Client vs. Headend Watermarking – What’s The Best Approach for OTT?

In the first blog of this three-part series, we looked at how pirates attack watermarking solutions. This knowledge is critical for helping you choose the right WM solution approach for your OTT service, as we’ll see in both this blog and the next.

There are two prevailing forensic WM options available – client watermarking and headend watermarking. Before pitting the two against each other, let’s briefly explain the approaches.

How Forensic WMs Work

Client watermark 

A client watermark is embedded into the video on the client side usually by image overlay or blending. The image may be generated either by the client or at the headend, after which it is delivered to the client. Since a device has limited computational resources for generating an image, most client watermarks are content unaware. Namely, the WM is embedded within the frame without taking into account the displayed video content, which enables you to place the entire ID in a single frame. Even though a forensic content-unaware watermark is considered to be covert, “golden eye” experts can still notice it when embedded in certain content. In addition, in order to overcome piracy attacks, blending visibility and intensity of the client WM must increase, making it more discernible to others.

Headend watermark

A headend watermark is embedded in the video stream before it reaches the client device. It is usually implemented via A/B sequencing or variant watermarking, and may even be carried out by edge embedding in the future. In A/B sequencing, two versions of the same video – A and B – are created with non-visible differences in each segment. Each client receives a different adaptive bit rate (ABR) segment sequence, with the contiguous sequence representing a unique ID for the service user.

Why Client WM?

Now let’s determine which of the two approaches is best for your OTT service. First, we’ll take a look at how a client WM stacks up against some key factors you need to consider when choosing a solution.

Robustness 

When it comes to robustness against pirate attacks, the client WM offers mixed results. On the one hand, since the entire ID is usually in a single frame, the WM is resistant to temporal collusion attacks. On the other hand, since a client WM is typically content unaware, as we just mentioned, its ability to overcome severe distortion and spatial collusion attacks is likely to be compromised by visible artifacts that impact your viewers’ user experience. More importantly, given that the client WM is embedded in the client of an unmanaged device, it is highly vulnerable to various WM avoidance methods. And as we explained in the previous blog, avoidance is one of the main ways pirates attack your service.

User experience 

We just established that the more robust a client watermark is to piracy attacks, the more visible it will be, because a client WM on an OTT device is usually content unaware. For example, to resist camcorder-based strong distortion or to overcome advanced spatial collusion attacks, the WM’s visibility increases. Beyond the trade-off between robustness and minimal visibility, you also need to take into account the trade-off with video extraction duration. That is to say, in order to ensure that your watermark remains robust and relatively indiscernible, you need more time to extract it from the content.

Deployment and maintenance 

Regarding deployment and maintenance, a client WM again has its trade-offs. You may think that in order to deploy a client WM, all you need is a simple SDK. However, a basic SDK covers only a few devices, while in all likelihood you’re supporting myriad, ever-changing device flavours. If we know anything about pirates, once they realize you’ve tracked them down, they will find your weakest link – in this case, client devices not hardened against watermark avoidance. The problem is that hardening all of your unmanaged client devices is an extremely expensive, complex and slow proposition. That’s because hardening greatly depends on the specifics of each client platform technology, which keep changing among today’s OTT clients.

Why Headend WM?

Content awareness 

Since, by definition, the HE WM is located in the headend rather than in the device, it can leverage significant computational resources. In most cases, the headend WM is content aware, making it studio-compliant and meeting the golden-eye standard of an imperceptible, artifact-free watermark. Moreover, as a content-aware watermark, it can optimize robustness (to distortion and spatial collusion), visibility, and video extraction duration. A client WM, in contrast, can meet only two of the three criteria in a given setting.

Robustness 

Another advantage of the watermark residing in the headend is that, by design, it is far more resistant to WM avoidance. And while a headend watermark may be subject to temporal collusion, there are algorithmic solutions available to address such an attack without impacting visibility at all.

Deployment and maintenance  

When it comes to deployment and maintenance, the headend WM stands head and shoulders above the client watermark. The former requires a one-time integration covering myriad current and new OTT devices, no DRM integration, and no device hardening. In contrast, since a client WM covers a limited number of devices, it requires ongoing, time-consuming integration with newly introduced OTT devices. In addition, a client WM is dependent on DRM integration for hardening, and needs to continually undergo software upgrades as the devices used by your viewers evolve.

Not All Trade-offs Are Equal

As we’ve seen, both the client WM and HE WM encounter trade-offs. However, the impact of these trade-offs on each of the approaches significantly differs.

Take, for example, protecting a key OTT service asset such as live sports. If you use a client WM, then you can extract it within a couple of minutes. However, if you focus on minimizing extraction time, you may end up failing to detect any content leakage whatsoever. That’s because the client WM can be removed from non-hardened devices, making the shorter video duration time for extraction irrelevant. So, you might ask: Why not harden all of your client devices to give you 100% coverage against WM avoidance? No go: your deployment and maintenance costs would be way too prohibitive.

In contrast, even though an HE WM requires a slightly longer video recording for extraction, it will detect your content leakages in most circumstances. By design, the watermark always addresses avoidance attacks and never requires client device hardening, regardless of the quantity and frequency at which new devices are added across your service.

And the Winner Is…

So, if you are an OTT provider delivering premium content to viewers across myriad devices, then it’s obvious which WM approach we recommend. As we’ve shown, the HE WM takes the client/device out of the equation to reduce risk and ongoing integration complexity. It also avoids a trade-off between visibility and robustness, even though the watermark requires a slightly longer time for extraction compared to a client WM. Most importantly, it is not vulnerable to any watermark avoidance method regardless of client manipulation. Given these advantages, it’s no wonder that headend watermarking is increasingly becoming the approach of choice for OTT service providers worldwide.

Next Up: When to Insert the WM

Now that you’re aware of the merits of an HE WM solution, it’s time to dig even deeper and ask ourselves whether it is best to insert the WM before or after encoding the content. The answer may be obvious, but the reasoning behind it might not. Stay tuned for our third and final blog of this series to find out more.