Updated YouTube, under fire since inception for building a business on other people's copyrights and in recent years for its vacillating policies on irredeemable content, recently decided it no longer wants to host instructional hacking videos.
The written policy first appears in the Internet Wayback Machine's archive of web history in an April 5, 2019 snapshot. It forbids: "Instructional hacking and phishing: Showing users how to bypass secure computer systems or steal user credentials and personal data."
Lack of clarity about the permissibility of cybersecurity-related content has been an issue for years. In the past, hacking videos in years past could be removed if enough viewers submitted reports objecting to themor if moderators found the videos violated other articulated policies.
Now that there's a written rule, there's renewed concern about how the policy is being applied.
Kody Kinzie, a security researcher and educator who posts hacking videos to YouTube's Null Byte channel, on Tuesday said a video created for the US July 4th holiday to demonstrate launching fireworks over Wi-Fi has been removed because of the rule.
"I'm worried for everyone that teaches about infosec and tries to fill in the gaps for people who are learning," he said via Twitter. "It is hard, often boring, and expensive to learn cybersecurity."
The Register asked Google's YouTube for comment but we've not heard back.
Security professionals find the policy questionable. "Very simply, hacking is not a derogatory term and shouldn’t be used in a policy about what content is acceptable," said Tim Erlin, VP of product management and strategy at cybersecurity biz Tripwire, in an email to The Register.
"Google’s intention here might be laudable, but the result is likely to stifle valuable information sharing in the information security community."
Erlin said that while it may be reasonable to block content that shows actual illegal activities, like breaking into a specific organization's systems, instructional videos play an important role in cybersecurity education.
"In cybersecurity, we improve our defenses by understanding how attacks actually work," said Erlin. "Theoretical explanations are often not the most effective tools, and forcing content creators onto platforms restricted in distribution, like a paid training course, simply creates roadblocks to the industry. Sharing real world examples brings more people to the industry, rather than creating more criminals."
Tyler Reguly, manager of security R&D at Tripwire, said censorship has been a concern among YouTube video makers for some time. In an email to The Register, he expressed sympathy for the challenge YouTube faces as a business.
"If YouTube wants advertisers to pay, they need to be aware of the content they are allowing," he said. "We tend to forget that these websites exist to make money, not for the betterment of society."
But he noted that YouTube's policies aren't easy to interpret and there may be reasons Kinze's video got flagged, such as the fact that it deals with fireworks.
"The YouTube system, based on reports that I’ve seen in the past, is quite arbitrary and difficult to understand, even as a YouTuber working directly with the company, nothing is as straightforward as it seems," he said.
Dale Ruane, a hacker and penetration tester who runs a YouTube channel called DemmSec, told The Register via email that he believes this policy has always existed in some form. "But recently I've personally noticed a lot more people having issues where videos are being taken down," he said.
Read more here