Originally written 5 Jun 21
Discord launched about 6 years ago (March 2015), and for most gamers, it is the go-to platform for voice, text, video and screen sharing now. I started using it about a month after it launched along with my peers.
This service now has roughly 50-80 million active monthly users and is valued at over $10 billion, according to a recent acquisition attempt by $MSFT.
Discord came along seemingly out of nowhere with a modern, Slack-inspired UI, free everything and no server hosting issues, and it basically eliminated all the crap people had to deal with. Within a couple of months of launching, everyone I knew was talking about or transitioning to this new platform. Discord’s new approach to VoIP and gaming communications made other communication programs and platforms look like a complete joke.
So what’s wrong? Discord is a massive upgrade and other platforms are still lagging behind by what seems like decades, so why would anyone not want to use this new centralized, Silicon Valley-based gaming startup?
From what I understand, the only thing that stopped some communities/users from transitioning was the fact that it was all centralised. You had no control over your server’s availability: if Discord decided to shut your server/community down, too bad.
Apart from this, the only other skepticism was from (very) large gaming communities which relied on mod support (Arma 2/3 communities) for in-game communication systems, and hyper-organized gaming guilds with thousands of members which had very specific and organized chat networks to keep communications and schedules at a stable pace.
Discord did not allow modding/hacking, political or generally offensive communities to operate on their platform. After a couple of weeks (or user reports) of these communities being created, server owners and operators would be permanently banned and deleted from the platform without warning; no emails were sent before or after the action was taken. They are, after all, a SF-based social platform, so this was always expected but unfortunate. Personally, I would have preferred to have some kind of warning before my account is permanently banned (not deleted from their database, but that’s a different rabbit hole).
Things are a bit better now: on occasion server owners will be contacted by Discord staff so they can try to resolve the issues before action is taken. I experienced this about 3 years ago when my 15,000 member community was suddenly banned and un-banned within a few minutes, maybe a new intern?
Discord has been growing at a rapid pace since its launch. It was and still is a very convenient platform with zero barriers to entry, and because of this a lot of security and privacy issues exist.
Discord servers have a decent array of options to provide better protection for their users’ and communities’ privacy, but for most servers these options are not set up properly, and anyone that has a server invite code can view basically all chat history in general chat channels and all users (including connected social accounts).
These privacy issues are easily avoidable if the server is set up properly, but in most servers, this is not the case.
There are no initial password requirements for servers, and simple tools like accepting/denying new users before they can join are unavailable to server admins. Generally, though, servers will not allow new accounts to chat in channels until they’ve been a part of the community for 10 minutes or clicked a 3rd-party verification link.
By default, Discord’s privacy practices for new servers are bad. If you started a small community with your friends and sent out convenient invite codes that never expire, all of the communications within that server are available to anyone who stumbles across this 5-8 letter code.
By default, server messages never expire, and anyone in the server can scroll through them or use the search box to find specific words, messages, photos and website links, filtered by user or channel.
By default, users are encouraged to connect & display their social accounts (Facebook/Spotify/Twitter/Skype and others). There are no privacy options associated with these social connections, and one thing gamers love is showing their full name (Facebook/Spotify & (maybe) Twitter/Skype) publicly on their gaming profiles without realizing they’re doing so.
Some server options are not explained well; one key privacy issue was Server Widgets. When a server chose to enable this setting, a publicly accessible script file, along with a JSON file containing all online server users and voice channel activity, was available on a URL with no rate limiting, which allowed for easy data scraping/gathering via the server’s unique identifier. Server widgets were intended to be displayed on 3rd-party websites to show a community’s member activity/status and entice users to join the server, but it ended up being a bit of an issue, as this data could be used to hoard user information.
This vulnerability was patched on 24 December 2019, however. I guess some poor soul was stuck in the trenches pushing security vulnerability patches during the holiest time of the year, ho-ho-ho. Oh, and of course this hot-fix shat the bed: part of this update caused anyone viewing these links too many times to be IP banned across the Discord service for a couple of hours, which resulted in basically any user connected to a VPN network being banned during this time.
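As an added illustration of the widget exposure described above (this is not code from the original post or from Discord), here is a small Python audit that takes a widget JSON document and summarises what it discloses, so a server owner can judge whether to leave the widget enabled. The sample document and its field names (`instant_invite`, `channels`, `members`, `channel_id`, `game`, `presence_count`) are constructed for this example and assumed to resemble the widget format; compare them against your own server’s widget output before relying on the result.

```python
import json

# Constructed sample of the kind of JSON a server widget exposed. Not a real
# server; the field names are an assumption modelled on the widget format.
SAMPLE_WIDGET = json.dumps({
    "id": "000000000000000000",
    "name": "Example Gaming Community",
    "instant_invite": "https://discord.gg/EXAMPLE",
    "channels": [
        {"id": "1", "name": "General Voice", "position": 0},
        {"id": "2", "name": "Raid Night", "position": 1},
    ],
    "members": [
        {"username": "alice", "status": "online", "channel_id": "1",
         "game": {"name": "Arma 3"}},
        {"username": "bob", "status": "idle"},
        {"username": "carol", "status": "dnd", "channel_id": "2"},
    ],
    "presence_count": 3,
})


def audit_widget(widget_json: str) -> dict:
    """Summarise what a public widget document discloses to anyone holding the server id."""
    data = json.loads(widget_json)
    channels = {c["id"]: c["name"] for c in data.get("channels", [])}
    members = data.get("members", [])
    # Who is sitting in which voice channel right now.
    in_voice = {m["username"]: channels.get(m.get("channel_id"), "?")
                for m in members if m.get("channel_id")}
    # Which game each online member is currently playing.
    playing = {m["username"]: m["game"]["name"] for m in members if m.get("game")}
    findings = []
    if data.get("instant_invite"):
        findings.append("widget publishes an invite link; anyone can join")
    if members:
        findings.append(f"{len(members)} online usernames listed")
    if in_voice:
        findings.append(f"{len(in_voice)} members' voice channels visible")
    if playing:
        findings.append(f"{len(playing)} members' current games visible")
    return {"server": data.get("name"), "online": data.get("presence_count"),
            "in_voice": in_voice, "playing": playing, "findings": findings}


if __name__ == "__main__":
    for line in audit_widget(SAMPLE_WIDGET)["findings"]:
        print("-", line)
```

An empty `findings` list means the document discloses nothing beyond the server name and presence count.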
As mentioned before, social account connections are vague. On some platforms this type of functionality is an internal, private feature reserved for cross-posting social content; on Discord, however, it is used to display the accounts on your profile and to show social activity.
Discord is cool, it’s not going away anytime soon, but the trade-off between market growth and user privacy is a glaring hygiene issue, which I can see leading to scandals or worse.
I think a big step towards solving these issues would be having a security-level system on servers, where owners/admins can see what security/privacy recommendations are available. This could include invite code privacy/usage, server roles/channel permissions, and a new feature requiring a server pass-code or a quiz created by the server to join. But finally, the most effective and most groundbreaking solution: allow admins to approve/deny new user applications.
This is my first blog post, contact me on Twitter if you have any feedback :)