YouTube’s Policy on Hacking Tutorials is Problematic

Recently YouTube changed its policy on “hacking” tutorials to an essential blanket ban. In the past, such content was occasionally removed under YouTube’s broad “Harmful and Dangerous Content” clause, which prohibited videos “encouraging illegal activity”. An updated policy now specifically targets instructional hacking videos.

YouTube’s previous policy simply banned “encouraging dangerous or illegal activities” with a few examples given.
The new policy sets out a much more specific list of content, including explicitly banning “instructional hacking and phishing”.

One major problem here is that hacking tutorials are not inherently bad. There exist a vast YouTube community aimed at teaching the next generation of cyber security experts.

If you were to ask someone to identify a person breaking into a house, in most cases they’d be able to. Everyone knows it’s possible to climb through an open window, but how many could identify a hacker breaking into a website? Probably very few. Without knowing what it is hackers do, or how they do it, how can someone possibly be expected to prevent or stop them? The answer is simple: they can’t.

It’s not like this policy is just a precaution either. Kody Kinzie, a well known YouTuber and Blogger, who makes educational security content has already had his account suspended as a result.

We made a video about launching fireworks over Wi-Fi for the 4th of July only to find out @YouTube gave us a strike because we teach about hacking, so we can’t upload it.

YouTube now bans: “Instructional hacking and phishing: Showing users how to bypass secure computer systems”

— Kody (@KodyKinzie) July 2, 2019

Regardless the intention of YouTube’s new policy, it’s naive to think that your average moderators will be even be able to distinguish between “good” and “bad” hacking video.

The Bigger Picture

YouTube’s ban on hacking tutorials is just a small part of a much bigger problem: the long held belief that all hacking is bad. It is imperative that we understand there is legitimate use for all hacking knowledge. Let’s consider some hacking skills which are commonly, though wrongly, understood to be illegal or unethical.

  • Credit Card Fraud Unethical: stealing money from unsuspecting people.
    Ethical: developing a system to detect and prevent the use of stolen credit cards.
  • DDoSing Unethical: disrupting businesses by taking offline their e-commerce websites.
    Ethical: designing and testing services designed to mitigate DDoS attacks.
  • Writing Malware Unethical: infecting and destroying people’s computers.
    Ethical: simulating fake malware attacks in order to test your organization’s ability to detect and respond to a malware outbreak.
  • Hacking Websites Unethical: breaking into websites and stealing confidential user data.
    Ethical: testing website software for security holes before it goes live to the general public.

My personal belief is that when it comes to hacking, it matters not what is taught, but how and by whom. Context is extremely important, especially with a potential audience of young and impressionable teens. Hacking tutorials will always be available no matter what, the only real question is where.

To add to my point, I visited a well-known hacking forum. The forum in question isn’t some secretive invite-only underground darkweb criminal hide out: it’s English speaking, registration is open to everyone, and is easily found by searching google for hacking tutorials.

Malware is often sold on the forum, where some users argue selling it is neither illegal nor unethical. A common argument being: gun manufacturers are not held liable when one of their guns is used in a shooting; therefore, malware sellers shouldn’t be either. The argument is extremely flawed, yet regularly parroted by many users.

Here’s a couple of comments on a thread about a user being arrested for selling malware.

Here’s that gun argument.
The same gun argument again.
The gun argument again, but more British.

So what about stealing people’s credit cards? Surely there’s at least a consensus that it’s unethical and illegal. Well, here is a response to a thread by a user asking if they’d be arrested for stealing credit cards.

The user argues that they’d not be arrested and the victim would simply “get their money back from the bank”.

Then there’s the following reply to a thread from a user asking how to monetize his botnet (collection of illegally hacked computers).

Among other things, one user encourages infecting the victims with ransomware due to its “very good success rate”.

While it can be argue the forum isn’t all bad (it’s certainly has lots of ethical users); however, the board is rife with dangerous and misleading advice.

One has to ask, where would we rather kids learn about computer security?
A sites like YouTube, where security professionals will steer them in the direction of a legitimate job, six figure salaries, and strong ethics?
Or a shady forum where they will not only be exposed to crime, but criminals who believe what they are doing is both legal and ethical?

Many criminal and ex-criminal hackers started out as kids, possessing only an interest in computers. Are shady forums where we want those easily susceptible to peer influence hanging out? Are policies suppressing educational content, through fear of abuse, worth creating the very criminals they aim to impede?