YouTube Moves to Prohibit Hacking Videos
Earlier this week, Alphabet Inc. owned video streaming platform YouTube updated its content policy to explicitly prohibit the sharing of instructional hacking and phishing videos. In this briefing we will take a look at these changes, the initial impact, and the expected long term implications from such actions.
YouTube made an addition to its harmful or dangerous content policy, explicitly stating that videos containing "Instructional hacking and phishing: Showing users how to bypass secure computer systems or steal user credentials and personal data” were no longer permitted on the site.
The policy also states that exceptions were made for “A video that depicts dangerous acts may be allowed if the primary purpose is educational, documentary, scientific, or artistic (EDSA), and it isn’t gratuitously graphic.”
The current state of instructable hacking videos on YouTube
This new policy doesn’t come out of nowhere. There is no shortage of videos on the platform that clearly show criminal behavior such as tutorials for cracking software which may contain serial numbers or links to cracking tools.
There are also many purely educational videos on the platform that can be seen as a form of awareness training for users.
The problem with the new policy arises out of two factors:
There is a large grey area between the two extremes. A video demonstrating a basic hacking technique like SQL injection against a prepared target is clearly educational. However it also teaches a skill that can easily be abused once mastered. Our estimates are that around 20% of hacking videos are purely malicious and purely educational respectively with the remaining 60% of contents falling into the above grey area.
YouTube heavily relies on automatic content moderation. With thousands of hours of content uploaded every day, the company struggles to perform manual human reviews of all of their contents. As such, it uses automatic content classification at several points in time. All videos are analyzed for copyright infringement and gross policy violations when uploaded and then analyzed again if they are reported by users. Notably, it is possible for videos to be removed and accounts to be blocked without any human verification. Paired with a notoriously tedious appeals process and the large grey area of information security contents on YouTube, many benevolent contents are likely to be automatically removed in the coming days and months.
The short term impact
The biggest incident within the first 24 hours of the policy change was the partial suspension of a popular educational information security account called Null Byte. It is unclear what particular videos led to the channel being singled out. Overall, it is Reflare’s opinion that the channel clearly fits into the legitimate side of educational information security content. The channel has since been restored by YouTube but this appears to be mostly due to the outcry the suspension caused on social media.
Channels with smaller and less vocal followings, or channels with more controversial contents are significantly less likely to recover.
The long term impact
The coming months will show just how many channels will be suspended under the new rules. If enforcement is reasonable, we expect no major changes. If enforcement is arbitrary or harsh, many channels will move off YouTube while others will stop producing contents altogether. This in turn could well have a negative impact on the available information security workforce into the future since many adolescents currently gain their first understanding of hacking techniques through YouTube. However, it is also reasonable to suspect that such content migrating to other platforms could well balance this out.
The channels moving off YouTube are likely to find several new homes. One group of content creators will look to move their content to PornHub. While that is a seemingly odd choice, this is precisely what happened when YouTube began limiting what gun related contents could be uploaded. A second group will likely migrate to much darker parts of the internet much more clearly related to illegal activities. The last group will turn commercial and host their contents only of for-pay platforms such as udemy. Overall, the quality of freely available information security education would suffer in this scenario.