Jeff Phillips, Code Siren, LLC
28 December 2023 - Industry
Introduction
Discord lurks in the flickering shadows of the internet, where pixels whisper secrets and whispers morph into malware. Birthed in 2014 by Jason Citron and Stan Vishnevskiy, two ambitious figures with a history of data privacy stumbles, Discord promised a haven for gamers, a playground of voice chats and vibrant communities. Nevertheless, beneath the surface, a sinister melody plays. [1]
Like a siren song luring sailors onto treacherous rocks, Discord's initial charm has transformed into a breeding ground for digital predators, often targeting children. Its massive user base, 560 million registered users strong, now attracts gamers, crypto enthusiasts, artists, and people seeking digital connections. According to BankMyCell, Discord had approximately 26.5 million daily active users in October 2023, [2] accessing more than 19 million servers. [3]
Tencent Holdings Ltd. (US OTC: TCEHY), the tech behemoth with close ties to the Chinese Communist Party ("CCP"), holds a sizable stake in Discord's dark carnival. That stake feeds murmurs of potential data espionage, a specter hovering over every chat and every file shared. Then there is the malware, slithering through Discord's Content Delivery Network (CDN) like venomous snakes. Phishing scams dangle promises of free games and exclusive access, only to snatch login credentials and cryptocurrency wallets in a digital sleight of hand.
With their past data breaches and privacy faux pas, Discord's founders offer little solace. They built a platform that thrives on engagement, even if it means turning a blind eye to the shadows lurking within. Discord is not just a platform for playful banter and pixelated adventures; it is a digital coliseum where your data, privacy, and identity are the prizes. [4]
Background
Discord was created in 2014 by Jason Citron and Stan Vishnevskiy, two young entrepreneurs who wanted to replace TeamSpeak and Skype with a more accessible, fun, gaming-oriented communications platform. Citron and Vishnevskiy released a beta version of Discord in March 2015, and it quickly became popular among gamers. Discord was officially launched in May 2015. [5]
Discord was initially marketed as a gaming communication tool but quickly expanded to other communities. People of all ages and backgrounds now use Discord for various purposes, including gaming, education, business, and social networking.
Discord is known for its VoIP and text features, including servers, channels, roles, and bots. Servers are communities where users can chat, voice chat, and share files. Channels are organized within servers and can be text, voice, or video channels. Roles allow server administrators to assign different permissions to users. Bots are automated programs that are added to servers to perform various tasks.
For all these accomplishments, Discord has also become a victim of its own focus. Its success in attracting gaming and cryptocurrency communities has made it a prime target for malware and phishing campaigns: these users are seen as worthwhile targets because they hold valuable digital assets (game accounts, in-game items, and cryptocurrency wallets) that can be stolen. Those assets have turned Discord into a breeding ground for cybercrime. Phishing attacks, malware distribution, and illegal activities are rampant on the platform and pose a significant threat to users.
The Founders
Jason Citron is a serial entrepreneur and the co-founder and CEO of Discord. He is also the co-founder and former CEO of OpenFeint, a social platform for mobile games. OpenFeint was one of the first social platforms for mobile games, and it helped promote social gaming on mobile devices. OpenFeint provided a social networking platform for various games, including Angry Birds, Fruit Ninja, and Words with Friends.
Stanislav Vishnevskiy is the co-founder and Chief Technology Officer of Discord. Stan helped conceive, design, and create the platform. Before Discord, Vishnevskiy developed tools for MMOs, including Final Fantasy XI2, before working as a Lead Software Engineer at GREE, Inc.
In April 2011, the Japanese-based company GREE bought OpenFeint for US$104 million. That same year, shortly after the acquisition by GREE, OpenFeint was sued in a class action lawsuit alleging unauthorized access and disclosure of user information. The lawsuit alleged that OpenFeint's business plan included accessing and revealing personal data (without authorization) to mobile-device application developers, advertising networks, and web analytic vendors that market mobile applications. Citron left OpenFeint later that year. [6]
The class action litigation was later settled out of court, but it raised concerns about Jason Citron's business ethics and OpenFeint's privacy practices. In response, OpenFeint updated its privacy policy and implemented new measures to protect user information. [7]
Discord's Foundation
Citron and Vishnevskiy were both gamers, frustrated with the existing communication tools. They wanted a tool that was easy to use, reliable, and could handle both text and voice chat, so they began working on Discord in 2014. The beta they released in March 2015 quickly became popular among gamers, and Discord was formally released to the public in May 2015.
Discord's early days were a wild west of data privacy. Leaks and breaches were par for the course, casting a long shadow over user trust. In 2016, a vulnerability exposed millions of email addresses and IP addresses, leaving users vulnerable to spam and targeted attacks. A year later, another breach compromised login credentials, forcing mass password resets and leaving a bitter taste in users' mouths. These were not isolated incidents; smaller breaches and data leaks peppered Discord's early years, creating a climate of constant anxiety and raising questions about the platform's commitment to user safety. Even co-founder Vishnevskiy's data was compromised in a 2018 breach, highlighting the systemic weaknesses in Discord's early data security infrastructure. It was a rocky road, paved with good intentions but riddled with potholes of negligence, leaving users to wonder if their digital identities were truly safe within the platform's walls. [8]
Privacy Concerns
Discord's data collection labyrinth collects a vast amount of user data, including messages, voice logs, IP addresses, device information, and browsing activity. This data collection goes beyond mere functionality, raising concerns about the platform's motives. The privacy policy, while technically transparent, is lengthy and convoluted, making it difficult for users to understand what data is collected and how it is used. This information asymmetry creates an environment where users surrender control over their digital footprint without fully realizing the consequences.
Third-party entanglement and integrations with numerous services, often for seemingly innocuous features like game authentication or social media integration, present another privacy conundrum. Each third-party introduces a new data access point, increasing the vulnerability of user information. Moreover, Discord's vague "limited data sharing" policy offers little assurance regarding the extent and purpose of data shared with these partners. Users are left to trust that Discord upholds ethical boundaries with every external connection, exposing them to potential privacy breaches and unforeseen data misuse.
The bot and surveillance bonanza is a colorful description of Discord's vibrant bot ecosystem, which adds functionality but also presents a significant privacy risk. Bots often request extensive permissions at invite time, granting them access to server data well beyond their intended purpose, and a malicious bot disguised as a helpful tool can use those permissions to collect sensitive information or monitor user activity. Discord does let server administrators trim a bot's permissions after it has been added, but most administrators accept whatever the invite link asks for, and there is little ongoing oversight of what a bot actually does with its access. The result is that users are left vulnerable to data hijacking and covert surveillance within supposedly trusted servers.
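One concrete check before a bot is added to a server is to decode the permissions= value in its invite link. The following is an added example written for this article (not Discord's code or any particular bot's); it uses Discord's documented permission bit positions for a subset of flags, and the invite URLs in it are constructed, with placeholder client_id values:

```python
"""Triage the permissions a Discord bot invite link asks for.

Added example for this article; it is not Discord's code and not any
real bot's invite. Bit positions follow Discord's documented permission
flags (only the ones relevant to triage are listed). The invite URLs in
CONSTRUCTED_INVITES are made up: the client_id values are placeholders.
"""
from urllib.parse import parse_qs, urlparse

PERMISSION_BITS = {
    "CREATE_INSTANT_INVITE": 1 << 0,
    "KICK_MEMBERS": 1 << 1,
    "BAN_MEMBERS": 1 << 2,
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4,
    "MANAGE_GUILD": 1 << 5,
    "VIEW_AUDIT_LOG": 1 << 7,
    "VIEW_CHANNEL": 1 << 10,
    "SEND_MESSAGES": 1 << 11,
    "MANAGE_MESSAGES": 1 << 13,
    "ATTACH_FILES": 1 << 15,
    "READ_MESSAGE_HISTORY": 1 << 16,
    "MENTION_EVERYONE": 1 << 17,
    "CONNECT": 1 << 20,
    "SPEAK": 1 << 21,
    "MANAGE_ROLES": 1 << 28,
    "MANAGE_WEBHOOKS": 1 << 29,
}
# Rights that let a bot take over a server or quietly move data out of it.
HIGH_RISK = {"ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_CHANNELS", "MANAGE_ROLES",
             "MANAGE_WEBHOOKS", "KICK_MEMBERS", "BAN_MEMBERS"}


def decode_permissions(value: int) -> set:
    """Map a permissions bitfield to flag names; unknown bits are reported, not dropped."""
    names = {name for name, bit in PERMISSION_BITS.items() if value & bit}
    known = 0
    for bit in PERMISSION_BITS.values():
        known |= bit
    leftover = value & ~known
    if leftover:
        names.add(f"UNLISTED_BITS_0x{leftover:x}")
    return names


def triage_invite(url: str) -> dict:
    """Decode the permissions= parameter of an OAuth2 bot invite and rate it."""
    query = parse_qs(urlparse(url).query)
    perms = int(query.get("permissions", ["0"])[0])
    granted = decode_permissions(perms)
    risky = sorted(granted & HIGH_RISK)
    if "ADMINISTRATOR" in granted:
        verdict = "REJECT"    # Administrator implies every other permission
    elif risky:
        verdict = "REVIEW"    # needs a justification from the bot's author
    else:
        verdict = "OK"
    return {"permissions": perms, "granted": sorted(granted),
            "high_risk": risky, "verdict": verdict}


# Constructed invite links: a music bot asking for the minimum it needs, a bot
# asking for Administrator, and one asking to manage roles and webhooks.
CONSTRUCTED_INVITES = {
    "music_bot": "https://discord.com/oauth2/authorize?client_id=000000000000000000&scope=bot&permissions=3214336",
    "admin_bot": "https://discord.com/oauth2/authorize?client_id=000000000000000000&scope=bot&permissions=8",
    "role_bot": "https://discord.com/oauth2/authorize?client_id=000000000000000000&scope=bot&permissions=805306368",
}

if __name__ == "__main__":
    for label, link in CONSTRUCTED_INVITES.items():
        print(label, triage_invite(link))
```

Administrator (bit 3) is a full takeover and is rejected outright; MANAGE_WEBHOOKS deserves the same scrutiny, since a webhook is an unauthenticated write channel out of the server. Unknown bits are reported rather than ignored so a bot cannot hide behind a newer flag the checker has not listed.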
Discord lacks end-to-end encryption for messages and calls, an essential feature for secure communication platforms. This means all user content remains readable by Discord itself, exposing it to government requests, data breaches, or internal misuse. While Discord claims data is stored securely, the absence of end-to-end encryption leaves users at a disadvantage compared to a platform like Signal, which encrypts every conversation end to end by default (Telegram, often cited alongside it, only does so for its optional Secret Chats).
The platform survives and thrives on fostering vibrant communities, often attracting marginalized groups seeking safe spaces. Nevertheless, its moderation tooling, heavy-handed in some areas and porous in others, leaves room for harassment, discrimination, and data leaks. Malicious actors exploit gaps in the moderation system to target vulnerable users, collect private information, and spread harmful content. Discord's reliance on community-driven moderation without robust privacy safeguards puts the onus of data protection on individual users rather than ensuring a secure environment for all.
Discord's data collection practices, third-party integrations, bot vulnerabilities, lack of encryption, and inadequate community moderation all contribute to an alarming disregard for user privacy. Each point raises questions about user agency, transparency, and control over personal data within the Discord ecosystem. [9]
Discord's Privacy Paradox: A Metadata Mosaic to the Gamification of Privacy
While Discord does not explicitly sell user data, its data collection practices paint a detailed picture of user behavior. This "metadata mosaic" includes everything from server join times to emoji usage, revealing valuable insights about user preferences, social circles, and mental states. This information goldmine can be used for targeted advertising, profiling for potential security risks, or even influencing user behavior through subtle nudges and algorithmic manipulation. Despite the lack of direct data sales, the intricate metadata Discord collects raises alarms about user autonomy and the potential for exploitation.
Discord's recommendation algorithms (server discovery, suggested servers, and the ordering of content) play a significant role in shaping what users encounter, yet their inner workings remain shrouded in secrecy. Users do not understand how their data is used to personalize what they see or to prioritize certain content. This lack of transparency creates a power imbalance, where Discord dictates what users see and interact with, potentially limiting their exposure to diverse viewpoints and fostering echo chambers. The opaqueness of algorithmic decision-making on Discord undermines user trust and raises concerns about potential manipulation and bias within the platform.
Discord constantly introduces new features and functionalities, often requiring additional data permissions. This "feature creep" can lead to privacy fatigue, where users become numb to the constant requests for access to their data and click "agree" without fully understanding the implications. This normalization of data collection creates a dangerous precedent where user privacy becomes an afterthought in the pursuit of platform growth and engagement. Discord must balance offering compelling features and respecting user privacy boundaries to avoid breeding apathy toward personal data protection.
With its badges, points, and leaderboards, the gamified Discord interface can incentivize users to share more data and engage in activities that compromise privacy. The desire to climb the social ladder or unlock exclusive features can unwittingly cause users to surrender control over their personal information.
This gamification of privacy exploits basic human psychology to encourage data sharing, raising ethical concerns about manipulating users into sacrificing their privacy for virtual rewards.
Discord's privacy issues move beyond the data-selling model to highlight the concerns surrounding metadata collection, algorithmic opacity, privacy fatigue, and the gamification of privacy. By shedding light on these less-discussed aspects, we can gain a more nuanced perception of the challenges surrounding user privacy on Discord and advocate for more transparent and user-centric data practices.
Security Issues
Attackers use Discord's content delivery network (CDN) to distribute malware, host phishing lures, and store illegal content. A perpetual problem is that the CDN is not designed to distinguish between legitimate and malicious files, so anything uploaded to a channel is served from a public cdn.discordapp.com URL. That URL carries no indication of which Discord server it was posted in, it works for anyone who has the link whether or not they use Discord, and it benefits from the reputation of Discord's domain. Discord announced in late 2023 that attachment links would start carrying expiring signature parameters, which shortens how long a hosted payload stays usable but does not stop a fresh upload from replacing it. [10]
Discord can be used as a web application in a browser (over HTTPS) or through its proprietary desktop and mobile clients. This appeals to malicious actors because discord.com and cdn.discordapp.com are typically reachable from both corporate and home networks, and because malware traffic to them blends in with legitimate Discord use, making it difficult for security software and researchers to single out. [11]
Malicious actors can exploit various web application vulnerabilities in and around Discord, most often in the third-party bots, dashboards, and integrations built on its API, to access sensitive data, launch attacks, or disrupt operations. Some common classes of attack include:
⦁ Cross-site scripting (XSS) attacks allow attackers to inject malicious script that other users' clients execute. Such script can steal session tokens, redirect users to malicious Discord servers, or take control of user accounts. [12]
⦁ Cross-site request forgery (CSRF) attacks trick users into performing unwanted actions, such as changing account settings or making purchases, by luring them to specially crafted links or forms. Classic CSRF depends on the browser attaching credentials automatically; Discord's own API authenticates with an explicit Authorization header rather than a cookie, which blunts this against Discord itself, but bot dashboards and other integrations that rely on cookies remain exposed. [13]
⦁ SQL injection attacks allow attackers to inject SQL into database queries built from user input, which can be used to read or alter data in the database or, depending on the database, execute commands on the database server. [14]
⦁ Command injection attacks allow attackers to inject operating system commands into commands that a bot or integration executes, which can be used to gain control of that host, steal data, or launch attacks on other Discord users. [15]
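The SQL injection and command injection items above are most often found in the bots that communities run beside Discord. The following is an added example, not Discord's code or any real bot's: two command handlers in their vulnerable and hardened forms, with the bot framework left out (each function receives the text after the command, as a discord.py on_message handler would) and a constructed in-memory users table:

```python
"""Vulnerable and hardened command handlers for a Discord bot.

Added example for this article; it is not Discord's code and not any real
bot's. The bot framework is left out: each handler receives the text a user
typed after the command, exactly as a discord.py on_message handler would
see it. The users table is constructed in memory for illustration.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: what a small community bot might keep."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "key-alice"),
        ("bob", "bob@example.com", "key-bob"),
    ])
    return conn


# --- !lookup <name>: SQL injection -------------------------------------------

def lookup_vulnerable(conn: sqlite3.Connection, arg: str) -> list:
    # The user's text is pasted into the SQL, so it can rewrite the query.
    sql = f"SELECT name, email FROM users WHERE name = '{arg}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, arg: str) -> list:
    # A bound parameter is only ever data; it cannot change the query shape.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (arg,)
    ).fetchall()


# --- !ping <host>: command injection -----------------------------------------

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def ping_vulnerable(arg: str) -> str:
    # Returns the string such a bot would hand to os.system() or
    # subprocess.run(shell=True); returned rather than run so the example
    # stays offline. Anything after ';', '&&' or '|' runs as the bot's user.
    return f"ping -c 1 {arg}"


def ping_hardened(arg: str) -> list:
    # Allow-list the argument and build an argv list: no shell is involved,
    # so shell metacharacters have no meaning even if they slipped through.
    if not HOSTNAME_RE.match(arg):
        raise ValueError("refusing to ping: argument is not a hostname")
    return ["ping", "-c", "1", arg]


# Constructed attacker inputs: a boolean bypass, a UNION that lifts the
# api_key column the query never exposed, and a chained shell command.
BYPASS = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT name, api_key FROM users --"
CHAINED = "8.8.8.8; cat /etc/passwd"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, BYPASS))       # both rows
    print(lookup_vulnerable(db, UNION_DUMP))   # api keys leak
    print(lookup_hardened(db, BYPASS))         # []
    print(ping_vulnerable(CHAINED))
    print(ping_hardened("example.com"))
```

The hardened lookup uses a bound parameter, so the same payloads return nothing; the hardened ping allow-lists the argument and passes an argv list, which never reaches a shell. The UNION payload is the one that matters for the data-theft angle: it pulls a column (api_key) the command was never meant to expose.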
Malicious actors abuse Discord in five main ways:
1) Attackers distribute malware by uploading infected files to Discord servers or sending links to malicious websites in Discord messages. Malware is typically disguised as legitimate files, such as game mods, cheats, or software cracks. Once a victim downloads and executes the file, their computer is infected. [16]
2) Malevolent actors use Discord bots to collect sensitive information from users, such as login credentials, credit card details, and personal files. Bots can be programmed to scrape data from Discord servers or to trick users into revealing sensitive information, which is then used for identity theft, financial scams, and blackmail. [17]
3) Attackers use Discord servers to host phishing schemes designed to trick users into revealing PII such as login credentials or credit card numbers. Malicious actors create Discord servers that imitate legitimate websites or services and use them to send phishing messages to users. [18]
4) Discord has become a channel for the spread of disinformation, meaning false or deceptive information spread intentionally to deceive people. Malicious actors use Discord to spread misinformation and disinformation by creating fake news articles, sharing propaganda, and impersonating real people. [19]
5) Cybercriminals use Discord as a centralized planning tool within their organizations to coordinate and plan attacks. Discord servers have become hubs for communication between attackers, where they share information about targets, discuss attack methods, and coordinate their activities. [20]
Here are some additional reasons why malware attackers target Discord users:
⦁ Discord is a popular platform with a large user base of potential victims.
⦁ Discord is easy to use and set up, which makes it easy for attackers to create bogus accounts, program malicious bots, and populate servers they can use to spread malware.
⦁ Discord has a lenient content policy. Attackers leveraging these lax controls can spread malicious content more easily on Discord than on platforms with strict content policies.
As a result of these factors, Discord has become a major hub for cybercriminal activity. Attackers constantly develop new ways to spread malware, and Discord's permissive content policies let malware distributors operate at unprecedented scale. Much of this stems from Discord allowing users to share files and links freely, even when those files or links are malicious. [21]
Discord's Malware Economy
Potentially reaching hundreds of millions of US dollars annually, Discord's malware economy is so large and entrenched that eradicating malicious actors might be impossible. [22]
Figure: A visualization of just a small portion of the malware files hosted on Discord's content delivery network (CDN). Red-colored entries are files determined to be malicious.
APTs and Discord
A new trend has emerged: nation-state hackers using Discord for potential cyber-espionage and the targeting of critical infrastructure. Cybercriminals have long abused Discord for hosting malware, stealing data, and exfiltrating information, but this is the first time nation-state actors or an advanced persistent threat (APT) have been observed exploiting its features.
In June 2023, a malware sample was distributed via a phishing email impersonating a non-profit organization in Ukraine. The malware used a Microsoft OneNote file to execute a Visual Basic Script that downloaded a PowerShell script from GitHub. The PowerShell script then used a Discord webhook to send system metadata to the attacker. The researchers who analyzed the sample said this could be an early stage of a more sophisticated campaign. [23]
Researchers have also cataloged the commodity malware families that rely on Discord's CDN and webhooks for payload hosting and data exfiltration, a toolkit that sophisticated actors can adopt as readily as ordinary criminals: SmokeLoader, PrivateLoader, GuLoader, RedLine, Vidar, Agent Tesla, Umbral, Mercurial Grabber, Stealerium, Typhon Stealer, and Venom RAT. [24]
The abuse of Discord's functionalities introduces a new layer of intricacy to the threat landscape, and we advise users to be particularly careful when using the platform.
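The two abuses described in this section and the one before it (payload hosting on the CDN, and webhook exfiltration like the OneNote chain in the June 2023 sample) both leave a footprint in an egress proxy log. The following is an added example written for this article, not code from Discord or from the researchers cited; the log lines are constructed, the hostnames and URL shapes are Discord's public ones, and the user-agent heuristics are assumptions of this example:

```python
"""Flag Discord CDN and webhook abuse in HTTP proxy logs.

Added example for this article, not code from Discord or from any cited
vendor. The log lines in SAMPLE_LOG are constructed; the hostnames and URL
shapes are the public ones Discord uses for attachments and webhooks; the
user-agent heuristic is an assumption of this example.
"""
import re

# Constructed log format: "<ts> <client> <method> <url> <status> "<user-agent>""
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
ATTACHMENT_RE = re.compile(
    r"^https://(?:cdn\.discordapp\.com|media\.discordapp\.net)/attachments/"
    r"\d+/\d+/(?P<name>[^?#]+)"
)
WEBHOOK_RE = re.compile(
    r"^https://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/"
    r"(?P<id>\d+)/(?P<token>[^/?#]+)"
)
# Extensions that have no business arriving from a chat CDN on a managed host.
RISKY_EXT = {"exe", "scr", "bat", "cmd", "ps1", "vbs", "js", "jse", "hta",
             "msi", "dll", "iso", "img", "lnk", "zip", "rar", "7z", "one"}
# User agents typical of scripts rather than the Discord client or a browser.
SCRIPT_UA_RE = re.compile(r"PowerShell|python-requests|curl/|Go-http-client|^$", re.I)


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict):
    """Return a finding for one parsed record, or None if it looks benign."""
    url, method, ua = rec["url"], rec["method"], rec["ua"]
    m = ATTACHMENT_RE.match(url)
    if m:
        name = m.group("name")                  # query string (signed params) excluded
        ext = name.rsplit(".", 1)[-1].lower()
        if ext in RISKY_EXT:
            return {"ts": rec["ts"], "src": rec["src"], "kind": "cdn_risky_download",
                    "severity": "medium", "detail": name}
        return None
    m = WEBHOOK_RE.match(url)
    if m and method == "POST":
        # The token is a write credential for the webhook: keep it out of the
        # alert. The id alone is enough for an abuse report to Discord.
        return {"ts": rec["ts"], "src": rec["src"], "kind": "webhook_post",
                "severity": "high" if SCRIPT_UA_RE.search(ua) else "low",
                "detail": f"webhook_id={m.group('id')} ua={ua[:40]}"}
    return None


def analyze(lines) -> list:
    """Run every line through the parser and classifier; skip malformed lines."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue        # do not let one bad line stop the batch
        finding = classify(rec)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: an image from the Discord client, an executable pulled
# from the CDN, a webhook POST from PowerShell, a normal API call, and junk.
SAMPLE_LOG = [
    '2023-12-20T10:01:03Z 10.0.0.12 GET https://cdn.discordapp.com/attachments/1111/2222/screenshot.png?ex=65a1&is=6590&hm=abcd 200 "Mozilla/5.0 discord/1.0.9025 Electron/22.3.26"',
    '2023-12-20T10:02:41Z 10.0.0.12 GET https://cdn.discordapp.com/attachments/1111/3333/FreeNitro_Setup.exe 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0"',
    '2023-12-20T10:03:15Z 10.0.0.12 POST https://discord.com/api/webhooks/4444/AbCdEf-ghIJkl_MNO 204 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3803"',
    '2023-12-20T10:04:00Z 10.0.0.7 GET https://discord.com/api/v9/users/@me 200 "Mozilla/5.0 discord/1.0.9025 Electron/22.3.26"',
    'garbage line that the proxy wrote during rotation',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A POST to a webhook from a PowerShell or python-requests user agent on a workstation is the high-severity case, because the Discord client itself has no reason to execute a webhook; that is exactly the shape of the June 2023 chain. The finding carries the webhook ID, which is what an abuse report or a takedown needs, and deliberately drops the token, which would let anyone who reads the alert post to the attacker's channel.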
Discord, Tencent, and the Chinese Communist Party (CCP) Influence
Discord finds itself in a precarious dance regarding user privacy. While Discord supposedly enjoys robust independence under its founders, a stake held by the Chinese tech giant Tencent casts a long shadow.
Tencent is a Chinese multinational technology conglomerate and holding company headquartered in Shenzhen, China. It is one of the highest-grossing multimedia companies in the world based on trailing twelve-month revenue of $85.0 billion. [25]
While seemingly small in relation to Tencent's balance sheet, Tencent's stake in Discord becomes more complex when considering the landscape of Chinese internet regulations. The 2016 Cybersecurity Law [26] and the 2017 National Intelligence Law (amended in 2018) have empowered the Chinese government with extensive control over domestic tech companies, potentially influencing how they handle data, even for overseas ventures like Discord. [27]
The Cybersecurity Law mandates data localization within China for certain types of information, raising concerns that user data from Discord's servers in other countries could potentially be transferred and stored inside China, subject to CCP access. While Discord currently holds most data in the US, future policy changes or legal pressure could alter this, putting user privacy at risk. [28]
The National Intelligence Law further complicates matters. It compels Chinese organizations and citizens to cooperate with national intelligence work when requested, opening a potential avenue for the CCP to pressure Tencent to surveil or censor Discord users, even those outside China. This regulatory obligation creates a chilling effect on free expression and raises concerns about targeted harassment or information control for users critical of the Chinese government. [29]
While Discord's current policies and practices regarding user data may not directly reflect these Chinese regulations, the mere existence of such laws amplifies Discord's uncertain future. The potential for impending changes or hidden influence from the CCP remains a significant concern for users who value privacy and independence of expression.
Moving forward, Discord must maintain rigorous transparency regarding its data handling practices and resist any pressure to compromise user privacy or freedom of expression under the influence of Chinese regulations. Users, meanwhile, must remain informed and vigilant, demanding clear assurances from Discord about their data security and exercising caution when engaging in sensitive conversations on the platform.
The primary concern lies in the probability of CCP intrusion. With its tight grip on Tencent, the Chinese government possesses leverage to exert pressure for access to Discord user data or influence content moderation policies. This unwanted foreign government oversight could mean increased surveillance, censorship of politically sensitive topics, or even targeted harassment of users for expressing dissent. This scenario, though hypothetical, becomes unnerving when considering the CCP's track record of internet control and human rights violations. [30]
One of the ways that the CCP could potentially misuse access to Tencent and Discord's user information is through social credit scoring. This system, widely implemented in China, assigns scores to individuals based on their behavior and activities, which can significantly impact their daily lives. With access to unencrypted Discord data, it is conceivable that the Chinese authorities could extend this system to monitor and score individuals worldwide. This potential monitoring could be done subtly, without overtly disrupting the Discord community, by simply keeping tabs on users' activities and interactions.
Moreover, the potential for misuse of Discord data extends beyond China's borders. Given the global nature of Discord's user base, the information gathered could be used to build social credit scores for individuals outside of China. This soft power oversight could allow the Chinese authorities to exert influence or take action in other countries using the information collected from Discord. This possibility underscores the importance of robust data protection measures to safeguard user privacy.
Beyond the direct influence of the CCP, Discord's data is a point of vulnerability in its own right. While the platform primarily stores data in the US, servers in other countries raise the specter of access by other governments. TLS protects Discord traffic in transit between the client and Discord's servers, but that is not end-to-end encryption: Discord itself, and anyone who can compel or compromise Discord, can read stored content. This gap further fuels user anxieties about privacy under Tencent's watchful eye. [31]
Navigating this precarious landscape requires Discord to tread a delicate path. Balancing the demands of a powerful investor with the trust and security of its global user base will be challenging. Users, meanwhile, must remain vigilant, demanding transparency in data practices and scrutinizing any potential policy shifts that could compromise their privacy and freedom of expression. Discord hopes to maintain its reputation as a safe and open platform in the face of these formidable challenges only through active awareness and an unwavering commitment to user autonomy.
Discord's Trust & Safety: Overzealous Guardians or Cancel Culture Puppets?
With Discord's popularity, the platform has become a battleground in the ongoing debate between online censorship, free expression, and cancel culture. At the center of the storm stands the platform's Trust & Safety department, often accused of wielding an iron fist regarding moderation.
Anti-free speech advocates for stricter online spaces applaud Discord's Trust & Safety team for creating a so-called safer environment for users, particularly marginalized groups vulnerable to harassment and abuse. They point to the swift takedown of hateful content and the zero-tolerance policy against discriminatory language as evidence of Discord's commitment to ostensible inclusivity. This authoritarian approach, Discord argues, fosters a more welcoming and respectful atmosphere for all. [32]
However, libertarians and privacy advocates paint a different picture. They accuse the Trust & Safety department of operating with an almost Orwellian level of control, silencing dissenting voices and stifling open discourse in the name of political correctness. The opaque nature of the moderation process, with decisions often made behind closed doors and appeals met with radio silence, fuels accusations of bias and arbitrariness. [33]
Examples of Discord users having been banned for innocuous jokes deemed offensive by overzealous moderators are common. Niche communities face suspension for discussions considered controversial, even if conducted respectfully. The ever-expanding list of forbidden topics, encompassing everything from sensitive historical discussions to edgy humor, has left many users feeling like they are walking on eggshells.
This hyper-vigilance, critics argue, creates a breeding ground for cancel culture. Minor infractions can snowball into online witch hunts, with communities wielding the threat of reporting as a weapon to silence those with inoffensive opposing viewpoints. The chilling effect of such tactics stifles debate and undermines the principles of open communication that Discord was built upon. [34]
Finding the right balance between online safety and free expression is a complex challenge. Discord's Trust & Safety department raises serious concerns about censorship and cancel culture. In the future, the platform must strive for greater transparency, consistency, and due process in its moderation practices (especially when small enterprises invest hundreds of thousands to millions of dollars in promoting their online communities). Instead, Discord appears content to appease, ensuring an imagined safer online experience at the expense of open dialogue and diverse perspectives. [35]
Why Discord Falls Short of Building Business Communities
While Discord's vibrant chat rooms and playful atmosphere might seem enticing for building online communities, it often falls short for serious enterprise and business needs. [36]
Discord's 19 million servers are largely steeped in gaming culture, with features like animated emojis, voice channels, and casual banter. While enjoyable for gamers, this informality can quickly devolve into unprofessionalism and hinder business-focused communication. Imagine pitching a new product to a dedicated community of existing clients amidst animated cat gifs and ear-splitting voiceovers – hardly the recipe for success.
While once boasting a young adult user base, Discord's demographics are increasingly migrating toward teenagers and pre-teens. This evolving audience poses a significant challenge for enterprises targeting older consumers or B2B interactions. Building a serious business community on a platform overrun by memes and Fortnite discussions is unlikely to yield valuable results.
Data security worries loom large for businesses navigating Discord. Sensitive information and intellectual property shared on the platform are at risk without the robust control and encryption that dedicated enterprise platforms require. Furthermore, Discord's moderation tools, geared towards casual community management, might be insufficient for tackling issues like phishing scams or confidential data leaks, potentially exposing businesses to significant risks. [37]
Discord shines in facilitating real-time interactions but lacks the sophisticated features and tools required for structured workflows, document sharing, and knowledge management essential for most businesses. Additionally, customizing Discord to reflect a professional brand identity is a struggle. The platform's playful aesthetic clashes with the polished image most companies strive to achieve.
Enterprises should consider dedicated platforms designed for secure, focused, and brand-aligned communication, ensuring their communities thrive in a professional environment conducive to growth and success. A siloed alternative platform with a less distracting environment is more suitable for businesses. [38]
Conclusion
Discord, the once niche platform for gamers, has risen to prominence as a multifaceted communication hub. While its strengths in community building and real-time interaction are undeniable, a shadow of concern looms when considering its approach to user privacy. Despite Discord's efforts to balance functionality with privacy, several challenges remain, leaving users grappling with the true cost of convenience. [39]
One key concern lies in the vast (19 million active servers, as of December 2023 [40]) and often opaque data collection practices. Beyond messages and voice logs, Discord captures intricate details of user behavior, painting a detailed picture of online personas. This "metadata mosaic" raises questions about user autonomy and potential for exploitation, even without direct data sales. While some may deem the trade-off for a feature-rich platform acceptable, others rightfully worry about the implications of surrendering such granular insights into their digital lives.
Furthermore, the algorithmic heart of Discord remains shrouded in mystery. Users navigate a curated reality shaped by hidden algorithms, influencing everything from content recommendations to server suggestions. This lack of transparency erodes trust and control, fostering anxieties about manipulation and echo chambers. Discord's power to mold user experiences within its walled garden without revealing its inner workings creates an unsettling power imbalance that demands greater transparency and user agency.
Discord's future success ultimately hinges on its ability to reconcile the undeniable appeal of its easy-to-use interface with the pressing concerns surrounding user privacy. Addressing the opacity of data practices, prioritizing user control over personal information, and fostering greater transparency in algorithmic decision-making are crucial steps toward building a platform that empowers users to connect freely without sacrificing their right to digital privacy. Only then can Discord truly earn the trust of its diverse community and thrive in the increasingly privacy-conscious landscape of online communication. [41]
In conclusion, while Discord offers undeniable value for certain communities, its inherent informality, shifting demographics, security limitations, lack of business-centric features, and rampant identity theft make it risky for enterprises and businesses seeking to build and engage professional online communities.