avatarThomas Smith

Summary

Discord has taken significant steps to improve its security and privacy practices following a critical report by the Mozilla Foundation, aligning with its shift towards a broader user base beyond gamers.

Abstract

In response to a Mozilla Foundation report that highlighted security vulnerabilities, Discord swiftly addressed its most pressing issue by strengthening password requirements. The company, which has a business model based on subscriptions rather than data monetization, has been proactive in enhancing user privacy and security. Despite initial skepticism due to its association with controversial user groups, detailed investigations by journalists and researchers, including the use of data logging tools and analysis of privacy policies, have revealed that Discord is genuinely committed to user safety. The company has implemented measures such as disallowing compromised passwords, enabling two-factor authentication, and avoiding data sharing with third-party advertising platforms. These efforts, along with a significant funding round and a pivot towards catering to a wider audience, suggest that Discord is prioritizing privacy and security as it grows and evolves.

Opinions

  • The Mozilla Foundation's report card on video calling apps initially gave Discord a failing grade for security, specifically for allowing weak passwords.
  • Discord's rapid response to fix security holes was commended by the Mozilla Foundation, indicating a commitment to user security.
  • Researchers, including Jen Caltrider, were pleasantly surprised by Discord's privacy and security measures, despite initial doubts based on the platform's early user demographics.
  • Discord's co-founder Stanislav Vishnevskiy was noted for reaching out promptly and providing detailed information about the company's security and privacy policies post-report.
  • The investigations into Discord's data practices suggest that the company does not share user data with third-party advertisers, which is unusual for a technology company.
  • Discord's privacy policy raises some questions as it seems to leave room for potential data sharing with third parties, though there is no current evidence of such practices.
  • The company's valuation and recent funding round reflect confidence in Discord's pivot from a gamer-centric platform to a broader communication tool akin to Slack.
  • There is an opinion that Discord should make two-factor authentication mandatory for all users to further enhance security.
  • The platform has been actively working to curb hate speech and attract a more diverse user base, including book clubs and casual users, moving away from its previous association with alt-right groups.

Inside Discord’s Security Overhaul

Popular communications tool tweaks settings to court everyday users

Photo: Future Publishing/Getty Images

In an April 2020 report on the security and privacy of 15 video calling apps, the Mozilla Foundation gave failing grades to three apps: Doxy, Houseparty, and Discord. I was one of the journalists who worked with the foundation to break the story.

It’s been months since the report came out, and both Doxy and Houseparty are still on the foundation’s fail list. But Discord, a voice, video, and text communication tool that’s popular with gamers and on the rise among other groups, is different. Within one day of the Mozilla report’s release, Mozilla announced that Discord had fixed its most glaring security hole, which allowed accounts to be created with passwords as simple as “111111.” The foundation applauded the rapid change, saying, “We’re pleased to see Discord prioritize consumers’ security, and thank them for their quick action.”

After the Mozilla report, Discord reached out to me with information about the privacy of its app. The spokesperson said, “We do not make any money via advertising or share [user] data with any third-parties that look to profit off of the information from our users. Our business model is entirely based on subscriptions (Nitro).”

Fixing password procedures seems like it should be straightforward, but in reality, it requires changing verification systems across multiple websites, apps, and other digital endpoints.

Zero monetized data sharing is a pretty bold claim for a technology company to make. So I started to dig deeply into Discord’s privacy and security — from a legal, technical, and business standpoint. I expected to find all kinds of lurking demons. But instead, I walked away pleasantly surprised. Discord still faces challenges, but the company seems genuinely committed to improving privacy and security for its users.

For my investigation, I started by using a browser-based data logger to capture and view all the data Discord sent as I used the service. I also used Lumen — an app developed by UC Berkeley’s Haystack Project — to monitor the data sent out by Discord’s Android app as I logged in, joined chats, and performed other actions. I also grabbed a dump of all my user data directly from Discord and combed through it. And I spoke at length with Jen Caltrider, a lead researcher on the Mozilla Foundation’s report.

Caltrider confirmed that upon starting her own research on Discord, she was skeptical about the app’s privacy and security. This was primarily due to her knowledge of Discord’s original user base, which included neo-Nazis, Gamergate promoters, and the like. (Mozilla still warns that “Discord has had problems with toxic content, harassment, human trafficking, and other online crimes.”)

But Caltrider, too, ultimately walked away feeling that the company was genuinely trying to do right by its users.

After Mozilla’s report went live, Caltrider said that Discord co-founder Stanislav Vishnevskiy immediately reached out to her with a detailed message. She called the email a “feat of computer engineering” and said the message went into Discord’s privacy policies and security measures in intense (sometimes overwhelming) detail. Caltrider said that while everything wasn’t perfect about the company’s plans, Discord was “addressing all the right things.”

Caltrider was also impressed by the speed with which Discord fixed its password issues. Fixing password procedures seems like it should be straightforward, but in reality, it requires changing verification systems across multiple websites, apps, and other digital endpoints. It also means potentially invalidating passwords that are too weak and dealing with a surge of users updating their credentials all at once.

Mozilla says that Discord also moved to disallow passwords that had been compromised through other websites’ data breaches, enable two-factor authentication for major users of the platform (other users can opt in to two-factor authentication using Google Authenticator or Authy), and integrate a third-party authentication service rather than relying on less secure SMS messages. These are all positive steps toward better privacy and security. Caltrider found it surprising that Discord made them so quickly.

My own investigation of Discord was mostly notable for what I didn’t find. Firstly, I saw no evidence that Discord was sharing customer data with third-party advertising platforms, at least in the browser. Even companies that publicly boycott platforms like Facebook still often share data with them, and Zoom got into hot water for its own data sharing earlier this year. Discord sends data to Google Analytics, but I didn’t see evidence of data going to other third-party websites.

Likewise, my analysis of Discord’s Android app didn’t reveal much concerning activity. The company does appear to send data to two external services — Adjust and Google’s Crashlytics. This data could potentially be used to target ads. But it’s more likely that Discord is using these services for its own internal analytics or to spot and fix stability issues with its app.

The large dump of my Discord data (which any Discord user can access for their own account) revealed the same pervasive internal tracking of user activity that I expect to see with any modern app. Every interaction, message sent, or channel joined is logged.

But unlike with my Facebook data dump, which revealed third-party connections to more than 1,000 companies, I saw no evidence that Discord was sharing my user data with others. Discord also has a surprisingly comprehensive tutorial explaining the specifics of its data dump—a rare move that should be applauded. And it allows users to opt out of much of its internal logging.

All these steps only allow me to see the data that Discord is gathering or sharing through my browser or app, as well as the personal data it has chosen to disclose to me. It’s possible that the company could still be sharing data with advertising partners through its backend. That kind of sharing wouldn’t be visible unless I had access to Discord’s servers.

But in my experience, most companies that share data privately also use public tracking and sharing methods, like the Facebook integrations I’ve found on hundreds of other websites. Discord’s services appear refreshingly free of these obvious interconnections.

That’s strange, because according to Caltrider, Discord’s privacy policy makes it “sound like the company is sharing data with third parties.” Notably, the policy does state clearly: “We do not sell the personal information of our users.” But in online advertising, “sell” and “share” are often slippery concepts.

A company may “share” data with a third party to target ads to its users. Even if the company then makes money through those ads, the data transfer may be considered “sharing” instead of “selling,” since the company made profits through the ads, not the transfer of the data itself.

Discord’s policy does allow for sharing “your information with our Related Companies,” which include Discord’s “affiliates.” And the policy says that Discord integrates with Facebook’s SDK and “may collect information for optimizing advertising campaigns outside of the Service” (though, again, I saw no evidence that this was happening).

Challenges still lie ahead, and improvements are still possible — especially as Discord scales.

Discord might have left that language in its privacy policy so it could keep the option to transfer data to third parties (or to target ads on Facebook) down the road. But if the company is actually abstaining from transferring customer data to third parties right now, it should consider updating its privacy policy to reflect this. That might give users peace of mind and would be a bold step toward privacy in a world where corporate data sharing has become ubiquitous.

Overall, both Caltrider and I walked away from our research on Discord with the impression that the company is genuinely trying to improve privacy and security. Part of that may be tied to its overall business goals. In late June, Discord announced that it had raised more than $100 million in a new funding round. The company was probably finalizing the round right as Mozilla’s report came out — this alone may have accounted for its remarkable speed in fixing its password issue. The new round values Discord at $3.5 billion.

A big part of this valuation is based on a major pivot in Discord’s business model. According to TechCrunch, “Discord wants to be more than just a place for gamers.” Fueled by a surge of online activity during Covid-19 lockdowns, the platform has fast become “a Slack for users’ social lives.” Catering to the needs of everyday users is a much better business prospect for Discord than tailoring its services to a niche audience of sometimes combative gamers.

To this end, Forbes reports that Discord has been cracking down on hate speech, alt-right groups, and white supremacists on its platform. While parts of Discord are “still a place rife with gaming’s school-yard culture,” Forbes says that the app also now attracts Black Lives Matter protesters, as well as people interested in casual chats with friends or family members.

Caltrider largely agreed with this. In her words, Discord “seems keen on getting kids, book clubs, and overall a broader user base.” While the service “isn’t designed for sensitive, encrypted communication,” it’s probably a reasonably safe and private space to gather with friends and discuss Little Fires Everywhere.

If Discord’s new direction means the company is leaning into privacy and security, that’s an excellent thing. While I don’t have a window into the company’s internal operations, all my investigations suggest that it’s moving in this direction.

Challenges still lie ahead, and improvements are still possible — especially as Discord scales. Venture investors might put pressure on the company to monetize user data down the line, a siren song it should continue to resist. And there are security updates it could make right now. According to Caltrider, “The best thing Discord could do at the moment is roll out two-factor authentication to all users,” making it a requirement to use the service.

But overall, Discord appears to be actively engaged in protecting the privacy and security of its users and moving in the right direction. In an era where user privacy is often casually traded away, Discord’s new direction is refreshing to see.

Discord
Privacy
Cybersecurity
Security
Technology
Recommended from ReadMedium
avatarGhostByte
How to use OSINT for Detailed Personal Information Searcher

4 min read
avatarSathyaprakash Sahoo
Here’s Why I Don’t Suggest People to Get into Cybersecurity

What Most Won’t Tell You About a Career in Cybersecurity

8 min read
avatarHarendra
11 Open-Source SaaS Killer — Selfhost With Docker

Selfhost Supabase, Grafana, Uptime Kuma, NocoDB, Dokku, Appwrite, N8N, Redash, Jitsi, Plausible and Nextcloud with docker

6 min read
avatarAlexander Nguyen
The resume that got a software engineer a $300,000 job at Google.

1-page. Well-formatted.

4 min read
avatarJano le Roux
Is Apple Silently Plotting To Buy OpenAI?

It sure as hell looks like it.

4 min read
avatarAustin Starks
I used OpenAI’s o1 model to develop a trading strategy. It is DESTROYING the market

It literally took one try. I was shocked.

8 min read