Rise of the Netflix Hackers

Rise of the Netflix Hackers http://www.wired.com/news/technology/0,72963-0.html In less than 10 years, Netflix has grown into a $700 million DVD rental powerhouse, shipping more than 1.5 million DVDs a day to its base of 6.3 million subscribers. But the very systems that have made Netflix so successful -- everything from its sophisticated recommendation engine to a profit-maximizing formula that determines which subscribers get movies first -- have proven irresistible to hackers, who are constantly looking for new ways to crack, manipulate and reverse-engineer the company. Case in point: Just weeks after Netflix took its first, long-awaited steps into the digital delivery arena by rolling out its Watch Now instant viewing feature, which allows users to stream some movies and TV shows over the internet, one hacker claims to have figured out how to bypass the mechanism that tracks and limits a subscriber's viewing time. The hacker, who calls himself Livesunkept, told Wired News in an instant messenger interview that Netflix stores a subscriber's minutes on the user's own PC, in cookies and browser cache files. Livesunkept discovered he could pause a movie a few minutes into playback, then wait until it was completely downloaded, unplug his network adapter and watch the film offline. When he was done, he'd clear his cache and cookie files before plugging back in, keeping Netflix from knowing he'd watched more than the initial few minutes of the film. Steve Swasey, Netflix's director of corporate communications, says the company's instant viewing team investigated the hack and found no evidence that it worked, but Livesunkept claims he successfully repeated the process five times before Netflix quietly closed the loophole last week, following Wired News' inquiries. His crack is just the latest carried out by a small and ingenious subset of the Netflix subscriber base that specializes at poking and prodding at the company. But despite appearances, most of these hackers are just trying to maximize their Netflix experience, and have no interest in ripping off the company, says Mike Kaltschnee, founder of the website Hacking Netflix -- a hub for Netflix tinkerers. "I'm all about paying for content, and I'm not interested in teaching people how to steal from Netflix," Kaltschnee says. "What I am interested in is helping people learn how the company works." Netflix is famous for pioneering the flat-rate subscription model of movie rentals that allows customers to hold on to a DVD rental indefinitely, with no late fees. The company offers 10 different rental plans: the cheapest, at $5 a month, allows a customer one DVD at a time, with a limit of two per month. The most expensive, at $48 a month, lets customers have up to eight movies at once, with no monthly limit. 1 Customers add the movies they want to see to an online queue, and DVDs from that list are shipped from Netflix distribution centers as they become available. Mailing costs in both directions are paid for by the company, and each time a customer returns a DVD, a new one from his or her queue is sent. That seemingly simple arrangement has spawned a wealth of user innovations. Subscribers have incorporated RSS feeds of their Netflix queues into their blogs. A developer wrote a PERL module to screen-scrape and export subscriber movie ratings from the site. Others have built quick browser hacks to toggle between a Netflix movie page and its corresponding page on IMDb or Rotten Tomatoes with one click.An engineer at Juniper Networks maintains a search engine that indexes movies in the Netflix catalog by year, filling a gap in Netflix's own search capability. A Pittsburgh software engineer built an online fee calculator that tabulates a subscriber's effective rental costs per movie based on their rental patterns and subscription plan. Not all hacks require loads of technology know-how: One user discovered that he could view his Netflix queue through his Bank of America portfolio page, an easy-to-set-up aggregator for bank and e-mail accounts that BOA offers free to its account holders. And around the country, film fans have set up movie swaps with other local Netflix subscribers, allowing them access to additional films without waiting for the company to mail them out. It was the hackers who first uncovered Netflix's secret "throttling" technique -- a controversial inventory allocation practice that favors new and infrequent users, and results in delays and reduced availability for heavier movie watchers. Under pressure, Netflix modified its terms of service to acknowledge the practice in January 2005. ("If all other factors are the same, we give priority to those members who receive the fewest DVDs through our service," the TOS now reads). Hackers have tried a variety of techniques for manipulating the Netflix queuing system, including closing their accounts and opening new ones every few weeks, or timing returns so that movies arrive back at Netflix the same day that new releases are mailed from the company's distribution facilities. The merits and efficacy of these techniques have been debated ad nauseum by subscribers on sites like Hacking Netflix. Shawn Morton, a 36-year-old product development manager from Louisville, said he began looking for a way to get movies faster after noticing that titles showing long wait times in his queue were shipping immediately to coworkers with trial memberships. He discovered that removing all movies from his queue except those with an expected "long" or "very long" ship time caused the DVDs that remained to ship immediately. His technique was widely adopted in the Netflix hacking community, though with mixed reports of success. And like many Netflix hacks, the trick stopped working about two weeks after it became public. "I wasn't trying to harm Netflix with any of this," Morton says in his e-mail interview. "I was simply trying to demonstrate that there are limits to the company's 'unlimited' service." Similarly, Livesunkept says he was motivated by a desire to make Netflix aware of vulnerabilities in its offering. "It wasn't so that people would get free movies," he writes. "I did it so that (Netflix) would fix it." Netflix claims to appreciate the work of hackers. "We have some fanatical followers out there, and we're open to their feedback," Swasey says, "especially if it helps us improve the service." As proof of this, he cites the Netflix prize, which will award $1 million to whoever can come up with an algorithm that improves the effectiveness of the company's movie recommendation engine by 10 percent. To give contestants something to work with, the company released an anonymized dataset of 100 million movie rankings from half-a-million NetFlix subscribers, scrubbed of personally identifying information. But even that contest has led to a hack. Last November, two researchers from the University of Texas released a paper (.pdf) demonstrating that users represented in the dataset could be easily unmasked, if they've also posted movie ratings to a public site, like IMDb. The ratings of less-popular films, coupled with the dates they're rated, form a kind of movie-preference fingerprint that can be used to make matches, the researchers concluded. Netflix's Swasey calls the claim "interesting, but absolutely without merit," but Arvind Narayanan, one of the authors of the paper, says he's got the numbers to back it up. "Simply removing names does not ensure that data will remain anonymous. And the implications stretch far beyond the world of Netflix." It's the kind of feedback that executives at Netflix would probably prefer to hear a bit less of, but if past history is any guide, people will keep challenging the company -- every step of the way.