YouTube attaches advertising to millions of videos, but the company is drawing criticism for monetizing a subset of videos that give step-by-step instructions on hacking into webcams in strangers’ homes, an I-Team investigation has found.
The I-Team found dozens of "how-to" hacker videos on YouTube with embedded advertisements from companies including Disney, American Express and major auto makers.
Some of the video tutorials teach people techniques to “slave” computers by infecting them with malware. Other videos show young women who apparently have no idea they’re being watched by remote hackers through their laptop cameras.
YouTube, which is owned by Google, said the company prohibits posting of videos that offer instructions on hacking webcams with malicious intent. The company said such videos are removed when users raise concerns.
"YouTube has clear policies that outline what content is acceptable to post, and we remove videos violating these policies when flagged by our users,” a YouTube spokeswoman told the I-Team in an email.
Some cyber safety advocates are urging Google and YouTube to do more.
“We’d like to see more concern from Google about the safety and well-being of YouTube users,” said Adam Benson, communications director for Digital Citizens Alliance, a nonprofit cybersecurity watchdog.
Benson said Google should use its own employees to search for and remove problem content, instead of relying on web surfers to flag the webcam hacking videos.
“Our feeling is that this is an area where a human team can be very helpful in rooting out some of these bad videos and making sure that advertising is not showing up next to videos of young girls and women being exploited,” Benson said.
Earlier this summer, Digital Citizens Alliance published a report estimating more than a third of YouTube videos that teach how to “slave” strangers’ computers are supported by corporate advertising.
There is no indication corporate sponsors are aware their advertisements are being assigned to webcam hacking tutorials. Companies have little control over where their ads land on YouTube because they are generally assigned to videos based on the computer user’s browsing history.
The I-Team reached out to American Express and Disney about their ads appearing alongside the hacker videos.
Disney issued a statement saying, “The placement resulted from limitations in Google's algorithm for programmatic advertising and once we became aware of the matter we contacted Google to remove the ad and have asked them to take additional steps to ensure this doesn’t occur in the future.”
American Express did not respond to the I-Team’s inquiry.
The most popular way hackers gain control of strangers’ webcams is by enticing them to download files that contain malware known as Remote Access Trojans, or RATs.
Georgia Weidman, a self-described “ethical hacker” who helped with the Digital Citizens Alliance report, said the best RATs take control over a computer or phone without the owner having any idea.
"In very sophisticated trojans there would be no reason for the end user to suspect anything was wrong with their computer,” Weidman said. “They wouldn't see the light coming on -- on their camera -- when they're being watched."
YouTube has argued the company’s process for removing questionable videos represents a gold standard in policing content, but with 400 hours of video uploaded every minute, it is not possible to catch every improper video before it goes online.
The company also criticized the Digital Citizens Alliance, suggesting the nonprofit is more interested in damaging Google’s reputation than real consumer advocacy. Media reports have linked Digital Citizens Alliance with the Motion Picture Association of America, which has an ongoing feud with Google over Internet piracy.
“While we take feedback very seriously, legal documents and news reports establish that the movie industry spent hundreds of thousands of dollars to fund, coordinate, and heavily publicize the efforts of this fake consumer organization,” the YouTube statement said.
Benson denied the nonprofit group has had direct contributions from the MPAA, saying the organization has received support from companies in many fields including “the creative industry.”
“It’s unfortunate that Google spends its time pointing fingers when it should focus on making the Internet a safer place,” Benson said.