As recent events have demonstrated, organizations as diverse as retailers and governmental agencies are apparently not doing enough to secure their data from hackers. Security breaches at Sony, in 2014, and post facility Larson Studios at the end of 2016, have also turned the spotlight on the media and entertainment business, bringing about renewed efforts to combat piracy.
On June 14, 2017, the Alliance for Creativity and Entertainment (ACE), a newly formed worldwide coalition of 30 entertainment companies, announced that it would be working with law enforcement, seeking new partnerships with content protection groups and will be filing civil litigation against illegal enterprises, to curtail piracy. The group, including Amazon, BBC Worldwide, Bell Canada, Canal+ Group and others, will draw upon the global antipiracy resources of the Motion Picture Association of America (MPAA).
A statement from ACE reports that, in the U.S. alone, the creative sector adds over $1.2 trillion to the economy and supports more than 5.5 million direct jobs each year. The industry has long been plagued by piracy, which threatens jobs and income. According to the statement, there were an estimated 5.4 billion downloads of pirated wide-release films and primetime TV and VOD shows using peer-to-peer protocols worldwide in 2016, and an estimated 21.4 billion visits to streaming piracy sites worldwide.
ACE’s efforts are aimed at reducing large-scale, for-profit online theft of content—typically, fully completed shows—from some of the largest content stakeholders on the planet. Yet as the breach at Larson showed, smaller, third-party vendors are often the most vulnerable to hacking.
A determined hacker can likely access all but the most secure data repository, given enough time and resources. And the fact is, piracy of a yet-to-be-released record album or TV show can start from something as simple as someone walking out of a facility with a project on a USB drive.
Some of the larger content creators and owners will send auditors to a potential vendor such as a postproduction shop to confirm that security best practices are being followed before engaging them on a project. Facilities can pre-empt any potential problems by calling in an independent auditor. The CDSA (Content Delivery & Security Association), for example, offers assessment and certification programs based on standardized content security best practices for post-production houses and recording studios. The programs cover areas such as personnel, asset management, physical and IT security, training and awareness, and incident management and recovery planning.
As noted by Zoe Thrall, director of the Studio at The Palms Casino Resort in Las Vegas, which has undergone CDSA certification, many best practices are common sense—yet they may be overlooked or ignored by some facilities. “It’s in the forefront of our minds all the time. We have a lot of high-profile clients come here and we don’t want to be the studio that is accused of anything,” she says.
New employees are not given access to client files for an initial period, and are trained on the importance of content security, reports Thrall. “On a normal day-to-day session, we do not have any of our rigs on the internet. And we don’t allow our engineers to put client files on their personal computers.”
Client files are removed from computers at the end of the session. “They’re backed up to the client’s drive or drives—preferably two—and they are immediately removed from the computer,” she says. If the client chooses to leave a copy for safekeeping, it’s put in a secure vault overlooked by a camera.
Throughout the production process, there is a paper trail. “We can cross-check who worked on what where with a specific file.”
A paper record is even generated when files are exchanged with the client over secure FTP. “That gets attached to any paperwork associated with the session, including who it was sent to, the date and everything,” she says.
The studio’s unique location adds another layer of security, Thrall also notes. “We’re all technically employees of the resort, and there are strict employee rules. Everybody gets trained under that umbrella as well.”
As noted by an executive producer at an audio post house who wishes to remain anonymous, “If somebody wants to steal something, they’re going to steal it. We try to mitigate the damage.”
Small facilities are at a disadvantage compared to larger enterprises with IT staff and big budgets, he comments. “I look at the MPAA guidelines and think, that would be great, but I don’t have the million dollars to install this infrastructure.”
Some of the security measures at his facility were originally implemented for other reasons: “We work local on every machine here; that was more for cost effectiveness.”
Air-gapped computers are critical here, too. “Use your own laptop to go online. I want [our] computers unplugged from the internet.”
Best practices implemented by clients also contribute to overall security. For example, a print sent to the post house for ADR work will be low-resolution and thus likely less attractive to pirates. “And it’ll be a very rough cut and will be watermarked—that’s how they protect things.”
Specializing in independent film work, the facility hasn’t had to implement the most stringent security measures—yet. But the facility would like to book episodic series work. “If that works comes down the pike—and I’m trying to get it now—I will put in compliant camera systems and only give access via biometrics or cards or whatever for people to only access certain parts of the facility at certain times,” he says.