued to video assets. This setting does not effect vouchers issued to playlists, live events, or series.
10. Expiration Period (Vouchers)
Vouchers issued from the On Demand system include an expiration period. The expiration period's clock begins ticking when the voucher holder first clicks the Play button for the designated video content. Once the expiry period has been reached, the voucher is no longer valid and an error message informs the viewer that the voucher has expired.
This setting is always on and by default the expiry period is 24 hours, however that period can be modified by navigating to SITE SETTINGS > ASSET ACCESS > VOUCHER ACCESS and changing the number of hours the expiry period should be for future vouchers issued.
11. Concurrent Login Restrictions (Subscribers)
While subscribers do not have IP address limitations by design, the number of devices they are allowed to watch from can be restricted in order to prevent concurrent streaming.
This optional setting can be enabled by navigating to SITE SETTINGS > ASSET ACCESS > SUBSCRIBER ACCESS and enabling the Login Device Restrictions as well as defining the number of devices they are allowed to view with.
Thank you for choosing CineSend for your On Demand platform. If you have any questions about the security measures discussed above, or other security questions, please reach out and we'll be happy to assist you.