DRM (Digital Rights Management): The Definitive Guide [2023]

Welcome to our complete guide to digital rights management in 2023.

This page provides digital content creators with everything they need to understand how DRM works today to protect video content from unauthorized users.

As the digital media landscape evolves, challenging copyright laws and threatening intellectual property like never before, DRM solutions play an increasingly vital role in protecting copyright infringement of digital assets.

Start at the beginning, or use the table of contents below to jump to the most relevant chapter:

What is Digital Rights Management?

The meaning of DRM

Digital Rights Management refers to the algorithms and processes that were created to enforce copyright compliance when consuming digital content.

Without DRM, your content can be easily copied by the end-user. A process typically referred to as pirating.

It is, therefore, necessary in an online video distribution architecture, but it is not visible to the consumer.

DRM is also used offline to provide the copyright holder with protection for CDs, DVDs, and BluRays.

The benefits of digital rights management

The necessity for streaming capabilities amongst the media industry and video content distributors at large is at an all-time high.

Consumers and developers are racing to find and distribute the best content at their disposal.

Unfortunately, this high demand for video content is often undermined by a lack of security around original digital assets.

As a result, creators and distributors are finding themselves in positions where they need to protect themselves and their copyrighted material from unauthorized users; enter DRM technologies.

How DRM works to protect streaming services

Currently, Digital Rights Management can be implemented as both a software and/or hardware solution; and in most instances it’s implemented as a combination of both.

Regardless of DRM hardware or software implementation types, all providers seeking to protect their digital content will see their files pass through an encryption & decryption cycle.

Here’s an example of that process:

The Encryption Cycle

To begin the “security” cycle, communications between the requesting encoding software and the licence server are encrypted.

Each segment is encrypted according to the MPEG Common Encryption (CENC) specification for ISO-BMFF.

What is ISO-BMFF?

ISO-BMFF is a standardized file format and serves as a container for audio and video content. A well-known implementation of ISO-BMFF (and often used synonymously with it) is the MP4 or fragmented MP4 (fMP4) file format. In the DRM workflow, the multimedia content is encrypted and the ISO-BMFF container is enhanced by DRM-specific metadata and encryption algorithms.

DRM systems utilize ISO-BMFF to store and transport encrypted media data, and enables the association with a DRM license. When users attempt to access the protected media, the DRM system verifies if the user is allowed to based on the associated license.

In short, it enables secure storage, delivery, and control of digital media within DRM frameworks.

Segments can either be fully encrypted, or partially encrypted, where only some frames, or even only parts of frames are encrypted.

The MPEG-CENC standard defines how a segment is encrypted and maps which decryption key needs to be used for which segment (or parts of it) by associating a key id to it. MPEG-CENC is used for DASH and HLS streams if the segments are in the fMP4 container format.

Standard content encryption is done using the Advanced Encryption Standard (AES) algorithm, using 128-bit keys. Depending on the DRM system being used, it is either used in the Counter (CTR) or the Cipher Block Chaining (CBC) mode.

These two modes differentiate how a payload is encrypted.

It’s important to note that only the raw audio and video data within a segment is encrypted, but the metadata added in the container is not.

There are three main DRM providers: Google Widevine, Apple FairPlay, and Microsoft Playready.

Their application can vary greatly based on many unique factors – having to select a provider that matches the content distributor’s delivery & playback needs (based on which devices are supported) can introduce a lot of complexity to the DRM implementation process.

In order to improve security and decrease the risk of reverse engineering DRM systems, there are typically no clear log messages.

In fact, parts of the process are treated as a black box – and as a result, debugging can be even harder on devices (for example SmartTVs or Set-Top Boxes) with older versions of DRM software.

In the browser or operating system, the content will then be decrypted by a Content Decryption Module (CDM), which decrypts each encrypted audio and video segment.

The Decryption Cycle

When a web player identifies DRM-protected content, it calls on processes and interfaces defined by Encrypted Media Extensions (EME), which are used in browsers to initiate a license request process.

The EME is used to interface with the Content Decryption Module (CDM) that is implemented in the browser and may or may not rely on operating system features like HDCP.

When DRM protected content is played back, license requests are generated by the CDM and passed to the player through the EME.

All of the decryption work is done by the CDM. Crucially, the decrypted content stays within the  CDM – it is not, and must not be, accessible to the playback software as otherwise it would be possible to create decrypted copies of the content.

In order to playback protected content, upon detecting that the content is protected, the player or playback software issues a license request to the licensing server.

If the license is cached locally, this request can be skipped and the cached license can be used instead.

The license request sent by the player of playback software always includes metadata that uniquely identifies the content being played back, and the format of that metadata depends on the used DRM solution.

This DRM metadata can be contained either in the manifest (like MPEG-DASH or embedded in HLS), in a player’s configuration, or within the individual segments.

Although it is not a requirement, the request typically includes additional data from the requesting device, like an ID that can be used to uniquely identify it.

If all mandatory information is provided, the server may grant a license to the player or playback software with the decryption keys necessary to allow secure playback of the requested content on the client. 

The returned license agreement may include information about the content’s required decryption security level, for example: decrypting content using software is significantly less secure than decrypting over hardware. 

From the perspective of the player – the license acquisition using the EME starts from the playback client creating a so-called key session. Using that key session and the DRM metadata taken from the segments, manifest or other sources, the player starts the license request process using the EME.

The CDM then generates a signed key message which is sent to the license server by the player or payback software.

The license server returns the requested license – with the resulting decision of whether or not the client is granted playback rights to the requested content; if not, playback is halted and an error is shown. 

Alternatively, the license server can also determine, that e.g. the player is only allowed to play back SD representations of the content.

If the license request was successful, the client updates the key session with the returned license. 

The content decryption is then handled fully by the CDM. 

In some circumstances, the license is cached for a set time and can be used to playback protected content offline (ex: Netflix). 

The workflow is very similar for non-Web platforms, such as native Android, iOS, or tvOS apps. Each platform has their own set of APIs, similar to the EME on Web, to interact with the underlying, integrated CDM.

The license and the decrypted data must not be accessible to clients other than the licensed content user. 

Therefore, the private keys and decrypted data are kept in a secure environment within the browser, operating system, or even hardware (if supported), like Trusted Execution Environments.

The usage of different container formats, like fMP4 and MPEG-2 TS, made it hard to distribute the same content across all platforms. 

However, the rapid adoption of CMAF and the standardization of CENC across hardware manufacturers and software developers are reducing the complexity of implementation for the industry. 

Although CMAF and CENC still allow AES CTR and AES CBC usage, DRM providers are gradually converging towards the use of AES CBC.

DRM Technologies in use today

Here are some of the most common DRM technologies :

Apple Fairplay: Cipher Block Chaining encryption, the only option for Apple devices, such as the iPhone, iPad, AppleTV, and for the Safari browser, and is also used by iTunes. 

Widevine: Developed by Widevine Technologies, bought by Google. Used on Android Devices natively, in Chrome, Edge, Roku, Smart TVs. Widevine uses protobuf format for metadata.

Microsoft PlayReady: Developed and maintained by Microsoft. Supported on Windows, XBox gaming consoles, most set-top boxes and TVs, uses XML-based WRMHEADER tag objects as metadata format.

Additional DRM vendors can be seen in Irdeto’s graphic below:

This segmented market of DRM providers is equally represented by a highly fragmented application. 

The following graph from the latest Bitmovin Video Developer Report shows the current distribution in the application of DRM systems within the video developer community:

Preventing copyrighted content being copied from other rights-holders

Suppose you are hosting an online video on demand platform that can be used to watch all kinds of different Hollywood movies. The right holder of the content you’re distributing wouldn’t want your users to be able to just create copies of that content.

The provider of the platform may therefore be contractually required to use some form of content protection to honor the rights of the content right holder.

This is often the case for broadcasters that not only host their own content, but for example live TV or other movies or series. DRM systems can be used to protect the content from being copied by the users of that service illicitly.

Choosing the best DRM services 

There are a number of options when looking to control access to your digital content, restricting it only authorized users. When we asked our video developer community how they were implementing digital rights management into their workflow, 52% said they were using a commercial DRM provider:

DRM provider’s offer solutions and services to content creators, publishers, and distributors. 

They specialize in developing and implementing technologies, tools, and systems that enable the protection, distribution, and management of your digital content. They also ensure compliance with licensing terms and copyright laws. 

Solutions like encryption, access control, license management, content protection, and monitoring can all be provided by a good DRM partner. 

Choosing a DRM provider

There are a number of high quality partners out there. So make sure that the one you choose covers all of the bases when it comes to DRM. 

A typical suite of services will look something like this: 

DRM System Integration: DRM providers integrate their technologies into existing content distribution platforms, websites, or streaming platforms, enabling seamless DRM functionality and protection for digital content.

Content Encryption: Encryption solutions safeguard digital content from unauthorized users and online piracy. A good partner will apply robust encryption algorithms to protect your content during storage, transmission, and playback.

License Management: License management systems handle the creation, issuance, and management of DRM licenses. These systems ensure that users have the necessary permissions and rights to access your protected content.

Rights Enforcement: These mechanisms enforce usage rights defined by DRM licenses. This may involve restricting the number of devices on which your content can be accessed, enforcing time-limited access, or controlling the ability to copy or share content.

Analytics and Monitoring: DRM providers offer analytics and monitoring tools to track content usage, detect potential breaches, and gather insights into user behavior.

Recommended DRM providers from our partner network

Irdeto

Irdeto is a global industry leader in digital platform security, catering to businesses in video entertainment, video games, connected transport, and IoT connected industries. They empower customers to safeguard their revenue, innovate with new offerings, and combat cybercrime effectively. 

With 50 years of security expertise, Irdeto currently protects over 5 billion devices and applications for renowned brands worldwide. Their stated mission is to create a secure future, enabling people to embrace connectivity without compromising on safety and trust.

NAGRA

NAGRA, the digital TV division of the Kudelski Group (SIX:KUD.S), specializes in offering comprehensive security and multiscreen user experience solutions for the monetization of digital media. 

Their expertise lies in equipping prominent content providers and digital TV operators across the globe with secure, open, and seamlessly integrated platforms and applications for broadcast, broadband, and mobile platforms.H4: Verimatrix

Verimatrix

Verimatrix stands as a global provider of trusted security and analytics solutions, dedicated to safeguarding devices, services, and applications across a wide range of markets.

Countless service providers and industry innovators place their trust in Verimatrix to protect the essential systems that people rely on every single day. 

Verimatrix offers user-friendly software solutions, cloud services, and advanced silicon IP, ensuring robust security measures and empowering businesses with valuable insights and intelligence.

PallyCon

PallyCon, powered by INKA ENTWORKS, is a pioneering industry leader providing the first cloud-based SaaS solution for comprehensive content security.

Their end-to-end solution encompasses a wide range of features including Multi DRM, Forensic watermarking, Visible watermarking, Anti screen capture, Anti-piracy services, and App security, all seamlessly integrated into a single workflow. 

With over 20 years’ of experience in content security, PallyCon empowers customers to safeguard their revenue with a scalable, globally accessible, reliable, and cost-effective solution.

Intertrust ExpressPlay

Intertrust ExpressPlay provides a suite of protection and anti-piracy services designed for rights owners and distributors of both live and VOD content. 

Their cloud-based ExpressPlay Media Security Suite offers solutions such as the ExpressPlay multi-DRM service, ExpressPlay XCA broadcast security solution, and ExpressPlay Anti-Piracy and Watermarking services. 

They are known for their scalability and are trusted by major OTT streaming platforms worldwide. Additionally, ExpressPlay DRM Offline ensures secure streaming of premium content through an offline multi-DRM platform.

EZDRM

EZDRM is an expert in Digital Rights Management as a Service (DRMaaS), providing all-in-one solutions for safeguarding and monetizing video content. They have been around since 2001. 

They use a hosted and managed multi-DRM offering designed to simplify the support for live, on-demand, downloadable, and offline video delivery services. They are very flexible when it comes to accommodating various business models. 

Their Universal DRM combines Google’s Widevine and Microsoft’s PlayReady using Common Encryption (CENC) over DASH, alongside EZDRM’s Apple FairPlay Streaming. 

BuyDRM

BuyDRM is a prominent provider of Content Security Services, catering to industries such as entertainment, education, enterprise, and hospitality. 

Operating under OVHcloud, BuyDRM’s KeyOS content security platform is used widely by well-known brands in the media and technology sectors. 

They are very experienced at implementing commercial content security solutions and media technologies and have a good track record with major brands including ABC (Australian Broadcasting Corporation), AMPAS (The Academy), Blizzard Entertainment, Cinedigm, Crackle, Crunchyroll, Daily Rounds, Deluxe Digital, EPIX, FuboTV, POPS Worldwide, Rakuten Viki, Redbox, SBS Belgium, Sinclair Digital, and Zee5.Crunchyroll, Daily Rounds, Deluxe Digital, EPIX, FuboTV, POPS Worldwide, Rakuten Viki, Redbox, SBS Belgium, Sinclair Digital, and Zee5.

Axinom

Axinom is a well-known provider of digital solutions, catering to major brands in the media and entertainment industry. 

Their OTT portfolio encompasses content management (CMS), DRM, and pre-built reference applications (Apps) for on-demand, live event, and live linear content. 

Axinom can deliver a comprehensive solution that covers the entire workflow, from video acquisition to delivery across various devices such as HTML5, iOS, Android, Windows 10, Xbox, set-top boxes, and Smart TVs. 

Axinom’s focus is on building the next generation of OTT video solutions that ensure a swift time-to-market.

Friend MTS

Friend MTS is a trusted provider of content security solutions for media and entertainment companies. 

Their advanced services encompass comprehensive measurement, monitoring, detection, and disabling of content piracy. By offering a holistic approach to combating online piracy, Friend MTS provides businesses with a clear understanding of the constantly evolving piracy landscape. 

They proactively stay ahead of sophisticated online piracy behavior and technologies, ensuring that revenue can grow and creativity can flourish in a secure environment.

DRM Case Study: fuboTV Enhances Viewer Experience and Content Security with DRM Integration

Client Background

fuboTV, a prominent Live Sport OTT provider with over 65 channels, competes with traditional pay TV offerings by streaming highly demanded sports content. In an intensely competitive marketplace, fuboTV prioritizes delivering a high-quality viewing experience to retain their valued viewers.

Challenge

To safeguard their valuable content and maintain superior streaming quality, fuboTV recognized the critical need for robust DRM solutions. Their objectives included implementing DRM technologies, managing encryption key initialization, protecting content across multiple IP addresses, and ensuring seamless playback regardless of the number of times viewers accessed the content.

Solution

fuboTV partnered with Bitmovin, a leading video technology company, to address their DRM requirements comprehensively. Bitmovin provided a cross-platform Video Player, cloud-based encoding, and encryption services through the Bitmovin Encoding Service. The integration involved utilizing BuyDRM’s KeyOS Encryption Key API for encryption key initialization and the KeyOS MultiKey multi-DRM service for content protection. To securely deliver content across nine Showtime channels, fuboTV leveraged Zixi Feeder technology.

Collaboration and Implementation

The collaboration between fuboTV and Bitmovin was characterized by close cooperation and efficient communication from the first time their development teams came together.

Bitmovin’s engineering team seamlessly integrated with fuboTV’s internal team, resulting in streamlined workflows and rapid implementation. The use of Bitmovin’s Video Player provided unparalleled control and flexibility, surpassing competing players in the market. With careful attention to detail, the implementation ensured a significant improvement in user experience compared to the previous player used by fuboTV.

fuboTV Testimonial

Through the successful integration of DRM solutions provided by Bitmovin and BuyDRM, fuboTV significantly improved the viewer experience, ensured robust content security across multiple IP addresses, and addressed the challenge of initializing encryption keys. Moreover, the implementation enabled seamless playback, regardless of the number of times viewers accessed the content.

“Bitmovin’s engineering team has been great to work with. We were able to rely on them to become an extension of our engineering team. Bitmovin gives us greater control over the player than any other player in the market. We were able to get our implementation to production with markedly better experience than our previous player. We’re looking forward to exploring more ways to work together.

– Sung Ho Choi (Co-founder, fuboTV)

Source

As a result, fuboTV strengthened their position in the OTT market and continued to deliver exceptional sports streaming services to their loyal audience.

Conclusion

Clearly, digital rights management is a complex subject with no one-size-fits-all approach. But it is an essential part of the video workflow for anyone looking to protect or monetize their digital video content. It’s an area of continuous development as those intent on piracy look for new ways to circumvent your content protection for their own gain.

Fortunately, Bitmovin has the experience, expertise, technology and network of partners to keep you several steps ahead. Get in touch with us to discuss your specific requirements and let us do some of the heavy lifting when it comes to DRM.

Originally published June 2019, this blog was updated July 2023 with the latest information.

---

DRM FAQS – Commonly Asked Questions About Digital Rights Management 

How does a DRM work?

DRM prevents unauthorized use of works by encrypting the segments of a stream so that they can not be played back without acquiring an authentication license first.

Who uses DRM?

DRM is widely used across various industries to protect digital content from unauthorized copying and distribution. Industries such as media and entertainment, gaming, publishing, software, education, and government agencies rely on DRM to safeguard their content and intellectual property rights.

What still uses DRM?

DRM is used in almost all major online video platforms, but also on CDs, DVDs or BluRay Discs.

Does Netflix use DRM?

Yes, Netflix uses DRM, most likely Widevine, PlayReady and Fairplay.

What does DRM mean?

DRM stands for Digital Rights Management.

What is an example of DRM?

One example of DRM is the copy protection used on DVDs or the protection used by Netflix.

What is DRM licensing?

DRM licensing refers to the process of obtaining licenses from DRM (Digital Rights Management) providers to utilize their technology and services for digital content protection and distribution.

What is the problem with DRM Software?

DRM (Digital Rights Management) has faced criticism due to concerns around restrictions on user rights and limiting the ability to enjoy purchased content. It can lead to compatibility issues and vendor lock-in, limiting user choices. Digital rights management systems can also become obsolete, making it difficult to access purchased content in the future. Balancing the need for content protection with user rights and freedoms remains a challenge in the ongoing DRM discussion.

What is DRM technology used for?

Digital Rights Management technology is used to prevent content from being multiplied without the permission of the content’s right holder.

What are the pros and cons of DRM?

DRM systems can be used to prevent unauthorized copying of protected content. But it adds additional complexity in the encoding, distribution and playback of the content.

How do you get DRM?

DRM workflows are usually implemented in the encoding process.

What are some reasons why DRM is not effective?

DRM systems usually require some hardware support. If those DRM systems are implemented in hardware, and that hardware cannot easily be updated, once a system is broken, it can’t easily be patched. This is why you can easily copy a DVD nowadays. As web based players must be online to function, and can therefore usually be updated easily, that is not a big concern for video playback on the web.