How Spotify changed password sharing and how the cloud enables it
According to the Computer Fraud and Abuse Act, unauthorised access to computers is a federal crime. However, the law's vague definition of "unauthorised access," highlighted by a recent New York court case, has consumer advocates and business groups worried.
This past July, the US Court of Appeals for the Ninth Circuit upheld defendant David Nosal's conviction for using a colleague's login credentials to access his employer's research databases.
Nosal is far from the first person to be convicted on such charges. In October 2015, former Reuters journalist Matthew Keys was sentenced to two years in prison for sharing usernames and passwords with "hacktivist" collective Anonymous.
Despite being illegal, password sharing is ubiquitous. A 2016 LastPass survey found that a staggering 95% of U.S. consumers share passwords with significant others, children, co-workers, and friends.
Rampant password sharing puts content streaming services, law enforcement, and consumers in a difficult position. Do we prosecute everyone who's ever shared a Netflix password? Or do we pretend the law doesn't exist and let hackers off the hook?
Spotify has managed to devise a solution that avoids the situation altogether.
The content access conundrum
To comply with content owner copyright guidelines, a streaming or cloud service user must be authorised by the provider. Most websites and online services use password authentication to enforce these rules.
Between password-protected bank, utility, news, and entertainment sites, it's common for consumers to juggle dozens of passwords. It's also easy for them to share those credentials with others.
To prevent this account abuse, content providers analyse login times, locations, and devices to spot suspicious patterns. Service providers send warnings and threatening emails to inform users that account sharing has been spotted, but most of these companies are attacking the wrong problem.
The issue with subscription sharing isn't unfettered access to gated apps and sites. Frankly, traffic data can be useful to marketers. The real issue is simultaneous access to media.
Netflix, for example, doesn't care if 10 people use the same credentials to browse movies. But when all 10 users simultaneously stream content, the company pays for 10 large data streams and heftier licensing costs. In 2015, Netflix budgeted more than $6 billion for licensing deals through 2018 — the streaming video giant's largest expense.
Tune in to Spotify's solution
Spotify — unlike Netflix, HBO, and dozens of others — handles the problem in a unique way that offers valuable features to users.
The music streaming service uses real-time technology to maintain a live, two-way connection to devices running the app, including laptops, phones, tablets, smart TVs, receivers, and more. This live connection ensures only one song is played at a given time by each Spotify account, regardless of how many people are logged in.
Imagine you're jamming to AC/DC when your cousin decides to listen to Drake using the credentials for your account. Your music cuts off within milliseconds of your relative pressing play, and you're notified of the remote access. When you press play to resume "Thunderstruck," your cousin's music stops and he gets the same message.
What's more, the live connection enables features such as the ability to start a song on a smartphone and switch to another device, like a laptop, without skipping a beat. It's an innovative feature that helps Spotify continue to disrupt the music industry while staying compliant.
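A minimal sketch of the one-stream-per-account rule described above, as an added example that is not Spotify's code: a hypothetical server-side `PlaybackArbiter` grants playback to one connected device per account and pushes a stop event to the device that loses it. All class, event and field names are assumptions, and a plain list stands in for each device's live connection; a handoff between devices is the same `play` call with a non-zero `position_ms`.

```python
import threading
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class AccountState:
    inboxes: Dict[str, List[dict]] = field(default_factory=dict)  # one per live connection
    active_device: Optional[str] = None
    track: Optional[str] = None

class PlaybackArbiter:
    """Hypothetical server-side arbiter: at most one playing device per account."""

    def __init__(self) -> None:
        self._accounts: Dict[str, AccountState] = {}
        self._lock = threading.Lock()  # play requests may arrive concurrently

    def connect(self, account: str, device: str) -> List[dict]:
        """Register a device's live connection; the returned list stands in for its socket."""
        with self._lock:
            state = self._accounts.setdefault(account, AccountState())
            return state.inboxes.setdefault(device, [])

    def disconnect(self, account: str, device: str) -> None:
        with self._lock:
            state = self._accounts[account]
            state.inboxes.pop(device, None)
            if state.active_device == device:  # a dropped connection frees the slot
                state.active_device = state.track = None

    def play(self, account: str, device: str, track: str, position_ms: int = 0) -> Optional[str]:
        """Grant playback to `device`, revoking it from the old holder, which is returned."""
        with self._lock:
            state = self._accounts[account]
            if device not in state.inboxes:
                raise PermissionError("no live connection for this device")
            previous = state.active_device
            if previous is not None and previous != device:
                state.inboxes[previous].append(
                    {"event": "stopped", "reason": "playing_on_other_device", "device": device})
            state.active_device, state.track = device, track
            state.inboxes[device].append(
                {"event": "playing", "track": track, "position_ms": position_ms})
            return previous

    def active(self, account: str) -> Optional[str]:
        with self._lock:
            return self._accounts[account].active_device
```

Because the check and the revocation happen under one lock, two simultaneous play requests cannot both end up holding the stream, and a device with no live connection cannot claim it at all.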
Sharing beyond the streaming industry
So why hasn't every streaming provider and secure site followed Spotify's lead?
Until recently, it was difficult to build reliable, high-speed two-way connections. Spotify implemented these connections at a global scale because of its exceptional engineers and worldwide data centers, but not every organisation had such resources.
But that's changed. Today, global data stream networks are easily plugged into existing content-provider applications. Using technology from companies such as Pusher, Google, PubNub, and more, content providers can capitalise on Spotify's brilliant solution.
And it doesn't need to stop there. Cloud services like Amazon have embraced two-way data stream connections, and the proliferation of publicly accessible Wi-Fi and the FCC wireless spectrum auctions are both set to remove bottlenecks in wireless data transfer capabilities.
This new manner of authentication will soon move beyond content providers to reinvent how other sectors manage account access. Perhaps there's nothing truly wrong with an executive allowing a secretary to log in to his workstation or a family sharing a Netflix account.
Spotify has revolutionised content streaming in more ways than it's given credit for. By the time Nosal is released from prison, the rest of us hopefully won't have to worry about being incarcerated for something as prevalent as password sharing.