The Password Sharing Problem – A Paradox
Password sharing has happened to me on at least two different occasions, and I’m certain it has happened to you too. See if this story is familiar to you. A family that had recently purchased a smart TV asked to use the service, Netflix – they were not fond of using credit card transactions. In underdeveloped countries, people being afraid of using their credit card is quite common. The second instance was during my master's course, where I had purchased software that would ease the transcription of documents and the process of writing the dissertation. A friend wanted me to share it to ease his burdens. On both occasions I didn’t feel bad. I don’t think anybody does.
Recent research shows that the younger the audience, the higher the probability that one shares his password. A millennial is 35% more likely to share his password, whereas 19% of Generation X and 13% of Baby Boomers will do the same. Being a Generation Y dude, or in other words a millennial, I’m apparently genetically predisposed to share my password (sic).
Working for the Pay-TV industry, I’m led to wonder and ask: Is this really a problem? If it is, how can it be solved?
Determining the problem
Netflix is expected to close 2019 with over 155 million subscribers worldwide. The ever-increasing share of users who share their credentials is at 10%. In practical terms, with an average ticket of nearly $10 (15.5 x $9.95), Netflix is losing 155 million dollars per year in revenue.
Netflix caused the TV industry to modify itself to catch up with the new type of consumer. Amazon came next, and after that dozens of “Watch Everywhere” platforms that enable one to watch his favorite show. In essence, if there is a channel, there is an app to watch it. But that is not all. The TV operators also have their own place for users to log in and watch movies and TV shows. The programmers (those that create the content) partnered with the TV/Internet operators (those that distribute the content) to bring entertainment close to the end users.
Each one of these “nodes” has its own access conditions: 3 simultaneous devices, 10 simultaneous sessions and so on. If you consider that a family account is shared with one of the children to be used in college, that is not a problem. But the problem seems to arise when one considers the number of concurrent sessions given by the platforms when they are stacked. If you go to Twitter, for example, and perform a simple search, you will find numerous cases where people request and are given each other’s passwords. That keeps circling until it reaches its limit (none). It is not uncommon to see a single credential used by no fewer than 50 different people.
It is piracy! People are consuming a service they have not paid for, and it is causing the industry damages in the order of billions. According to Parks Associates, the TV industry’s losses from password sharing are expected to rise to $9.9 billion by 2021 from $3.5 billion this year.
Crap! Are the channels devaluing their product by allowing multiple logins or are they actually promoting it? It seems to be an interesting paradox.
Finding the Solution
If the operators and channels transform the login into a cumbersome process with too many steps, it will drive customers away. At some point the executives of such companies have done the math between the losses from password sharing versus the losses from stopping it and stimulating other forms of piracy. It is indeed risky! If it becomes crazy expensive and restrictive, nobody will sign up. How to find the balance? Netflix, Amazon and a few others have accepted it as the occupational hazard of being in the new era. How can they grow despite this problem? Is it a matter of calculated risk? Or are the benefits bigger than the damages? Or, on the contrary, is it not that they are doing nothing, but that they are doing just enough to keep the balance?
It is clear to me that the matter is not about feasibility but about its impact. It is more about user experience than security. Note that we have not even touched on the fact that a portion of these users are using the same password for more than one service, including the important ones. Apparently nobody cares.
Then, for the sake of being practical, let's consider that those CEOs have decided to fix the problem but also keep the number of concurrent sessions high. We also have the challenge of not turning the user experience into a boring multi-step authentication. What can be done? The most popular solutions out there revolve around the following:
- Maximum number of concurrent streams
- Device session control
- Geoblocking with VPN detection
Machine learning, curiously, has not been widely used to prevent this. Machine learning and AI could be used, for instance, to identify user consumption patterns. The regular user demonstrates certain habits in media genre, length, time of day and so on. The absence of a pattern from a frequent login could also be an indication of misuse. The device ID in conjunction with geolocation calculations could also be used to determine whether users are way too far from each other or in a location that does not match the identified profiles of that account.
The advantage of using machine learning to construct user behavior patterns is that the model will automatically change along with the user's taste, unlike a hard-coded algorithm that would have to be manually updated. Other sources of data could also feed the learning database, such as zip code, payment address, device type (Android, iOS, Smart TV) and many others.
Well, the technology is available to be used. There is a cost in usability and also a cost in security, which have to be balanced to compose the best solution. Companies in the early stages of an OTT launch seem to be more lenient towards password sharing, as it is perceived as a way of promoting the new business; however, as the business and interest grow, the opinion towards that 10% loss changes radically.
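The device ID and geolocation check described above can be sketched as follows. This is an added example, not code from any streaming platform, and it uses fixed thresholds rather than a learned model; the `Session` fields, both thresholds and the sample sessions are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import combinations
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds for illustration; a real service would tune or learn these.
MAX_SPEED_KMH = 900.0  # faster than a commercial flight: not the same person
MAX_DEVICES = 5        # hypothetical budget of distinct devices per account

@dataclass(frozen=True)
class Session:
    account: str
    device_id: str
    ts: float   # login time, epoch seconds
    lat: float
    lon: float

def haversine_km(a, b):
    """Great-circle distance between two sessions, in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def sharing_signals(sessions):
    """Return {account: [signal, ...]} for accounts that look shared."""
    by_account = {}
    for s in sessions:
        by_account.setdefault(s.account, []).append(s)
    findings = {}
    for account, items in by_account.items():
        signals = []
        devices = {s.device_id for s in items}
        if len(devices) > MAX_DEVICES:
            signals.append(f"devices:{len(devices)}")
        for a, b in combinations(sorted(items, key=lambda s: s.ts), 2):
            hours = max((b.ts - a.ts) / 3600.0, 1 / 60)  # floor at one minute
            # Two different devices whose logins imply an impossible trip.
            if a.device_id != b.device_id and haversine_km(a, b) / hours > MAX_SPEED_KMH:
                signals.append(f"impossible_travel:{a.device_id}->{b.device_id}")
        if signals:
            findings[account] = signals
    return findings

# Constructed sample sessions (not real telemetry).
SAMPLE = [
    Session("family", "tv-1", 0, -23.55, -46.63),        # Sao Paulo
    Session("family", "phone-1", 7200, -23.50, -46.60),  # same city, 2 h later
    Session("shared", "tv-9", 0, -23.55, -46.63),        # Sao Paulo
    Session("shared", "laptop-3", 1800, 38.72, -9.14),   # Lisbon, 30 min later
]
```

Calling `sharing_signals(SAMPLE)` leaves the family account alone and flags only the account whose two devices logged in from different continents half an hour apart.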