DRM Protection and Screen Recording
If you protect your videos with DRM, only eligible users are able to acquire a DRM License and play the video.
But there is a threat: a malicious user can act as a regular user (e.g. purchase a subscription) and play a video using a screen recording tool. Screen recording output is DRM-free and can be further shared in a way not intended by the video owner.
DRM technologies do provide some tools to prevent screen recording. However, you also face some tough trade-offs between usability/interoperability and security when using these tools.
Security Level​
Widevine and PlayReady allow setting the Security Level that a device must meet to be eligible for playback. The essential difference between Security Levels lies in hardware support. Security Level 3000 (PlayReady) and Security Level 1 (Widevine) ensure that the DRM system Client Decryption Module (CDM) is supported by hardware on the device. This way, the whole media path can be secured and it can be assured that even the CPU never gets access to unencrypted content. Specifically, with this Security Level, it is possible to effectively prevent screen recording. Pure software-based CDMs (Security Level 2000 in PlayReady, Security Level 3 in Widevine) are typically not able to prevent screen recording by software tools.
You could acquire a higher security level and prevent screen recording.
However, by doing this, you restrict the range of devices where the video can be played. This applies especially to some popular browsers on desktop systems. For example, Google Chrome or Firefox on desktop systems support Widevine, but cannot meet Security Level 1. They support only Security Level 3 (note that Google Chrome on Android is not affected by this issue, it comes with support for Security Level 1).
How to Set the Security Level with Axinom DRM​
When you generate an entitlement message, set the following parameters:
"content_key_usage_policies":
[
{
"name": "Policy A",
"widevine":
{
"device_security_level": "HW_SECURE_ALL",
...
},
"playready":
{
"min_device_security_level": 3000,
...
}
},
...
]
Widevine device_security_level parameter accepts the following values:
| Value | EME Security Level | Device Security Level | Comment |
|---|---|---|---|
| SW_SECURE_CRYPTO | 1 | Level 3 | Default, lowest security |
| SW_SECURE_DECODE | 2 | Level 3 | |
| HW_SECURE_CRYPTO | 3 | Level 2 | |
| HW_SECURE_DECODE | 4 | Level 1 | |
| HW_SECURE_ALL | 5 | Level 1 | Highest security |
This setting defines the minimum security level required to acquire a license.
PlayReady min_device_security_level supports the following values:
| Value | Security Level | Comment |
|---|---|---|
| 150 | Software-based | Only for testing purposes, not suitable for production,Lowest security |
| 2000 | Software-based | Default |
| 3000 | Hardware-based | Highest security |
Output Protection​
DRM systems let you configure the output protection. You can decide whether you want to let the consumers attach an external display to their device and enjoy playback there. This applies to both cabled and wireless connections (e.g. via Chromecast). You can even go as far as defining which version of the HDCP protocol on the HDMI cable is acceptable for you. It is more convenient for an end-user to be able to do this. At the same time, it is more secure to not allow it. There are capturing devices available (in many countries, they cannot be purchased legally) that plug into an HDMI connection and let you record even HDCP protected streams.
It is even possible to assign different settings to the same asset but for different quality levels. For example, you could let end users use devices with Security Level 3 (Widevine) for lower resolutions, and require Security Level 1 for your high-quality HD streams.
According to Widevine documentation, For Android L3, playback stops if output protection is required. L3 is best-effort and cannot be reliably enforced when specified.
Google Widevine has published some recommended settings (they most likely reflect the often seen requirements by content owners from Hollywood):
Source: https://www.widevine.com/news
How to Set the Output Protection Level with Axinom DRM​
When you generate an entitlement message, set the DRM provider-specific parameters inside the element content_key_usage_policies:
"content_key_usage_policies":
[
{
"name": "Policy A",
"widevine":
{
"device_security_level": "SW_SECURE_DECODE",
"cgms-a": "once",
"hdcp": "2.0"
},
"playready":
{
"min_device_security_level": 2000,
"analog_video_opl": 100,
"compressed_digital_audio_opl": 200,
"uncompressed_digital_audio_opl": 300,
"compressed_digital_video_opl": 400,
"uncompressed_digital_video_opl": 500,
"source_id": 258,
"play_enablers":
[
"786627D8-C2A6-44BE-8F88-08AE255B01A7",
"5ABF0F0D-DC29-4B82-9982-FD8E57525BFC"
],
"analog_video_output_protections":
[
{
"id": "e8103fec-76d3-401e-abfc-812f58df19a2",
"config_data": "6BA/7HbTQB6r/IEvWN8Zog=="
}
],
"digital_video_output_protections":
[
{
"id": "6f727eaa-831e-4f99-9c83-292a5f305e21",
"config_data": "b3J+qoMeT5mcgykqXzBeIQ=="
}
],
"digital_audio_output_protections":
[
{
"id": "72098751-6f56-49b6-b072-02b35cba6ae9",
"config_data": "cgmHUW9WSbawcgKzXLpq6Q=="
}
]
}
}
]
For a full list of supported parameters, check the Entitlement Message format specification.