The backlash that Netflix is receiving in its efforts to clamp down on password sharing is in a league of its own, with several users calling out the streaming giant for going back on a tweet it made in 2017 that (in)famously read “Love is sharing a password”.
As it turns out, Netflix’s love for sharing has a limit, and that limit was found after it recorded its deepest subscriber loss in a decade. After all, when multiple privileged parties share a single set of login credentials, they are effectively paying for only the one account/seat/license. Even if just 5% of 231 million Netflix subscribers do not pay for usage and obtain illegitimate access through password sharing, based on the cheapest Netflix plan, this equates to approximately $81 million in lost revenue per month!
Since then, Netflix has been testing ways to boost their subscriber count and monetize account sharing, a move which tells us that its hardened stance against password sharing has nothing to do with safeguarding the security of its users, and everything to do with ensuring the survival of the business.
The other streaming services are undoubtedly keeping a close eye on how this situation unfolds to inform their own evaluation about whether such a move is indeed a viable business plan, but we suspect there is a wider audience at play because it is not only the consumers who are guilty of sharing passwords. Businesses have also been known to share login details for user-limited accounts in an attempt to try to save money. Introducing measures to regulate password sharing then becomes a struggle that ALL service providers (and security professionals) have to grapple with.
Before that, we must first address the question of how a service provider would be able to detect account sharing (so that they may later restrict it).
It comes down to the ability to control and manage the access of legitimate users. This process is otherwise known as access management, and the goal is to ensure that authorized users have access to the resources they need while prohibiting access to unauthorized users.
To start, the service provider must first define who the authorized users are. Take note, it is not sufficient to simply provide a textbook definition.
Had Netflix said they were restricting password sharing to people in a single household and left it at that, we humans who typically understand a household as a group of people who are related by blood will likely assume that we may continue sharing an account with a brother who now lives in Ireland, and parents who reside in Malaysia – all without repercussions.
However, it is not quite feasible to implement password sharing restrictions based on this understanding we have of a household because it can be extremely difficult for service providers to determine kinship with just the login details users provide.
Netflix has chosen to furnish their own definition that clearly states under which conditions is password sharing permissible. Having grouped “people who live in the same location with the account owner” under the umbrella of authorized users, it then becomes clear that the people who land outside of this box are people who will need to sign up for their own account or pay more to continue sharing an account with people outside of the account holder’s household.
Next, how would you as a service provider, with the limited information you have about a user, be able to differentiate between the authorized and the unauthorized users?
Based on information on Netflix’s Help Center page, it is suggested that a Netflix Household can be determined by the use of one Wi-Fi connection, which would mean that when a user logs in to an account via a Wi-Fi connection that is different than the one used by the account holder, they may run into issues.
Noting however that users may access the streaming service while commuting or traveling, Netflix has also made provisions for determining devices in a household by taking into consideration “IP addresses, device IDs, and account activity from devices signed into the Netflix account.”
This is one way that service providers might choose to verify login attempts and manage user access, but it is important to note that the means of user authentication methods may differ depending on how your organization defines authorization.
Having to pay more than before to access content that remains largely the same is a sore point for Netflix users, and this reaction is what any service provider looking to bolster their revenue by passing on the costs to consumers can be expected to face.
So before implementing any change, consider this: Is there a business case for challenging the status quo?
If change is absolutely necessary, the goal is to then implement it in a way that minimizes the adverse impacts and maximize the benefits to broader business goals in the long run, if not in the immediate term.
To do so, the change could be implemented in stages.
For instance, Netflix is rolling out paid account sharing in Canada, New Zealand, Portugal and Spain after trialing the effort in Latin America.
The rollout must be consistent and paired with well-crafted messaging that reinforces the need for change to ensure buy-in. There must also be a concrete plan that outlines the equipment, infrastructure, and IT systems required for a smooth transition.
Written by Wen Sin Lim