Streaming Wars Episode III
I've figured out a way Netflix can appease the vast number of people using privacy tools such as VPNs, whilst keeping their noses clean with the distribitors they buy content from.I'm a regular user of VPNs - I have a policy which excludes open traffic on the UK data networks, and even when I'm not using a VPN I'll use some form of secured (and authenticated) DNS. It's not because I would be doing anything unlawful - I'm a law abiding citizen - but the companies that operate our networks are thriving on our meta-data, filtering our content and injecting malvertising into our web pages and mobile apps.
If you own a second home you want to rent - do you furnish it and offer it for free? No. Your renters pay you rent and then pay their own utilities in most cases. Why should that be different for use of our personal data and meta-data? Data is not "property" in the eyes of the law, but consent to use that data can be deemed as much of a commodity as the subscription services we regularly use. Such as Spotify or Netflix.
You don't own your Spotify or Netflix titles, you effectively rent the right to view them. No different to renting the right to use your personal data or meta-data to companies that use it for profit.
Perhaps four years ago I remember being able to use VPNs to access my regular content on Netflix largely without issue. I'd occasionally see a "You're using a proxy or unblocker" error and have to connect to another VPN server or service.
As the years progressed Netflix were largely forced into a more proactive stance by the film distribution companies, in order to ensure that those market (country) distribution rights were being enforced. Distribution companies make their money by selling distribution of their films in each market e.g. country or region, to the highest bidder in that region. If all regions paid the same slice on a pay-per-view they would lose premium essentially.
Netflix then embarked on an aggressive policy of enumerating as many VPN server IPs as possible - I suspect they buy accounts with many VPN services and catalogue any new IPs. They also watch to see if you stream from one IP then another IP in quick succession. Using probability calculations and geo-IP databases it's easy to work out which is the most frequently used home location, and which are the unusual (out-of-region) IPs. Finally I suspect the Netflix desktop and mobile apps look for network connections associated with VPN. For OpenVPN that's relatively easy as the default is a tun0 adapter. IKE v2 is a little more complex but just as detectable. If your VPN solution DNS leaks, or the DNS servers you're using are known VPN-provider DNS, I'm sure that is factored into the detection algorithm.
You may remember that Netflix then started investing heavily in paying for it's own content to become it's own production and distribution organisation. When pressed for answers about why Netflix continues to block VPN access back to your own country when abroad, or blocks VPN access on hostile networks; you will reach a wall of silence. In one of the help.netflix.com pages it does describe some of the complexities of the distribution (inc. streaming) agreements, which explains some of the inconsistencies for "Netflix Originals".
Basically Netflix has partially adopted the broken distribution rights model, in selling streaming rights to it's own content to other streaming providers. So in some countries you won't be able to see Netflix Originals on Netflix, perhaps you might on Sky or Apple TV.
For me this isn't an answer to the question: "why are you blocking subscribers using privacy tools such as VPN?"
I think there's a simple solution, and one that will help Netflix get an upper hand in the recently started Streaming Wars.
The Solution
When you sign up for an account, you provide a handful of details. The level of information is good for privacy advocates because it isn't burdensome, nor does it require irrelevant information.You need a username (email), password and payment card. The card can be either a credit or a debit card, and must be authorised with the provider before use.
So if I were to operate the billing department I would then know the following:
- The domain name of the email address, and which country it's registered
- The country of origin of the payment card and it's provider name
Netflix store the card PAN, expiry date and CVV too. From the PAN I can identify the provider and country before I hash and store. I could probably ask the payment gateway API to provide me that information without me having to do it myself - that way I would reduce my compliance requirements for PCI-DSS.
Therefore... I know which country the billing account is based in. Why not associate the account with a home region (my country)? That way if I detect the user to be using a VPN I can restrict the available content to Netflix Originals which Netflix have rights to stream everywhere, and perhaps Originals content Netflix have rights to stream in my home region.
I could still view content from outside my home region if, for example, I was on hols in Spain and using Netflix without a privacy tool (c.f. proxy / VPN). I would be watching the Spanish Netflix library.
Although this dramatically reduces the amount of content I can view whilst using privacy tools, it means everyone is playing by the rules.
We can then also accept the added bonus that people in other countries can't take advantage of geo-unblocking capabilities to view content which breaches the distribution / streaming contracts.
Surely that's a win-win for everyone?
