Category: Net Neutrali

Your Menstrual App Is Probably Selling Data Ab…

Your Menstrual App Is Probably Selling Data About Your Body

From here

Why a DNA data breach is much worse than a cre…

Why a DNA data breach is much worse than a credit card leak

From here

Amazon’s Alexa will be built into all new home…

Amazon’s Alexa will be built into all new homes from Lennar

From here

China has turned Xinjiang into a police state …

China has turned Xinjiang into a police state like no other

From here

The surreal moment the Guardian destroyed the …

The surreal moment the Guardian destroyed the Snowden files

From here

getting shadowbanned and autoremoved here – wh…

Tried posting inquiring about another post of mine getting shadowbanned, and couldn't even post that. This website just gets worse and worse.

I'll try to link to what I'm trying to say in the comments, as soon as this post is hopefully not banned.

Found here

Operator of world’s top internet hub sues Germ…

Operator of world’s top internet hub sues German spy agency

From here

What steps have you actually taken to protect …

What’s the threat the action was designed to address? Curious about your actions and what your personal threat model is and how those actions help mitigate the threats. Perhaps we can learn something from each other and improve our privacy as a group?

Found here

Amazon selling facial recognition technology t…

Amazon selling facial recognition technology to governments

From here

Friends Don’t Let Friends Use Discord – The Me…

DISCLAIMER

I have tried my best to make this post as accurate as possible, citing sources where appropriate and going to great length to be very detailed. However, despite my best research and editing efforts, I am only human and mistakes do happen. I will do my best to correct any errors when they are pointed out and I have free time.

There is a HUGE Discord presence on Reddit and it goes without saying that plenty of people won’t like what I have to say. Be wary of those who solely post opinion, and always ask for sources. Should anyone notice I am lacking a source where one would be a good fit, by all means let me know and I will do my best to include it when I have time.

Happy redditing!

The Discord messenger is a complete privacy nightmare. The app has managed to claw its way into popularity despite rampant abuse of its users’ privacy. By aggressively marketing itself as a messaging platform specifically “for gamers”, Discord has amassed over 14 million daily users according to their company page at the time of this post. The team behind Discord understands that gamers carry their product, and doesn’t hesitate to slap their “for gamers” branding as many places as they can. Unfortunately, popularity and a “pretty” UI do NOT automatically translate into good privacy practices. I will be analyzing the Discord app in this post and hopefully we will get a great discussion below.

So What is Discord?

Discord was founded in mid 2015 by Jason Citron. Citron previously founded the OpenFeint mobile gaming social platform, which was subject to a class action suit in 2011 over abuse of its users’ privacy through invasive tracking services. Allegations included accessing private device information without any prior permission and selling this data to other developers. The company behind Discord initially tried their hand at game development with the production of the MOBA “Fates Forever”. Upon failing to gain any substantial popularity, the company then decided they would try playing with development of a VoIP chat app and had sold OpenFeint for $104 million. The company cited frustration with current chat applications and lack of an application they liked as their inspiration for Discord. Grabbing investment capital in the millions range, the company broke ground on the development of Discord. According to the CEO Jason Citron, Discord only promoted their app on Reddit and let the gaming community do the rest.

Short and sweet, Discord is a proprietary VoIP chat application that allows users to communicate over text, voice, or video chat [Source]. The service is completely free to use which makes it attractive for widespread use. Discord is marketed particularly as the chat app “for gamers” and takes advantage of its popularity in this niche to stay on top. Discord has only recently begun to explore monetization options, previously claiming to rely solely on the investment capital they received when the service was being developed. The app is cross-platform, meaning it works on all devices and stays synchronized between them. With a modern UI, fun graphics, and a development team adamant on appearing to be “gamers” just like you, Discord passes itself as a trustworthy program that does exactly what it says. Unfortunately, the developers’ choice of technology, their statements online, and their privacy policy all contradict this trustworthy, fun impression we are expected to believe.

The Privacy Policy

Let’s start with Discord’s Privacy Policy. You can view it here or by finding it yourself at the bottom of the Discord website. As per the statements in their Privacy Policy, Discord:

  • Collects and stores your IP address, device ID, username, email address, ANY messages/links/text/etc sent over the service, ANY images/videos/media sent over the service, transient VoIP data, and a very vague “or other content you send via the chat feature”. Discord reserves the right to store this data on their own servers, those of their affiliates, agents, and/or service providers, as well as “in copies made for backup and business continuity purposes for additional time”. Please note that Discord at NO point communicates how long they will store your data within the privacy policy.
  • Monitors and tracks your activity across the service, storing accompanying data as listed above.
  • Compiles aggregate data on user demographics, interests, and behavior. Discord reserves the right to share this with current/future partners and third parties, and at NO point communicates how long Discord, its partners, or these mystery third parties store all of this data.
  • Can obtain information from social network accounts tied to your Discord account, and presumably share information back based on the service.
  • Employs the use of cookies. Discord claims this is “to keep track of your local computer settings”, though potential exists for much more.
  • Uses third party analytics programs, such as Google Analytics to track its user base. Discord lazily refers you to the Privacy Policy of those companies if you want to find out how your data is abused. It no longer matters to Discord what happens.
  • “Personalizes” advertising through tracking, and advertising platforms may collect this data for use outside of Discord.
  • Does not mention how long all of the data above is kept for, and again lazily refers you to the Privacy Policies of anyone they give your data to if you want to know what happens to it.
  • Does not delete any chat logs, user information, or media when an account is supposedly “deactivated”. This does little more than essentially prevent you from logging in to your account.
  • Claims to take “reasonable” steps to protect all of the information described above and does not provide any additional detail on how they accomplish this or specifically what these “reasonable” steps are.
  • Reserves the right to “share your information with our Related Companies” in addition to the partners and affiliates described above.
  • States specifically that “Developers using our SDK or API will have access to their end users’ information, including message content, message metadata, and voice metadata”. Their very vague “information” wording can be assumed to include ALL data listed above.

The Discord Team

It’s pretty apparent that the team behind Discord could care less about the privacy of its users, as has been shown multiple times through official statements and correspondence online. The Discord team has most noticeably refused on multiple occasions to go open source, implement secure and proven end to end encryption, and to delete the data of users that no longer wish to use their service. The developers would rather exploit their users to make money under the guise of acting like “gamers” just like you instead of taking an honest look at how the privacy of the Discord app could be massively improved. The refusal to even consider showing us the Discord code or consider using end to end encryption to protect its userbase indicates that the devs want something in the code to stay hidden or that they can’t afford to lose out on the revenue generated by cheating their users out of privacy. Inside sources interviewed by TechCrunch claim that Discord insiders cashed out in secret while Discord quietly raised ~$50M in funding.

On Discord’s feedback forum, the Discord team sought user input on ways to improve Discord. A suggestion was posed to “Implement WhisperSystems Encryption for Voice and Text” in the interest of protecting their userbase’s privacy and boosting the security of the Discord platform. The development team said clearly that “we are not currently planning on implementing end to end encryption” and “E2E encryption is not a focus nor currently planned”. The team stated directly that “encryption on Discord is a very hard problem to solve” despite the readily available documentation and resources available for helping devs implement strong encryption. Coming from a development team that the very same post claims “has a huge focus and commitment to security” and has “a heavy interest and historical background in security”, it’s rather incredulous that they claim this can’t be done with millions of dollars backing them. I have provided the original posting here for reference.

When confronted on Reddit as to whether or not Discord’s source code would ever be opened, the Discord team was quick to respond, stating “We don’t have plans to go Open Source”. No further comment was given. That original thread can be found here. Another posting asking a similar question regarding an open source Discord was shot down fast with the team responding “No, we will not”. When asked by multiple users why, the team refused to give any further comment on the matter. That thread can be found here.

The Business Model

Any time that a service is free, the first question you should ask is “How do they make their money?”. Very few people/organizations are willing to provide things truly free without getting some kind of profit out of it. This is where Discord’s business model is a little confusing and more of a big gray area than anything else. As stated previously, Discord is sitting on a pretty sizeable investment of millions of dollars (see above). Discord claims that this is what they use to fuel their company and have stated many times before that they would explore monetization options later on (again, see above). Discord introduced a premium service called “Discord Nitro”, which grants users extra functionality in exchange for a monthly subscription fee. Other than that, Discord honestly doesn’t have much else going for it. The service has refused to host ads (no ad revenue), does not charge for use of its program, and its current plan to make money (aside from Nitro) is to sell stickers/merch gear. While I am not saying it’s flat out impossible to run a worldwide online service solely on an optional subscription and selling chat stickers, I’m pretty confident in saying that IMHO Discord would be struggling without that huge capital cushion to fall back on. This begs the question as to what Discord will do when they no longer have millions of dollars to rely on. If Discord indeed cannot make enough off of its premium service or its sticker sales, should the user expect to be flooded with ads? Maybe the Discord team will find it profitable to explore selling all of that user data they collect and store for an unspecified amount of time (see the Privacy Policy or section above). Successful or not, it would be responsible on behalf of the Discord team to disclose exactly what their plans are in much more detail than “we plan to sell stickers” or “here’s this little subscription service for a while”.

TL;DR

Discord loves to present itself as a company run by a few gamers just like you. The service aggressively advertises itself as “for gamers” with the hope that this “reputation” alone will propel Discord to the top. This has worked really well. The Discord team has refused, however, on multiple occasions to take certain steps to protect their userbase, described in more detail above such as adoption of E2E encryption or going open source. Instead, the Discord team states clearly in their privacy policy that they will gladly hoard a plethora of data about their users indefinitely, loosely claiming to only delete it when it’s no longer needed. The data they collect and store includes (but is not limited to) full chat logs, all chat media, a list of who you chat with, email address, IP address, device ID, behavioral analysis, activity tracking on the service, pulling info from social media accounts you link, and much more as stated above and in their Privacy Policy. Discord shares this same data with all of its partners, affiliates, agents, and “Related Companies” while lazily instructing you to check their privacy policy to find out what happened to your information, as it’s no longer any concern to Discord. In addition, Discord goes further to say “Developers using our SDK or API will have access to their end users’ information, including message content, message metadata, and voice metadata”. Their very vague “information” wording allows Discord to send whatever they please while, of course, leaving it up to you to go check their privacy policy and figure out just where and to whom Discord sloppily throws your data around. Discord continues to show little to no progress or effort in considering open source code, strong end-to-end encryption adoption, or even something as simple as allowing the deletion of an old account.
It is important to note that while Discord allows the “deactivation” of an account, their support team will happily inform you that they do not delete your data and your account cannot be deleted. This data is again stored for an indefinite period of time.

Make sure you read and understand what you are signing up for online. Encourage your friends to use more privacy friendly alternatives to abusive programs like Discord. By ALL means, I would love to see this turn into a big discussion over the service, so please feel free to leave a comment and debate!

EDIT: Minor formatting issues resolved.

Found here