Discord is the go-to app for communicating by voice, video, text, or a mix of all three. It’s especially popular in the gaming community: players use it to discuss Counter-Strike strategies or coordinate an Apex Legends attack on another squad – which may be why over 250 million people have joined this Voice over IP (VoIP) service.
However, the service is now under scrutiny, not only because of numerous security holes but also because of incidents so extreme that they attracted an FBI investigation. This article covers what you need to know about staying private when using Discord, and the threats to your privacy and security that come with it.
Discord privacy issues
Since 2015 when Discord was founded, a few stories have emerged about privacy that users should be aware of. They probably won’t stop you from using Discord to play your favorite games online, but they may encourage you to keep your chats more private.
In late 2017, as Discord’s user base reached 100 million, the gaming press was suddenly filled with talk about the platform’s security issues.
1. Poor product management
Services that you use for your gaming communication should adhere to the same quality standards that we apply to other services, especially considering that you’re granting them access to your microphone, screen, and webcam. However, Discord’s approach to looking after its own product has been somewhat clumsy. Here are a few examples:
● Outages resulting in hours of downtime despite promises of a fix. Since then, there has been no word on what was implemented and what’s on hold.
● Several months ago, Discord deleted bug report boards containing several years’ worth of issue reports. Some of the reported issues still persist to this day, but there is now no public record of their having been reported.
● Refusing user requests to fix the UI, then banning users who customize their UI with addons because it’s against the terms of service.
This is just the tip of the iceberg. It’s impossible to download Discord’s source code, so it’s not clear how deep this rabbit hole goes when it comes to the actual software. However, there are many, many exploits.
2. Could it be that Discord is a piece of spyware?
Some of Discord’s privacy concerns relate to the way they collect and use data. According to the Spyware Watchdog, the threat level, in this case, is “extremely high” because everything users say or write passes through company servers.
The main way Discord collects information is through /api/track and /api/science. Both API endpoints are identical and accept the same input. If you use a browser with a blocker such as uBlock Origin, /api/track will be blocked, but /api/science bypasses it with ease.
Most importantly, the client sends data through these routes regardless of whether the user has given permission. The Privacy & Safety policy explicitly states that you can consent to the use of your collected data, not to whether it is collected in the first place.
Discord’s response is that they collect data in case the user allows its use down the line. Well, they already have your data, and it’s sitting on their servers. Are they privacy-conscious enough to wait for your permission to use it? Extremely unlikely.
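The blocking problem above is easy to reproduce in miniature. The following is an added example, not code from the article, from Discord, or from uBlock Origin: a toy request filter that applies a list of URL path rules to outgoing requests. It shows that a list naming only /api/track lets an identical endpoint at /api/science straight through, and what a corrected list looks like. The host name and the third, unrelated API path are constructed samples.

```javascript
// Added example (not Discord's or uBlock Origin's code): a toy request filter
// modelling how a path-based blocklist is applied to outgoing requests.
// The host "example-chat.invalid" and the request list are constructed.

// Turn each rule such as "/api/track" into a matcher over the URL path.
// Matching stops at a path-segment boundary, so "/api/track" does not
// accidentally block an unrelated route like "/api/tracking".
function compileRules(rules) {
  return rules.map((rule) => (pathname) => pathname === rule || pathname.startsWith(rule + "/"));
}

// Decide whether one request should be blocked by the compiled rule set.
// Only the path is inspected, so query strings cannot be used to slip past a rule.
function isBlocked(urlString, matchers) {
  const { pathname } = new URL(urlString);
  return matchers.some((m) => m(pathname));
}

// Apply a rule set to a batch of requests and report what got through.
function filterRequests(urls, rules) {
  const matchers = compileRules(rules);
  const allowed = [];
  const blocked = [];
  for (const url of urls) (isBlocked(url, matchers) ? blocked : allowed).push(url);
  return { allowed, blocked };
}

// Constructed sample: the two telemetry routes the article names, plus an
// unrelated API call that a filter must not break.
const SAMPLE_REQUESTS = [
  "https://example-chat.invalid/api/track?v=1",
  "https://example-chat.invalid/api/science",
  "https://example-chat.invalid/api/v9/users/@me",
];

// A rule list that names only the well-known telemetry route.
const NAIVE_RULES = ["/api/track"];
// The corrected list names every route that accepts the same telemetry payload.
const COMPLETE_RULES = ["/api/track", "/api/science"];

function main() {
  const naive = filterRequests(SAMPLE_REQUESTS, NAIVE_RULES);
  const complete = filterRequests(SAMPLE_REQUESTS, COMPLETE_RULES);
  console.log("naive rules let through:", naive.allowed);
  console.log("complete rules let through:", complete.allowed);
}
main();
```

The lesson is the one the article draws: a blocklist is only as good as its coverage of equivalent endpoints, so a filter maintainer has to enumerate every route that carries the same payload rather than the one that happens to be well known.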
3. Trustworthiness of the service
There are numerous reports of Discord going so far as to ban users for joking about being underage. This happens because being under 13 violates Discord’s terms of service, so getting a ban lifted requires you to provide an image of your passport together with your username written on a piece of paper. Seems rather extreme, but okay – they hold their own staff to the same high standards, presumably… right?
In fact, not at all. There were numerous reports of administrative abuse coming from Discord employees. For example, there are reports of staff snatching vanity URLs for their own channels, skipping official procedures for doing so. This doesn’t paint Discord as a trustworthy organization in the slightest.
4. Legal precedent
In 2018, law enforcement wanted to use evidence from Discord chat rooms against one of the organizers of the “Unite the Right” protests in Charlottesville, 2017, which left a protester dead.
It turned out that neo-Nazis had been using Discord as an organizing hub for their activities. Discord representatives denied knowing anything about that. Afterward, a legal tug of war ensued to determine if anonymous Discord users could be identified.
In August 2018, a judge ruled that the identification of users and their discussions was admissible, potentially compromising future private chats – regardless of whether far-right figures are involved.
5. Things for ROBLOX players to worry about
Some security experts noted that the Discord API could be used to create apps that harvest data of ROBLOX players (a popular title on Discord at the time). By inserting so-called webhooks, cybercriminals could “fish” out ROBLOX sign-in codes and use them to extract in-game currency.
While specifically tied to ROBLOX, such a method could be used for wider malware attacks across other Discord servers – raising the potential for more severe security scandals.
6. Malware hosting and distribution service
Discord’s safety could be described as rebranded LimeWire: it won’t infect your device on its own, but it provides fertile ground for malware to spread if you aren’t careful about what you click on. Remote Access Trojans (RATs) are the most common type of malware distributed via malicious links. When you open such a link, a RAT is planted on your device, giving attackers administrative rights over it. This is horrendous for your privacy. The most recent of them is AnarchyGrabber3, still an active exploit.
Discord also regulates the files distributed within its ecosystem rather loosely. Anyone can upload a file to a Discord server and then share its link externally, and even people without a Discord account can download it. Moreover, if the uploader deletes the file or their account, the platform still keeps the file in its content delivery network, so it remains downloadable, and no one can trace the original uploader from a Discord download URL alone.
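Because such links are shared far beyond Discord itself, a mail or chat gateway has a reason to look at them. The following is an added example written for this article, not code from Discord or from the article: a small scanner that flags links to a chat platform’s file CDN whose linked file name ends in an extension commonly used to deliver malware. The CDN host names and the attachment path layout are assumptions (the article names neither), and the messages are constructed samples.

```javascript
// Added example (not Discord's or the article's code): flag chat or e-mail
// messages that link executable files hosted on a chat platform's file CDN.
// ASSUMED host names; the article does not name them.
const ASSUMED_CDN_HOSTS = ["cdn.discordapp.com", "media.discordapp.net"];

// Extensions that launch code when opened on a typical desktop.
const RISKY_EXTENSIONS = new Set([
  ".exe", ".scr", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".msi", ".jar", ".dll",
]);

// Find every http(s) URL in a free-text message.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s<>"')]+/g) || [];
}

// True when hostname is one of the listed hosts or a subdomain of one.
function hostMatches(hostname, hosts) {
  return hosts.some((h) => hostname === h || hostname.endsWith("." + h));
}

// Last path segment of the URL, percent-decoded; the query string (where
// signed CDN links carry their parameters) is already excluded by URL.pathname.
function fileNameOf(pathname) {
  return decodeURIComponent(pathname.split("/").pop() || "");
}

// Lower-cased final extension, so "invoice.pdf.scr" is judged by ".scr".
function extensionOf(fileName) {
  const dot = fileName.lastIndexOf(".");
  return dot === -1 ? "" : fileName.slice(dot).toLowerCase();
}

// Inspect one message and return one finding per risky CDN link.
function scanMessage(text, cdnHosts = ASSUMED_CDN_HOSTS) {
  const findings = [];
  for (const raw of extractUrls(text)) {
    let url;
    try { url = new URL(raw); } catch { continue; } // skip malformed links
    if (!hostMatches(url.hostname, cdnHosts)) continue;
    const fileName = fileNameOf(url.pathname);
    const extension = extensionOf(fileName);
    if (RISKY_EXTENSIONS.has(extension)) findings.push({ url: raw, fileName, extension });
  }
  return findings;
}

// Scan a batch of messages, tagging each finding with its message index.
function scanAll(messages) {
  return messages.flatMap((m, i) => scanMessage(m).map((f) => ({ message: i, ...f })));
}

// Constructed sample messages (the ids in the paths are made up).
const SAMPLE_MESSAGES = [
  "the patch is here https://cdn.discordapp.com/attachments/111/222/Game_Patch.exe?ex=abc grab it",
  "screenshot: https://cdn.discordapp.com/attachments/111/333/screen.png",
  "read this https://cdn.discordapp.com/attachments/111/444/invoice.pdf.scr",
  "docs at https://example.com/setup.exe", // not on the CDN host, so out of scope for this check
];

console.log(scanAll(SAMPLE_MESSAGES));
```

The check deliberately ignores whether the link still works: as the article notes, the file stays on the CDN even after the uploader deletes it, so a link seen in an old message is as live as one seen today.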
7. Discord permissions
When we talk about Discord permissions, we are talking about two different things: app permissions and role permissions within servers or specific channels. What they have in common is that both can be dangerous for your privacy.
Regarding app permissions, we already discussed how turning off Data Collection only prevents your data from being used, not from being collected. Elsewhere, the desktop app implements system-wide push-to-talk, and the catch is that this requires it to receive keystrokes from every application, not just Discord. Considering the sorry state of Discord’s privacy, this should never be allowed if you value your privacy.
The situation isn’t any better when it comes to channel-specific permissions. Users can override the moderator or admin hierarchy and change nicknames or Gamertags. If you hold a role that allows managing permissions, you can’t grant permissions to yourself, but you can grant them to @everyone, which effectively grants them to you as well, and the list goes on.
● Discord records the following information: “username, email address, and any messages, images, transient VOIP data (to enable communication delivery only) or other content you send via the chat feature.”
● Whenever you use Discord, your IP address and activity are logged from start to finish.
● Aggregated data is regularly sold to third parties or used internally for “research” purposes.
● Discord collects information about your contacts if you link social media accounts.
Managing your Discord privacy settings
The first step is getting your Discord settings right.
To do so, head to the Privacy Settings menu – you’ll find it by clicking the down arrow located next to the name of your current server.
This will allow you to manage things like friend requests and blocks. But what it won’t do is ensure minimal data collection, including keeping your messages private.
Still, it’s like using Facebook and expecting that ticking some of the boxes will allow you to retain a reasonable amount of privacy. In Discord’s case, your privacy is on the line from the moment you decide to sign up for this service. If you must use it for communication purposes, make sure not to click on any suspicious links. Arguably, the browser version is more secure as it doesn’t create entries in your system registry.
Discord is riding a wave of popularity: its product has many privacy issues, but the lack of competition in its niche has made the company very successful.
Incidentally, popularity is Discord’s main selling point. It’s much easier to opt in to a service that everyone is using than to carve a path on some niche platform where it could be challenging to find fellow gamers. The main downside is that this creates perfect conditions for, and further incentivizes, bad practices ranging from slow patching of security holes to questionable community management.
If you must use Discord, use it with caution. Keep in mind that you’ll be giving away a lot of your private data and drawing a target on your back for all willing hackers. Whether that’s worth the price is for you to decide.