A Canadian computer scientist’s research could provide a way for Netflix Inc. to shut down “content tourists” who use masking software to gain access to the service’s full content library.
AbdelRahman Abdou, a postdoctorate at the Carleton University Computer Security Lab, has been working in an area known as network measurement that attempts to map the physical properties of the Internet in order to confirm a user’s location. And he says his method could provide a more effective way for the streaming service to crack down on users intentionally accessing movies and TV shows not available in their countries, circumventing its user agreement.
Currently, most attempts at creating content geo-blocks online use the Internet protocol address of the user. But IP addresses are not permanent things with fixed GPS co-ordinates.
“The Internet was never designed to provide this facility, and any technique that we use nowadays is kind of a patch,” Mr. Abdou says. As Netflix has known for years, IP addresses can be easily faked using widely available proxy and virtual private network technology. The common practice is to block fraudulent addresses, but as Neil Hunt, Netflix’s chief product officer, said at the 2016 Consumer Electronics Show in Las Vegas in January, that’s no easy feat: “It’s trivial for them to move to a new IP address and evade.”
Later that month, however, David Fullagar, Netflix’s vice-president of content delivery architecture, declared war on these proxy systems as part of Netlfix’s global expansion. Since then, there have been dozens of anecdotal reports of subscribers who were flagged with messages such as “You seem to be using an unblocker or proxy. Please turn off any of these services and try again.” Many also report being able to restore service without changing proxy providers.
Mr. Abdou’s PhD research breaks that endless game of Whac-a-Mole because it does not rely on identifying features that software can replicate. “Let’s lessen our reliance on client-submitted information. Let’s accurately measure metrics from the network itself,” he says.
His research shows that a system could determine that – as a non-scientific example – a five-millisecond delay should be expected when data are being sent from Toronto to North Carolina. That’s because data travel across fibre-optic and copper cables (or wireless radio waves) at knowable and verifiable speeds. If requested data arrive in “Toronto” in twice the time it should take (perhaps because the user is actually in China on a virtual private network or VPN), network measurement would flag that as a fake destination.
While Mr. Abdou’s research is academic and he does not license it to companies, much debate surrounds the drawbacks of technology like his.
Netflix declined to comment on details of its own plans to end region spoofing, although Mr. Fullagar did write that “technology continues to evolve and we are evolving with it.”
Philip Molter, co-chief technology officer of VyprVPN, which has users in over 195 countries and server clusters in North America, Europe, South America and Asia, says Netflix is fighting the wrong war and that VPNs are not the enemy.
Vypr users have reported Netflix blockages, but still more have trouble connecting to streaming services such as Hulu and online gambling sites, which employ far stricter blacklists and will go so far as to compare web browser logs to see if you’ve ever visited the site from an unsupported territory. “If [Netflix is] taking a blacklist approach, it hasn’t been a very good one,” Mr. Molter says.
“There is a very large market of legitimate use of [VPNs]. We’ve always focused on it as a security and privacy feature, though like any [Internet service provider], we want our customers to have access to everything that’s available,” he says.
Netflix has been accused of turning a blind eye to proxy services in the past. In Mr. Molter’s experience, many of his users employ proxies to evade their local ISP’s efforts to throttle, or slow down, streaming video traffic on their networks. Netflix has engaged in high-profile fights over throttling, and has even cut cash deals with major U.S. ISPs like Verizon to stop the practice.
IP blacklisting can cause unintended problems for Internet subscribers – particularly when a VPN address is abandoned and the new owner is blocked through no fault of their own – but Mr. Molter is not convinced network measurement (Mr. Abdou’s approach) is a good replacement. He warns that something as simple as network congestion could give a false positive in a location test.
Research on network measurement has been around for close to a decade, but the main goal of Mr. Abdou’s work has been to address its remaining flaws. In a paper he published last year, called Delay-based Location Verification for the Internet, he writes: “We avoid those vulnerabilities. We came up with a location verification, versus location identification.” In other words, they don’t have to know exactly where you are to know you’re not where you say.
One reason the technology isn’t used by the industry’s biggest players has to do with speed.
“We do not use augmentations such as network measurement when a customer makes an IP geolocation request,” says Jason Ketola, vice-president of operations at MaxMind Inc., a provider of IP intelligence and online fraud detection tools to 5,000 companies.
“Such augmentations would increase the time required to return a response, and our customers almost universally want as fast of response as possible so as not to delay delivering content. Web companies don’t want to irritate their customers by slowing down their page load times or access to content.”
But Mr. Abdou says those problems can be mitigated.
“It would be a bit slower to measure delays but within practical limits, possibly in the range of one to two seconds,” Mr. Abdou says. “In the case of Netflix, for example, those two seconds of measurements could take place in the background as the user initially scrolls through the list of available media deciding on what to watch.
“As this conflict escalates, people will look into techniques like those.”Report Typo/Error