How premimum video platforms use manifest-level watermarking and client-side watermarking to control piracy

With the increasing demand for OTT and VoD content, piracy of premium content has also been on the rise. This has led to the adoption of forensic watermarking solutions to secure DRM protected content once it reaches the user’s device. Forensic watermarking can be further divided into A/B watermarking and bitstream-based watermarking. 

In A/B watermarking, two variants, called A and B, of each streaming session are generated which receive a different watermark. These streams are then broken up into segments which are ultimately combined to form a single stream with a unique combination of A and B segments. Whereas, in the case of bitstream watermarking, the watermark is inserted in real time by edge servers during streaming.

The A/B variant watermarking can further be divided into manifest-level watermarking and client-side watermarking. In manifest level video watermarking, the two unique versions of watermarked video files are mixed to create a unique user-specific watermark which is distributed to users. A disadvantage of A/B watermarking is that the two variants for each segment require double storage/caching compared to non-watermarked content. It  may not be effective for certain use-cases, such as live streaming, since it is time and resource demanding and needs a lot of storage space.

In the client-side watermarking option, the two watermarked versions of content are mixed by a client-side agent which play DRM protected content to create a unique user-specific version. The video segments are combined by the client video player rather than the edge server. However, since the watermark is placed in an adversarial environment (on the client side), the logic is exposed. Attackers can use easily accessible tools, such as debuggers, to disrupt and bypass watermarking. This can be done in two ways: Reverse-engineering the agent’s exposed JavaScript code or tampering with the DOM. Content providers can overcome these problems by JavaScript obfuscation (transforming the code into a hard-to-understand and reverse-engineer format) and real-time monitoring of the DOM to detect or block any malicious attacks by the user, respectively. In addition, the JavaScript protection approach could also include anti-tampering and anti-debugging capabilities. This breaks the web player in the event of an attack, thereby preventing any dynamic or static code analysis.