MODERN DATA SECURITY FOR FILM FESTIVALS
We've shared the following in the interest of transparency. These Standards & Procedures are a work in progress targeting our 2026 edition in October. Please direct feedback to info@berlinscifi.org.
Berlin Sci-Fi Filmfest
IP Security Standards & Procedures
For the 2026 season of the Berlin Sci-Fi Filmfest, we are introducing a modernized security and distribution framework designed specifically for the needs of independent speculative cinema. This will incur no cost or additional effort to the filmmaker, yet provide a screening experience more secure than a traditional DCP by deploying modern cybersecurity protocols and procedures for protecting data.
While the DCP format is still an available option for filmmakers who wish to screen their work at the Berlin Sci-Fi Filmfest, from our end we can see the gaps and faults in the DCP approach in 2026. The James Bond-esque carrying case and specialized drive housing made exclusively for specialized projectors create a high bar of entry for secure distribution and screening, incurring unnecessary costs for an independent filmmaker when superior methods exist which are indeed standard in industries less bound by tradition and gatekeepers. The KDM restrictions on screening time can be circumvented with a simple toggle in DCP-o-matic. And an unencrypted DCP offers no advantages, only drawbacks. After all, the files are ridiculously large.
Our mission is to nurture and cultivate science fiction in Berlin through a hopeful, green, and democratic perspective. To achieve this, we are moving beyond traditional, high-friction industry standards to a more accessible, software-defined security pipeline.
Our Goals:
Eliminate Entry Barriers: By removing the "DCP tax," we ensure that a filmmaker’s budget is spent on their art, not on expensive proprietary encoding and key management.
Modernized Security: We replace "security theater" with enterprise-grade protection, utilizing Google Nonprofit cloud encryption for transit and Windows 11 kernel-level lockdowns for playback.
Human-verified Certificate of Disposal: Ensuring your intellectual property is handled with professional integrity and legally binding transparency.
For the 2026 Berlin Sci-Fi Filmfest, our technical architecture is built upon globally recognized cryptographic and data-handling standards. By adhering to these benchmarks, we ensure that the transition away from DCI-hardware-based encryption does not result in a compromise of security or quality.
1. Data Encryption Standards (Transit and At-Rest)
AES-256 (Advanced Encryption Standard): All film assets stored within our Google Nonprofit Cloud and on local festival hardware are protected by 256-bit AES encryption. This is the same standard utilized by financial institutions and government agencies for Top Secret data.
TLS 1.3 (Transport Layer Security): All HTTPS ingest portals utilize TLS 1.3 to ensure that files are encrypted while in transit from the filmmaker to our servers, preventing "man-in-the-middle" interceptions.
2. Data Sanitization & Disposal Standards
All data sanitization is performed in accordance with ISO/IEC 27040 and NIST SP 800-88 Rev. 1 ("Clear" level), meeting the secure disposal requirements mandated by the EU General Data Protection Regulation (GDPR) and the German DIN 66399 standard.
3. Operational Security Standards
Principle of Least Privilege (PoLP): Our internal account structures comply with PoLP standards. Projectionist accounts are restricted at the kernel level to "Read-Only" access, preventing the unauthorized copying or modification of intellectual property.
FIPS 140-2/3: Any hardware modules used for encryption (including TPM chips in our Windows 11 laptops) comply with Federal Information Processing Standards for cryptographic modules.
For the 2026 Berlin Sci-Fi Filmfest, our data handling procedures are designed to protect filmmaker intellectual property (IP) through every stage of the festival lifecycle. This verbose SOP (Standard Operating Procedure) outlines the end-to-end journey of a film asset.
Phase 1: Secure Ingest & Verification
Direct Ingest Portal: Once a film is officially accepted, the filmmaker receives a unique, time-sensitive HTTPS upload link generated via our Google Workspace for Nonprofits. This connection uses TLS 1.3 to encrypt data in transit.
Encryption at Rest (Cloud): Upon successful upload, the asset is automatically stored in a restricted Google Drive folder encrypted with AES-256. Access is limited exclusively to the Festival Director and Lead Technician.
Phase 2: Local Processing & Lockdown
Transfer to Secure Local Volume:
Log in to the Google Workspace for Nonprofits festival account.
Navigate to the restricted AES-256 encrypted folder containing the film assets.
Select the film file and choose Download.
Critical: When the browser prompt appears, set the download destination directly to the mounted VeraCrypt volume on the external SSD.
This ensures that no unencrypted fragments of the film remain on the laptop's primary storage surface.
NTFS Permission Hardening: Within the mounted drive, the file permissions are set to Read & Execute for projectionist accounts, while Write and Modify permissions are explicitly denied to prevent accidental alteration or unauthorized copying.
Phase 3: Exhibition Security
Kiosk Mode Environment: On screening days, projectionists log into a Windows 11 Multi-App Kiosk account. This kernel-level lockdown restricts the user to a single media player interface, hiding the desktop, File Explorer, and system settings to prevent "backdoor" file copying.
Hardware Isolation: Before the first screening, all non-essential hardware ports and wireless radios (Wi-Fi, Bluetooth, and secondary USB ports) are disabled at the driver level to prevent data exfiltration. The encrypted media drive connects to a USB port configured to only allow connections from that particular drive.
On-the-Fly Decryption: During playback, the laptop's CPU (or dedicated hardware-accelerated BitLocker silicon on 2026-model devices) decrypts the data in real-time. No unencrypted version of the film ever exists on the physical disk surface during the screening process.
Phase 4: Certified Disposal & Documentation
Secure Sanitization: At the conclusion of the festival, all film assets are deleted using the NIST SP 800-88 Rev. 1 "Clear" standard.
Logical Overwriting: Rather than simple deletion, our 2026 software tools perform a verified overwrite of the media's storage sectors, rendering data recovery infeasible even with laboratory-grade forensic tools.
Sanitization Validation: The software generates a detailed log file confirming that every data block associated with the film has been successfully purged and verified.
Issuance of Certificate: Finally, the filmmaker is sent an official Certificate of Data Disposal (compliant with ISO/IEC 27040). This document includes the specific sanitization method, hardware identifiers, and a timestamp of the destruction, providing a legal and technical guarantee that their IP has been removed from all festival systems.
To ensure technical continuity, the following procedures must be followed by the Technical Director to harden festival laptops and deploy the restricted playback environment on Windows 11.
1. System-Level Hardware Hardening
Before creating user accounts, the following hardware-level restrictions must be applied to prevent data exfiltration or unauthorized network access:
Disable Wireless Radios
Open Device Manager and locate Network Adapters and Bluetooth. Right-click and select Disable device for all Wi-Fi and Bluetooth controllers.
Identify the Authorized Drive's Hardware ID
Before locking the system, you must "teach" Windows which drive is allowed:
Plug the authorized external drive into the laptop.
Open Device Manager (Win + X > Device Manager).
Expand Disk drives, right-click your external drive, and select Properties.
Go to the Details tab and change the Property dropdown to Hardware Ids.
Right-click and Copy the top string (it usually looks like USBSTOR\Disk...). Keep this in a text file.
Configure Group Policy Whitelisting
Use the Local Group Policy Editor (gpedit.msc) to enforce the restriction:
Navigate to: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions.
Allow the Specific Drive
Find the policy "Allow installation of devices that match any of these device IDs".
Set it to Enabled, click Show..., and paste the Hardware ID you copied earlier.
Repeat this process for each exhibition drive.
Block Everything Else
Find the policy "Prevent installation of devices not described by other policy settings".
Set this to Enabled.
Critical: Ensure "Apply layered order of evaluation..." is enabled if prompted, to ensure "Allow" rules take priority over "Prevent" rules.
The Result: If a projectionist tries to plug in their own personal USB thumb drive, Windows will detect it but refuse to install the driver, showing an "Access is denied" or "Installation forbidden" message.
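To confirm the policy actually landed before a laptop goes to the venue, the following read-only audit can be run from an elevated PowerShell prompt (an added example, not part of the festival's own tooling). It assumes the registry value names that back these Group Policy settings under `DeviceInstall\Restrictions` (`AllowDeviceIDs`, `DenyUnspecified`, `AllowDenyLayered`); confirm them against `gpresult /h` output on your Windows 11 build.

```powershell
# Added example: read-only audit of the Device Installation Restrictions policy.
# Assumption: registry value names below are the ones the GPO settings write.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Test-PolicyFlag([string]$Name) {
    # True when the policy's DWORD value exists under $base and equals 1.
    $p = Get-ItemProperty -Path $base -Name $Name -ErrorAction SilentlyContinue
    return (($null -ne $p) -and ($p.$Name -eq 1))
}

# Hardware IDs pasted into the "Allow installation of devices that match
# any of these device IDs" list (stored as numbered string values).
$allowed = @()
$listKey = Join-Path $base 'AllowDeviceIDs'
if (Test-Path $listKey) {
    $key = Get-Item -Path $listKey
    $allowed = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

[pscustomobject]@{
    AllowListEnabled  = (Test-PolicyFlag 'AllowDeviceIDs')    # allow-list policy is on
    BlockUnspecified  = (Test-PolicyFlag 'DenyUnspecified')   # "Prevent installation of devices not described..."
    LayeredEvaluation = (Test-PolicyFlag 'AllowDenyLayered')  # "Apply layered order of evaluation..."
    AllowedIdCount    = $allowed.Count
} | Format-List

# Compare every disk that is currently attached against the allow list.
# Internal disks will show as not listed; each exhibition drive should be.
Get-PnpDevice -Class DiskDrive -PresentOnly | ForEach-Object {
    $ids = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                -KeyName 'DEVPKEY_Device_HardwareIds').Data
    [pscustomobject]@{
        FriendlyName  = $_.FriendlyName
        InstanceId    = $_.InstanceId
        TopHardwareId = $ids | Select-Object -First 1
        # -contains is case-insensitive, matching how Windows compares IDs.
        OnAllowList   = [bool]($ids | Where-Object { $allowed -contains $_ })
    }
} | Format-Table -AutoSize
```

All three flags should read `True`, and every exhibition drive should show `OnAllowList = True` while it is plugged in.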
Encrypting External Media Drives: To ensure the security of media at rest when drives are physically transported or stored, all external drives must be encrypted using free/open-source software before first use.
Tool: Use VeraCrypt (verified open-source AES-256 encryption).
One-Time Setup: This is an administrative procedure performed once per drive. The drive is permanently formatted as an encrypted volume.
Procedure:
Install and run VeraCrypt as an administrator.
Select "Create Volume" and follow prompts to encrypt the entire drive partition.
Use default settings (AES encryption, SHA-512 hash).
Set a strong, secure password known only to the Technical Director and Festival Director.
Mounting for Playback: The encrypted drive must be "mounted" (unlocked with the password) by an administrator before the projectionist logs into their kiosk session.
Security: When "dismounted" or powered off, the drive is a locked, unreadable data blob. The drive remains secure if lost or stolen.
2. Kiosk Configuration (Assigned Access)
The "Kiosk" is a kernel-level restricted environment that prevents projectionists from accessing the desktop, File Explorer, or settings.
Create the Base Account: Navigate to Settings > Accounts > Other Users and create a Standard Local User account (e.g., "Projectionist_Kino"). Do not grant administrator rights.
Configure Assigned Access:
In the same Other Users menu, find the Kiosk section and select Get started.
Choose a unique name for the kiosk profile and link it to the previously created "Projectionist_Kino" account.
Select the Playback Application: Select the approved festival player (e.g., DCP-o-matic Player or VLC) as the designated kiosk app.
Note: In 2026, if using a non-UWP (Win32) app like VLC, the Technical Director may need to use Shell Launcher via PowerShell to replace explorer.exe with the player's path.
Set Read-Only NTFS Permissions: After the administrator has mounted the encrypted external drive using VeraCrypt, specific file system permissions must be applied:
Right-click the mounted drive/folder, go to Properties > Security.
Set the "Projectionist_Kino" account to have Read & Execute and Read permissions only.
Explicitly Deny "Full Control," "Modify," and "Write" to prevent unauthorized copying or deletion of the film files during screening hours.
3. Storage Volume Lockdown
Mount the VHDX: Mount the BitLocker-encrypted Virtual Hard Disk that will contain the festival screeners.
Set Read-Only NTFS Permissions:
Right-click the mounted drive/folder, go to Properties > Security.
Set the "Projectionist_Kino" account to have Read & Execute and Read permissions only.
Explicitly Deny "Full Control," "Modify," and "Write."
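The NTFS permission steps in Phase 2 ("NTFS Permission Hardening") and in the two "Set Read-Only NTFS Permissions" lists above can be scripted and verified as follows (an added example, not the festival's own script). It denies the individual write, delete and permission-change rights rather than the Full Control or Modify bundles, because a Deny entry for either bundle also covers the read rights the player needs. Assumed names: the volume is mounted as `V:` and the local account is `Projectionist_Kino`.

```powershell
# Added example. Assumptions: mounted volume is V:, local account Projectionist_Kino.
# Run elevated, after the administrator has mounted the encrypted volume.
$Root    = 'V:\'
$Account = "$env:COMPUTERNAME\Projectionist_Kino"

# ACLs exist only on NTFS; on an exFAT or FAT32 volume there is nothing to enforce.
$format = ([System.IO.DriveInfo]::new($Root)).DriveFormat
if ($format -ne 'NTFS') { throw "Volume $Root is $format, not NTFS; ACLs cannot be enforced." }

# Apply to the root and let every folder and file below inherit the entries.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

$allow = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Account, 'ReadAndExecute', $inherit, $prop, 'Allow')

# Deny only the mutating rights. Deny entries are evaluated before Allow entries,
# so denying Full Control or Modify here would also block reading the film.
$deny = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Account,
    'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    $inherit, $prop, 'Deny')

$acl = Get-Acl -Path $Root
$acl.AddAccessRule($allow)
$acl.AddAccessRule($deny)
Set-Acl -Path $Root -AclObject $acl

# Verify: re-read the ACL and show only the projectionist's entries.
(Get-Acl -Path $Root).Access |
    Where-Object { $_.IdentityReference -like '*\Projectionist_Kino' } |
    Format-Table AccessControlType, FileSystemRights, InheritanceFlags -AutoSize
```

The expected result is one Allow entry for ReadAndExecute and one Deny entry for the write and delete rights. These entries stop alteration and deletion on the volume; keeping a readable file from being copied elsewhere depends on the kiosk and device-installation restrictions configured earlier.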
4. Final Deployment Check
Auto-Logon: Configure the laptop to automatically log into the Kiosk account upon boot.
Sign-Out Security: Verify that the Ctrl + Alt + Delete shortcut is the only way to exit the session, which should immediately return the user to the Windows login screen.
Notifications: Ensure "Focus Assist" is set to "Alarms Only" or "Off" to prevent OS pop-ups from appearing over the video output during a screening.
Imprint/Legal Notice
Information pursuant to § 5 DDG
Berlin Sci-Fi Film Fest
Berlin Sci-Fi FilmFest c/o Schneider
Paulsborner Straße 9
10709 Berlin
Represented by:
Harold Schneider
Dr. Isabella Hermann
Contact:
Telephone: +49 162 215 7171
Email: hal@berlinscifi.org
Editorial responsibility:
Berlin Sci-Fi FilmFest c/o Schneider
Paulsborner Straße 9
10709 Berlin
Telephone: +49 162 215 7171
Email: hal@berlinscifi.org
EU Dispute Settlement
The European Commission provides a platform for online dispute resolution (ODR):
https://ec.europa.eu/consumers/odr/.
Our e-mail address can be found above in the imprint.
Consumer dispute resolution/universal arbitration board
We are not willing or obliged to participate in dispute resolution proceedings before a
consumer arbitration board.
Source: https://www.e-recht24.de