I have updated this article with a shorter run-down of why you should avoid Discord. Keep scrolling for the original post.
The year was 2015.
A new chat application had launched, named Discord. Discord was easy to use and offered some features that the competition lacked. People gave up on the complexity of Mumble, Skype and Teamspeak for a better alternative.
Discord was revolutionary; its unique features made it gamers' favourite chat app. High-quality voice chat, a polished UI and a simple interface were things other platforms didn't offer.
But with past and current revelations, are we beginning to change our minds?
Fast forward to 2020.
963,000,000 messages are sent on Discord every day.
Discord has seen huge growth in its userbase since the initial launch. Millions of users rely on Discord for school voice chats (especially since the pandemic), game streaming and socialising with friends.
Discord has apps for iOS, Android and the web, and a native desktop client. This is awesome!
Discord isn't perfect though.
It's far from it.
People are continuing to lose trust in Discord, especially when they knowingly provide a home for fascists and racists. Combined with the events that took place in November of 2019, where a 'Trust and Safety' moderator decided to allow sexual depictions of children on their platform ("cub porn"), this really does paint a telling picture of how the platform is governed.
Users from Discord have been unjustly banned from the platform, with no explanation or apology from Discord. Pedophiles on the platform aren't being banned, but innocent people are.
It's not just that.
Discord is also known for its horrendous privacy. Every Discord message, activity, connected account, and voice chat is uploaded onto Google's servers. When Google has been exposed as battling against user freedom and privacy, giving them access to billions of unencrypted communications is asking for trouble. Discord uses Google's Cloud Platform, which can be used to host apps.
Discord has also been targeted by a group that steals the data of everyday users and sells it on the internet. This group has been operating for 2 years.
No legal repercussions have been brought against this group. This suggests that Discord doesn't really care about the security of its userbase.
I have publicly challenged this group for betraying the privacy and security of users, but without the support of Discord, that was a fruitless endeavour. Discord did nothing to protect us. Discord users are being stalked every day.
Instead of Discord, I use Matrix, a decentralised, open-source platform that doesn't abuse my trust, my privacy or my security.
Some reputable links
- Why you shouldn't trust Discord ─ Cadence
- My views on the issues of Discord ─ Austin Huang
- An open letter to Discord
- Discord has a furry pedophile problem ─ ganker
- Discord’s lax policy on furry ‘cub content’ leads to user outcry ─ Polygon
Here's the original post from 14th of March, 2020.
The Discord privacy scandal
Recently, I have reviewed a group of people operating under the name "dis.cool". This group has been stealing the personal data of "100 million users", and selling it to the masses.
I'll start by introducing the group behind "dis.cool". This service is run by rogi and relative. These two are spearheading the organization.
This group was created a while after the release of Discord, a communication platform for gamers and everyone else; the service attracts young children and teenagers along with everyone else. Then, three years later, the "dis.cool" domain was officially registered. And that's when things took a turn for the worse.
Recently, a very good friend of mine wrote a brief Reddit post about dis.cool. He had contacted the ICO, and many other organizations in a bid to stop this group. We had discovered that dis.cool was not only collecting data without consent, but selling it for $7 USD a year. This is a direct violation of regulations such as the GDPR (Europe), and the CCPA (California). If you'd like to read more about this, I suggest you visit the Reddit post he wrote, and my lengthy comment which explains why this is a danger.
We were appalled to find that the information being sold included the connected accounts of users, the server list of users, and information about servers worldwide.
Please remember that children use this platform, and the selling of their personal information could potentially put them in grave danger. We, as a community, need to be protecting our aspiring young gamers, and provide a safe environment for them. Right now, that's nonexistent on Discord.
Also, this is illegal.
How did this happen?
First off, Discord has had an everlasting problem that goes by the name of selfbots. Selfbots are banned by the Discord ToS. A selfbot is a bot masquerading as a user: it logs into a user account. These selfbots are then joined to millions of Discord servers, sending data back to dis.cool such as channel information, information on the users in the server, and all messages sent in channels the selfbot is permitted to read. I have witnessed the selling of these tokens for myself, and it seems to be quite a big business. Discord have put some measures in place (like the prevention of the Authentication header), but it is not enough to stop people like these.
However, I'd like to credit Discord for sending an official letter to Donuts, which thankfully got the dis.cool domain shut down. They have since moved to new domains, such as dsc.cool and tracr.co. Furthermore, their new Twitter account is here.
Why not ask them to delete the information?
That's the thing. When anyone requests to have their personal data removed from this service, they are redirected to a meme instructing them to "delete your account". This is not only ethically unacceptable, but the refusal to delete personal data is a violation of the GDPR, and the CCPA. Also, their advice is meaningless, considering that if you do follow their instruction, nothing will be deleted.
It is clear to see that these people believe they are above the laws set out to protect victimised users.
Tips on staying safe
Currently, you should refrain from posting your server on popular Discord server listing sites, such as top.gg and Discord.Me; I have good reason to suspect dis.cool are scraping information from these services, because (as quoted by them) there is no rate-limiting system present on some listing services. Following this, you should disable your Server Widget, which allows anyone to view information about your server without joining. While some information, such as discriminators, is anonymised, this is still a security hole.
Also, you should be careful about where you post invites. I am unable to gain insight into every service they scrape, but I'd imagine things like server listing subreddits are scraped too. There is some manual work to the scraping too, which makes this a bit harder.
There is no way to limit the information that user accounts can see in your server, aside from limiting the channels they can see. They can still get the name of every channel, and its topic too; don't store sensitive information in channel topics.
In addition, a well-established verification system is invaluable in these circumstances. I recommend bots such as Valkyrja, which only allows new user accounts to see one channel; the verification process of good bots will definitely slow down selfbots.
A close friend and I have been in touch with Discord to limit the information that can be seen by user accounts in your server(s). Stay tuned for updates. Systems such as the Gateway Intents system have the capability to solve issues such as this, but time will tell.
You should also be careful with the bots you add to your server. These bots can ultimately store any and all data you permit them access to, so you should be sure to only allow the permissions required for the bot. As an example, a music bot definitely does not need the Administrator permission (looking at you, Rythm).
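One way to check a bot's requested permissions before adding it, as an added example that is not part of the original post: the script below reads the permissions integer from a bot's OAuth2 invite link, decodes it against Discord's documented permission bit positions, and reports high-risk bits and anything beyond an assumed least-privilege baseline for a music bot. The baseline set and the sample invite links are this example's own assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Permission bit positions as documented by Discord; only a subset is listed here.
PERMISSIONS = {
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4,
    "MANAGE_GUILD": 1 << 5,
    "VIEW_AUDIT_LOG": 1 << 7,
    "VIEW_CHANNEL": 1 << 10,
    "SEND_MESSAGES": 1 << 11,
    "EMBED_LINKS": 1 << 14,
    "CONNECT": 1 << 20,
    "SPEAK": 1 << 21,
    "USE_VAD": 1 << 25,
    "MANAGE_ROLES": 1 << 28,
    "MANAGE_WEBHOOKS": 1 << 29,
}

# Bits that let a bot read or reshape far more of a server than a helper bot needs.
HIGH_RISK = {"ADMINISTRATOR", "MANAGE_CHANNELS", "MANAGE_GUILD",
             "VIEW_AUDIT_LOG", "MANAGE_ROLES", "MANAGE_WEBHOOKS"}

# Assumed least-privilege set for a music bot (this example's baseline, not Discord's).
MUSIC_BOT_BASELINE = {"VIEW_CHANNEL", "SEND_MESSAGES", "EMBED_LINKS",
                      "CONNECT", "SPEAK", "USE_VAD"}

def decode_permissions(bitfield: int) -> set:
    """Return the names of the known flags set in a permissions integer."""
    return {name for name, bit in PERMISSIONS.items() if bitfield & bit}

def permissions_from_invite(url: str) -> int:
    """Read the permissions= value from a bot's OAuth2 invite link (0 if absent)."""
    return int(parse_qs(urlparse(url).query).get("permissions", ["0"])[0])

def audit_bot_invite(url: str, baseline: set = MUSIC_BOT_BASELINE) -> dict:
    """Flag high-risk bits and anything beyond what this kind of bot needs."""
    granted = decode_permissions(permissions_from_invite(url))
    return {"granted": sorted(granted),
            "high_risk": sorted(granted & HIGH_RISK),
            "excess": sorted(granted - baseline),
            "administrator": "ADMINISTRATOR" in granted}

# Constructed invite links: the first asks for Administrator (bit 3 = 8),
# the second asks only for the baseline bits.
OVERPRIVILEGED = "https://discord.com/oauth2/authorize?client_id=0&scope=bot&permissions=8"
MINIMAL_BITS = sum(PERMISSIONS[n] for n in MUSIC_BOT_BASELINE)
MINIMAL = f"https://discord.com/oauth2/authorize?client_id=0&scope=bot&permissions={MINIMAL_BITS}"

if __name__ == "__main__":
    for link in (OVERPRIVILEGED, MINIMAL):
        print(audit_bot_invite(link))
```

Any non-empty `excess` list is a permission to question before clicking Authorize; an empty `high_risk` list is the minimum you should expect from a chat or music helper.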
If you have any connected accounts (you can access these in the Connections section of the settings menu), you should disconnect them immediately. There is the obvious risk that dis.cool have already scraped this information; in that case, there's nothing you can do aside from not connecting any more accounts, and removing the current ones. Over time, their data will grow stale and will essentially be useless.
Moreover, encourage server owners to follow the guidelines above. This is a stepping stone to a more secure system.
What can I do?
You should lodge a complaint with the relevant parties immediately. A good starting point would be to email these companies:
- OVH (Server hosting) (email@example.com)
- Epik (domain registrar) (firstname.lastname@example.org)
- DDoS-Guard (DDoS protection) (email@example.com)
- Discord (request form)
There are templates for emailing these companies here.
- UK GDPR enforcement contact info
- German GDPR enforcement contact info
- My post on the r/privacy subreddit
- My friend's post on the r/discord subreddit
- My friend's post on the r/discordapp subreddit
- The Twitter thread where I first confronted them
- The (unofficial) disdotcool subreddit
Which articles of the GDPR are they breaching?
Probably best to skip this if you're not a lawyer.
Processing shall be lawful only if and to the extent that at least one of the following applies: the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: the personal data have been unlawfully processed; the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions.
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
Emphasis added to relevant points.
This is very scary for the privacy of Discord users worldwide. I can only hope Discord are able to collaborate with their community to foster brand new, and more secure systems. As an observer, privacy seems to be an afterthought with Discord's API. Thank you for reading this blog post, and I hope I have informed you of the data this group collects and sells, and how you can protect yourself in the meantime.