Mini Guide to Content Protection

With piracy on the rise again, it is worth taking a moment to consider how you can prevent your content from being pirated. Pirated content (ranging from link sharing to straight-out downloading of content) generally results in a loss of revenue. While there are many approaches to protect your content, each approach has its pros and cons, technical complexity and cost.

EZDRM blog banner (15)


Restricting the access to your content is a fairly simple
and straight-forward approach to avoid your
infrastructure and content being abused. There are different approaches which can be taken for this, which often are very cost effective.

  • Stream Tokenisation
  • Cookies and/or browser sessions
  • Geo-blocking
Stream Tokenisation

Stream tokenisation is a fairly common approach, as several CDNs and servers provide it out of the box. This system is based on access control, as the client will receive a token that allows to access the content through the download of a link. If the link to that video stream is copied, the client cannot access the stream. Most vendors provide solutions which work like this, where a token (for example a JSON Web Token) can be requested on the platform, and then used by a viewer to gain temporary access to a stream.

Cookies and/or Browser Sessions

Cookies and/or browser sessions can also be used in order to restrict access to content. Often this approach is more suited to be used only on manifest files or similar master files as it can be quite intensive for authentication systems which are not scaled for this.


An approach to restrict access within certain geographic areas is geo-blocking. This approach detects the location of the viewer based on information such as the user’s IP address and determines if their location is within the allowed area. An alternative solution could be to restrict the content access only on certain networks, for example within the campus of a university, or on a company network.

Example of stream tokenisation and geo-blocking.

Both stream tokenisation and geo-blocking are very suited as lightweight access restrictions. They can be used to avoid link sharing, and deterring people from using your streaming infrastructure to spread the content. While the approach does not make it extremely difficult to copy the actual content, it can provide an initial barrier for less tech-savvy people.

Content encryption AES-128

The most popular method for content protection is AES encryption. AES encryption is used in combination with all popular streaming protocols and is also the basis of a lot of DRM systems. The approach can be fairly inexpensive as there are a wide range of standard capabilities in streaming servers and tools. AES uses a key to encrypt and decrypt the content. In order to do so, both the sender and the receiver need to know the key.

Although AES is a hard to crack encryption schema, the weakest point in the system is key retrieval: once a key is known, it can always be used to decrypt (a part of) a piece of content. How this is done will depend on the streaming protocol used in tandem with the encryption.

HLS provides AES-128, which simply links the key in the manifest, while DASH is commonly used with the ClearKey encryption scheme. It is important to restrict access to the key itself by means of tokenisation or cookie/session-based access.

The AES approach, in combination with tokenisation, is a sound choice for everyone not being contractually forced by content owners to leverage full blown DRM solutions. It can be used to provide a high-grade protection without the cost of a DRM system and can provide a great challenge for even tech-savvy users.

DIGITAL RIGHTs management (DRM)

Encryption is also the basis of DRM systems. So, what makes a DRM system more secure?
There are two things to consider:

  1. DRM systems are set up so the key to decrypt content is never accessible. Instead, a license is shared, which is used by proprietary pieces of software to extract the key and decrypt the content.
  2. On top of that, most DRM implementations these days are hardware implementations, meaning decryption happens within the chipset itself, and no content can leak outside of a secure container. There are even measures in place to avoid automatic screen recording. These DRMs are often platform specific, such as Google’s Widevine on Android platforms, Microsoft’s PlayReady and Apple’s Fairplay.

Full DRM solutions are often enforced by content owners, especially for HD and 4K content. While there are some cases where DRM is also used for corporate or other high value content, it is often seen as an expensive solution.


The image below depicts a simplified video streaming infrastructure, illustrating how DRM works. The process starts by first transcoding and encrypting the source content, in our case the video content. A copy of the encrypted content is sent to the CDN and the License Server. The CDN then stores and distributes the encrypted video fragments to the Video Player. In order to do anything with that content, the Video Player will need to communicate with the License Server to obtain the Decryption Key. The decryption keys only get communicated through a secure channel within the DRM Licence Server. A decryption key will never leave the DRM component.

Simplified Video Streaming Infrastructure – How DRM works

Deterring Piracy

While you can join the battle and fight piracy by making it more difficult to access, we also see an increase in the alternative approach: making your content easily available on your platform.

By delivering a compelling user experience and pricing model, users can be persuaded to return to your platform, instead of illegally downloading it from an obscure website. By leveraging a reasonable pricing scheme, or an advertisement approach which is not too obtrusive, in combination with features for content discovery, viewers can be persuaded to sign up and return to your portal.

Any questions left? Contact our THEO experts.

Subscribe by email