For subscription publishers, the prospect of subscribers sharing login credentials with non-paying users is invariably a concerning one.
Password sharing is often a strong indicator of a highly valuable product: Arguably, the only thing worse than subscribers sharing passwords is subscribers not sharing passwords. But the potential for lost revenue and the notion that audiences are “pirating” content is frustrating nonetheless.
There are varying schools of thought on the significance and importance of password sharing on publishers’ businesses. Some take the silver lining view that it can help educate non-subscribers on the value of their products, or that users who access content without paying were unlikely to pay anyway. Other publishers attempt to police it aggressively, often because their products have higher price points and/or because they cater to business audiences who can likely expense their subscriptions anyway.
Meanwhile, paywall technology and analytics providers often downplay the impact of password sharing, potentially because they don’t yet have strong solutions to the technically difficult challenge of pinpointing password sharers accurately.
This guide outlines the considerations publishers should make when deciding how important password sharing may or may not be to their businesses, and details strategies and tactics that can be employed to help limit password sharing activity and recover lost subscribers and revenue.
What is password sharing?
Password sharing refers to instances where paying subscribers share login credentials with one or more non-subscribers, enabling them to access publishers’ subscriber-only content, services and features without paying.
Why password sharing is a concern for publishers
Password sharing has a number of potential downsides for subscription publishers. These range from the straightforward, such as lost revenue, to secondary considerations around data collection and optimization:
The obvious downside of password sharing for publishers is the potential for lost revenue. If one subscriber shares their login credentials with multiple users, it’s safe to assume — since they’ve gone to the effort of procuring credentials from a third-party — that one or more of those users may have otherwise paid for a subscription themselves.
The potential for lost revenue is more pronounced for those publishers who place highly valuable single pieces of content behind paywalls, such as in-depth reports or exclusive data. While such content is often a powerful driver for new conversions, it can also drive password sharing activity. If readers desire access to content on a one-off rather than recurring basis, their propensity to “borrow” credentials may be increased.
Loss of user data
For many publishers, the ability to understand the nature of their audiences is central to the viability of their business models. In addition to lost revenue, password sharing can result in missed opportunities to collect valuable first-party data, including demographic information, interests and preferences, or attributes such as company type, job titles, functions or responsibilities in a B2B setting. These missed data opportunities can impact other areas of publishers’ businesses, such as their ability to sell advertising and sponsorships and leads to partners, or to effectively cross-sell other products and services they offer.
In addition to the lost data collection opportunities outlined above, widespread password sharing can also skew the behavioral information publishers use to optimize their sites and products, which can result in publishers optimizing to bad signals. If they’re not identified and monitored, password sharers can easily be misconstrued as “power users,” for example, whose behavior, tastes and preferences are often more closely studied and used to help inform editorial, product and business decisions.
Sizing the problem
Password sharing is a phenomenon that affects nearly all subscription publishers, but establishing to what degree — and how significant the impact is for their revenues and businesses — isn’t easy.
Why significance varies by publisher
Password sharing might be difficult to measure and benchmark, but publishers should consider how significant it might be for their specific subscription products and businesses. There’s no one-size-fits-all approach or “right answer”.
While one publisher might embrace password sharing as an opportunity to grow its audience and expose its content to more prospective subscribers, another might reach the conclusion that it significantly hurts revenue. Factors such as the nature of content, audience size, business model, subscription price point, technology capabilities and even cash flow are key variables in this determination.
Publishers should also take care to make their own determinations about the importance of password sharing based on their specific businesses and needs, rather than relying on paywall technology and analytics providers, journalists and other parties to make it for them. Common arguments for turning a blind eye to password sharing often include:
- Users with shared passwords are unlikely to pay for a subscription anyway.
- It drives sampling and pushes audiences down the conversion “funnel”.
- It exposes new audiences to the value of a publisher’s content.
Those assertions may or may not be accurate for any given publisher, but they can also be used by technology providers to mask the fact they do not offer robust solutions for identifying or combating password sharing activity. Publishers should remember they know their businesses best, and make their own assessments.
Identifying password sharers
Pinpointing accurately which accounts are being used by multiple users is, unfortunately, nearly impossible. Subscribers often use their accounts legitimately across a range of devices, from a number of different locations and IP addresses, and increasingly via VPNs, proxies, and other technologies in an attempt to mask their behaviors and protect their data.
As a result, distinguishing a shared account from one that’s being used by one person is not an exact science. But by monitoring IP addresses, device types and other abnormal behavior — such as logging in from vastly different locations at the same time — publishers can at least track suspicious activity and begin to identify and quantify accounts they suspect might be sharing passwords.
Some paywall technology providers now offer the ability to measure and report on “suspicious” account activity, often to varying degrees of severity. For example, they may differentiate accounts that exhibit “possibly suspicious” behavior from those that are “very suspicious.” These tools may also be used to export data on suspicious accounts, such as email addresses, to be used to inform mitigation initiatives.
Technologically advanced publishers might alternatively opt to monitor their own traffic to identify potential password sharing activity, while plugins for content management systems such as WordPress might also be used to monitor login behavior and website usage patterns.
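As an added illustration (not code from any paywall provider or from this guide's authors), the sketch below flags accounts whose consecutive logins come from different devices at locations too far apart to travel between in the elapsed time, then sorts them into the "possibly suspicious" and "very suspicious" tiers mentioned above. The event format, the speed ceiling and the tier threshold are assumptions, and because VPN use by a legitimate subscriber can produce the same signal, the result is a list for review rather than proof of sharing.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events: (account, ISO timestamp, device id, lat, lon).
# Coordinates stand in for a geo-IP lookup of the login's source address.
EVENTS = [
    ("alice@example.com", "2024-05-01T09:00:00", "laptop-1", 40.71, -74.01),
    ("alice@example.com", "2024-05-01T18:30:00", "phone-1", 40.73, -73.99),
    ("bob@example.com", "2024-05-01T09:00:00", "laptop-7", 51.51, -0.13),
    ("bob@example.com", "2024-05-01T09:20:00", "tablet-2", 34.05, -118.24),
    ("bob@example.com", "2024-05-02T10:00:00", "phone-9", 35.68, 139.69),
    ("bob@example.com", "2024-05-02T10:05:00", "laptop-3", 48.86, 2.35),
    ("carol@example.com", "2024-05-01T08:00:00", "laptop-4", 52.52, 13.40),
    ("carol@example.com", "2024-05-01T08:30:00", "phone-5", 41.90, 12.50),
]

MAX_KMH = 900          # assumed ceiling: roughly airliner speed
VERY_SUSPICIOUS = 2    # assumed: this many impossible hops => top tier

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine), in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def classify(events):
    """Return {account: tier} using impossible-travel hops between logins."""
    by_account = defaultdict(list)
    for account, ts, device, lat, lon in events:
        by_account[account].append((datetime.fromisoformat(ts), device, lat, lon))
    tiers = {}
    for account, logins in by_account.items():
        logins.sort()
        hops = 0
        for (t1, d1, la1, lo1), (t2, d2, la2, lo2) in zip(logins, logins[1:]):
            # Floor the gap at one minute so simultaneous logins don't divide by zero.
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 60)
            if d1 != d2 and km_between(la1, lo1, la2, lo2) / hours > MAX_KMH:
                hops += 1
        tiers[account] = ("very suspicious" if hops >= VERY_SUSPICIOUS
                          else "possibly suspicious" if hops else "normal")
    return tiers
```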
Limiting password sharing
Publishers that decide to proactively address suspicious account activity should evaluate the following tactics, approaches and considerations:
Setting clear expectations
Before attempting to crack down on password sharers, publishers should first ensure that subscribers’ expectations have been clearly set, and that their permissions have been clearly communicated to them.
Any relevant terms, conditions or agreements should include specific language about what subscribers are and are not expected to do with their account credentials. Agreements should reserve publishers’ rights to remove access, reset passwords and/or otherwise curtail use if those conditions are abused. This might include specifying:
- That passwords and login credentials must not be shared with others.
- How many people can access a single account as part of their subscription agreement. (For example: 1 person per account.)
- How many devices may be used simultaneously.
- Whether or not generic or role based usernames or emails are permitted. (For example: [email protected])
Don’t hide behind T&Cs
While tucking away password sharing language deep in terms and conditions legalese might technically prohibit account sharing, publishers might also benefit from being clearer about what subscribers can and can’t do with their accounts before they purchase them. During the checkout process, subscribers could be required to explicitly agree not to share their account credentials, for example.
Be upfront about the problem
Some publishers might also find clear messaging explaining that they’re funded by reader contributions or subscriptions — and specifically explaining that password sharing threatens their ability to create content — can act as an effective password-sharing deterrent.
As outlined in the “Identifying password sharers” section, it’s near impossible to be 100% certain whether or not a subscriber has shared their password or account credentials with a third-party, or that more than one person is accessing the same account.
As a result, any suspicious account activity is, by default, a security issue – and one that publishers have a responsibility to take seriously. One approach to protecting the security and integrity of users’ accounts is to manually reset the passwords of any accounts that display suspicious activity over a given period of time. (The ability to reset passwords is baked into solutions offered by all major paywall technology providers.)
As a byproduct, regular account security measures like these can also help reduce the efficacy and appeal of password sharing, since anyone disclosing their account credentials will need to recirculate updated passwords or other login information. Even if a user shares new login credentials after being forced to update, they’ll pop up on any suspicious activity list once more, and the cycle continues.
If resetting passwords does not prove effective in mitigating suspected account sharing activity, manual outreach — typically via email — is the logical next step. Effective approaches include:
- Making subscribers aware that suspicious activity has been detected on their account (in the form of multiple logins), and that — for their own security — their password has been reset.
- Expressing concern that a third-party may have obtained and shared their login credentials with unknown entities.
- Stating that multiple logins have been detected, and explicitly asking if the subscriber may have accidentally shared their credentials with a third-party.
Outside of email, publishers might opt to flag suspicious activity to subscribers via on-site messaging such as popups or other notices, or to leverage other communication channels such as direct messaging or phone calls, if available and feasible.
Striking the right tone
In instances where users are being contacted because suspicious logins and activity have been detected, it’s important to remember:
- It’s near impossible to say with certainty that a user intentionally shared their password or login.
- Friendly emails are often more likely to elicit a favorable response than passive-aggressive or accusatory ones.
- Emails from real people and named email addresses are more likely to prove effective than those from generic addresses, or those in templated formats that are easier to ignore.
Role-based emails and other T&C violations
In instances where there’s a clear and demonstrable violation of terms by a subscriber, outreach can be far more specific and direct. For example, if an account is tied to a role-based email address that violates terms (such as [email protected]), the account owner can be gently informed and invited to update their account information accordingly. Tone remains important — and there’s likely little to be gained from coming across as accusatory — but pointing to a demonstrable violation of terms gives publishers a stronger leg to stand on than multiple logins does.
When password resets and attempts at manual outreach have proved ineffective, publishers might consider the more extreme course of action of disabling renewal of an account’s subscription term.
In instances of repeated logins from multiple devices, this action can be chalked up to ongoing security concerns. In those where a policy is being violated, publishers might wish to make clear that’s why renewal is being disabled. It’s typically best to avoid cancelling subscription terms before they expire or come up for autorenewal, however, to avoid the necessity to issue partial or full refunds.
For many publishers, there is little to prevent a password sharer from simply purchasing a new subscription using a different email address or credentials, but the action may at least signal that ongoing account abuse will continue to result in security checks, outreach, and account renewal roadblocks.
Password sharing as a growth opportunity
Given the technical difficulties with accurately identifying password sharing — and the operational overheads associated with manual outreach and mitigation tactics — some publishers opt to view password sharing as a growth opportunity rather than a threat.
As outlined above, publishers must weigh a range of variables when making such a determination, including the nature of their content and audience, price point, and more.
Here are some effective tactics for using password sharing to grow subscribers and recover potentially lost revenue and data.
Group subscription leads
While password sharing can result in lost revenue, it’s also a strong signal that there is demand for a publisher’s content. In many cases, subscribers do not purchase a subscription with the intent of sharing their account with multiple users (except when such intent is clearly telegraphed by the use of role-based email addresses). If given the benefit of the doubt, subscribers are likely to have signed up, seen value in the content and felt compelled to share it with others.
The most egregious or suspicious accounts therefore present strong opportunities for upselling to group subscriptions or, as is more common in B2B settings, potentially lucrative company-wide licenses.
Lists of accounts deemed highly likely to be password sharing can therefore represent powerful sales tools and highly qualified leads for sales teams. Outreach to such users may mention suspicious activity, or might instead focus on the fact that they’re being offered an exclusive and highly attractive discount on a group subscription by virtue of being a highly engaged reader or “power user.”
Once again, the personalized touch can work well in this scenario. For publishers with sales teams, lists of suspicious accounts should represent an appealing opportunity. For smaller publishers, direct outreach from editors can prove particularly effective.
Granting “bonus” accounts
Those publishers that suspect — or have come to expect — a high level of password sharing might consider offering subscribers the ability to share one or more complimentary accounts at no extra charge. This ability can be publicized in marketing materials or at the point of purchase, and can either be extended to all subscribers, or targeted more specifically to those accounts suspected of password sharing.
The bonus account tactic can have four key benefits:
- Recovers first-party data that would otherwise be lost, such as names, contact information, job titles, etc.
- Avoids skewing of behavioral data, since users will use independent accounts that reflect their own specific behaviors and interests.
- Enables highly qualified leads to sample subscriber-only content.
- Gets more users into the sales funnel, with the ability to gauge their interests, the value they’re extracting from the product, and the powerful option to market to them directly via email.
The bonus account tactic can prove particularly useful for publishers that see particular value in first-party audience data, and/or have relatively low-priced subscription products and other revenue streams. If they’re unable to recover lost revenue in the form of subscription payments, they can at least recover valuable data and, perhaps, the opportunity to cross-sell other products.
Whether a publisher has a formal referral program or not, offering suspected password sharers discounts for referring other subscribers can prove an effective method for curbing sharing behavior in the first place.
A password sharer might be offered an entirely free subscription for referring three other paying subscribers, for example, or might instead be compensated directly for every new subscriber they refer.
Password sharers are often viewed as a thorn in publishers’ sides, but with the right incentives they can be transformed into a highly effective referral engine.
Checklist and next steps
Password sharing presents a challenge for all subscription publishers. However, carefully selecting an approach to either embrace or crack down on it — depending on a publisher’s business model, products and priorities — can help limit password sharing activity or recover lost subscribers and revenue.