from the rules-on-top-of-rules-on-top-of-futile-efforts dept
TorrentFreak's Andy reports that Amazon recently published the MPAA-required "best practices" for handling physical goods as well as content stored or hosted by its cloud services. This doesn't just cover the obvious storage of movies for streaming services, but also works-in-progress by studios utilizing Amazon's web services.
It's comprehensive and loaded with restrictions and stipulations.
[I]n addition to carrying out background screening on all employees and third party contractors, the MPAA demands that all workers sign annual confidentiality agreements that forbid them from talking about protected content.
Other obvious demands are included, all aimed at preventing the leak or physical theft of studio goods: no portable devices with storage capabilities, no baggy clothes, and employees' meals must be brought to work in transparent bags.
With an eye on local law, companies must also implement random searches of their workers for traces of MPAA content, including the removal of coats, hats and belts, the emptying of pockets, a full security pat-down, scanning with metal detectors and inspection of electronic devices.
Interestingly, the MPAA's 2015 agreement with Amazon actually scales back some of its requirements. Demands that Amazon create an MPAA-specific security team and allow reps monthly access to inspect restricted areas are no longer in force. Other stipulations focused on the specific parameters of on-site, physical security have been loosened or removed completely, as well as specifications for CCTV footage storage, access and retention. The requirement that all involved third parties be CTPAT-certified (Customs Trade Partnership Against Terrorism) has also been dropped, suggesting the MPAA is about done humoring the DHS's paranoiac assertions that everything has a potential terrorism nexus.
But the adjustments made between the 2013 and 2015 editions of the MPAA's "rules" don't reflect a change in the MPAA's Ft. Knox mindset. Instead, they show the MPAA shifting its priorities from physical protection to digital protection. The high-profile hacking of Sony likely contributed to new stipulations like these:
2015 MPAA added the requirements to perform quarterly vuln scans of external IP ranges, secure any point to point connections by using dedicated, private connections and by using encryption. Additionally the requirement to implement baseline security requirements for WAN network infrastructure devices and services.
Also new to this ruleset is a whole section dedicated to "mobile security" that addresses the potential security holes created by a BYOD environment.
2015 MPAA added controls around the encryption of content at rest and in motion. Additionally, procedures around the storage of public and private keys.
The documents show the MPAA can be forward-thinking when it comes to the distribution of content -- especially when trying to figure out how to stop it.