
Setting Up Axinom DRM to Prevent Screen Recording

Content Piracy Through Screen Recording Tools

If you protect your videos with DRM, only eligible users can acquire a DRM license and play the video. But a threat remains: a malicious user can act as a regular user (e.g. purchase a subscription) and play a video while capturing it with a screen recording tool. The screen recording output is DRM-free and can be shared further in ways the video owner never intended.

DRM technologies do provide some tools to prevent screen recording. However, you also face some tough trade-offs between usability/interoperability and security when using these tools.

Security Levels

Widevine and PlayReady allow setting the Security Level that a device must meet to be eligible for playback. The essential difference between Security Levels lies in hardware support. Security Level 3000 (PlayReady) and Security Level 1 (Widevine) ensure that the DRM system Client Decryption Module (CDM) is supported by hardware on the device. This way, the whole media path can be secured and it can be assured that even the CPU never gets access to unencrypted content. Specifically, with this Security Level, it is possible to effectively prevent screen recording. Pure software-based CDMs (Security Level 2000 in PlayReady, Security Level 3 in Widevine) are typically not able to prevent screen recording by software tools.

You could require a higher security level and thereby prevent screen recording. However, doing so restricts the range of devices on which the video can be played. This applies especially to some popular browsers with integrated CDMs. For example, Google Chrome supports Widevine, but cannot meet Security Level 1 and only supports Security Level 3.

Configuring the Security Levels

When you generate an entitlement message, set the following parameters:


[Figure: entitlement-message, Configuring Security Levels]


Widevine device_security_level parameter accepts the following values:


| Value | Security Levels | Comment |
|---|---|---|
| SW_SECURE_CRYPTO | Level 3 | Default, lowest security |
| SW_SECURE_DECODE | Level 3 | |
| HW_SECURE_CRYPTO | Level 2 | |
| HW_SECURE_DECODE | Level 1 | |
| HW_SECURE_ALL | Level 1 | Highest security |


PlayReady min_device_security_level supports the following values:


| Value | Security Levels | Comment |
|---|---|---|
| 150 | Software-based | Only for testing purposes, not suitable for production, lowest security |
| 2000 | Software-based | Default |
| 3000 | Hardware-based | Highest security |


Output Protection Levels

DRM systems let you configure the output protection. You can decide whether you want to let the consumers attach an external display to their device and enjoy playback there. This applies to both cabled and wireless connections (e.g. via Chromecast). You can even go as far as defining which version of the HDCP protocol on the HDMI cable is acceptable for you. It is more convenient for an end-user to be able to do this. However, it is more secure to not allow it. There are capturing devices available (in many countries, they cannot be purchased legally) that plug into an HDMI connection and let you record even HDCP protected streams.

It is even possible to assign different settings to the same asset but for different quality levels. For example, you could let end users use devices with Security Level 3 (Widevine) for lower resolutions, and require Security Level 1 for your high-quality HD streams.

Google Widevine has published some recommended settings (they most likely reflect requirements often seen from Hollywood content owners):

Content Encryption Recommendations from Widevine

Widevine reinforces their recommendation of using separate content keys to encrypt each video and audio track. In particular, the emphasis is on using separate content keys for each category of SD, HD, 4K (UHD1), 8K (UHD2), and AUDIO streams.


| Content Type | Minimum | Recommended | Best | Store License | Output Protection |
|---|---|---|---|---|---|
| AUDIO | No encryption | Separate content key for audio tracks | Separate content key for audio tracks | Yes | N/A |
| SD | Single content key for all tracks | Separate content key for each video group | Separate content key for each video track | Yes | N/A |
| HD (720p or higher) | Single content key for all tracks | Separate content key for each video group | Separate content key for each video track | Yes | HDCP 1.4 |
| UHD1 (4K), UHD2 (8K) | Separate content key | Separate content key for each video group | Separate content key for each video track | No | HDCP 2.2 |


Configuring Output Protection Levels

When you generate an entitlement message, set the DRM provider-specific parameters inside the element content_key_usage_policies:


[Figure: entitlement-message, Configuring Output Protection Levels]
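
The security level value tables above can be turned into a check that runs before an entitlement message is issued, so that a policy meant to block screen recording does not silently fall back to a software-based level. This is an added example, not Axinom's code: only content_key_usage_policies, device_security_level and min_device_security_level come from this page, while the "name", "widevine" and "playready" keys, the function names and the sample message are assumptions.

```python
# Added example: audit content_key_usage_policies against this page's tables.
# The "name", "widevine", "playready" keys and SAMPLE are assumptions.
# Widevine device_security_level value -> Security Level (table above).
WIDEVINE_LEVEL = {
    "SW_SECURE_CRYPTO": 3, "SW_SECURE_DECODE": 3,
    "HW_SECURE_CRYPTO": 2, "HW_SECURE_DECODE": 1, "HW_SECURE_ALL": 1,
}
WIDEVINE_DEFAULT = "SW_SECURE_CRYPTO"  # default per the table
PLAYREADY_DEFAULT = 2000               # default per the table

def audit_policy(policy, hardware_required):
    """Return findings for one usage policy (empty list = nothing to report)."""
    findings = []
    wv = policy.get("widevine", {}).get("device_security_level", WIDEVINE_DEFAULT)
    pr = policy.get("playready", {}).get("min_device_security_level", PLAYREADY_DEFAULT)
    if wv not in WIDEVINE_LEVEL:
        findings.append(f"unknown Widevine device_security_level {wv!r}")
    elif hardware_required and WIDEVINE_LEVEL[wv] != 1:
        findings.append(f"Widevine {wv} is Level {WIDEVINE_LEVEL[wv]}, Level 1 required")
    if pr not in (150, 2000, 3000):
        findings.append(f"unknown PlayReady min_device_security_level {pr!r}")
    elif pr == 150:
        findings.append("PlayReady level 150 is for testing only")
    elif hardware_required and pr != 3000:
        findings.append(f"PlayReady {pr} is software-based, 3000 required")
    return findings

def audit_message(message, hardware_policies):
    """Audit every policy; hardware_policies names those that must be hardware-backed."""
    return {
        p["name"]: audit_policy(p, p["name"] in hardware_policies)
        for p in message.get("content_key_usage_policies", [])
    }

# Constructed sample: SD keeps the defaults, the HD policies must be hardware-backed.
SAMPLE = {
    "content_key_usage_policies": [
        {"name": "SD", "widevine": {"device_security_level": "SW_SECURE_CRYPTO"}},
        {"name": "HD", "widevine": {"device_security_level": "HW_SECURE_CRYPTO"},
         "playready": {"min_device_security_level": 2000}},
        {"name": "HD-fixed", "widevine": {"device_security_level": "HW_SECURE_ALL"},
         "playready": {"min_device_security_level": 3000}},
    ]
}

if __name__ == "__main__":
    for name, findings in audit_message(SAMPLE, {"HD", "HD-fixed"}).items():
        print(name, findings or "ok")
```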