YouTube Hacking Video Ban Sparks Outrage

This article is more than 4 years old.


YouTube has sparked outrage after wrongly removing legitimate educational cybersecurity videos as a result of a new written policy. 

According to tech site The Register, the written policy first appeared in the Internet Wayback Machine's archive in an April 5, 2019 snapshot.

The policy specifically bans: "Instructional hacking and phishing: Showing users how to bypass secure computer systems or steal user credentials and personal data."

But the infosec community says this policy is broken, because it’s seeing viable educational content also being removed. This content has been used by security professionals and businesses for many years to hone their skills and learn about new threats.

The issues with YouTube’s written policy on hacking videos became clear when security researcher Kody Kinzie complained to The Register after his video created for the U.S. July 4 holiday–which showed launching fireworks over Wi-Fi–couldn't be uploaded. He claimed he had also had issues with other content he had tried to post to YouTube's Null Byte channel.

YouTube’s response

Kinzie tweeted on July 3: “We made a video about launching fireworks over Wi-Fi for the 4th of July only to find out @YouTube gave us a strike because we teach about hacking, so we can't upload it.”

YouTube has now reinstated the video. It responded to Kinzie on Twitter, saying: “Our policy team reviewed the flagged video and determined that it was taken down by mistake. We have gone ahead and reinstated the video and resolved the strike on your channel. We hope you can upload the 4th of July fireworks video now!”

YouTube also sent a statement via email. A spokesperson says: “With the massive volume of videos on our site, sometimes we make the wrong call. We have an appeals process in place for users, and when it’s brought to our attention that a video has been removed mistakenly, we act quickly to reinstate it.”

It is thought Kinzie’s video was banned because it was mistaken for “hacking” content: something that provides reproducible steps to gain unauthorized access to a secure system, for example where the victim is a large institution.

YouTube has been accused of wrongly taking down valid content before. In the past, it has come under fire for wrongly flagging content showing war crimes as violent or extremist, to the frustration of human rights activists.

As far as cybersecurity videos are concerned, YouTube often removed them previously if enough users complained–or if they were found to have violated the written policies of Google’s video site.

YouTube: Infosec community response

The video that sparked the debate is now available again, but the issue has raised concern among infosec professionals, who question the clarity of the policy overall. “It is concerning that the Harmful and Dangerous Community Content Policy is quite broad in its definition which means legit videos may be taken down as a result–especially when said policy uses the word ‘hacking’ in a derogatory way,” says security researcher Chrissy Morgan.

At the same time, it is not clear exactly how YouTube is flagging these videos for removal. It removes extremist content via a machine learning algorithm which will auto-flag videos that violate YouTube policies. It is thought a human also views content flagged by the machine learning algorithm.

Morgan says social media moderation teams “already have a hard enough time” meeting requirements, asking: “I wonder how they will perform under something which may fall down to technicalities.”

“While I do see perhaps their reasoning, providing a blanket ban is affecting those who use these videos legitimately,” agrees security researcher Sean Wright. He says Google should revisit this policy “since it is simply too broad.”

“These videos provide a great opportunity to many who otherwise could not afford the training to help them get into the industry and better their careers–as well as helping secure their organizations.”

Wright also wonders what the cause is for this "sudden" policy change. “What will be Google's next move? Ban search results on 'hacking' books?”

YouTube policy in the long term

What the policy means for educational security videos on YouTube in the long term is still unknown. But the security community agrees that if legitimate videos continue to be taken down, it will cause major issues. “It would be a big loss of free online training content,” says security researcher John Opdenakker. “I don’t get why they do it to be honest. Even black hat hacking videos are beneficial to defenders. Blocking all hacking videos to me is a really poor decision.”

“YouTube needs to state clearly what is acceptable and how legitimate videos can continue to be shared online within this area,” says Morgan. “Are publicly disclosed and patched vulnerabilities going to be an issue to give coverage to? Are adaptions and modifications, any tampering to serve a greater good but against TOS or EULAs going to be taken down?”

Morgan also expresses concern for smaller providers, who she says could find themselves silenced. “We may lose these resources as a result.”

But some experts think this could be an opportunity for other online video platforms: “A lot of people will be not amused by this–and previous recent actions from Google,” Opdenakker says.

“Online learning has taken away many barriers for people, and people will adapt,” agrees Morgan. “If YouTube will not host it, someone else will.”