Discord is a privacy nightmare…

As you may have heard, Henry is sunsetting the Techlore discord. I was curious about how bad Discord was for privacy, so I started doing some research and found this post on r/privacy, which does a great job of summarizing the issues. I also looked into Mozilla’s Privacy Not Included review, which also seemed to point out some pretty big issues. (Also I feel like no one ever talks about Privacy Not Included even though it does great dives into the privacy of products.)

Here are some concerns with security and privacy on Discord I found:

Things tracked outside the program include: programs you run and other system-specific information that can identify your hardware (such as your HWIDs)

Discord does collect a fair amount of data on its users and says it can share that data with third-parties. Discord says they do not monetize this data – their business model is based on subscriptions to premium services rather than monetizing data for advertising. However, we found their privacy policy to be pretty vaguely worded, which is a concern.

One of numerous confusing clauses is, ‘We may also share aggregated or non-personally identifiable information with our partners or others for business purposes.’

However, it is worth noting that Discord has repeatedly said that they do not sell any information to third-parties or advertisers and that their revenue stream is subscriptions, not ads.

Discord claims users can delete any message they have ever sent. Once a message is deleted, it is permanently deleted from their servers. If a channel, a server or a user account is deleted, all personal information is deleted too.

(From the Privacy Policy)

We generally retain personal data for so long as it may be relevant to the purposes identified herein. To dispose of personal data, we may anonymize it, delete it or take other appropriate steps. Data may persist in copies made for backup and business continuity purposes for additional time.

Edit: After further review, the Reddit post tends to exaggerate and make some statements that are partially incorrect.

5 Likes

Discord is a bit of a garbage platform anyways, and I think many of us already know how bad their privacy can be. Not only do they sell your data, but they have, in the past:

  1. monitored messages using AI
  2. banned people based on servers they joined
  3. banned modifications to the client in order to minimise data collection
  4. suspended accounts and demanded phone numbers, basically making users dox themselves
  5. shared the chat logs with the FBI and also
  6. prevented the use of autodelete bots to ensure messages aren’t saved

It’s unfortunate how popular it is today, but it’s not at all a platform that values you.

10 Likes

Could you provide a source for that? As far as I can tell there is no proof for that claim and people just spread that because it fits into their narrative.

While yes technically both things are against ToS I haven’t seen them actually enforcing those rules (excluding people who use modifications to bypass things like upload limits) so I wouldn’t use words like “banned” or “prevented”

I have a bit of a problem with the misuse of the word dox, and while yes it sucks to have to give them your phone number if they think your account is sus it’s probably one of the most effective ways to deal with bots (and discord still has a lot of those)

pretty much all companies will give data to the FBI if they request it

You should criticize Discord for things they actually are doing wrong and not make up things or things they can’t do anything against like:

  • lack of End-to-end encryption (but they at least wanna add it for voice and video chats: Encryption for Voice and Video on Discord)
  • no easy way to mass delete your own messages (same on this forum but you can ask Jonah to delete them for you)
    • no way of deleting messages from a server you’re no longer part of

1 Like

Discord claims that they do not sell any data to third-parties, however, their privacy policy is very vague and would technically give them the power to sell that data.

Yes, discord rarely bans accounts for using modified clients (I personally have been running BetterDiscord & Vencord for about two years now). They still do ban accounts whose modifications are disruptive or noticeable. However, they actually have tried to prevent client mods, by changing how injections work.

Most of @amog’s statements likely come from this reddit post (which I bring up in my topic post). The post does contain some important and useful information, however, some of the points mentioned are exaggerated or partially incorrect.

If you want more info or want to discuss this further, I recently posted this topic about Discord’s privacy.

1 Like

From their privacy policy:

To advertise our services on Discord and other platforms. We are proud of the product we’ve built. We may tell you about our paid services and other features directly in the services and through our own channels, and we spend money advertising Discord on other platforms. As part of that, we use certain information to assist in the delivery of our advertising, to measure the effectiveness of advertisements for our own products, and to improve such advertisements in the future.

Aggregated or de-identified information. We may disclose information that has been aggregated or anonymized such that it cannot reasonably be used to identify you. For example, we may share aggregated user statistics in order to describe our business to partners or the public.

They’re using your data as part of their (not fully free) product. That’s more or less selling it. Then, there are the Google Analytics cookies. While not directly selling your data, they basically let Google harvest your information from their site (basically the same thing).

While yes technically both things are against ToS I haven’t seen them actually enforcing those rules (excluding people who use modifications to bypass things like upload limits) so I wouldn’t use words like “banned” or “prevented”

Been IP banned for it before. They won’t tell you, but they’ll automatically flag your IP address.

I have a bit of a problem with the misuse of the word dox, and while yes it sucks to have to give them your phone number if they think your account is sus it’s probably one of the most effective ways to deal with bots (and discord still has a lot of those)

In many of the countries that discord operates in, a phone number is linked to national IDs. In India, where a massive breach just happened, this basically means that with someone’s phone number you have their real name, DOB, home address, and phone number. That’s more or less the contents of most doxes.

pretty much all companies will give data to the FBI if they request it

That’s fair though. Most companies will share this data, but to create a product which is designed in a way such that the FBI could simply tap a server and read every single message is beyond scary in 2024 when encryption is as developed as it is.

Oh, another fun thing about discord is despite its awful privacy policy (and jokes apart) it is actually full of pedophiles. I’ve seen ceepee openly being advertised on certain servers, and it took discord several weeks to actually take any action after I reported the servers in question. It’d be a different issue if discord was treated as a controlled “family friendly” platform which didn’t advertise privacy, but their marketing saying it’s for everyone while having ineffective selective moderation makes the platform pretty shit.

5 Likes

Some things worth considering when talking about Discord’s privacy policy:

  1. It can integrate with various services such as Twitch, Patreon, and Google, where they will share personal information with each other. This could include your usernames, email, and so on. Discord might even manage your Discord content, because they can control Discord server access, via things like Patreon tiers.
  2. You will be interacting with company servers, so anything you type is technically not owned by you, it’s owned by the server. Same goes for anything you say. It’s now their data. So be careful with what you say/type.
  3. Discord has a rich presence feature which allows Discord to detect what games you’re playing on your system. Now that is incredibly bad for privacy but does add functionality for wanting to play a game with friends, and being more social. This is kind of what Discord was meant for. An interaction platform with game related content. It’s just massively grown since this inception.
  4. Discord does use analytics services and I believe they use Sentry(dot)io. Not the worst platform, I believe it is open source. Something worth noting. It’s not like they’re sharing all your information with Google… when it comes to analytics anyway.

Honestly, is Discord the most private platform? Absofrickinlootly not. At the same time, I think it’s the ideal platform for various communities. It fills a need, and they’d need this kind of Privacy Policy to facilitate it.

4 Likes

Thanks @Jonah for moving the messages to this thread.

3 Likes

I don’t really see anything here that says “we sell your data” it just says they show you ads for nitro, server boosts, avatar decorations, …, that they buy ads on other platforms (which probably includes things like X million users or X messages per second which technically is using your data but not really) and that they measure how effective those ads are

that sounds to me like “we create stats and show it to others”

to give you an example of a Privacy Policy that actually says “we sell your data”: T-Mobile

To other third parties
We disclose personal data to third parties for uses described in this notice or for purposes you have requested. For example, we may share data with credit bureaus and similarly regulated entities, banks for device financing, and payment processors to help us provide you with the services you have requested. If you interact with third parties, like content providers who operate video channels or apps through our products and services, we may facilitate the transfer of your personal data for those services. We may also share mobile device identifiers, device and service usage data, and demographics information with third-party advertising partners who may use data to serve ads for T-Mobile and others as described in the Advertising section. These third parties have their own privacy notices that apply to their use of the information we share. For more information, read the Analytics and Reporting article.

no it’s still not doxing, look at my initial message or here, I linked a definition, it’s not public so it’s not doxing

fair enough and as I said you can complain that they have no End-to-end encryption but then you should apply the same standard to all services including this forum

yes that’s a problem and they should take action way quicker and to go back to your initial post

don’t you think that people that are on those servers should be banned?

4 Likes

Well yea, almost no one gets banned, they even put in easter eggs for users with a modded client sometimes. And idk if I’d say they tried to prevent modded clients, they just changed something and that broke them.

2 Likes

I’d say: I’ve never heard of it before! Thanks for that!

I’ve tried joining Discord a couple of times, because there are some nice communities that use it exclusively. First I’m treated like a criminal for using a VPN. They insist on knowing my “real IP”. OK, fine. Maybe I really want to join this community. Then I’m hit with the demand for a phone number. After asking myself if I really really want to join this community, I might try and use a number from one of the free SMS receiving services (like this one). I finally manage to register, only to find that the site is completely unusable with uBO.

That’s when I simply close that tab and vow never to touch Discord again. It’s just so hostile to its users, every step of the way. It really shakes my faith in humanity that they have 150 million users who are willing to put up with all of that crap. :poop:

2 Likes

I know this is diverging from the main points, but it’s important for administration and moderation.

The conclusion that all members of a “bad” place (past and present) should be banned is similar to the problems we have with “possession” being a crime in the USA. You couldn’t safely join a place, discover the content to be bad, and then report it without the same problem as handing something over to the police – you’re a member or the material is in your possession. Add in the fact tricking users is common practice in scams and advertising, and the possibility that exploits may exist to get new server members, and then it’s lazy/sloppy moderation that selects everyone affected/involved and bans them all. At times, being in a place is necessary for evidence collection such as recording what people have said (I am not talking about saving the illegal content which also happens to be an example of possession=crime); and verification of take-down (ex “took discord several weeks to actually take any action”) would be complicated by relying on whether invitations appear valid. If a bad place isn’t taken down, another complaint, escalation in the ticket/company management, or involvement of [more] agencies may be necessary; but I doubt reporting a suspicious invitation alone would get the sort of thorough investigation that may be necessary; and at the same time, any exposure to (or investigation of) a scam or bad area can look like “involvement” in the logs, even unintentional exposure.

2 Likes

For me personally, my biggest issue is the moderation.
A few weeks ago, a 3 year old account of mine got false banned (no email w/ ban reason) and when I sent in a ticket, they marked it as solved without actually addressing it. I sent 4 more tickets afterwards, all of them got ignored.

I even got Better Business Bureau involved and Discord STILL won’t do anything.

The only reason they’ve survived imo is cause there is yet to be a mainstream competitor in their niche of casual/gaming instant messaging. (Although Guilded exists, I’ve heard from some people who use it that it isn’t all that better)

BBB thread

This is a copy and paste of the back and forth I had with Discord with BBB as the intermediary. Personal/Identifying details have been omitted:

Initial filing:
This business is a social communication platform that I use often. Recently, this platform banned me from their service for seemingly no reason. I never got any reason for my ban via email or otherwise any form of communication, and any attempts at communication with the platform are met with total silence. Prior to this ban I had purchased their subscription service, “Discord Nitro”, on an annual plan for roughly 100 dollars. At the time of my ban, I had 3 months of subscription remaining. I demand that Discord either unban my account immediately or properly justify the deactivation of my account.

Initial response:
We are currently experiencing a higher than usual ticket volume. As of [DATE] ticket #[A] is still listed in an open status and is currently under review by our team. Updates are pending. All communications regarding this matter will be done through the open ticket and not through this claim.

My reply:
I am rejecting this response because:
In the screenshots I had provided, there was a ticket about my false ban listed as “solved”. This ticket never got a response from Discord support at all and my account was never acknowledged. The screenshots attached to this message show the ticket in more detail and the message thread. Clearly Discord Support was able to look at the ticket, otherwise it would not have been marked as solved. While I respect that Discord Support may be undergoing increased ticket loads, that does not make it acceptable to outright ignore a support ticket.

Discord’s reply:
We are currently experiencing a higher than usual ticket volume. As of [DATE] ticket #[A] is still listed in an open status and is currently under review by our team. Updates are pending. All communications regarding this matter will be done through the open ticket and not through this claim.

My reply:

I am rejecting this response because:
I was speaking about ticket [B], which had been mysteriously marked as solved despite not getting any response from discord. I was a nitro customer and I had 3 months remaining, roughly 30 dollars left. This is an unacceptable, literally copy and pasted response. Do better and actually solve the issue instead of marking it as solved with no response.

Then the thread got closed. Absolutely crazy that this company has a support team at all.

3 Likes

I would strongly urge you to examine the underlying assumptions of this statement.

People, who have very different life situations and threat models, making a decision to engage with a platform in a very different way than you do, is in itself evidence that they are in some important way strongly morally or logistically wrong?

Here’s something you might not have considered: your way of doing things is not the only correct way. Your situation is not universally the case. It is entirely possible, indeed likely, that people can arrive at exactly opposite conclusions to you for entirely valid and correct reasons, and those conclusions may well be right for them.

For example, while I am not happy about Discord’s insistence on a phone number, it’s a compromise I am prepared to make - the benefits I see strongly outweigh the marginal potential downside. Who are you to say that that decision is wrong? Do you know my situation and threat model?

I have a friend who maintains, and actively uses, a Facebook account. In part because it allows him to widen the reach of a community group we run (like it or not, Facebook is still extremely popular), in part because a lot of his family is unwilling to move off Facebook and use Messenger as their primary means of contact. He has tried to get them to change to Signal or something, it’s not happening. Is he wrong to do so? Heck no. And Facebook is, by any even somewhat reasonable measure, way worse than Discord.

2 Likes

I am glad to have spread it as Mozilla does a great job of diving into policies and even talks to companies, while still making the site very easy to understand and read, even if you’re not the most tech savvy. Maybe I’ll make a forum post for “What are some underrated/underseen privacy resources?”

For most people, they don’t care about it not being ETE. They don’t have any issues with Discord, because they don’t use a VPN, adblock, or anti-fingerprinting. Most people just install the app of their platform. Even for people who do care, like me, it’s simply an issue of where your friends are. That’s not to say nothing can be done or that no attempt at switching people off it should be made, but that for a lot of people, it’s not just an easy choice to just leave the platform.

1 Like

Do you have custom UBO filters, it werx for me™

1 Like

Enabled a few of the disabled by default lists, mostly under Annoyances, but nothing beyond that.

1 Like

I still have to use Discord because of some of the gaming community servers. I’m furious that I had to surrender my phone number to them but I’ve forced myself to accept.

1 Like

unfortunately many servers tend to have the highest requirement set (which is to require a phone number), it’s such a bummer instead of choosing the one above it…

1 Like

The rise in Discord’s popularity was really due to the lack of services for gamers to communicate. TeamSpeak was bad, so was Skype. Discord had great timing and a great free feature set to match. It quickly became the default platform for gaming, then for other communities because everyone was on it and servers offered a great way to have communities build around specific things.

The problem is that with just email verification, bots are still a huge issue, as it is basically free to create infinite email accounts. Sure, you can still get phone numbers, but it is harder and more expensive, discouraging some spammers.

2 Likes