YouTube policy on removing ‘instructional hacking’ content causes infosec community outrage

Videos removed from a prominent educational channel brought the policy to light. Supporters fought back.

YouTube instructional hacking videos: To ban or not to ban YouTube removed 'instructional hacking' content from a prominent educational channel. Supporters fought back.

YouTube recently decided that instructional content in the realm of cybersecurity, including hacking how-to videos, were not acceptable on the ad-driven video platform. 

There is a gray area to be sure when it comes to teaching people not only how to hack but also educating users more broadly about the infosec industry -- and this fine line between educational purposes and guides for more nefarious activities needs to be publicly maintained. 

However, you can tell the difference, for example, between a guide on what various types of vulnerabilities are and a video on how to create ransomware, and what appeared to be a recent policy change at YouTube has managed to cause an uproar. 

As reported by 9to5Google, Google's YouTube updated its content policy this week to spell out what is considered "harmful or dangerous content."

The list includes "Instructional hacking and phishing: Showing users how to bypass secure computer systems or steal user credentials and personal data."

screenshot-2019-07-04-at-07-58-15.png

Originally, it seemed that the policy change was new, but as reports surfaced of the changes, YouTube added a comment to the policy page insisting "[this] now includes more examples of content that violates this policy. There are no policy changes."

See also: Facebook abused to spread Remote Access Trojans since 2014

At the same time, Null Byte, a well-regarded ethical hacking channel, noticed a strike on a video concerning the WPS-Pixie Wi-Fi vulnerability, which meant the content creator, Kody Kinzie, was unable to upload a video designed for the 4th July celebrations.  

As one YouTuber pointed out, a ban like this, when YouTube had not even seen the video due to be uploaded, could be seen as "like a potential death for cybersecurity educational videos."

Learners and the infosec community at large responded in support of Null Byte. YouTube then reversed its decision and removed the strikes, thereby restoring the channel to full functionality. 

screenshot-2019-07-04-at-08-05-33.png

CNET: TikTok is being investigated over children's privacy again, report says

There is an exception to the rules which allows videos that serve a "primary purpose [which] is educational, documentary, scientific, or artistic (EDSA)." The company insists the removal was coincidental rather than being caused by a policy change. 

"With the massive volume of videos on our site, sometimes we make the wrong call," a YouTube spokesperson told The Verge. "We have an appeals process in place for users, and when it's brought to our attention that a video has been removed mistakenly, we act quickly to reinstate it."

TechRepublic: Cyberwar risk: Utilities fail to patch critical security vulnerabilities often enough

Content moderation on a platform of YouTube's scale is no small task, and yes, sometimes mistakes can be made. However, YouTube provides a home for a flourishing group of individuals interested in learning about cybersecurity -- perhaps with a future career in mind -- who may not be able to afford or have the time to take dedicated infosec courses. The loss of such a resource for those wanting to learn for ethical purposes would be a terrible thing for the community at large. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0