
YouTube’s ban on “instructional hacking and phishing” videos receives backlash from the infosec community

  • 04 Jul 2019

Updated: Added a mention of MalwareTech's article, which shows the bigger picture of how YouTube’s ban can suppress education and push aspirants toward shady websites to learn hacking, which is highly dangerous.

A month ago, in June, YouTube said in a blog post, “The openness of YouTube’s platform has helped creativity and access to information thrive. It’s our responsibility to protect that, and prevent our platform from being used to incite hatred, harassment, discrimination, and violence.”

YouTube said it plans to moderate content on its platform in three ways:
  1. Removing more hateful and supremacist content from the platform by banning supremacists, which will remove Nazis and other extremists who advocate segregation or exclusion based on age, gender, race, religion, sexual orientation, or veteran status.
  2. Reducing the spread of “borderline content and harmful misinformation”, such as videos promoting a phony miracle cure for a serious illness or claiming the earth is flat, and recommending videos from more authoritative sources, like top news channels, in its “next watch” panel.
  3. Suspending channels that repeatedly brush up against its hate speech policies from the YouTube Partner program. This means they will not be able to run ads on their channel or use other monetization features like Super Chat, which lets channel subscribers pay creators directly for extra chat features.


Following those lines, a few days ago, YouTube decided that it will ban all “instructional hacking and phishing” videos and listed it as “harmful or dangerous content” prohibited on its platform. YouTube mentioned that videos that demonstrate how to bypass secure computer systems or steal user credentials and personal data will be pulled from the platform.

This recent addition to YouTube’s content policy is a big blow to all users in the infosec industry who watch such videos for educational purposes or to develop their skills, and also to the infosec YouTube content creators who make a living maintaining dedicated cybersecurity channels. The written policy first appears in the Internet Wayback Machine's archive of web history in an April 5, 2019 snapshot.

According to The Register, "Lack of clarity about the permissibility of cyber-security related content has been an issue for years. In the past, hacking videos in years past could be removed if enough viewers submitted reports objecting to them or if moderators found the videos violated other articulated policies. Now that there's a written rule, there's renewed concern about how the policy is being applied".

Kody Kinzie, a security researcher, educator, and owner of the popular ethical hacking and infosec YouTube channel, Null Byte, tweeted that on Tuesday they could not upload a video because of the rule. He said the video was created for the US July 4th holiday to demonstrate launching fireworks over Wi-Fi.

https://twitter.com/KodyKinzie/status/1146196570083192832

Kinzie said that after blocking him from uploading videos, YouTube started to flag and remove his existing content and also issued a further strike on his channel.

https://twitter.com/fuzz_sh/status/1146197679434883074

https://twitter.com/KodyKinzie/status/1146202025513771010

"I'm worried for everyone that teaches about infosec and tries to fill in the gaps for people who are learning," Kinzie said via Twitter. "It is hard, often boring, and expensive to learn cybersecurity."

A lot of learners and the infosec community responded in support of Null Byte. YouTube then reversed its decision and removed the strikes, thereby restoring the channel to full functionality.

https://twitter.com/myexploit2600/status/1146327656658550785

https://twitter.com/KodyKinzie/status/1146566379962695681

The YouTube policy page includes a list for content creators on things they should be careful of while uploading content.


However, this is not a new policy, and YouTube highlights, “the article now includes more examples of content that violates this policy. There are no policy changes.”

According to Boing Boing, “This may sound like a commonsense measure but consider: the "bad guys" can figure this stuff out on their own. The two groups that really benefit from these disclosures are:

  1. Users, who get to know which systems they should and should not trust; and
  2. Developers, who learn from other developers' blunders and improve their own security.”


A YouTube spokesperson told The Verge that Kody Kinzie’s channel was flagged by mistake and the videos have since been reinstated. “With the massive volume of videos on our site, sometimes we make the wrong call,” the spokesperson said. “We have an appeals process in place for users, and when it’s brought to our attention that a video has been removed mistakenly, we act quickly to reinstate it.”

Dale Ruane, a hacker and penetration tester who runs a YouTube channel called DemmSec, told The Register via email that he believes this policy has always existed in some form. "But recently I've personally noticed a lot more people having issues where videos are being taken down," he said.

"It seems adding video tags or titles which could be interpreted as malicious results in your video being 'dinged,'” he said. "For example, I made a video about a tool which basically provided instructions of how to phish a Facebook user. That video was taken down by YouTube after a couple of weeks."

He also said, "I think the way in which this policy is written is far too broad. I also find the policy extremely hypocritical from a company (Google) that has a history of embracing 'hacker' culture and claims to have the goal of organizing the world's information."

YouTube has recently taken actions towards content moderation, like taking down videos fighting white supremacy alongside white supremacist content. Also, on May 30th Vox host Carlos Maza tweeted a thread that pointed to a pattern of homophobic harassment from conservative pundit Steven Crowder on YouTube. In one of his comments, Crowder referred to Maza as a “little queer,” “lispy queer,” and “the gay Vox sprite.” After several days of investigation, YouTube said that Crowder did not violate the platform’s policies, but the company did not provide any insight into its process, and it chose to issue an unsigned statement via a reply to Maza on Twitter.

Following YouTube’s decision, some Google employees said this does not send a positive message to everyone. An employee said, “This kind of makes me feel like it would be okay if my coworkers started calling me a lispy queer”. “...It’s the latest in a long series of really, really shitty behavior and double-talking on the part of my employer as pertains to anything to do with queer shit.”

After a lot of opposition from people, YouTube opted to demonetize Crowder’s channel, citing “widespread harm to the YouTube community resulting from the ongoing pattern of egregious behavior.” The company has now also promised to “evolve its policies” on harassment in response to widespread backlash to these moves. A lot of YouTube creators have publicly derided the company for its decision, calling it an unsurprising move from a platform they feel has failed to properly address harassment.

Likewise, the recent taking down of videos that help many users develop skills, out of fear that they could be misused, is not the right move either. Hackers can accomplish a lot without the help of these videos. Banning the videos may not make the platform more secure, nor will it prevent attackers from exploiting defects.

MalwareTech, in a blog post, writes, “when it comes to hacking, it matters not what is taught, but how and by whom. Context is extremely important, especially with a potential audience of young and impressionable teens. Hacking tutorials will always be available no matter what, the only real question is where”. The post also shows the bigger picture of how YouTube’s ban can suppress education and push aspirants toward shady websites to learn hacking, which is highly dangerous.
