Following those lines, a few days ago, YouTube decided that it will ban all “instructional hacking and phishing” videos and listed it as “harmful or dangerous content” prohibited on its platform. YouTube mentioned that videos that demonstrate how to bypass secure computer systems or steal user credentials and personal data will be pulled from the platform.
This recent addition to YouTube’s content policy is a big blow to all users in the infosec industry watching such videos for educational purposes or to develop their skills and also to the infosec Youtube content creators who make a living on maintaining dedicated channels on cybersecurity. The written policy first appears in the Internet Wayback Machine's archive of web history in an April 5, 2019 snapshot.
According to The Register, "Lack of clarity about the permissibility of cyber-security related content has been an issue for years. In the past, hacking videos in years past could be removed if enough viewers submitted reports objecting to them or if moderators found the videos violated other articulated policies. Now that there's a written rule, there's renewed concern about how the policy is being applied".
Kody Kinzie, a security researcher, educator, and owner of the popular ethical hacking and infosec YouTube channel, Null Byte, tweeted that on Tuesday they could not upload a video because of the rule. He said the video was created for the US July 4th holiday to demonstrate launching fireworks over Wi-Fi.
https://twitter.com/KodyKinzie/status/1146196570083192832
After refraining Kinzie from uploading videos, he said that YouTube started to flag and remove his existing content and also issued a further strike on his channel.
https://twitter.com/fuzz_sh/status/1146197679434883074
https://twitter.com/KodyKinzie/status/1146202025513771010
"I'm worried for everyone that teaches about infosec and tries to fill in the gaps for people who are learning," Kinzie said via Twitter. "It is hard, often boring, and expensive to learn cybersecurity."
A lot of learners and the infosec community responded in support of Null Byte. YouTube then reversed its decision and removed the strikes, thereby restoring the channel to full functionality.
https://twitter.com/myexploit2600/status/1146327656658550785
https://twitter.com/KodyKinzie/status/1146566379962695681
The YouTube policy page includes a list for content creators on things they should be careful of while uploading content.
However, this is not a new policy and Youtube highlights, “the article now includes more examples of content that violates this policy. There are no policy changes.”
According to Boing Boing, “This may sound like a commonsense measure but consider: the "bad guys" can figure this stuff out on their own. The two groups that really benefit from these disclosures are:
A YouTube spokesperson told The Verge that Kody Kinzie’s channel was flagged by mistake and the videos have since been reinstated. “With the massive volume of videos on our site, sometimes we make the wrong call,” the spokesperson said. “We have an appeals process in place for users, and when it’s brought to our attention that a video has been removed mistakenly, we act quickly to reinstate it.”
Dale Ruane, a hacker and penetration tester who runs a YouTube channel called DemmSec, told The Register via email that he believes this policy has always existed in some form. "But recently I've personally noticed a lot more people having issues where videos are being taken down," he said.
"It seems adding video tags or titles which could be interpreted as malicious results in your video being 'dinged,'” he said. "For example, I made a video about a tool which basically provided instructions of how to phish a Facebook user. That video was taken down by YouTube after a couple of weeks."
He also said, "I think the way in which this policy is written is far too broad. I also find the policy extremely hypocritical from a company (Google) that has a history of embracing 'hacker' culture and claims to have the goal of organizing the world's information."
YouTube has recently taken actions towards content moderation, like taking down videos fighting white supremacy alongside white supremacist content. Also, on May 30th Vox host Carlos Maza tweeted a thread that pointed to a pattern of homophobic harassment from conservative pundit Steven Crowder on Youtube. In one of his comments, Crowder referred to Maza as a “little queer,” “lispy queer,” and “the gay Vox sprite.” After several days of investigation, YouTube said that Crowder did not violate the platform’s policies, but the company did not provide any insight into its process, and it chose to issue an unsigned statement via a reply to Maza on Twitter.
Following YouTube’s decision, some Google employees said this does not send a positive message to everyone. An employee said, “This kind of makes me feel like it would be okay if my coworkers started calling me a lispy queer”. “...It’s the latest in a long series of really, really shitty behavior and double-talking on the part of my employer as pertains to anything to do with queer shit.”
After a lot of opposition from people, YouTube opted to demonetize Crowder’s channel, citing “widespread harm to the YouTube community resulting from the ongoing pattern of egregious behavior.” The company has now also promised to “evolve its policies” on harassment in response to widespread backlash to these moves. A lot of YouTube creators have publicly derided the company for its decision calling it an unsurprising move from a platform they feel has failed to properly address harassment.
Also, the recent taking down of videos that benefit a lot of users to develop skills with a fear that it can be misused, is not a correct move too. Hackers can implement a lot of stuff without the help of these videos. Youtube banning videos may not make the platform more secure, nor will it prevent attackers from exploiting defects.
MalwareTech in its blog post mentions, “when it comes to hacking, it matters not what is taught, but how and by whom. Context is extremely important, especially with a potential audience of young and impressionable teens. Hacking tutorials will always be available no matter what, the only real question is where”. In its post, MalwareTech has also shown a bigger picture of how YouTube’s ban can suppress education and the aspirants may turn to other shady websites to learn hacking, which is highly lethal.
FTC to investigate YouTube over mishandling children’s data privacy
YouTube disables all comments on videos featuring children in an attempt to curb predatory behavior and appease advertisers
Facebook fined $2.3 million by Germany for providing incomplete information about hate speech content