Digital Rights & Football Piracy — Encryption Changes Exploited
With the new football season just 4 weeks away in the UK, we take a minute to look at the problem of streaming piracy and the role of mobile networks. At the end of the domestic season in May 2025, the role of the big 6 content providers was examined by the BBC, which looked at the scale of the problem for rights holders, who is promoting pirated streaming, and the erosion of digital rights management[1]. Changes in the web in the 2024–25 season brought new problems for rights holders and enforcement – a challenge not easily answered. In this article, we look at what changed and what the next season holds for football digital rights enforcement.
What’s Changed in the Web?
Meanwhile, a parallel story has been unfolding in Spain and Italy. Rights holders in both countries have been pushing for stronger legal obligations to crack down on piracy. At the heart of the issue is a highly technical but important development: the rollout of new encryption protocols, namely TLS 1.3 and its extension, Encrypted Client Hello (ECH)[2].
These protocols are designed to enhance privacy by encrypting more of the data exchanged when a user connects to a website. With Cloudflare enabling this feature even for its free-tier users, many websites — both legitimate and illegitimate — can now share the same IP address, making it extremely difficult to distinguish between legal and pirated streaming activity.
How do Encryption Changes Affect Piracy?
Pirates have exploited this change to stream top-flight Spanish and Italian football (La Liga and Serie A). Because the encrypted traffic obscures the origin and content of the streams, traditional detection methods have been rendered ineffective.
In the case of Spain last season, it ended up in the courts, with the rights holders (La Liga / Movistar) winning the right to block pirated content[3]. In Italy, however, they already had a law via the original ‘Piracy Shield’[4], involving detection and reporting of IP addresses involved in illegal streaming to be blocked by ISPs within thirty minutes of receiving a report. But this approach was invalidated by changes in TLS & ECH, in which a single IP address represents multiple sites, and so over-blocking is an issue, among others[5].
Enforcement – Time to Get Surgical
Italian authorities have shifted enforcement tactics to VPN & DNS companies[6] to detect and block pirated streams, as well as the league itself collaborating with Meta[7] to detect illegal streaming as an extension of their Piracy Shield. In respect of VPNs, a similar approach was taken in France, with Canal+ working with the French league to stop pirated content via VPN[8].
In Spain, however, the approach taken by Telefonica (O2, Movistar) has been more blunt: simply banning IP addresses from Cloudflare Level 1 services at match times. This has caused widespread disruption for legitimate websites relying on Cloudflare’s free services – leading to a patchy web experience and a lot of negative commentary. Cloudflare filed their appeal[9] in June to stop this blanket enforcement.
What Does the 2025–2026 Season Hold?
At the heart of the debate lies a key tension between online privacy and digital rights enforcement. While the goal is to protect premium content, heavy-handed blocking measures risk undermining legitimate internet activity — creating friction for users and businesses alike.
What lies ahead in other jurisdictions remains uncertain. But history shows that once a vulnerability in enforcement is discovered, it tends to be quickly and repeatedly exploited. A more nuanced approach is needed — one that involves identifying specific IP traffic patterns, reassessing the roles of VPN and DNS providers, and engaging directly with major content platforms to strike a better balance between protecting rights and preserving internet freedoms.
Web security is evolving rapidly, and what’s urgently required are intelligent data traffic management solutions that can detect and act in real time. That’s where Enea can make a meaningful difference with the Enea network traffic management toolset to both identify ECH & streaming flows and selectively enforce mobile network operator policy.
References:
[1] BBC Football Industrial Piracy https://www.bbc.co.uk/news/articles/cp3n7dx2174o
[2] Enea TLS 1.3 / Encrypted Client Hello extension explained: https://www.enea.com/solutions/traffic-management/encrypted-client-hello-ech-tls-1-3/
[3] Telefonica/La Liga Legal Update:
[4] Italian Piracy Shield Law – https://portolano.it/en/newsletter/portolano-cavallo-inform-digital-ip/copyright-protection-italy-approves-new-anti-piracy-law.
[5] Italian Piracy Shield Commentary https://www.euroispa.org/2025/04/piracy-shield-a-flawed-approach-in-the-fight-against-online-piracy/.
[6] Italy – DNS & VPN Approach: https://www.techradar.com/vpn/vpn-privacy-security/italy-to-require-vpn-and-dns-providers-to-block-pirated-content
[7] Meta & Serie-A https://www.reuters.com/sports/soccer/italys-serie-does-deal-with-meta-fight-illegal-streaming-2024-12-12/.
[8] France – Canal+ Approach: https://www.techradar.com/vpn/vpn-privacy-security/canal-wants-to-block-vpn-usage-and-vpn-providers-are-fuming
[9] Cloudflare Appeal https://www.techradar.com/vpn/vpn-privacy-security/cloudflare-wants-to-fix-spains-blocking-of-illegal-football-streams-ahead-of-next-laliga-season
