Watermarking piracy detection with Access Revocation

You can use third-party Watermarking-based piracy detection services along with our Access Revocation feature to revoke access to a live session that's been flagged as a piracy source. This requires a mapping between the Watermark and the authentication ("auth") token.

What is Access Revocation?

Access Revocation lets you include auth tokens in a "blacklist." Requests that include these tokens are blocked from accessing your content. You generate a token blacklist using the Access Revocation API, include identifiers associated with the offending auth token in the list, and then apply that blacklist in your AMD property configuration.

Before you begin

This workflow requires three services for your AMD property configuration. You need to work with your account representative to ensure you have them on your contract:

  • Watermarking.
  • Segmented Media Protection. This is a recommended behavior and should be available by default.
  • Access Revocation.

Understand the "roles"

There are three roles in this workflow:

  • The content provider. The owner of the content being requested. (If you own the content you want delivered, you're the content provider.)
  • The watermarking vendor. This is a third-party, supported vendor that sets up your content as well as generates and issues the watermarking tokens used in the process.
  • The end user. The individual using a player or client app to request the content.

The workflow

  1. The content provider generates an auth token to protect the target content. Within the token, a "session_id" is established.
  2. When an end user requests the URL to play content, the content provider interfaces with the watermarking vendor to request a watermarking token (WMT) for the end user. The WMT contains a unique "watermark ID" in it for that end user.
  3. The watermarking vendor returns the WMT to the content provider.
  4. The content provider maintains a mapping between the session_id and the watermark ID.
  5. The end user's player uses the playback URL that was retrieved from the content provider, to start playback by fetching content from Akamai.
  6. When the watermarking vendor detects piracy or re-streaming, they pull the watermark ID from the content and communicate it to the content provider.
  7. At this point, either the watermarking vendor or the content provider can revoke access, using the session_id that was set in the auth token.

How to revoke access

Here, we revoke access by blacklisting based on the session_id in an auth token that's been mapped to a “bad” WMT. You need to create an Access Revocation blacklist and add the offending auth token's session_id to it to mark it for revocation.

Note: This process assumes that you are the content provider.
  1. Work with a supported watermarking vendor to set up your content and the WMTs.
  2. Enable Token Authentication in your AMD property configuration, and also apply cookie-less token auth. Note the Encryption Key value you set.
  3. Generate a token for access to your content, and include a session_id in that token.
  4. Add a blacklist using the Access Revocation API, and store its "id." (This is also referred to as the "blacklistId.") You don't need to revoke specific tokens just yet.
  5. Use the blacklistId to set up Access Revocation in your AMD property configuration in Property Manager.
  6. Set up Watermarking in your AMD property configuration in Property Manager.
  7. Set up your player for watermarking.
  8. As requests for content begin, and a bad WMT is identified, either the content provider or the watermarking vendor need to store the session_id that's been mapped to the watermarking ID in that WMT.
  9. Either the content provider or the watermarking vendor can revoke the token using its session_id in the Access Revocation API.