Iniquitous Cord-Cutting: an Analysis of Infringing IPTV Services

2019 IEEE European Symposium on Security and Privacy Workshops

Iniquitous Cord-Cutting: An Analysis of Infringing IPTV Services

Prakhar Pandey∗, Maxwell Aliapoulios∗, Damon McCoy∗ ∗ New York University

Abstract— Large scale, subscription based, Internet Protocol illegal content distribution, which until now has been a gap in Television (IPTV) media piracy is occurring despite current copy- this literature. Lastly, we discuss the ongoing legal intervention right enforcement efforts. Cybercriminals are abusing legitimate efforts undertaken largely by the companies whose content is services to setup and maintain illegitimate business operations offering pirated media content on a subscription basis. Due to being infringed upon by these illicit services. The goal of our the underground aspect of these pirated IPTV operations, these study is to provide a lens into how these illicit providers are services are not well understood and so current enforcement able to exist and operate under the shadow of copyright law. action against them appear to not be effective. In this paper, In summary, the main contributions of this work can be we empirically measure the network infrastructure, payment, described as the following: and order intermediary services that are used by a subset of the infringing IPTV ecosystem. We demonstrate how the • We provide an analysis of the ecosystem architecture of measurements we make in this paper give insight into the business subscription-based illegal content distribution. behind subscription based pirated media. Lastly, we show how • We provide an economic analysis of the revenue streams these measurements can lead to potentially more informed policy accumulated by bad actors providing pirated content. decisions and intervention measures against subscription based • IPTV piracy. We highlight the third-party software, hardware, and Index Terms—IPTV, cybercrime, media piracy other services like CDNs and payment processors, that subscription-based illegal content distribution relies on. • I. INTRODUCTION We evaluate the efficacy of ongoing efforts to disrupt these infringing media distribution services and suggest Illegally streaming or downloading online content has be- a streamlined intervention process. come a thriving industry that makes up a large part of the The remainder of this paper is structured as follows. Section cybercrime economy [4], [11], [17], [25], causing financial II discusses related work in this area, its shortcomings, and losses in the hundreds of billions [32]. Some of the services touches on how this research fits into the larger picture. Section providing free live streaming attract millions of viewers every III presents the structure of the infringing ecosystem and month [29]. Despite copyright enforcement efforts [20] and touches on the ethical and legal aspects of these services. Then better methods of detecting this piracy [26], the criminal section IV presents our methodology of discovering infringing ecosystem still exists and continues to grow. IPTV services and V presents our analysis of the illicit IPTV Although there have been efforts to thwart free media subscription based ecosystem. Section VI describes some in piracy activity, little is known about the subscription-based depth case studies of several pieces of the infringing archi- infringing content distribution business models. In Thomas et tecture. Finally section VII provides some insight into the al. [39] researchers argue that security practitioners need a limitations of our study, the inefficacy of existing methods to clear framework for investigating the cost and infrastructure disrupt these practices and suggests a streamlined intervention behind internet crime and without one, there is no basis to process. We conclude in section VIII. evaluate intervention strategies. In this regard, we researched the distribution hardware and software architectures, and the II. RELATED WORK economic value chains of these pay-to-pirate illicit media We provide some of the related work to our study in the distribution services. areas of infringing streaming services and more generally in Our main motivation in studying subscription based illegal studying cybercrime. content distribution is three fold. First, we want to bring awareness to the complex inner workings of these services. A. Infringing Streaming Services This includes all the third-party services that they depend on One of the initial academic studies of free ad-supported to continue their illicit media distribution operations, such infringing streaming sites found that they expose visitors as middleware hardware and software, major CDNs, and to advertising networks which attempt to exploit users or online payment processors. This understanding allows us to social engineer them into installing malware and unwanted shine a light on the challenges that these bad actors have to sotfware [29]. A followup study of infringing sports streaming overcome in order to deploy these systems, and the gaps in websites found that they include more trackers than legitimate security practices that allow them to exist. Second, we want sports streaming websites [38]. We found that most paid sub- to estimate the economic activity around subscription based scription based infringing services do not include advertising.

© 2019, Prakhar Pandey. Under license to IEEE. 423 DOI 10.1109/EuroSPW.2019.00054 Ibosiola et al. [31] found that the free ad-supported On- as subscriber management, billing, and reporting. This mid- line Video Piracy (OVP) is centralized and that copyright dleware software also provides IPTV output streams. These enforcement only targets a small subset of the ecosystem. We services can come as suites of any combination of content found similar results in our study of paid subscription based acquisition, management, and media delivery services. infringing IPTV services. A key limitation of these previous Sellers Sellers operate websites which sell infringing IPTV studies is their focus on free ad-based services. To the best subscriptions to end-users and resellers. These sellers manage of our knowledge ours is the first to study paid subscription advertising and establish accounts with third-party payment infringing IPTV services. channels, customer support services, and infringing media providers. Some sellers vertically integrate the customer sup- B. Cybercrime port services or backend infringing media infrastructure. The Prior work has demonstrated that understanding the stake- seller then provides the infringing media to end-users and holders [36] and economics of cybercriminal enterprises [18] resellers in the form of m3u playlist files, custom desktop can lead to discovering improved intervention points [23], applications, mobile applications, Kodi boxes, Amazon Fire- [37]. Our study of paid subscription infringing IPTV services sticks, or smart TVs. is motivated by this prior work. Resellers Resellers typically purchase credits from sellers The methodologies used in our study are based off several and then sell the IPTV connections to end-users. Resellers prior studies focused on understanding the economics and do not purchase or create the infrastructure themselves to technical aspects of cybercrime [39]. Kanick et al. [33] was the pirate the media but instead purchase subscriptions from larger first to propose the purchase-pair method for revenue based es- sellers and resell them to end-users. A reseller’s primary focus timation in their study of illicit pharmaceutical sellers. Karami is on advertising and establishing a reliable set of payment et al. [34] purchased subscriptions for DDoS-for-hire services channels. to obtain measurements of their technical infrastructure. To End-Users These are the customers that purchase infringing the best of our knowledge, our work is the first to use these IPTV subscriptions from sellers or resellers. methods to present an economic and technical infrastructure B. Content Delivery Methods analysis of the subscription-based infringing IPTV ecosystem. End-users use various applications to play the content. For III. BACKGROUND communicating the source of media streams to the applications, there are generally three different mechanisms we have In this section, we provide key terminology and background observed to be used: about infringing IPTV services. We introduce the key stake- m3u File When the output stream format is chosen to be holders and the customer acquisition methods of infringing MPEG-TS then m3u files have been observed to be used for IPTV services. We finish this section by describing our ethical delivery. m3u (MP3 URL or Moving Picture Experts Group and legal framework for this study. Audio Layer 3 Uniform Resource Locator) files are multi- A. Stakeholders media playlists containing all of the TV Channel information and links to the streams in a format which many multimedia Creating infringing subscription based content delivery ser- players like VLC media player can understand and play. Figure vices involves a number of different stakeholders. The rela- 2 is an example of the content of an m3u file. tionship between these parties is illustrated in Figure 1 and m3u8 File In this case, a service provider asks the user described below. This diagram is not meant to depict the only to download and install a custom application as per the set-up available for streaming infringing content, but it is a operating system or device of the user. Instead of providing common configuration that we have observed in the wild. the playlist file to be directly downloaded, these files are used Media Providers These stakeholders take legitimate con- in network interaction between the custom applications used tent from cable/satellite/terrestrial TV and make it deliverable and a middleware server. through IP Protocol so an end-user’s set-top-box or PC can Kodi This is a free and open-source media player developed play it. They utilize a wide range of dedicated hardware and by the XBMC Foundation that does not directly include any software to deliver this service. infringing media content 1. However, there is a large ecosystem Broadcasting Servers The broadcasting server delivers un- of free and paid third-party add-ons (i.e., IPTV subscription scrambled TV channel streams to middleware after decryption service add-ons) which provide access to infringing media and transcoding. These broadcasting servers can be built using [5]. Initially, technically savvy users started installing free free or paid software packages running on general purpose infringing Kodi add-ons to access a wide range of pirated computers. There is also dedicated broadcast server hardware media. Merchants noticed this trend and started selling what which provides improved reliability and performance. We are termed “fully loaded Kodi boxes” which are normally provide an in-depth explanation of the technical infrastructure jailbroken Amazon Firesticks and other Android devices with of infringing IPTV services in Appendix A. infringing Kodi add-ons pre-installed. Middleware Providers A middleware provider creates dedicated software and hardware to handle functionality such 1https://kodi.tv/

424 IPTV Headend

IPTV Management and Delivery $

Smart card Seller or Reseller $ Card Sharing with reader $ Server Middleware Provider Operator Dashboard Mobile Apps

Satellite Broadcasting KODI End users Server $

Middleware Server Live streaming Server with Payment tuner cards Firestick Channel

Transcoder

Antenna CDN Smart TV Apps

$ Indicates where services are sold Desktop Apps VoD Media Provider

Figure 1: IPTV Architecture. The "$" indicates where in this ecosystem services are bought and sold.

#EXTM3U #EXTINF:-1 tvg-id="" tvg-name="US:HBO" tvg-logo="" group-title="USA",US:HBO http://tv.onsecc.com:6227/live/3Ta826Hqz/vhJ531emS5/16944.ts

#EXTINF:-1 tvg-id="" tvg-name="US:HBO Comedy HD" tvg-logo="" group- title="USA",US:HBO Comedy HD http://tv.onsecc.com:6227/live/3Ta826Hqz/vhJ531emS5/16949.ts

#EXTINF:-1 tvg-id="" tvg-name="Marvel's Luke Cage S02 E13" tvg- logo="http://tv.onsecc.com:6227/images/dWqB2rTdqzoHT7OhZljBfMd0n2Y_small.jpg" group-title="Series",Marvel's Luke Cage S02 E13 http://tv.onsecc.com:6227/series/3Ta826Hqz/vhJ531emS5/19691.mp4

Figure 2: m3u file containing URL of MPEG-TS files for LIVE TV and MP4 files for Video On Demand

C. Customer Acquisition Figure 3: A screenshot of paid Google adwords advertisements To increase their subscriber bases and profits, infringing for subscription based IPTV services providing pirated con- IPTV providers broadly market their services. Based on our tent. informal investigation, customers are acquired through a number of advertising and sales channels including IPTV forums, eBay, through YouTube videos providing setup instructions, services to perform some of the methodologies described in and also through targeted online advertisements such as the section V. ones shown in Figure 3. Some of the key selling points We justify the purchases by showing this methodology of these services are the expansive media content available was the only available way to derive the types of analysis including most major live sporting event through a single we performed. For example, in order to estimate economic platform for a low cost. This alleviates the need for multiple revenue, we needed to make purchases to measure order streaming subscriptions, paying for premium pay-per-view volume. When making these purchases, we always chose the sporting events, and switching between different applications. cheapest option to minimize the amount of money given to these services. In total we spent no more than $500. Most D. Ethics and Legal payments were made through PayPal and we assumed proper In order to abide by an ethical framework throughout this controls were in place at PayPal to mitigate the risk of money study, when purchasing pirated copyright materials, we always flowing to criminals. consulted with the intellectual property holder. We performed NYU’s IRB exempted our experiments involving conversa- this consultation first to ensure that they were aware when we tions with IPTV providers since they were of a transactional were required to purchase and or use illegal IPTV subscription business natures and we did not obtain any Personally Iden-

425 tifiable Information (PII). Lastly, it is important to note that A. Network Analysis although this work may present information that could point In order to discover the third-party networking providers to specific kinds of illegal conduct, it should not be used as used by infringing IPTV services we purchased a subscription proof in any sort of trial or conviction. Establishing any legal to each of the 12 infringing IPTV services selected using proof of criminal activity was not the goal of this work. the method described in the prior section. We then requested both live IPTV (i.e., news broadcasts and sporting events) IV. INFRINGING IPTV SERVICE DISCOVERY and prerecorded Video on Demand (VoD) media (i.e., movies This section describes how we selected the sets of services and TV episodes) which enabled us to obtain the domain to study for our network, payment, and revenue estimation names and IP addresses hosting the media. We could then analysis. link the observed domain names and IP addresses to CDN and Our infringing IPTV service discovery method starts by hosting providers. We performed these measurement between acting in the same way customers would and searching for September and October 2018 and in February 2019. IPTV subscription services. We started with an initial set of Table I displays the different network infrastructures utilized IPTV services returned as the top results of Google keyword by the infringing IPTV providers. There are 11 networking searches such as "IPTV subscription". However, some of these providers and some overlap between IPTV services. The two are legitimate IPTV services and some are infringing. This most prevalent hosting providers are Datacamp and World- means that we need a method for distinguishing which IPTV Stream. Only four infringing IPTV services used CDNs, but services are infringing. they all used Akamai. This indicates that, in terms of hosting We selected HBO content to serve as a litmus test for providers, there are likely many options, but for lower latency determining whether a service infringes directly or indirectly CDNs there might not be as many options. by allowing distributors to use their services. This is because an HBO subscription is only available through one of the Network Provider IPTV VoD following methods: 1) HBO NOW subscription, 2) HBO On Demand and HBO GO, or 3) Digital subscription through CDN Hosting Hosting Amazon, Hulu, DIRECTV NOW or Playstation Vue. There- AKAMAI 4 -- fore, if a seller or reseller is providing HBO content, we can BAREFRUIT - 1 - be fairly confident that it is obtaining the content via methods CONTABO - - 1 which infringe copyright. DATACAMP LIMITED - 44 Our networking and revenue estimation methods both re- DIGITAL OCEAN - 2 - quired purchasing subscriptions which limited the number of LEVEL 3 COMMUNICATIONS - 2 - services we could include in our study. We identified twelve NETERRA - 1 - services for the network and payment processor based analyses that were infringing and showed up in the top results of our ONLINE SAS - 2 1 searches. OVH - - 1 We selected a smaller set of four services for the revenue UK SERVERS - 1 1 estimation analysis. Although there is overlap between the WORLDSTREAM - 2 4 two sub-sets of services identified, we were constrained when selecting services for our revenue estimation analysis. We Table I: This table depicts which CDN and hosting providers excluded IPTV services that offered free trial subscriptions are used for IPTV or VoD services across 12 different IPTV since this would prevent a lower-bound revenue estimation. services. The infringing IPTV services also needed to continue operating long enough for us to place a followup purchase. We B. Payment processors acknowledge both lists are not a comprehensive set but rather a small sample of the services available. Furthermore, each of Our payment processor measurements are based on the same the twelve IPTV providers are highly likely to be infringing 12 infringing IPTV services as our networking observations. copyrights based on our litmus test. Infringing IPTV services accept a wide range of payment methods as shown in Table II 2. However, all 12 services V. A NALYSIS studied accepted credit card payments directly or through a third-party, such as PayPal. Only three of the services ac- Our analysis of subscription-based infringing IPTV ser- cepted cryptocurrency payments. This high usage of regulated vices focused on understanding three components. The first payment methods such as Visa and Mastercard indicates that two components were focused on measuring the third-party there is likely not much intervention pressure being placed on network services and payment channels utilized by these payment processing for infringing IPTV services. Prior studies subscription-based infringing IPTV services. The final analysis was focused on estimating the revenue generated by these 2Some services accepted multiple payment channels which is why there infringing services. are more payment channels than services.

426 have shown that disrupting an illicit service’s ability to accept to produce what we believe is a conservative lower bound payments through regulated payment channels causes them to estimate of revenue. However, there are many other factors primarily accept cryptocurrencies. However, the same study such as refunds that we cannot measure. saw this switch to cryptocurrencies was correlated with a 50% Table III shows our estimated revenue for four providers decline in revenue [22]. that we subscribed to repeatedly. We received explicit permis- sion from a content distributor to purchase these providers Payment Method No. of providers to avoid copyright issue. We estimate that some of these IPTV providers likely make upwards of $12,400 per month. Credit card 12 However, these are smaller players compared to one of the PayPal 3 largest infringing IPTV providers SET TV, which has faced VoguePay 2 legal action and is reported to have had upwards of 180,000 coinpayments.net 2 subscribers [14]. The amount of subscribers and revenue Debit card 1 indicates the demand for pirated IPTV services. OKPAY 1 Authorize.net 1 $$ Money transfer 1 $ Payoneer 1 Our Order¬ Our Order¬ Our Order¬ Bitcoin 1 Real Paymentwall 1 No. 456 No. 457 order No. 567 No. SOFORT Banking by Payssion 1 XXX Paysera (bank transfer) 1

Table II: This table depicts which payment processors are accepted by a total of 12 different IPTV services. They total more than 12 because some of the payment processors accept January 1st January 30th multiple payment methods. Figure 4: This figure depicts our methodology for estimating order volume. By consecutively purchasing the service to C. Revenue Estimation verify that order numbers are assigned sequentially, and then Our revenue estimation is based on our smaller set of waiting some time to make a final purchase, we can deduce four infringing IPTV services which were longer lived and the order number incrementation and estimate the total number excluded services that offered a free trial subscription. We use of orders in the elapsed time frame. For example consider a a technique called “purchase pair” in order to estimate revenue first purchase resulted in order 456 and 30 days later, a third by measuring how many subscriptions were sold during a purchase resulted in order 567. The calculation to measure the certain time period [33]. The high level idea of this method number of orders per day is (567 − 456)/30 = 3.7 is that if order numbers are sequentially incremented then we can derive the order volume during a period of time. If the order numbers are not assigned sequentially, then this method VI. CASE STUDIES is not effective for estimating the order volume and revenue of In this section, we discuss three case studies which repre- that service. This method works in the following way: First we sent the behavior, economic operations, and the scale of the perform consecutive purchasing of the service to determine if technology abused while streaming infringing media. In some the service is assigning order numbers sequentially. If the order cases we applied the HBO litmus test, wherein if a service numbers for our consecutive purchases are consecutive and offered HBO content we assumed that they were distributing increment by one we assume they are assigned sequentially infringing media. In other cases, we did not apply the litmus and our method can estimate order volume. For those services test because the IPTV provider was already found to have that do assign order numbers sequentially we waited some violating copyrights by court judgments. We also contacted time, and then made another purchase. We can measure the some third party end-to-end IPTV solution providers when order volume by subtracting the two order numbers and we were uncertain about the specifics of their offerings. dividing by the elapsed time period. An example of our method is depicted in Figure 4. A. Kodi Ecosystem The final step is to estimate the average order cost which can Revenue in the infringing Kodi ecosystem is primarily be multiplied with the order volume estimate to extrapolate a derived from two sources: (1) One-time payments for buy- revenue estimation [33]. Unfortunately, we do not have a good ing marked up jailbroken TV sticks loaded with infringing estimate of average order cost for infringing IPTV services. Kodi add-ons, or (2) Paying for IPTV subscriptions that are Therefore, we use the minimum subscription cost of a service connected to infringing Kodi add-ons.

427 DS S M($) S ∗ M IPTV providers D Total $ per day Total $ per month www.iptv-subscription.net 43 474 ∼11 7.38 3,498.12 81.18 2,535.8 www.iptvsubscription.us 43 9 ∼0.2 5 45 1 31 www.iptvlocal.com 20 847 ∼42.4 5 4,235 212 6,572 www.iptvsubscription.net 31 1,252 ∼40 10 12,520 400 12,400

Table III: Sample order volume analyses, based on the cheapest plan and a 31 day month. D corresponds to the number of days, S corresponds to the number of subscribers, M corresponds to the cost for the least expensive plan. This analysis began S January 26th 2018 and continued for "D" days. D is subscribers per day and S ∗ M is the lower bound total money earned for the D period of days.

Customer: ... will you mind if use my own content Customer: ... I understand that you can provide me like HBO Channels (which can be copyright with the servers, transcoders, [etc] which might be infringing in some areas). Will this be fine with required in the process. you while I use your IPTV solution? Provider: We can provide you with Hosting and we can recommend some other tools that we are using Provider: ... we don't mind if you use your own successfully for teleporting (transcoding). content, the operator is responsible for it.

Customer: ...I am not sure where I can get my Customer: ... Can you give reference of some premium TV channel streams... content providers. I have to verify the content before buying your service. Provider: ...we can provide you with the Premium channels. Setting up your own white label TikiLIVE Provider: ... we will introduce your contacts to platform is a must in order to receive the streams our network once they decide to use our platform Provider: We offer a turnkey solution, covering: hosting platform, content transportation, billing (a) and financial reports, content delivery to end users.

Customer: Will you provide me with the premium channel streams or ... hardware/software ... so that my team can generate the streams itself?

Provider: ...we provide the channels as well as assist with getting the broadcasting rights to legally distribute.

(b)

Figure 5: (a) Transcript from Mware Solutions, an end-to-end IPTV provider. (b) Transcript from contacting representatives from TikiLIVE, an Omniverse distributor.

Content right holders have initiated legal actions against service that delivered premium channels such as HBO through copyright infringing Kodi add-on developers. In November a standalone computer application. The application was strik- 2017, some developers of popular Kodi add-ons received a ingly similar in appearance to Nora Go, an app developed by ’Notice of Copyright Infringement’ by the Motion Picture end-to-end IPTV solution provider SetPlex. We estimate that Association (MPA) and Alliance for Creativity and Entertain- SET TV sold about 5,810 subscriptions per day on average. We ment (ACE) 3 after which they ceased to manage the add-on calculated this figure by the Order Volume Analysis described software. In 2018, the Federal Communications Commissions in figure 4. In 2018, Dish Network and NagraStar filed a (FCC) wrote a letter to the CEO of Amazon and eBay, joint federal court lawsuit against SET TV for copyright requesting a crackdown on the sale of these infringing Kodi infringement. SET TV was found in violation of the Federal devices [1]. Communications Act (FCA) and Dish was awarded statutory damages of $90,199,000 [7]. B. SET TV After SET TV ceased operation, we found several other SET TV was an IPTV business which provided premium IPTV providers that we suspect to be connected. Our suspicion IPTV subscriptions for $20 monthly and $200 annually. SET is based on the similarity of their network footprint, shown in TV quickly appeared to become a popular infringing IPTV Table IV, and the app they use to distribute content. Just like SET TV, the other three copyright-infringing ser- 3MPA and ACE represent a coalition of media, film and entertainment companies vices are connecting to the same IP Address 185.59.223.14

428 IPTV Provider CDN Hosting required to operate a streaming media service. Omniverse is accused of providing unlicensed infringing content to IPTV setvnow.com Akamai Datacamp (185.59.223.14) tvstreamsnow.com Akamai Datacamp (185.59.223.14) services [2]. These IPTV services redistributing content pro- vustreamtv.com Akamai Datacamp (185.59.223.14) vided by Omniverse marketed themselves as legitimate 4. bimotv.com Akamai Datacamp (185.59.223.14) Apart from this, we found that two Omniverse distributors, Table IV: This table depicts the similarity between SET TV Tikilive and NKT TV, are listed as ofﬁcial providers on and other three IPTV services which came after it. All three Sony Movie Channel website [9]. This situation of legally are still operational. This table was generated by using the licensing some content while pirating other media creates a same network analysis method described in Section V challenge when attempting to distinguish between legitimate and infringing content providers [2].

D. Mware Solutions (Datacamp) for streaming VoD content. They all use the same CDN, Akamai Technologies. Also, all three services use the Mware Solutions is a third party end-to-end IPTV solution Nora Go application by SetPlex to deliver content. provider. As part of our methodology, we contacted them to get In the case of IPTV, all three services request infringing information regarding their offerings. Figure 5 (a) illustrates media streams from the same host: tk3.fastbroad.com. The the conversation with them. The received impression post Registrant contact information derived from whois.icann.org conversation was that they turned a blind eye towards HBO for domains fastbroad.com and setplex.com are the same. In copyright infringement. This case study can be a potential the case of VoD, all three services fetch media files from the example of intermediaries not proactively addressing their host cdnvod.setv.ca. customers’ actions. However, we have to also consider the This case study shows that it is likely difficult to ensure possibility that the employee communicating with us was not that the infringing service actually has ceased operations after properly trained on this subject and that the company does successful legal action. This, combined with the low barrier of proactively address infringement issues. Although legally in entry for new actors, causes an inevitable game of whack-a- the US, Section 230 of the Communications Decency Act mole. In each case, products/services originally used by SET (CDA) largely insulates intermediaries from the illegal actions TV or developed by SetPlex were likely still utilized by these of their customers as long as they reactively respond to new infringing IPTV services. This reflects the adaptability in complaints. abuse of end-to-end IPTV solution providers. VII. DISCUSSION C. Omniverse A. Limitations One World Television (Omniverse) is a stream provider All of the results from our analysis should be consid- who likely provides infringing premium streams to distributors ered preliminary. We encountered several challenges while who deliver content to end-users. These distributors profit researching infringing subscription based IPTV services. The in two main ways: (1) Selling subscriptions to end-user, (2) first, is that we had to purchase a subscription to each Providing end-to-end IPTV Solutions to enable starting a new service that we analyzed in order to identify which networking IPTV business. Distributors then mention on their websites "In providers they were using for media delivery and to confirm Cooperation with Omniverse One World Television Inc." or that each service was providing access to infringing media. "Powered by Omniverse". The Omniverse distributors that fail This purchasing requirement constrained the number of in- our litmus test of providing HBO content are SkyStreamTV, fringing services that we could analyze. Another challenge Flixon TV, and TikiLIVE. They all provide subscription based we faced when performing our revenue analysis was that IPTV and VoD content to end-users. many of these infringing content sellers do not operate for We contacted TikiLIVE, which offers premium channels long. It is difficult to measure properties such as their revenue such as HBO and lists itself as an authorized distributor of since our purchase pair technique requires periodic purchases. Omniverse. We asked them for details about their end-to-end Therefore, the measurements of the limited and potentially IPTV solution, depicted in Figure 5 (b). In summary, they biased sample of infringing services we analyzed in this paper state that they can obtain the broadcasting rights to legally are a lower bound of the number of services that are operating. distribute content, such as HBO. Although, we have to also While our study is not comprehensive, it does provide an initial consider the possibility that the employee communicating with understanding of the potential scale and how subscription- us was not properly trained on this subject and the information based infringing media services are structured. provided does not reflect the actual company policies. In An avenue for future work could be an automated method February 2019, members of the Alliance for Creativity and to collect metadata about and analyze potentially infringing Entertainment (ACE) filed a lawsuit against Omniverse for services. Expanding this study to a larger set of infringing distributing infringing media, although the lawsuit does not services would be helpful in order to capture a wider net name Tikilive [15]. This case study describes a middle-man third-party service, 4It is unclear if these IPTV services knew that the content they were Omniverse, which offers most of the infrastructure and content provided from Omniverse was not legally licensed.

429 of potentially illicit content distributors. Our study was also al. [19], utilizing intermediaries to disrupt these operations focused on IPTV services marketed towards English speaking provides a streamlined approach. consumers. Expanding the services discovered by searching in other languages using a geographically diverse set of IP Identifying Intermediaries Content-owners can use a user addresses would result in less biased coverage of infringing complaint system to collect intelligence from investigations in IPTV services. order to identify the intermediaries used in IPTV providers Lastly, some sellers are moving toward accepting cryp- operation. We have described methods to identify interme- tocurrency as payment, which adds a new layer of payment diaries, like payment processors, CDN providers, or hosting blockchain tracking in order to measure payment activity. service providers. These intermediaries may or may not be We do not expect to see a situation where IPTV pirates aware of their participation and role in these illegitimate only accept cryptocurrency because revenue has been show operations [16]. Intermediaries may be willing to deny services to taper for criminals in those situations [22]. That being to such illegitimate operations reported by content-owners said, following cryptocurrency payments can lead to improved [33]. This might result in interruption of services for IPTV insights into who is purchasing the subscriptions and where providers and economic loss. the cryptocurrency is being exchanged to fiat [30]. For example, if the identified intermediaries are not vol- untarily willing to deny services to IPTV providers, US B. Mitigating Subcription-based Infringing IPTV Services copyright holders can use Rule 65 of the Federal Rules of Civil Previous work has highlighted the economic and ethical im- Procedure (FRCP) to obtain a Temporary Restraining Order portance of enforcing copy-right, and how for-profit infringing (TRO). A TRO can legally compel intermediaries to deny content distribution adversely affects content creators [12]. services to infringing IPTV providers. Rule 65 is potentially However, enforcement of existing laws against infringing more effective than CDA 230 or the DMCA because it is a content distribution is largely left to the rights holders. What much quicker process. Prior cases using TROs have resulted we have observed in our analysis is the likely ineffectiveness in the take down of domain names within 9 days after a filing and limitations of the current legal strategy. of Motion for a TRO [13]. However, these swift TROs are While observing the current landscape of legal interven- ex parte (TRO received without notice to defendant), which tions, we saw that Digital Millennium Copyright Act (DMCA) brings about questions of due process [19]. take-down notices and legal complaints asserting claims under Another potentially effective strategy is to make use of Copyright Act and Federal Communications Act are typically streamlined private processes for reporting infringing activ- sent out by content-owners. Recently, members of the Alliance ity. Examples of these processes are Visa’s Global Brand for Creativity and Entertainment (ACE) filed legal complaints Protection Program (GBPP) and Mastercard’s Business Risk against copyright infringing media services like SET TV, Assessment and Mitigation (BRAM) Compliance Program. Omniverse, Tickbox, and Dragonbox [2], [6], [8], [10]. Both of these programs allow trademark holders to report DMCA notices have been found to be ineffective based infringing merchants directly to Visa or Mastercard. These on studies by Boyden [21] and Goldman [27]. According to companies will then investigate the claims and take direct Boyden, in spite of DMCA notices, the infringing content action to terminate accounts and fine infringing merchants, mostly reappears. The legal complaints filed by ACE members often within 30 days [37]. Amazon and Ebay have similar against SET TV resulted in a permanent injunction where programs to remove infringing merchants from their platforms. they were required to cease all operations and hand over These streamlined private remedies can potentially have more infrastructure. Unfortunately, we observed that three other of a deterrence effect since money in the infringing account infringing IPTV services with the same network fingerprint is frozen and the merchant cannot accept future payments started operating after SET TV ceased operations. In summary, until they establish another account. However, it is unclear we can say that the aforementioned legal interventions can win if any of these methods would be more effective and it would a battle but are largely losing the war. require future studies to measure the efficacy of these alternate Our measurements of the subscription based IPTV ecosys- disruption methods in the infringing IPTV ecosystem. tem are likely not complete enough to propose potential choke points [24] for disrupting the services and thus we leave this to Working with payment processors to stop services to IPTV a further study. However, we can provide a discussion of prior operations would demotivate IPTV operations financially [28] studies and their efficacy in public and private interventions and has been effective in the past at limiting the ability methods against other similar online infringing and illicit of illicit services to accept regulated payment methods such merchants. as credit cards and PayPal [34]. Overall, a form of content Like any other business, infringing IPTV providers depend watermarking combined with a streamlined approach would on third-party intermediaries for monetization and efficient lead to more successful IPTV piracy counter measures. That service delivery. We have highlighted some important inter- being said, there needs to be a balance where due process is mediaries like hosting providers, advertising, and payment provided and validation of infringement claims is performed channels. According to a study done by Aniket Kesari et in these streamlined approaches so that they are not abused.

430 VIII. CONCLUSIONS [16] ALRWAIS, S., LIAO, X., MI, X., WANG,P.,WANG, X., QIAN,F., BEYAH, R., AND MCCOY, D. Under the shadow of sunshine: Under- In this paper we described and measured the current state standing and detecting bulletproof hosting on legitimate service provider networks. In 2017 IEEE Symposium on Security and Privacy (SP) (May of the subscription-based infringing IPTV ecosystem. Our 2017), pp. 805–823. work presents a lower bound on the scale at which these [17] AN, J., AND KIM, H. A data analytics approach to the cybercrime business operate globally. We observed that current efforts underground economy. IEEE Access 6 (2018), 26636–26652. [18] ANDERSON, R. Why information security is hard-an economic perspec- to thwart these business are likely ineffective at undermining tive. In Proceedings of the 17th Annual Computer Security Applications subscription-based infringing IPTV services. We also collected Conference (Washington, DC, USA, 2001), ACSAC ’01, IEEE Com- empirical measurements and analyzed them to depict the third- puter Society, pp. 358–. [19] ANIKET KESARI,C.H.,AND MCCOY, D. Deterring cybercrime: Focus party services that these infringing IPTV services rely on on intermediaries. In 32 BerkeleyTech. L.J. 1093 (2018) (2018). to conduct their day-to-day business. Our hope is that an [20] BALLARD, B. Premier League knocks out Wiziwig in illegal streaming increased understanding as a result of these empirical measure- crackdown. http://goo.gl/ETCjH2. [21] BOYDEN, B. How the dmca’s online copyright safe harbor failed. In ments of network and payment methods can potentially lead to George Mason University, School of Law (2014). more effective techniques of undermining subscription-based [22] BRUNT, R., PANDEY,P.,AND MCCOY, D. Booted: An Analysis of a infringing media streaming services. Payment Intervention on a DDoS-for-Hire Service . In Workshop on the Economics of Information Security (WEIS) (2017). [23] CLAYTON, R., MOORE,T.,AND CHRISTIN, N. Concentrating correctly ACKNOWLEDGMENTS on cybercrime concentration. In Proceedings (online) of the Fourteenth Workshop on the Economics of Information Security (WEIS) (Delft, We thank Melissa McCoy for her editing assistance and the Netherlands, June 2015). [24] CLAYTON, R., MOORE,T.,AND CHRISTIN, N. Concentrating correctly anonymous reviewers for their useful feedback. This work was on cybercrime concentration. In WEIS (2015). funded in part by the National Science Foundation through [25] ELSTEIN, A. Web pirates are stealing from sports broadcasters. http: CNS-1717062 and a grant from the Comcast Innovation //goo.gl/TVOxRi. [26] ENGLEHARDT,S. Automated discovery of privacy violations on the Fund. web. PhD thesis, Princeton University, 2018. [27] GOLDMAN, E. The failure of the dmca notice and takedown system: A REFERENCES twentieth century solution to a twenty-first century problem. In 3 NTUT J. of Intell. Prop. L. and Mgmt. 195 (2014). [28] GOLDMAN, Z. K., AND MCCOY, D. Deterring financially motivated [1] FCC asks Amazon and eBay to stop selling fake pay TV cybercrime. In Journal of National Security Law and Policy (2016). boxes. https://techcrunch.com/2018/05/29/fcc-asks-amazon-and-ebay- [29] HSIAO, L., AND AYERS, H. The price of free illegal live streaming to-stop-selling-fake-pay-tv-boxes/. services. 1901.00579 arXiv, 2019. [2] Hollywood tries to cripple several alleged pirate TV services in one [30] HUANG,D.Y.,ALIAPOULIOS, M. M., LI, V. G., INVERNIZZI, L., lawsuit. https://arstechnica.com/tech-policy/2019/02/pirate-tv-provider- BURSZTEIN, E., MCROBERTS, K., LEVIN, J., LEVCHENKO, K., SNO- lied-about-paying-for-licensing-hollywood-lawsuit-says/. EREN, A. C., AND MCCOY, D. Tracking ransomware end-to-end. In [3] HTTP Live Streaming. https://goo.gl/crRhm9. 2018 IEEE Symposium on Security and Privacy (SP) (May 2018), [4] Illegal streaming is dominating online piracy. https://www. pp. 618–631. businessinsider.com/illegal-streaming-is-dominating-online-piracy- [31] IBOSIOLA, D., STEER, B., GARCÍA-RECUERO, Á., STRINGHINI, G., 2016-8. UHLIG, S., AND TYSON, G. Movie pirates of the caribbean: Exploring [5] Kodi users face crackdown over illegal add-ons. https://www. illegal streaming cyberlockers. CoRR abs/1804.02679 (2018). independent.co.uk/life-style/gadgets-and-tech/news/kodi-boxes-addons- [32] KAL RAUSTIALA, C. S. How much do music and movie piracy really downloads-legal-crackdown-copyright-films-fact-a7809306.html. hurt the u.s. economy? http://freakonomics.com/2012/01/12/how-much- [6] Netflix, Amazon and studios sue Dragon Box streaming device seller, do-music-and-movie-piracy-really-hurt-the-u-s-economy/. alleging copyright theft. https://www.latimes.com/business/hollywood/ [33] KANICH, C., WEAVER, N., MCCOY, D., HALVORSON,T.,KREIBICH, la-fi-ct-netflix-dragon-box-piracy-20180111-story.html. C., LEVCHENKO, K., PAXSON,V.,VOELKER, G. M., AND SAVAG E , [7] SET TV is Ordered To Pay Dish $90 Million in Piracy Dam- S. Show me the money: Characterizing spam-advertised revenue. In ages. https://www.cordcuttersnews.com/set-tv-is-ordered-to-pay-dish- USENIX Security Symposium (2011). 90-million-in-piracy-damages/. [34] KARAMI, M., PARK,Y.,AND MCCOY, D. Stress testing the booters: [8] Set TV, the streaming service sued by Netflix, Amazon, is ’un- Understanding and undermining the business of ddos services. In WWW available’. https://www.cnet.com/news/set-tv-streaming-service-sued- (2016). by-netflix-amazon-is-unavailable/. [35] KOEMMERLING. Card sharing countermeasures, Jun 2011. [9] Sony Movie Channel Affiliates. https://www.sonymoviechannel.com/ [36] LEVCHENKO, K., PITSILLIDIS, A., CHACHRA, N., ENRIGHT, B., FÉL- affiliate. EGYHÁZI, M., GRIER, C., HALVORSON,T.,KANICH, C., KREIBICH, [10] TickBox Agrees to $25 Million Judgment in Copyright Infringement C., LIU, H., MCCOY, D., WEAVER, N., PAXSON,V.,VOELKER, Case. https://variety.com/2018/digital/news/tickbox-copyright-suit-25- G. M., AND SAVAG E , S. Click trajectories: End-to-end analysis of million-1202936712/. the spam value chain. In Proceedings of the 2011 IEEE Symposium [11] Traffic Report: Online Piracy and Counterfeiting. https: on Security and Privacy (Washington, DC, USA, 2011), SP ’11, IEEE //www.markmonitor.com/download/report/MarkMonitor_-_Traffic_ Computer Society, pp. 431–446. Report_110111.pdf. [37] MCCOY, D., DHARMDASANI, H., KREIBICH, C., VOELKER, G. M., [12] Illegal streaming and cyber security risks: A dangerous status AND SAVAG E , S. Priceless: The role of payments in abuse-advertised quo? https://cryptome.org/2014/09/illegal-streaming-malware-epoch- goods. In In Proceedings of the 19th ACM conference on Computer and times-full-14-0923.pdf, 2014. communications security (2012). [13] Luxottica Grp. S.p.A. v. The Partnerships and Unincorporated Associa- [38] RAFIQUE,M.Z.,GOETHEM,T.V., JOOSEN,W.,HUYGENS, C., AND tions. Sept 2016. NIKIFORAKIS, N. It’s free for a reason: Exploring the ecosystem of [14] Dish Network L.L.C. and Nagrastar LLC. v. Nelson Johnson, Jason free live streaming services. NDSS (2016), 1–15. Labossiere, Set Broadcast LLC, Streaming Entertainment Technology [39] THOMAS, K., HUANG, D., WANG, D., BURSZTEIN, E., GRIER,C., LLC. Nov 2018. HOLT,T.J.,KRUEGEL, C., MCCOY, D., SAVAG E , S., AND VIGNA,G. [15] Paramount Pictures Corp. v. Omniverse One World Television, inc. Feb Framing dependencies introduced by underground commoditization. In 2019. Workshop on the Economics of Information Security (2015).

431 APPENDIX cryptographic key called a Control Word (CW) [35]. IPTV pirates intercept CW so that they can use it to unscramble A. Technical Infrastructure channels for their business and then monetize it further by We describe the technical operations of these IPTV redistributing it to other illegitimate IPTV businesses. In this providers in order to provide a lens into the third-party way, a paid subscription from a legal TV provider meant infrastructure utilized by most infringing IPTV services. This for one user is used to unscramble channels for multiple information was gathered by monitoring IPTV related forums users. Hence the name Card Sharing. To intercept the CW, and contacting consultants on these forums. For the most part, IPTV pirates setup a server with software known as softcam. this information is not readily available because these consul- This server is connected to a smart card reader using a valid tants sell their skills of developing infringing IPTV business TV smart card. Softcam emulates the decryption process of set-ups and thus are reluctant to share this information. channels and intercept the CW while doing that. IPTV providers serve two main types of media content: IPTV Management and Delivery. The IPTV headend de- LIVE TV Channels and Video on demand (VoD). We primarily scribed in the last section provides unscrambled TV channels focus on the infrastructure on the for LIVE TV Channels in some of the following formats; HLS (HTTP live stream- (i.e., IPTV) since that has stricter latency requirements and ing) streams [3], MPEG transport streams (transport stream, the media must be obtained in real-time. MPEG-TS, MTS or TS), or RTP streams. In this section, we IPTV Headend IPTV headend is a term we are using to will discuss management, delivery and monetization of these describe an infrastructure setup which takes input media and streams. always outputs unscrambled channel streams that are ready e) Transcoder: Transcoding the HLS streams is not for delivery through the IP protocol. An IPTV headend can required but is done in some cases to improve user experience. be described as any combination of following sub-parts: Transcoding in general means altering the video/audio to a) TV Input: The TV stream input to an IPTV headend accommodate: can be scrambled or unscrambled live TV Channels from • End-users with different levels of bandwidth - Bit rate satellite TV, cable TV or terrestrial TV. These inputs generally of video is altered so that users with different bandwidth rely on communication based on international open standards can be served streams accordingly. HLS streaming is an for digital television called the Digital Video Broadcasting adaptive bit rate technology which can handle transcod- (DVB) standards. ing. b) TV Tuner Cards: TV tuner cards are used to receive • End-Users with different devices: Re-sizing the video TV streams on a computer from a TV input. These tuner frame to adjust resolution best suited for the device the cards can be used in general purpose computers or dedicated end-user is using, such as computer, phone, or tablet. IPTV streaming servers which have slots for these cards. Transcoding is a resource intensive operation and requires For example, a TBS2951 MOI PRO AMD card, which is dedicated hardware with enough resources. The transcoding an IPTV Streaming Server, has 4 PCIe slots and can take job is sometimes handled by middleware software which is up to 32 TV inputs. This example streaming server, has a discussed in the next sub-section. user friendly web interface and is manufactured by a Chinese f) IPTV Middleware: Middleware is a crucial part of company called TBS Technologies International Ltd. They the IPTV ecosystem because it acts as the glue between the make TV tuner cards, IPTV streaming servers with pre-loaded headend and delivery. IPTV middleware is software capable software, transcoders and all the other requirements for an of various tasks, including but not limited to, subscriber IPTV infrastructure. Their software and hardware is popular management, reseller management, stream management, load- on IPTV forums where bad actors discuss setups for pirated balancing, transcoding and generating TV output channel content. playlists. It works by taking the input streams from broadcast- c) Broadcasting Server: A broadcasting server is loaded ing server in and generating output streams. These streams with software capable of taking DVB satellite input from TV of different channels can be combined to form a "bouquet", tuner cards and publishing streams to later be transmitted which is a package of selected TV channels offered to an on IP based data networks using protocols like real-time end-user. As mentioned before, pirated pre-prepared streams transport protocol (RTP) or HTTP live streaming (HLS). The are sold on forums and plugged into middleware. This means software installed on a broadcasting server has a web-based that for some, middleware providers are the ﬁrst step in their user interface which can be used to conﬁgure different DVB infrastructure. sources and encode the input into desirable output stream g) Content Delivery Network (CDN): Content Delivery while assigning a multicast IP Address to each stream. Network (CDN) is used to ensure that the user get the content d) Card Sharing Server: The two types of TV channels with high availability and performance. CDN services are used distributed by providers are free to air (FTA) channels and to reduce overall bandwidth cost and ensure that streams are encrypted or scrambled channels. The FTA channels are ready delivered with high availability around the globe. to be transmitted without any intervention unlike scrambled channels which need to be decrypted via a smart card used with a set-top-box or STB. The decryption happens using a

432