“Choose your own adventure” stories are no longer limited to books and computer games, thanks to Netflix’s Black Mirror: Bandersnatch. Designed as an interactive movie where your choices change the course of the plot, Bandersnatch was a major hit with streaming audiences — who appreciated the novel approach that Netflix is taking with its programming.
After Bandersnatch’s blockbuster debut, Netflix has chosen to invest in more interactive movies that call for audience participation. But a group of researchers are letting viewers know that Netflix’s fun, new programs may come with a hidden cost: data privacy.
Ya think? Kim talked about this back in January, when everyone was talking about Bandersnatch. “Netflix has always known what you watch. But now, they know how long it takes you to make a decision and what you like, and your choices in human behavior will be tabulated and analyzed,” Kim told her listeners.
Even though Netflix has used streaming encryption across its entire platform since 2016, the researchers found that telltale signs in your video data can let third parties know about the choices you make in interactive movies. This information has the potential to leak to advertisers, internet service providers, and worst of all, hackers and criminals.
How hackers can see the choices you make on Netflix
In an interview with Wired, researchers from the Indian Institute of Technology, Madras, explained that “choose-your-own-adventure” style programs have the potential to compromise data privacy — despite Netflix’s site-wide encryption. This has nothing to do with a security failure on Netflix’s part, but rather a fault in the way that interactive content is served up to users.
In an interactive movie, viewers typically reach a fork in the story where the film pauses and they’re prompted to make a choice. In a computer game, these branching options would normally be coded into the game’s files. But with Netflix, two new video options are queued up for the user to stream. One video is automatically loaded as the “default choice” due to its likelihood of being picked. This helps keep playback faster and smoother for audiences.
Both videos presented at a story fork are encrypted, but the file size and relation to the previous clip are pieces of information that hackers can easily figure out. If one clip is pre-loaded automatically, a hacker can assume it’s the default choice right off the bat. If multiple choices are presented, hackers can narrow which option you picked based on how big the video file is.
By harvesting your story choices from interactive movies, third parties would have access to your decision making process. Just like how a compromised survey app fed data to Cambridge Analytica, third parties would be able to use this data for a range of purposes, including advertising, marketing, and potentially scamming.
What is Netflix doing about this security vulnerability
After submitting their report to Netflix’s bug bounty program, the streaming company returned IIT Madras’ research, saying that the issue was “out of scope,” since they don’t handle the encryption process directly.
Despite the company’s dismissal, the researchers at IIT Madras are continuing to put pressure on Netflix to make changes that would benefit users’ data security. One of the researchers claims that Netflix could easily squash the issue by compressing the queued up videos so their length and content is more ambiguous. This would make it harder for third parties to decipher which one is which.
In the meantime, Netflix is claiming that their system should be safe enough for users as of now. The company claims that a third party would need to connect directly to their servers in order to access this information, making near-future data breaches unlikely.
In spite of the back and forth dialogue between Netflix and IIT Madras, the streaming giant does see value in users’ decision-making data. The company apparently maintains records of every user choice on Bandersnatch, and upcoming interactive features will likely harvest this information as well.