The streaming industry believes it has a serious problem: Password sharing. The solution? Various draconian measures meant to ensure that the only people watching a stream are people who have paid for the privilege, up to and including mandatory biometric authentication.
Imagine Microsoft announcing that in order to prevent Windows piracy, Windows devices would now keep a log of which users had paid part of a yearly fee to access data on that particular PC or to use the operating system. Imagine if Adobe, Apple, Blizzard, Epic, Valve, or any other software ecosystem operator declared that in order to prove you were legally allowed to access data you had paid to access, you had to provide them with biometric authentication data.
The idea is to start by making it annoying for people to share passwords by requiring the use of secondary authentication methods, according to Bloomberg — periodic password changes, or using 2FA to send authentication codes to phones. The goal is to create rules that govern which devices can see streams, allowing a smartphone or tablet to view content, but, say, blocking a Roku device in-use at a second location. Of course, users might just bypass that by streaming from a phone or tablet to a TV, or finding some other way to bypass the restrictions our content overlords wish to deploy. In order to prevent that from happening, the streaming industry is willing to go nuclear.
“If none of those tactics work,” Bloomberg writes, “pay-TV subscribers could someday be required to sign into their accounts using their thumbprints.”
In the past, this kind of biometric authentication system wouldn’t even have been possible. Biometric systems have existed for years, but there was no practical way for a service provider like Microsoft, Netflix, or Hulu to demand you use one. Now that fingerprint readers have been distributed to billions of people, companies are looking for ways to capitalize on them.
This isn’t just an annoying trend. Allowing corporations to require biometrics in this fashion is exceedingly dangerous. It’s true that in theory, at least, biometric security systems could be more secure than password-based authentication could ever be. The problem is, 1). Biometric systems usually aren’t nearly as good as the companies deploying them like to claim, and 2). Once anyone steals your biometric data, they’ve got it forever. We base biometrics on unchanging elements of ourselves. You can change your password. You can’t change your thumbprint. Having biometric data isn’t the same thing as being able to penetrate a biometrically locked account — that depends on the attack vector — but it could certainly simplify the process.
History further suggests that hackers will find ways to exploit weaknesses in biometric authentication practices in order to attack accounts and steal data. There was a time when turning on 2FA and using SMS to lock down an account was widely recommended. Now, articles counsel against the practice in favor of a device like a YubiKey. If biometric data is widely stored and used by companies for authentication, some of those companies will not secure the data properly. Some of that data will be leaked or stolen. It may be used by nation-states who are targeting specific individuals and attempting to hack hardened systems or it may be used by hackers carrying out broad attacks against large groups, but it will be used.
What justification is given for throwing open the floodgates and demanding mandatory authentication of a sort once reserved for criminals and those seeking security clearances, regardless of the further long-term damage to citizen privacy and the ability of individuals to establish their own personal identities? About $15 per month.
“I feel like I’m beating my head against the wall,” Tom Rutledge, the chief executive officer of Charter Communications Inc., said during an earnings call last month. “It’s just too easy to get the product without paying for it.”
Dealing with losses caused by theft of services or product is a fact of being in business. If you manufacture something anyone wants to buy, someone is going to steal it. If you manufacture valuable intellectual property, someone is going to steal it. Millions of people stole Game of Thrones and watched it without paying HBO a dime. Is it moral or ethical to take things you haven’t paid for? No. Is it moral or ethical to deploy this kind of biometric authentication requirement across devices, running a significant long-term risk of data theft? Also no.
I would personally argue the second argument represents a vastly larger practical harm than the first, particularly given how we know large corporations treat user data and how well they secure it. At a certain point, we have to recognize that the only way to safeguard information is to limit the ability of companies to collect it in the first place.
According to Bloomberg, the various companies contemplating these schemes are aware they might prove extraordinarily unpopular with customers. Nonetheless, Netflix, Amazon, Disney, Viacom, ATT, HBO, Comcast, and Charter are all members of the Alliance for Creativity and Entertainment, which has announced it is focusing on password sharing as a means of reducing piracy. Companies like Netflix, which has generally been tolerant of password sharing, have announced they intend to start looking for consumer-friendly ways to “push on the edges of that.”
Galaxy S10 Fingerprint Sensor Reportedly Thwarted By Cheap Screen Protector
Judge: Police Can’t Force You to Unlock Phone With Fingerprint or Face ID
Researchers Create ‘Master Fingerprints’ to Unlock Phones