Policy Woes

For a long time I've decided against talking much about this topic over fear of having my own account nuked. Over the weekend @TurvSec had his YouTube account deleted by YouTube over an apparent breach of the "Harmful or dangerous content" policy.

Having recently had a number of my videos removed by YouTube for similar "offences" I wanted to take a closer look at the actual policy to see whether I was actually in breach of these (ever changing) rules.

Excerpt from Google's "Harmful or dangerous content policy"

Of course, YouTube/Google never actually say which part of the policy you have apparently broken, and if you appeal they'll never tell you why your appeal failed or was successful. But judging by the policy it appears as though this recent "wave" of content and channel removals is due to the section which reads ".. with the intent to streal credentials, compromise personal data.."

This obviously poses a bit of a a problem for those of us within the ethical hacking industry as it is literally our job to steal credentials, compromise personal data and compromise systems.

Whilst I am willing to cut some slack over this policy as it would be simple to find countless examples where someone is showing hacking techniques and tools with the goal of being a dirty little black hat, I do think there needs to be some middle ground. As much as I'm sure these policies are written by lawyers and people who just want to cover YouTube's arse, Google/YouTube were founded and built by technies and this all just smells a little hypocritical.

Potential for more harm

By censoring hacking content on YouTube, particularly the content from ethical hackers within the industry, I believe this actually helps to cause way more harm. If you take away the sources of ethical hacking content, or at least make them more difficult to access, you force people who are genuienly interested in these topics to seek out the information elsewhere, and elsewhere is often places which result in a ride in a van with shiny metal bracelets on.

In a way, I believe that censoring legitimate ethical hacking content actually gives a bigger voice to platforms which maybe don't care so much about being ethical, or would actually seek to exploit those looking to break into the industry.

The catch-22

After looking through the videos I've had deleted recently they all fit the trend of compromising credentials. In my case, mostly via phishing attacks. As a result of this I've had GoPhish and Evilginx videos removed from my channel.

I actually think this comes down to the wording within the video itself. I know that YouTube will be using the automatic transcribing for ensuring that channels are adhering to the policy, but this causes a catch-22 in my eyes.

As a YouTube creator I essentially have to make my videos sound a lot more "racey" than they actually are. I could write and speak in all technical terms and talk about compromising an account, but the YouTube algorithm just won't put your video in front of people if you do this. You need to "click-bait" and make what you're showing seem exciting, and make thumbnails seem interesting.

Going back to my point about the wording in the videos, I believe its the combination of needing to make videos more appealing to gain viewership and the transcription based censorship machine which poses a real problem going forward.

Going forward

I still actually like the YouTube platform. Whilst they don't offer the best quality playback, transcoding or even on-platform tooling, they do offer access to the largest viewerbase on the planet. I'd be lying if that wasn't appealing to me.

However, I feel as though I'm now left in the position where I have to avoid certain topics which may result in my videos being censored or removed. This is particularly annoying as phishing is my favourite topic within infosec at the moment. (And its also still how MANY organisations are compromised!)

My plan going forward is to continue to post all of my new videos to YouTube, but if a video is removed I have decided to get a Vimeo subscription so I can offer the video right here.