Stopping Piracy Before It Starts
Episode Notes
Transcript
This week I’m joined by Terri Davies. Terri heads up the Motion Picture Association’s Trusted Partners Network, which helps studios and other partners develop best practices for avoiding leaks of films and TV shows pre-release, from pre- to post-production. We discussed her time at Sony Pictures from 2000 to 2015, a period of time during which the business of distribution was revolutionized (and digitized), how the MPA helps studios reduce the likelihood of a movie leaking before its release date, and how different solutions are tailored for content creators of different sizes. If you enjoyed this episode, share it with a friend!
This transcript was generated automatically and may contain errors and omissions. Ironically, the transcription service has particular problems with the word “bulwark,” so you may see it mangled as “Bullard,” “Boulart,” or even “bull word.” Enjoy!
-
Welcome back to the Bulwark goes to Hollywood. My name is Sunny bunch culture editor at the Bulwark. And I’m very pleased to be joined today by Terry Davis at the Motion Picture Association, the head of the trusted partner network. We’re gonna talk about that in a minute. And protecting content films, TV shows, everything else from, leaking before release.
-
It’s part of the MPAs, you know, three hundred sixty degree two sided strategy on on keeping stuff safe. I’m I’m really excited to talk to Terry about this. Thanks for being on the show today.
-
My pleasure. Thanks for having me.
-
So, Terry, one thing, I really wanted to talk to you about. We were discussing this a little bit beforehand. Was your time at Sony pictures. You were there from two thousand to two thousand fifteen, which is an enormously important time in terms of the transition of how distribution actually happened. I mean, I, like, I I, you know, sometimes people make fun of me about this because I’m a little bit of a nerd on digital protection and that sort of thing.
-
But I’m I’m fascinated by this period of transition where you go from, you know, physical analog tapes film, actual film stock, delivering prints to theaters all across the country to essentially doing everything digitally over the internet. What was that? What was what was living through that transition like? What was working through that transition like?
-
It it was it was amazing. I mean, my background is post production in London, and then Sony Pictures hired me and moved me over to LA. And we had just gotten through, VHS to DVD, right, which was a huge change. That was taking a workflow that happened discreetly for every single VHS release around the world to suddenly saying, hang on a minute, we can do this better. We can aggregate stuff onto one disc.
-
What does that look like? So we went through that cycle of, decentralized two centralized, so we had just got through that. But it was still tape for the most part. And then, digital files start to come up, I guess, for, like, two thousand seven, two thousand eight, maybe a little bit earlier. And, of course, Being at Sony and anybody else who was at a studio or being a vendor of a studio knows there was such huge volume of video tape.
-
We had videotape libraries everywhere. And all we knew about those videotapes was what was written on the label. Norman by some tape hop, right, in in in a lab, with very little instruction from us. So suddenly, the these became even more precious assets, but they became really the source. For having to digitize all of those assets.
-
And, you know, there was a big focus on going back to the best source. But the reality was we had to move quickly. So in some cases, we were digitizing or encoding rather, from distribution masters. As opposed to the actual, you know, proper, proper, master. So we went through that, and the change management involved in it was just enormous.
-
It was almost incomprehensible trying to wrap your mind around this huge machine, of any any studio and the thousands of pieces of content that we were moving every month, and building a supply chain that could accommodate all of those different variables And by the way, that’s still a challenge today. Are you go to any conference we’re still talking about digital supply chain? But also how how do you go about digitizing your library in a way that you are collecting the right information to drive the automation that was needed? And then, of course, you know, we were all thinking about that and planning and moving forward, and then the tsunami happened in Japan. Which effectively wiped out all tape stock production.
-
So, you know, we we we were talking about things and doing things like recycling HD cam SR tapes because we just didn’t have enough to keep the, you know, the post, the pipeline going. The post production. So that really accelerated everything. And, there was a moment actually that I don’t think many people know about where the industry came together specifically Sony Fox and Paramount, led a huge initiative at IBC and Amsterdam. I think it was in Rio.
-
It’s twenty eleven, the same year as the tsunami, and we called it Go Digital. And we we spoke to the industry at lunch saying, look, we have to have a cutoff time, at which you guys who receive tape from us, broadcasters, distributors, whoever we were selling our content to had to move to file. So we we really had to try and the pace on it after the tsunami in particular.
-
That’s fast. I I so the tsunami story, I don’t actually know anything about it. So the tsunami, destroyed the actual tape production facilities in Japan?
-
Yeah. For Sony.
-
Oh, man. That’s that is, that’s crazy. Alright. So so two thousand eleven, then this is, so this is a few years after the, move to digital projection kind of happens. Right, in theaters.
-
Right? Is is is this about the same time about a little after that? Were you guys following that same
-
sort
-
of game plan or
-
It was all going on at the same time. So I was dealing with distribution for post theatrical, but, obviously, you know, we we followed theatrical’s lead. So the digital cinema conversations were very much going on around that time as well. So it was massive information and change management at a time when really the only significant, transformation we had been through on the on the post the optical side was VHS to DVD, and that nearly killed all of us. And then suddenly, we had to, you know, we had to pivot again, and we had to think about, building our own digital supply chains and our own digital asset management solutions at a time when all of the great applications that are available now to stand up a digital supply chain.
-
Reasonably, simply and cost effectively didn’t exist, so we were all building our own bespoke bespoke systems going up. How do we build automation? What’s involved? I mean, We we started up departments in a studio that never existed before. We had to create a metadata department and think about, title schemas and how are we going to recognize these files when we create them?
-
Onboarding as well, You know, we were delivering to thousands of destinations who hadn’t got their head around file either. So when they said, this is our spec, We actually had to create nonboarding team who worked with those recipients of what we were delivering to say, sure. You mean this when you put down that codec because we’ve tested it, and it doesn’t work very well. Or or, oh, this is a great idea. We haven’t even thought about this yet, or how do we do this?
-
It it was it was enormous, really.
-
Yeah. That’s fast. And and that’s also around the same time that, that Bluray becomes
-
Yes.
-
I mean, you know, I, as as somebody who owned both an HD DVD player and a Sony PS three, in order to fully fully maximize, my HD opportunities. That that was another kind of wild time to live through.
-
Yeah. It just it just seems to, you know, sort of two thousand nine two today, really. It just hasn’t stopped. And and I think up until that point, you know, the the biggest, the biggest innovation was VHS, which like I said was a fairly simple supply chain because it was one for one. It was, you know, I’m the French, I’m the prison French version of age of innocence, and I’m the VHS of that.
-
Right? So that that was a much more simple simple workflow.
-
Yeah. When you when you Sorry. Just one more one more question about DVD because I I do find this, again, weirdly interesting. When you when you were making the the DVD masters for those. Were you pulling from I mean, were you pulling from essentially the the Let’s let’s let’s talk about TV in particular.
-
Right? Were you pulling from the, like, broadcast, tapes that you sent to the Bulwark, or how how did that Bulwark, where where were the source materials from?
-
So for the picture, we were remastering. We were going back the old IPs and remastering because we wanted it to be, you know, the best quality because DVD, of course, was sold as top quality, but Where it came to localization, that was a massive challenge because in some cases, we would have sold title a to a broadcaster in Italy and given the right to the broadcaster in Italy back then to create the Italian dub and the Italian subtitles. So we were constantly in this this ROI analysis of, like, oh, is it easier to remake it, or is it better to go and negotiate with the broadcaster to get back the rights for those, local language tracks and subtitles and, use them. But what if they weren’t created to the standard that we need them or what if they’d done censorship and there would be holes in it. And, of course, DVD, we wanted to provide full length as much as possible.
-
It was, yeah, it it it’s, wherever possible, we got the highest quality source assets. But, again, it was a complex balance of how much money do we throw at this thing.
-
That’s a yeah. That’s again, I I could talk about this all day. But let’s, alright. So let’s let’s move on, to the the again, the the transfer to digital and protecting digital assets because that’s that’s what the the TPM, the trusted partner network, at MPA is doing here. You’re you’re you’re Actually, let me let me this is a thing I like to do because I find it I find it extremely useful.
-
Could you explain in your own words what, what you what you do it TPN and and what you the the goal of the organization is.
-
So, trusted partner network TPN is wholly owned by the motion picture. So station. And our mission very simply is to keep content secure. It it it’s really as simple as that. So everything involved, in that.
-
So Bulwark with all six of the MPA studio members and more now. We have the other big two, as members of TPN as Will Saletan with BBC Studios and Sky Studios and so on. And we leverage the MPA best practices. So I don’t know if you know this, but for All decades, MPA have been publishing content security best practices. And, you know, they have been really the bible the foundation for security in the industry.
-
I remember being a receptionist at a post production house in London. And the guy from the MPA coming to visit our building to check that it was secure, you know, and we, like, biting everything away and bringing out the best teapots and all of that. So this has been going on for a long, long, long time. And at the same time, the studios were doing all of their security assessments of the vendor. So, basically, we we have a community of, I don’t know, I don’t know the number, three thousand plus, vendors out in the world who provide services to the studios to create and distribute content.
-
Visual effects, houses, audio post production, localization, you name it. Any type of service is needed to create or distribute content, and every one of them has to be as secure as they possibly can be. So what was happening was MPA were doing their assessments, but increasing these studios were doing their own assessments as well. And because Really, the community of vendors who work on pre release content is fairly finite. These vendors were finding themselves being audited by up to eight, nine, ten different studios, in a year, in a single year.
-
So it hit breaking point, and the studios realized that they’re not really competing on security. Security is a baseline that, you know, everybody should be contributing to to keep all content safe. And some brilliant people before I got involved, came up with the idea of TPN, and they said, well, what if we did one industry, one audit? What if we leverage the MPA best practices, and we built a assessment on top of that, and we drove all of the vendors to TPN, to do a TPN assessment that would then be held in a central location, and all of the studios could leverage that. Right?
-
So we would introduce massive efficiency into the industry. So that’s what they did and they launched in twenty eighteen. Super successful. I think they grew something crazy, like, three hundred and fifty percent in their first year because it was fulfilling such a need in the industry. But they were only focused on site assessment because cloud was still kind of sort of new, and while everybody knew They had to get to cloud security.
-
The site assessments were really the important things, like literally brick and mortar cameras on those. So they had this huge growth and then of course COVID hits and the pandemic and everybody went to work from home and did what? They moved to the cloud. Yeah. So that it created this huge fracture.
-
So all of the progress that TPN had made, stopped. The studios were still to some degree producing content. They had to start introducing their own cloud assessments to make sure the vendors they were giving work to was secure. And TPN really became fractured. So I joined in February twenty twenty two, not as a security expert, but as a sort of, really operations in the industry and, some expertise in business transformation.
-
And we introduced app and cloud, updated the TPN assessments to include that. So today, vendors can’t voluntary program, being voluntarily, sign up to do TPN. And the studios have a central repository again now to look at site or application and cloud. Security assessments from which they can make their own independent risk based decisions because I know I’m saying a lot. I’ve finished after this one since.
-
The really fascinating thing about this job that I sit in is I work with all of the studios, but they all have different risk profiles. Right? So TPN doesn’t pass or fail or approve or or disapprove. All we do is gather the status and that each studio makes their own decision. But what we do is, you know, gather as much information as the studios need.
-
And that’s constantly changing, you know, with new technology coming along. So, it’s it’s a great it’s a great central position.
-
Well, this is a I let’s let’s jump back just a little bit because I’m I’m actually I’m I’m kinda curious what the difference between the security on on on analog or even, like, early digital, you know, disks and and that sort of thing. What what was the NPA looking at when you were when you were there as the receptionist, you know, watching them come in and and and, you know, scan the place for for for leaks and whatever. But, like, what do what is the difference between that look like and the difference between now with the cloud based, you know, digital digital first difference.
-
It’s very different, but what, again, what’s interesting is because this is, you know, while we adapt to change quickly, in some ways that we don’t. Right? So probably well, not probably. I know I, you know, we we we haven’t even been launched with this new program, including app and cloud for a year yet, but we’re looking at the dates now, and we know conclusively that many of our members are hybrid. Right?
-
They still work on prem. And in the cloud. So we’re still asking the old questions, cameras on doors, you know, the the the proper Way to secure a building? Do you keep your visitor logs? How long do you keep them for?
-
Who has the keys to the safe room? All of those questions, you know, very, very, physical. But at the same time, we’re talking about vulnerability scanning and, you know, cloud frameworks and what is needed. To make sure that you you don’t have any issues intrusion detection, you know, all of all of those things that we need to worry about now. So we’re we’re balancing the two and With just now, starting to see software application, vendors join as well.
-
So, like, Adobe, and signiant and soho net, you know, really big name in the industry. And they’re they’re completing the TPN assessment. But if They don’t have a physical infrastructure. We’re not gonna ask them about, you know, cameras on doors, for example.
-
Right. Well, I mean, this gets to, kind of an interesting thing that that you guys have to have to figure out here, which is as you mentioned, risk profiles, you know, there there’s a difference between, a company that is putting out a two hundred million dollar blockbuster in three thousand screens and, like, trying to keep that, that asset, that investment safe as opposed to somebody who is doing the final dub on a honeymooners episode, you know, from from fifty or sixty years ago. Like, what what when you’re when you’re looking at these companies and trying to figure out who needs what, how do you I don’t know, make that individualize that for them. Yeah.
-
That’s a great question. I’m glad you asked her actually because we have a solution for that. So we have some baseline questions. There’s about ten of them that we ask upfront. Do you work on pre release content?
-
Do you work on post release content? Do you have work from home employees? Do you work in the cloud, on-site, or just site? Do you do DVD replication? Because that still exists.
-
Right? So we have these these baseline questions from which we can descope the assessment or scope it up. Right? If they do everything. So we we try every way to improve the experience of the vendors.
-
Because, I mean, these these assessments, they’re tough. Right? They take a long time, it’s a big investment for the vendors to go through this. So we want to make sure we only ask them the relevant questions. And we’ve we’ve spent a lot of time on that.
-
Actually, we rebuilt a new platform, towards the end of last year, We launched it when we relaunched the program with Appen Cloud, and we’ve spent a lot of time thinking about building that functionality in. And it and it never stops. Right? Because we will continue to update the best practices. With feedback from all of the studios.
-
Actually, we have a workshop coming up where we’re gonna be talking about this with all the studios, but also with feedback from the vendor community, those of those who have been through TPN. We wanna hear from them, and we wanna take their feedback as well. So we’re constantly Adding new best practices without making the list too big. Right? I mean, Fun fact, when we got here and injured, started to look at the MPA best practices, they were at something like three hundred and sixty.
-
Not including our cloud, which is very, very, very difficult to answer all of those questions. And as we start to look into it, we realized some were duplicative. Some weren’t, you know, really, a requirement anymore, like, you know, wearing form fitting clothing, in a replication plants, and you don’t steal a d two in your in your pants at the end of the day, and that type of thing. While balancing the need to update it for the new technology. So we spent Maybe six months with all of the studios and some key stakeholders in the vendor community saying how can we rewrite these while still being robust and secure enough to do the job, but to improve the user experience.
-
And we ended up republishing last October with sixty five. So we took it from three hundred and sixty to sixty five, which in turn informs the questions that we ask the vendors.
-
Yeah. Yeah. And I mean, it’s it’s I it’s funny. I was I was going through the list of best practices. And frankly, I this is so much of it is over my head and just like, well, these are things I don’t I don’t really understand, but I it is it is really interesting to think about all of the different leak points, you know, the the potential places where a pre release thing can be released.
-
And this is an important distinction as well because, I mean, like, I think when most people think of piracy, they think of, like, the guy in movie theater with the camcorder or now a phone, you know, taping the screen or, you know, after the fact, you know, something’s on shows up on HBO Max and then, you know, thirty seconds later it’s on pirate bay. And, like, this is an entirely different this is an entirely different front of the pri privacy war that I think people don’t really think about in the the the the the problems are when when you’re looking at the the best practices. You know, what are what are you guys most concerned about? Is it is it strictly technical safety, secure websites? I mean, are you looking, is it, individuals, background checks, that sort of thing?
-
Like, what is that what is that process look like. And what are you guys most afraid of?
-
I mean, it it’s everything, and that that’s the problem. Right? It’s a we’re in a one size does not fit all business, but trying to, implement a sort of one size fits all solution because we can’t bespoke it too much apart from the automation that I just described to you. Is is everything we ask about background checks? We ask about training.
-
We ask about password policies. It it’s everything. We have four different domains. Where we we press heavily on organization, is your management aware of what your business continuity programs are? You know, we ask we ask things like that really, really pushed on it because if you think about it, the best practices are trying to ensure that the work the studios give to their vendors is done with confidence.
-
Right? There has to be a trust. I didn’t come up with an entrusted partner Bulwark. And since I’ve taken over, I’ve really, you know, looked at it from all angles. I’m like, is it a great name?
-
And, actually, it’s a great name because What we have is a is a registry of trusted partners who have answered these questions. They’ve taken a good honest look at where their vulnerabilities are. They work with us then to address the vulnerabilities and close the gaps. And it it’s a it’s on a biannual cadence. So, you know, we it it’s a relay it’s not a one time relationship.
-
But, you know, so we have the organizational domain. We have the technical domain where we get into cloud. We have physical domain where we’re pushing on, you know, if you have a building, what does that building look like and how have you organized it? And it used to be, you know, we talk about script to screen. Right.
-
It sounds good. Script to screen, but actually we are way prescript. Right. We’re we’re starting we’re we’re working with vendors to protect story boards. And visual ideas.
-
And, you know, we way way back then. And then all the way through to distribution, which is, I believe you have your meeting with Jan Van von, are, are head of head of the Ace Program at
-
Mhmm.
-
And PA So that’s kind of the, you know, TPN and Ace are the two sides of the same coin. Right? We do what we call content security. So we work upfront with anybody who’s touching content throughout the supply chain, prescripts to screen. And then what Yarn will talk about is what happens with, you know, sites that are pirated.
-
How does he go in and shut them down and he he he does an amazing job. So the MPA is trying to serve its members and the general industry. By this three sixty approach, what do we do proactively? ACE is proactive as well, but, you know, meaning we’re in the we’re in the production and post production. Pipeline, and then what do we do afterwards?
-
Because it’s as damaging, now to lose subscriptions. Right?
-
Right. Right. Right. I mean, I yeah. I it’s funny.
-
I hadn’t even really thought about the whole pre vis, you know, angle, the storyboards and all that because, I mean, sure, you know, if somebody got a a good look into Kevin Feige’s hard drive, there would be, you know, problems for years after that. But it it’s it’s fascinating mean, I I, you know, again, I it’s funny. I was I was doing some I was doing some research before the show and trying to remember some of the, some of the big pre release leaks. And I feel like there haven’t been that many. I feel like it’s been a it’s I’m sure it is still a problem.
-
I’m sure it’s still happens. But, you know, back in the back in the the late, the mid to late aughts and the early the early teens, I mean, it was, like, revenge of the sith leaked. Like Xman origins, wolverine, you know. I think the expendables three. I remember that one.
-
Being on pirate bay and whatever, and, you know, I I think it was something like five million downloads before they were able to kind of pull it down. I what are some of the I’m I’m curious if if these things still happen and are just kind of quietly, we’re not gonna we’re not gonna draw attention to it, or if it is if it’s a problem that really has kind of gone been gotten under control. In in recent years.
-
So looking at our data, right, because now we’re in a we’re in a great position where We can actually look we have, since we launched in February, we’ve got just over eight hundred companies who have signed to this program, which is way more than we thought would happen in the first year. So it speaks to the need in the industry. So we’re able to slice and dice this data now and really take a good look at, we we we have a membership fee. Right, then the membership fee is based on annual gross revenue. So we’re able to say, well, what does security look like for companies?
-
With less than five million dollars annual gross revenue a year. What does security look like for companies who are two hundred million dollars plus? And then you you slice and dice it by, you know, EMEA, and APAC, and Latin and North American you look at it that way. And what is really, really heartening at this early look, not even a year in? Is anybody, any company, smallest mom and pop shop in Indonesia, all the way up to the multinational global two hundred in dollar plus companies understand how important security is.
-
And I I have to say we’re really, really pleased with how each company no matter their demographic has taken this very, very seriously. And, Going back to a question you asked earlier, you know, the sort of, seinfeld rerun versus the Marvel prerelease conundrum. Right? So we Mhmm. The descoping But we’ve also introduced a concept where, we have a blue blue TPN shield and a gold TPN shield.
-
Blue TPN shield means that the company has self reported. They’ve self attested what their security, status is and answered questions. Which if I’m a studio and I’m looking at, you know, some library TV rerun, that may be good enough. I’m not gonna force them to go through an assessment. If it’s a, you know, top tier title pre release, you’re gonna want to go through an assessment.
-
So we have a directory of assessors that we’ve worked with to a credit. These are fantastic people who know the industry inside but also are really auditors by trade. And they go in and they work with all of the vendors who have answered our questionnaire to say, Actually, you said yes, but we say no, and this is a remediation item that you need to go and fit. So has it reduced incidents? I’m probably the wrong person to ask.
-
You would need to ask each individual studio about you know, what they’re battling with. But is the industry continually raising the security standard yes Is the TPN program helping with that? Yes. Because we now see the data and we see where the gaps are. And in twenty twenty four, we’ll be working on you know, what do we do to improve that?
-
Do we do we provide some sort of education program? Do we provide some sort of library of security policies for the smaller companies that don’t have a CSO position or a security department. Right. So we’re very, very focused on Obviously, getting the studios what they need in terms of making vendor choices independently and based on our own risk risk profile. But we’re also very focused on now.
-
We’re in this great position to rising tide splits or boats. Right? What what can we do to help everybody?
-
Alright. At the risk of at the risk of exposing a security problem, at the risk of, you know, what when you slice and dice the data, what is, an area that kind of routinely comes up as, a a risk area or a problem area that needs addressing?
-
So, there are a few that come to mind. Probably business continuity planning. Right? Because when something happens, when you get that, you know, punched stomach that there’s been a ransomware attack or there’s been something or an employee has, you know, taken something they shouldn’t have done or whatever whatever the cause of the incident is. You need to shut down and you need to regroup.
-
But you’re a key part of this this industry pipeline. So what is your business continuity? If you need to shut down, your infrastructure. Right? What’s your business continuity?
-
How are you gonna keep going? Which are disaster recovery. And it’s a really, really hard thing to do. I remember doing business continuity planning, in my old jobs, and it’s awful. You have to sit down, look at every single workflow.
-
And at each stage, though, what if go through all the what ifs. I mean, it’s it’s exhausting, but so important. So I think, you know, that is something that I would encourage all companies to really focus on. And, you know, MFA, multi factor authentication is kind of a facts of life these days, but incredibly important when you have work from home employees, which a lot of these companies still do as a throwback. To the pandemic.
-
Mhmm. Mhmm. Alright. Well, that was everything I wanted to ask. That was pretty much everything I wanted to to focus on here.
-
I always like to close these interviews by asking if there’s anything I should have asked if you think there’s folks, stuff folks should know about TPN, MPA, I frankly anything. Alright. What what do you what do you think folks should know about that I I have failed to discuss with you today?
-
I think re the global nature of this. Right? So of the eight hundred plus companies that we have signed up TPM, seventy percent of those companies are international. Some thirty percent in the US. Which is is incredible.
-
It’s crossed something like fifty eight different countries. So again, you know, we we need to really, really consider that and make sure that We have TPN assessors who can travel to those countries or are in those countries or have language skills. You know, this industry I think TPN because it’s under MPA, could be perceived to be very Hollywoodized because we work with the Hollywood studios, but This is a global business now. MPA is global. Right?
-
TPN accordingly has to be in the the companies that are signing up to do this, demonstrate that.
-
I it’s funny you mentioned that because I was having to explain to somebody the other day that the MPA is the MPAA. They dropped the the last day for, you know, it’s a global business, but, it’s that that is It’s a good reminder. Well, Terry, thank you very much for being on the show. I really appreciate it.
-
Thank you. It’s been my pleasure.
-
And as always, I am Sunny Bunch from Culture Editor at the Bulwark and I will be back next week with another episode of the Bulwark goes to Hollywood. We’ll see you guys then.