Contribution

Myths of native vs. downloadable DRM

According to Steve Christian, SVP of Marketing, Verimatrix, the assumption that certain DRM choices are inevitable must be challenged urgently, on technical, financial and business grounds.

All the recent hype about native player and native DRM implementations on mobile devices might suggest that the benefits of this shift in approach towards free security are well proven. Yet closer examination suggests that any advantages are elusive – and in fact the reliance on unpredictable support for a mobile OS may limit the competitiveness of operator services. It may even undermine the security perimeter protecting delivery of a service’s content. So as operators take a hard look at their options here, the question has to be posed – who is reaping the benefits of native security?

The fallacy that client-side content security will in the future be natively available in a streaming world – and either free or very inexpensive – has recently been promulgated by the major Internet players and especially Google. It is important that video service operators (VSOs) challenge this hype on several counts, chiefly to understand that it really is a fallacy and not in their long-term interests.

The assertion about use of mobile native DRM emerges as VSOs are delivering ever more premium content, increasingly including live streaming video, that must be protected on a fragmented constellation of unmanaged consumer electronics devices. At the same time, there is broad recognition that attempts to unify security across the browser world under HTML5 with its associated Encrypted Media Extensions (EME) and Content Decryption Module Interface (CDMi) have failed in their bid to simplify cross-platform app development and content delivery.
This outcome seemed inevitable for a variety of proprietary commercial reasons, with the result that VSOs and content owners now need to manage secure content delivery and subscriber management across all the combinations of streaming format and principal DRM platforms that have emerged. At the same time, this growth in streaming of premium content, with more live sports, a trend towards Ultra HD (UHD), and shorter windows for blockbuster movies, is exerting pressure on VSOs to be more conscious and in control of client-side security.

Against this background, the perception has grown that the media content world should rally around the security mechanisms that come with the underlying devices, built into browsers or the operating systems. This view has its origins with Google, whose Widevine DRM is increasingly available in Android-based consumer electronics (CE) devices, while Microsoft has been consistently reducing effective licensing costs of its PlayReady DRM.

With a bit of campaign management by the companies involved, this view has crystallised among the consultants and systems integrators serving VSOs, which threatens to help spread the myth throughout the video life cycle and value chain to the severe detriment of revenue protection in the longer term.

The result has been that many VSOs, including a number of Tier 1 operators, have come to assume certain DRM choices are inevitable, dictated by what comes with target platforms. They have come to see native DRMs almost as axiomatic and even set them out in RFPs (requests for proposals), yet this is an unfortunate myth that must be challenged urgently, on technical, financial and business grounds.

Financial Myths

There are two particular strands of thought that do not add up: 1) the idea that native security can be free and 2) that it can be effective.
On the first of these counts, it is only the DRM core that is free, which is just one component of the TCO (total cost of ownership) associated with content security. This completely ignores all the server-side aspects of security that will require additional investment to cater for multiple client platforms, as well as the limitations inherent in native DRMs beyond the control of operators.

There is also the important point that the DRM itself is not an isolated component that can be treated as a one-off project, but is instead an ongoing development program that must be capable of responding to challenges and threats as they emerge. Such challenges can lead to unscheduled R&D, as well as additional testing, when for example a new standard is implemented or a service is extended.

Technical Myths

This leads to the second point about effectiveness. One thing that has become absolutely clear is that for security to work over time and counter not just known threats, but new ones as they emerge, it must be renewable. This fundamental realisation is at the heart of the now well-established MovieLabs Enhanced Content Protection guidelines. Although these were originally aimed at a new generation of UHD security, the same underlying principles of software renewability are now acknowledged by everyone in the security business.

Supporters of native security argue that it must be more robust against tampering or external attack because it is built into the operating system rather than relying on downloadable components. But this fundamentally misrepresents, or fails to understand, the direction security is going in the era of streaming and IoT (internet of things), where the threat landscape will be constantly changing and creating new risks, some of which cannot be anticipated at all in advance.
The trend is firmly towards actively managed, fully upgradeable security that can be delivered in the same way as apps and so be managed independently of devices and the OSs inside them. Of course the OS can itself be upgraded remotely, but the point is that this is under the control of a third party, typically the device maker, rather than VSOs themselves or their