This week, YouTube launched a new age verification system. There are no tick boxes asking users to confirm they’re over 18; no forms to enter their birthdays. Instead, an AI will examine what sorts of videos you’ve been searching for and watching, and decide based on those whether or not you’re an adult.
YouTube already accounted for the possibility of some mis-aging. If an adult is mistakenly identified as a minor, they can submit either a government ID or a credit card to prove their age.
After this system was announced, numerous content creators expressed concerns that if they submitted an ID to YouTube, their real names and addresses may be exposed if their channels were ever compromised. This was especially of concern to VTubers, who generally don’t reveal their IRL names, faces, or locations, instead choosing to use their digital avatars as their online identities.
Subscribe for daily Tubefilter Top Stories
VTubers who raised this issue pointed to ongoing issues with hackers who purposefully target creators’ channels. This just happened to VTuber AmatsukaUto, whose ~600K subscriber channel was hacked and turned into a crypto-shilling farm directing viewers to scammy exchanges and “investment opportunities” (a common outcome for hacked channels). The hack lasted for days, and AmatsukaUto’s channel went offline before YouTube finally kicked the hackers out and returned it to her.
YouTube assures creators it can keep their accounts safe. But another recent incident showed YouTube can’t even keep its own channels safe.
Earlier this week, the official Google India YouTube channel was hacked–once again by crypto scammers. Like AmatsukaUto’s channel, Google India’s ended up being pulled offline–but while it was still live, the hackers flooded it with crypto propaganda. One livestream, called Michael Saylor: Bitcoin PUMP – Is Bull Run CONFIRMED?! BTC Price Prediction, had around 60 viewers, as you can see in screenshots from Android Authority.
YouTube says after it was “alerted to unauthorized activity on the Google India YouTube channel, we took immediate action to secure and restore the account.” Google India’s channel is now back to normal.
But this still raises questions about YouTube’s ability to keep creators’ channels–and information–safe. How was YouTube “alerted” that the Google India channel had been compromised? Were its systems not able to recognize unusual activity when the hackers logged in in the first place, and things only tripped when videos and livestreams began going up? Did a third party alert it?
In the cases of AmatsukaUto and other hacked creators, they’ve had to go tell YouTube their channels were compromised and wait days for responses. Why can’t YouTube detect hacks when they’re happening? Why does someone need to let it know when channels have been overtaken? What safeguards can YouTube put in place to keep all this from happening?
YouTube tells us that protecting creators’ privacy and security “is a top priority, and Google/YouTube has long used the world’s most advanced security to protect user data against threats.”
Addressing creators’ concerns about how secure their age verification information will be, YouTube adds that for users who choose to prove their identity with a credit card, it will submit a request for authorization to their bank, and, once successful, will store the card information on the user’s account. The user can manually remove the card anytime they like.
As for government IDs, YouTube will look at the ID and then store the user’s date of birth on their account. The submitted image of their ID is “deleted a short time after successful verification,” YouTube says.
Does that mean it’s possible for a hacker to capture the image of a creator’s government ID and use it to see their real name and address? We’re not cybersecurity experts, and we don’t know if those stored ID images will be accessible on the user/hacker side.
What we do know is that channels being hacked is a very real threat, and continues to happen–even to Google’s own accounts. If it wants to maintain creators’ trust, it has to find ways to preempt attacks–or, at least, respond more quickly when they’ve already happened.
