August 4, 2021
Explored in Discord: Strong Indicators of Privacy-Compromising Acts
Remote work can be a chore, especially if you are forced to use a corporately-approved application.
As you may have experienced yourself, the general public prefers more user-friendly options to connect with co-workers, with Zoom, Telegram and WhatsApp being the go-to places for group calls and quick messages. While everyone who cares about privacy is already a long-standing member of the Zoom hate club, an alternative connectivity platform gets a pass even from the more educated users.
Talking about Discord – a free gaming-oriented voice and chat application that can be described as an ‘informal Skype’ with theme servers.
The Inner Workings of Discord
Let’s discuss why Discord is not the best place to gather for work projects.
As some developer feelings could be hurt in this blog post, I will stick to an approach that they would find logical. I will not be bashing the platform with personal opinions, instead stating discoveries made by security researchers and curious users who carried out a couple of practical tests.
For example, researchers David Wells and Joseph Bingham focused on the audio/video component of the Discord desktop client to understand how the voice call protocol works. To do that, they wrote a Python client that mocked video and audio calls themselves.
They found that the Discord client interacts with four different servers to establish a two-way call with the desired client, and, more importantly, that there are indicators that Discord can decrypt audio and video calls on the fly.
How did they come to this conclusion? They created a malformed audio packet, encrypted it, and sent it along with their existing mock audio stream. The server dropped the malformed audio packet from a mocked client and passed through only the “valid” audio data.
This happened multiple times at different points of the call. That suggests some man-in-the-middle decryption, validation, and filtering is happening at Discord's servers in real time. While this could be done to enforce content guidelines or to validate call quality, real-time decryption would not sit well with privacy-oriented users.
It is no surprise that people don't read privacy policies, and no surprise that after this research more people ran further tests to expose Discord's shady practices.
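To make the researchers' inference concrete, here is an added Python simulation (not their mock client and not Discord's real protocol) of the two possible relay models: one that never holds the call key and can only pass packets through, and one that decrypts, validates the audio frame, and filters. The packet layout, the "valid frame header" rule and the keystream-plus-HMAC cipher are all constructed assumptions; the point is that only the decrypting relay can make exactly the malformed packets disappear.

```python
import hashlib
import hmac
import secrets
# Constructed toy format for the simulation: 4-byte sequence number, the
# encrypted 21-byte audio frame, then a 16-byte MAC. Keystream-XOR plus HMAC
# stands in for whatever authenticated cipher a real voice client uses.
VALID_HEADERS = {0x80, 0x81, 0x82, 0x83}  # constructed "valid audio frame" types
TAG_LEN = 16

def _mask(key, seq_b, data):
    ks = hashlib.sha256(key + seq_b).digest()  # one digest covers a 21-byte frame
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(key, seq, frame):
    seq_b = seq.to_bytes(4, "big")
    ct = _mask(key, seq_b, frame)
    tag = hmac.new(key, seq_b + ct, hashlib.sha256).digest()[:TAG_LEN]
    return seq_b + ct + tag

def decrypt(key, packet):
    seq_b, ct, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
    expect = hmac.new(key, seq_b + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None  # not decryptable with this key
    return int.from_bytes(seq_b, "big"), _mask(key, seq_b, ct)

def opaque_relay(_key, _packet):
    """Relay without the call key: it can only pass every packet through."""
    return True

def decrypting_relay(key, packet):
    """Relay holding the call key: decrypts, validates the frame, filters."""
    res = decrypt(key, packet)
    return res is not None and res[1][0] in VALID_HEADERS

def run_experiment(relay, key, n_packets=10, malformed_at=(3, 7)):
    """Send n frames, malformed at the given sequence numbers, through a relay;
    return the set of sequence numbers the far end actually receives."""
    delivered = set()
    for seq in range(n_packets):
        header = 0xFF if seq in malformed_at else 0x80 + seq % 4
        frame = bytes([header]) + secrets.token_bytes(20)
        if relay(key, encrypt(key, seq, frame)):
            delivered.add(seq)
    return delivered

def relay_saw_plaintext(delivered, malformed_at=(3, 7)):
    """Only a relay that inspected the decrypted frame can drop exactly the
    malformed packets; a relay without the key cannot tell them apart."""
    return all(seq not in delivered for seq in malformed_at)
```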
More Reasons to Stay Away from Discord
Of course, there is more dirt on Discord.
Apparently, some indicators suggest that Discord is lying about removing deleted files. You can post a test image on a Discord server you own, delete the picture and then the server itself, and still find the image accessible via its direct URL.
Even when the server is entirely wiped, the data is not gone as long as you have a direct link. In some cases the image will indeed be inaccessible, but the mere fact of the inconsistency, and the chance of seeing something that was meant to be erased long ago, is very concerning.
The “soft deletion” practice is not a rare occurrence with many popular platforms, so it’s better to assume that everything you have ever uploaded online will be saved and hidden instead of being deleted.
Apart from these practices, vocal users shared that Discord can also do the following:
- Delete your account at any time and for any reason;
- Force you to enter a phone number and proceed with verifications if you use Tor or VPN;
- Provide messages to any third party without any legal obligation or requirement to inform you.
On top of all that, Discord silently tracks all your activity by default and collects your IP address, device UUID, and email address. One could say that there is no decisive "slam-dunk" argument to prove that Discord is invasive, but simply not having end-to-end encryption in 2021 puts Discord to shame.
I’m not telling you to stop using Discord, but I wouldn’t recommend it for work projects. Better be safe than sorry!