In less than 10 years, Netflix has grown into a $700
million DVD rental powerhouse, shipping more than 1.5 million DVDs a day
to its base of 6.3 million subscribers. But the very systems that have
made Netflix so successful -- everything from its sophisticated
recommendation engine to a profit-maximizing formula that determines
which subscribers get movies first -- have proven irresistible to
hackers, who are constantly looking for new ways to crack, manipulate
and reverse-engineer the company.
Case in point: Just weeks after Netflix took its first, long-awaited steps into the digital delivery arena by rolling out its
Watch Now
instant viewing feature, which allows users to stream some movies and
TV shows over the internet, one hacker claims to have figured out how to
bypass the mechanism that tracks and limits a subscriber's viewing
time.
The hacker, who calls himself Livesunkept, told Wired News
in an instant messenger interview that Netflix stores a subscriber's
minutes on the user's own PC, in cookies and browser cache files.
Livesunkept discovered he could pause a movie a few minutes into
playback, then wait until it was completely downloaded, unplug his
network adapter and watch the film offline. When he was done, he'd clear
his cache and cookie files before plugging back in, keeping Netflix
from knowing he'd watched more than the initial few minutes of the film.
Steve
Swasey, Netflix's director of corporate communications, says the
company's instant viewing team investigated the hack and found no
evidence that it worked, but Livesunkept claims he successfully repeated
the process five times before Netflix quietly closed the loophole last
week, following Wired News' inquiries.
His crack is just the
latest carried out by a small and ingenious subset of the Netflix
subscriber base that specializes in poking and prodding at the company.
But despite appearances, most of these hackers are just trying to
maximize their Netflix experience, and have no interest in ripping off
the company, says Mike Kaltschnee, founder of the website
Hacking Netflix -- a hub for Netflix tinkerers.
"I'm
all about paying for content, and I'm not interested in teaching people
how to steal from Netflix," Kaltschnee says. "What I am interested in
is helping people learn how the company works."
Netflix is famous
for pioneering the flat-rate subscription model of movie rentals that
allows customers to hold on to a DVD rental indefinitely, with no late
fees. The company offers 10 different rental plans: the cheapest, at $5 a
month, allows a customer one DVD at a time, with a limit of two per
month. The most expensive, at $48 a month, lets customers have up to
eight movies at once, with no monthly limit.
Customers
add the movies they want to see to an online queue, and DVDs from that
list are shipped from Netflix distribution centers as they become
available. Mailing costs in both directions are paid for by the company,
and each time a customer returns a DVD, a new one from his or her queue
is sent.
That seemingly simple arrangement has spawned a wealth of user innovations. Subscribers have
incorporated RSS feeds of their Netflix queues into their blogs. A developer wrote a
Perl module to screen-scrape and export subscriber movie ratings from the site. Others have built quick browser hacks to
search engine
that indexes movies in the Netflix catalog by year, filling a gap in
Netflix's own search capability. A Pittsburgh software engineer built an
online fee calculator that tabulates a subscriber's effective rental costs per movie based on their rental patterns and subscription plan.
Not
all hacks require loads of technology know-how: One user discovered
that he could view his Netflix queue through his Bank of America
portfolio page, an easy-to-set-up aggregator for bank and e-mail
accounts that BOA offers free to its account holders. And around the
country, film fans have set up movie swaps with other local Netflix
subscribers, allowing them access to additional films without waiting
for the company to mail them out.
It was the hackers who first
uncovered Netflix's secret "throttling" technique -- a controversial
inventory allocation practice that favors new and infrequent users, and
results in delays and reduced availability for heavier movie watchers.
Under pressure, Netflix modified its terms of service to acknowledge the
practice in January 2005. ("If all other factors are the same, we give
priority to those members who receive the fewest DVDs through our
service," the TOS now reads).
Hackers have tried a variety of
techniques for manipulating the Netflix queuing system, including
closing their accounts and opening new ones every few weeks, or timing
returns so that movies arrive back at Netflix the same day that new
releases are mailed from the company's distribution facilities. The
merits and efficacy of these techniques have been debated ad nauseam by
subscribers on sites like Hacking Netflix.
Shawn Morton, a
36-year-old product development manager from Louisville, said he began
looking for a way to get movies faster after noticing that titles
showing long wait times in his queue were shipping immediately to
coworkers with trial memberships. He discovered that removing all movies
from his queue except those with an expected "long" or "very long" ship
time caused the DVDs that remained to ship immediately. His technique
was widely adopted in the Netflix hacking community, though with mixed
reports of success. And like many Netflix hacks, the trick stopped
working about two weeks after it became public.
"I wasn't trying
to harm Netflix with any of this," Morton says in his e-mail interview.
"I was simply trying to demonstrate that there are limits to the
company's 'unlimited' service."
Similarly, Livesunkept says he
was motivated by a desire to make Netflix aware of vulnerabilities in
its offering. "It wasn't so that people would get free movies," he
writes. "I did it so that (Netflix) would fix it."
Netflix claims to appreciate the work of hackers.
"We
have some fanatical followers out there, and we're open to their
feedback," Swasey says, "especially if it helps us improve the service."
As proof of this, he cites the
Netflix prize,
which will award $1 million to whoever can come up with an algorithm
that improves the effectiveness of the company's movie recommendation
engine by 10 percent. To give contestants something to work with, the
company released an anonymized dataset of 100 million movie rankings
from half-a-million Netflix subscribers, scrubbed of personally
identifying information.
But even that contest has led to a hack. Last November, two researchers from the University of Texas released
a paper
(.pdf) demonstrating that users represented in the dataset could be
easily unmasked, if they've also posted movie ratings to a public site,
like IMDb. The ratings of less-popular films, coupled with the dates
they're rated, form a kind of movie-preference fingerprint that can be
used to make matches, the researchers concluded.
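As an added illustration (not code from the article or from the researchers' paper), the sketch below audits a constructed "scrubbed" ratings release for the fingerprint effect described above: it measures what share of subscribers are singled out by a handful of their own ratings. The function names, the sample rows, the one-star rating tolerance and the 14-day date window are all assumptions made for this example.

```python
from collections import Counter
from datetime import date

def sample_release():
    """Constructed rows: (pseudonymous id, movie, stars, rated_on)."""
    rows = []
    for sid in range(1, 7):  # everyone rates the two popular titles alike
        rows.append((sid, "Blockbuster A", 4 + sid % 2, date(2005, 3, 1 + sid)))
        rows.append((sid, "Blockbuster B", 3 + sid % 2, date(2005, 4, 1 + sid)))
    return rows + [
        (1, "Obscure Doc", 5, date(2005, 5, 2)),
        (2, "Obscure Doc", 2, date(2005, 9, 9)),
        (3, "Festival Short", 4, date(2005, 6, 1)),
        (4, "Festival Short", 4, date(2005, 11, 20)),
        (5, "Cult Import", 1, date(2005, 7, 7)),
        (6, "Silent Reissue", 5, date(2005, 8, 8)),
    ]

def index(rows):
    """Group rows per subscriber and count how many people rated each movie."""
    records, popularity = {}, Counter()
    for sid, movie, stars, day in rows:
        records.setdefault(sid, {})[movie] = (stars, day)
        popularity[movie] += 1
    return records, popularity

def matches(record, aux, day_window):
    """True if the record agrees with every auxiliary (movie, stars, day)."""
    for movie, stars, day in aux:
        if movie not in record:
            return False
        r, d = record[movie]
        if abs(r - stars) > 1 or abs((d - day).days) > day_window:
            return False
    return True

def unique_fraction(rows, k, rarest=True, day_window=14):
    """Share of subscribers that k of their own ratings single out."""
    records, popularity = index(rows)
    singled_out = 0
    for record in records.values():
        order = sorted(record, key=lambda m: (popularity[m] if rarest
                                              else -popularity[m], m))
        aux = [(m, *record[m]) for m in order[:k]]
        hits = sum(matches(other, aux, day_window) for other in records.values())
        singled_out += hits == 1  # only the subscriber's own record matched
    return singled_out / len(records)

if __name__ == "__main__":
    rows = sample_release()
    print("2 popular titles:", unique_fraction(rows, 2, rarest=False))
    print("1 rare title + date:", unique_fraction(rows, 1))
    print("1 rare title, dates ignored:", unique_fraction(rows, 1, day_window=10**4))
```

On the constructed rows, two popular titles single out nobody, one rare title with its date singles out everyone, and dropping the date check lets some subscribers blend together again.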
Netflix's Swasey
calls the claim "interesting, but absolutely without merit," but Arvind
Narayanan, one of the authors of the paper, says he's got the numbers
to back it up. "Simply removing names does not ensure that data will
remain anonymous. And the implications stretch far beyond the world of
Netflix."
It's the kind of feedback that executives at Netflix
would probably prefer to hear a bit less of, but if past history is any
guide, people will keep challenging the company -- every step of the
way.