<- kngsly.io

Discord’s rise and bad privacy practices

Originally written 5 Jun 21

Discord launched about 6 years ago (March 2015), and for most gamers, it is the go-to platform for voice, text, video and screen sharing now. I started using it about a month after it launched along with my peers.

This service now has roughly 50-80 million active monthly users and is valued at over $10 billion, according to a recent accusation attempt by $MSFT.

Technical and market dominance

Discord has created a dominating, convenient environment for gamers. Before Discord’s existence, most gamers were either using Teamspeak (TS3), Ventrilo (Vent), or Skype for gaming & social communications. TS3 and Vent were alright, but you had to pay for server hosting each month relative to member slots available, on top of that community owners and users had to deal with DDoS attacks and IP leaks as a regular occurrence and part of an ongoing trend within the industry, plus these services had basically zero social functionality outside of voice channels and crappy text channels. Another alternative was Skype which was better in terms of user and social functionality, but was only utilized by small groups of people and came with issues such as peer-to-peer connections leading to DDoS attacks on personal users, including 3rd party IP resolving exploits, which allowed anyone on the internet to get the connection IP address of any Skype user in the world.

Discord came along, seemingly out of nowhere with a modern, Slack inspired UI, free everything, no server hosting issues, and basically eliminated all the crap people had to deal with, and so within a couple of months of launching, everyone I knew was talking about or transitioning to this new platform. Discord’s new approach to VoIP and gaming communications made other communication programs and platforms look like a complete joke.

Early skepticism

So what’s wrong? Discord is a massive upgrade and other platforms are still lagging behind by what seems like decades, why would anyone not want to use this new centralized, Silicon Valley-based gaming startup?

From what I understand, the only thing that stopped some communities/users from transitioning was the fact that it was all centralised. You had no control over your server’s availability, if Discord decided to shut your server/community down, too bad.

Apart from this, the only other skepticism was from (very) large gaming communities which relied on mod support (Arma 2/3 communities) for in-game communication systems, and hyper-organized gaming guilds with thousands of members which had very specific and organized chat networks to keep communications and schedules at a stable pace.

Early de-platforming issues

Discord did not allow modding/hacking, political or generally offensive communities to operate on their platform. After a couple of weeks (or user reports) of these communities being created, server owners and operators would be permanently banned and deleted from the platform. Without warning, no emails were given before or after the action was taken. They are after all a SF-based social platform, this was always expected but unfortunate. Personally, I would have preferred to have some kind of warning before my account is permanently banned (not deleted from their database, but that’s a different rabbit hole).

Things are a bit better now, on occasion server owners will be contacted by Discord staff so they can try to resolve the issues before action is taken, I experienced this about 3 years ago when my 15,000 member community was suddenly banned and un-banned within a few minutes, maybe a new intern?

Growth > security & privacy

Discord since its launch was growing at a rapid pace, it was and still is a very convenient platform with zero barriers to entry, because of this a lot of security and privacy issues exist.

Discord servers have a decent array of options to provide better protection for their user’s and communities’ privacy, but for most servers, these options are not set up properly, and anyone that has a server invite code can view basically all chat history in general chat channels, all users (including connected social accounts).

These privacy issues are easily avoidable if the server is set up properly, but in most servers, this is not the case.

There are no initial password requirements for servers, and simple tools like accepting/denying new users before they can join are un-available to server admins. But generally, servers will not allow new accounts to chat in channels until they’ve been a part of the community for 10 minutes or clicked a 3rd-party verification link.

Platform entry comparisons

Bad defaults

By default, Discord’s privacy practices for new servers are bad. If you started a small community with your friends, and send out convenient invite codes that never expire, all of the communications with that server are available to anyone who stumbles across this 5-8 letter code.

By default, server messages never expire and anyone in the server can scroll through, use a search box to find specific words, messages, photos, website links with user/channel targeting.

By default, users are encouraged to connect & display their social accounts (Facebook/Spotify/Twitter/Skype and others). There are no privacy options associated with these social connections, and one thing gamers love is showing their full name (Facebook/Spotify & (maybe) Twitter/Skype) publicly on their gaming profiles without realizing they’re doing so.

Vague settings

Some server options are not explained well, one key privacy issue was Server Widgets. When a server chose to enable this setting, a publicly accessible script file along with a JSON file containing all online server users and voice channel activity were available on a rate-limitless URL which allowed for easy data scraping/gathering via the server’s unique identifier. Server widgets were intended to be displayed on 3rd party websites to show a communities’ member activity/status to entice users to join their server, but it ended up being a bit of an issue as this data could be utilized to horde user information.

This vulnerability was patched on 24, December 2019 however. I guess some poor soul was stuck in the trenches pushing security vulnerability patches during the holiest time of the year, ho-ho-ho. Oh, and of course this hot-fix shat the bed; part of this update caused anyone viewing these links too many times to be IP banned across the Discord service for a couple of hours, which resulted in basically any users connected to VPN network to be banned during this time.

As mentioned before, social account connections are vague. On some platforms this type of functionality is an internal, private piece of functionality reserved for cross-posting social content, however, on Discord, it is used to display on your profile and seeing social activity.

Summary

Discord is cool, it’s not going away anytime soon, but the trade-off between market growth and user privacy is a glaring hygiene issue, which I can see leading to scandals or worse.

I think a big step towards solving these issues would be having a security-level system on servers, where owners/admins can see what security/privacy recommendations are available. This can include invite code privacy/usage, server roles/channel permissions, adding a new feature to require a server pass-code or for them to pass a quiz created by the server to join the server. But finally, the most effective and most ground breaking solution; allow admins to approve/deny new user applications.

Notes

This is my first blog post, contact me on Twitter if you have any feedback :)