Why you shouldn't trust Discord

Index

Here's the index of all the sections in this post. The sections' ordering is not related to how important they are. If you only read one section, perhaps make it "Discord staff are absolutely untrustworthy", or perhaps "Actual despicable actions and despicable people are not stopped", or, if you're privacy-minded, "Discord's business model".

If you have the time and energy, I highly suggest actually reading the entire post in order. Firefox's reader mode suggests a reading time of about 30 minutes, and there are many links in here that will each add a few minutes to that time.

My perspective

Here's a little background about where I come into this. I joined Discord in mid-2016, pretty early in its life, and since then I've used it to make a lot of friends and deal with tough times. I've enjoyed using Discord and I've seen it introduce a lot of features over time like the new server settings screen, channel categories, server folders, the audit log, and paid subscriptions, which I have paid for. I've participated in the API chats and I've developed several bots, one of which has been seeing active development for 2 years, is in 2200 servers and counting, and has 466 hours of code from me since I started counting in 2019, all done at no personal gain for myself. All done because I wanted people to be happy on Discord.

I used to like Discord. I used to call myself a fan of Discord. But now, I can't put its problems behind me any more.

I've moved my communities off Discord, or bridged them with Matrix, or transferred them to other people and left them. I'm down to 3 servers from 86, all of which are bridged, so I don't have to open Discord to see them. I'm in the process of purging all of my messages. I likely won't delete my account, because I do occasionally need to log in to attend to something, and deleting my account would do basically nothing. More on that later.

Here's why I'm ditching Discord.

The product is poorly managed

There are so many outstanding bugs in Discord that we've all just collectively forgotten about over time. Here's a cute list of a few at the front of my mind:

These are not new issues. The calling issue has happened since the beginning of time. The theme issues have happened since the beginning of time. The note limit has existed since the beginning of time. The server member limit issue has existed since the server explorer was added.

I'd post more examples, but they're harder to find because a few months ago Discord staff wiped the bug report boards, deleting several years of issue reports. These issues still persist to this day.

These are not big issues. They do not affect how I use the app day-to-day. However, they are evidence of a much more serious problem: Discord staff either do not care about these issues, are too overworked and understaffed to deal with them, or are simply too incompetent to fix them. More on this later.

There's more evidence of incompetence. For a while we had server audit logs, which let you track if somebody deleted a message — but not if somebody used the bulk delete messages endpoint. That wasn't tracked at all. Oops. It's a thing now, but we've gone at least one or two years without it. Oops.

So what have staff been doing instead of polishing these issues and making the app actually look professional? They've been changing the mobile UI, clearly without consulting people that actually use the app, and everyone hates it. Oops.

Subsection: Disabilities

Perhaps the longest outstanding issue in the app was the contrast ratio of ordinary text. On light theme, the text contrast against the background was somewhere around 2.2:1 (the minimum to be WCAG AA accessible is 4.5:1), meaning it was extremely difficult to actually read text in the app designed for reading text unless you have perfect vision and an accurate monitor. This was eventually resolved for most parts of the app, but shortly afterwards they changed embed titles from perfectly fine to not accessible, which is terrible and shows that they don't actually care and that they haven't changed.

The pattern of complete disregard for disabilities continues when they made messages highlight when you hovered them with the cursor. As you scroll this page right now, I'm sure that your mouse is hovering over it somewhere. Now imagine that the colours of the paragraph you were hovering over significantly changed as you scrolled and moved the mouse. I actually would have quit using Discord immediately if I didn't have the technical knowledge to figure out where the styles came from and modify the colours to make it not do this — which is actually against terms of service. I have to break terms of service to make the app usable. Cool.

If you don't see why this is a big deal, it's incredibly distracting for people who have autism, ADHD, or related issues. For me, my mind focuses too much on what is happening on screen, making it impossible for me to actually read and understand the messages. I actually cannot use the app with that setting turned on.

Do you lack the fine motor control to use the mouse pointer? Perhaps you don't have hands to move it with, or perhaps tremors prevent you from pointing accurately. Sucks to be you, because the app is almost unusable with the keyboard. You cannot use the tab key to move around different sections, because it's been overridden to always focus the text field. Even if you could use the tab key, the focus ring is overridden to be invisible, so you have no idea what will be activated when you press Enter. You might think that it's hard to make entirely keyboard accessible UI. It might be hard, but it's definitely not impossible. Look at Visual Studio Code, an app with similar layout, that is completely keyboard accessible.

Subsection: The mismanagement of server screen share

In the beginning, there were no video calls. Then video calls and screen share were added to DM and group DM calls, and people were happy. They wanted server video calls, but didn't have them. Not a huge deal.

Then somebody discovered that you could fashion a link which would transport you inside the voice channel, which had extremely good UI for video calls and screen sharing, and it worked. Video call and screen share in servers existed and it worked perfectly.

Then nothing changed about this for 18 months. Screen share still appeared to be DMs only, while still functioning perfectly in servers if you know how to make the link. 18 months of this being a hidden feature that was completely functional.

Then Go Live came out, and at first, it sucked. Originally it would only let you screen share registered games, and not video call. Then it would let you screen share any application, but not video call. And finally, more than 6 months after the launch of Go Live, they added buttons to open video call and screen share with the current channel. It took a total of 2 years to make this extremely useful and perfectly functional hidden feature into a visible feature.

Subsection: Communication

Discord is a communications app. You think this would let the staff effectively communicate important information to you, and perhaps you could opt in or out of specific channels, like update notes, developer announcements, technical analysis, stuff like that. Not so. Communication with Discord is unbelievably disorganised.

Discord has a blog. Discord has the outage reporter. Discord has email lists. Discord has Twitter. Discord writes on GitHub. Discord has pretty much everything except, well, Discord. The only messages that you can be sure to receive are the SYSTEM messages if they decided that it's time to show them your passport. The information that's sent through these different communication routes is also different, so you need to subscribe to all of them. There's also about a billion satellite servers that you have to join to get important information, especially if you're a bot developer. A lot of important information about bot verification, a move which will literally lock people out of the platform if they don't understand what to do, I only find out about when random people post it in servers that I happen to be in. Apparently there's a "Discord Developers" server where they post announcements about this. I have no idea how to get into that server.

Downtime

Discord wants to be the communication route that you can use for everything. This is a bit hard when they're having technical problems at crucial moments. If the servers go down, you can't log in, you can't read any old messages, you can't queue messages to send later, and you often can't receive updates about what's happening. All you can do is wait and hope that it comes back eventually.

Check out the status page.

You see a couple of orange lines. You think, well that's okay, it's up most of the time? This isn't helpful. Discord needs to be up all of the time if it wants me to take it seriously. I understand that writing code is hard, and I'm aware that I sound demanding here, but I just cannot adopt Discord for communicating if I cannot rely on it to be available when I need it now. If it's down for half an hour, that's not a long time in the big picture, but it's a long time in the moment when I have a message that I need to send right then.

By the way, I run a reasonably sized bot, and I see a fair number of times where a series of requests to Discord result in 502 Bad Gateway, but aren't noted on the status monitor at all.

Around the end of last year they made a blog post (that isn't linked anywhere, you just have to find it on your own or wait for your network of friends to eventually get it to you) saying that they're aware that they need to do better, and they're prioritising reliability fixes and writing reports about issues that they face. We're halfway into the year and we have received zero writeups of issues that they have faced. Ok.

Discord does not care about you

Discord does not care about you, Discord staff do not care about you, and Discord staff especially does not care about you if you are a big contributor to their ecosystem, for example by creating bots, or server lists, or other tools that simply help their platform while bringing you very little. This sounds backwards, and it's true.

Please do go and read my other post about passports. The passport thing was the final straw that made me actually seriously start moving my things off Discord.

Here's some drama from the end of 2019, which was caused by Discord staff being bad and not documenting some behaviour that led to a lot of people getting @everyone'd by bots, and the developers of those bots having actually no way to stop this. I don't have the energy to explain this to a reader of an unknown level of technical skill. The final response to this issue is "just sanitise your bot's eval and adjust server permissions and wait until everyone forgets about it". Bot owners do not have the ability to sanitise it or adjust the server permissions. You'll note that the issue was locked so nobody else could comment on it after that point. This response is actually horrifying. (This was later reviewed and the allowed_mentions field was added to solve it, which is something that honestly should have existed from the start.)

Have you ever joked about being under the age of 13? Perhaps in a private server or direct message you've seen a question like "what don't you understand? are you literally 2 years old?" and responded, as an obvious joke, "yes". This is enough to get your Discord account locked, and deleted after 14 days unless you send them photo ID with your birthday. Not everyone has photo ID with their birthday on it, for example, actual 14 year olds. Also, not everyone wants to send photo ID of them to a private company to store for an undefined amount of time and use for undefined purposes.

For example, this person, who doesn't have ID to prove their age, so their account will be deleted. Bye.

For example, these / two people, who have ID, but Discord just didn't respond to their requests. Bye.

You might think that this issue doesn't matter because these people are probably not very important, and it would never happen to you, right? That's a bad take and is false.

Here's a lead developer of the world's largest Discord bot development library saying that this happened to them. Discord can decide it's time for you to go at any moment, and when that happens, you're just gone.

Discord staff are absolutely untrustworthy

And it's both the support team and the developers.

Remember how I suggested that the developers were either overworked, understaffed, just plain incompetent, or didn't care at all? You've seen a bit of that in the above section. Let's talk about it more.

Client mods, such as custom themes or plugins to add extra useful behaviour and fix issues, are against Discord's terms of service. I won't debate whether they should be allowed or not at this time, so let's just assume that they're disallowed and the punishment for using them should be consistent and fair.

Discord does not go out of their way to detect client mods, so you can usually get away with them unless you're doing something like mass joining servers faster than a human could. However, you will most likely be banned or reprimanded if a staff member happens to see you publicly post a screenshot from an obviously modified client.

I saw an exchange where a staff member saw a modified screenshot, and banned the person's entire account, then unbanned it after 2 minutes, as a joke.

I don't think this is a very funny joke, and it shouldn't be taken lightly.

This shows that staff have the power to do whatever they want, and there don't seem to be any review processes about reasonable use of power. Someone deciding that nope, I'll just ban you on the spot, but temporarily, as a joke, is NOT a normal thing that any platform should allow. I have sent somewhere in the magnitude of one million messages in my time on Discord, and made many friends. If someone can take away my access to talk to my friends just like that... and good luck finding the people's tags or server invite links to get back to talking with them again. If Discord is your life, then you're attached to your life by a spider's thread of security.

I really hate to use the phrase "power trip", I really do, but this part qualifies.

Discord Trust and Safety Employee Abuses Administrative Power for Personal Gain

A few of the things on this website are jokes, but this article is serious, and highlights a lot about how Discord's staff operate. I don't endorse everything that the article says, but the subject matter is important.

Just like how there was no review process for that client mod ban, there is also no review process for reading conversations in anyone's private servers or direct messages. Not only do the admins have graphical tools to do this, they can always just poke around in the database and do whatever they want.

Metadata collection

Discord collects an obscene amount of data about everything you touch in the app. I've outlined this data in a reddit post, but I have a couple of things to say before I write the link.

Okay, here's the post. The title is specifically designed to make as many people as angry as possible. Enjoy.

Please also see this report from somebody else.

Actual despicable actions and despicable people are not stopped

Remember when reddit changed their icon to be black and vowed to do something about racism on the site, because it's politically and economically convenient to say that they care? I... I don't think I have the words to describe how I feel about this. If you're not familiar with how subreddits are moderated, please read the replies to that link.

Yeah, so Discord is the same deal. Who could have possibly predicted that turn. Oh dear, oh god.

lol

lol

Look up "charlottesville discord". I'll wait. The server had been organising for a long time, and only got banned once they actually killed people, presumably so Discord could have good PR.

Forbes also wrote a good thing around the start of 2019. Please don't think that Discord has fundamentally changed in that time, because it hasn't.

Please note that banned users can simply create a new account and reconnect with their old pals, and banned servers can simply be re-created and its old members re-invited. There are no consequences or protections from doing this.

There's a LOT of stuff like this happening. I decided to only post a few. You can use search terms like "discord child grooming", and similar, if you want to find more. Also see "discord catching predators" on YouTube.

One person took the time to compile a montage of screenshots of obvious child grooming and bullying. The server wasn't banned.

People who report these servers are frequently banned.

I'll direct you to Austin Huang's response to my post for even more about this.

Meanwhile, a different particular server, which is targeted at underage people dating underage people, and is well moderated against child predators to protect against the obvious, was deleted, not because they did anything wrong, but because there was the potential for people to do something wrong. The server was well moderated specifically to stop this. At this point, what is a candidate for immediate deletion? A person under the age of 18 who might take explicit pictures of themselves at some point in the future, despite having never done so before? Any person of any age who might discover and post illegal pornography at some point in the future, despite having never done so before? I have no idea.

You know how breaking rules is called "crossing the line"? It seems the line has vanished. Normally, people would ensure that they know where the line is and that they don't cross it. In Discord's case, that's not good enough: they'll ban you if they think that you might cross the line in the future. There's literally nothing you can do to keep yourself safe. It's their choice about whether you stay online or not.

Despite their desire to terminate accounts for no particular reason, people who share racist hate and fascist education continue to have a home on Discord. Note that if a reporter is talking about groups that they managed to find, it clearly wasn't that hard to find them, and there are most definitely more where they came from.

Discord's business model

Get this into your head and keep it there: DISCORD IS NOT PROFITABLE.

It's basically confirmed here if you want to listen to the staff members for all your information, but if you understandably don't, there's a very obvious reason why Discord is not profitable that doesn't require asking any questions:

Being a completely free, no ads, unlimited capacity, permanent, easy-to-use and accessible anywhere file storage and CDN is not a good business model.

Besides file storage, they're obviously paying a lot of money for the hardware to handle 2.5 million concurrent voice connections (article from Sep. 2018), not to mention text chat, typing indicators, presence updates, and everything else that goes into the system. Discord is not cheap to run.

So how do they have money? Well, a tiny subset of users pay a few bucks a month for more features on a premium plan that wasn't even available for the first 2 years of Discord's life. And their failed game store that probably cost more money to set up than the amount it gained in new subscriptions, since games from the game store were available on one's existing subscription, not individually purchased. Did you even remember that Discord tried to run a game store? That's understandable if you don't.

And that's all the money that they accept from users.

The rest of the money comes from investors. Investors give Discord money at the start in the hopes that Discord will be a good product. Please take a moment to think about the definition of "invest" — it's when you get more money out at the end than you put in at the start. Sooner or later, these investors are going to want to be paid out, and they'll want to be paid out more than they first put in. This requires Discord to actually get more money from its users than it pays to run the service.

It is not getting more money from its users than it is paying to run the service.

So how are the investors going to make their money? Clearly, at some point, Discord will need to implement aggressive monetisation. This is a fact. This WILL happen.

Here are some options that I can think of:

That last bullet point is probably the most likely.

If you've talked to people on Discord about anything personal, thinking it's private, Discord still holds a copy of everything. They know your interests, your activities, your relationships, your desires, your secrets, your fears, your life. Companies will pay a LOT of money for access to that information. It wouldn't be too hard to aggregate either, just run some machine learning on it and yay you did it for like 90% of people. This isn't new. Google, Facebook, and many others are already employing techniques like this to determine your interests from the websites you visit and from the way you interact with their content.

Yes, I think that will happen. I'd like to think that it won't happen, I'd really really like to be able to give Discord that much trust, but they've done nothing to deserve my trust. We know that they don't care about privacy (see also the security section coming further down). We know that they need money. We know that they will need a way to get rich quick.

(Incidentally, recall that staff members also have full database access as well as a tool to easily view conversations, so if they had a grudge against you, they can personally go and look up everything about your life that you've been foolish enough to share with people you trust. If you think the staff members are honourable and trustworthy enough to not do this, clearly you haven't read the sections above.)

Even if Discord, out of the goodness of their hearts, actually does not want this to happen, there's a thing called "takeover", when a business acquires another business along with all of its assets, users, and data. This is a pretty common thing to happen to failing businesses.

What can you do about this? I'll suggest some defenses a few sections down, so just keep reading.

Security issues

Discord has a bunch of security and privacy holes. Are you surprised? You shouldn't be, having seen the quality of the app and its longstanding issues that I mentioned right out of the gate. If that's the level of detail that they give to user-facing parts, what do you think happens to the security issues that they no doubt try to keep secret?

I only know about a couple of security issues, because of course Discord wouldn't publish them publicly!

Do you know the server widget? That used to expose user IDs, usernames, and avatar hashes of every single person online in the server. Anybody could query this information if they knew the server ID. That's a security issue, because given enough server IDs, you can tell which people are in which servers without even having to join those servers.

A friend found this one. The actual vulnerability was that you could edit any person's message, with no permissions needed, by sending a custom API request, which is not difficult at all to do. Supplying {flags: 4} with your edit payload allows you to edit messages sent by other people. Cool ideas for this:

We have no idea if this was actually exploited in the wild or not. Given the severity of this bug, and that Discord operates a bug bounty program, you'd think there would be a sweet reward for this. In fact, the person who discovered it got a couple of codes for premium subscriptions.

I only know about this because I happen to be friends with the person who discovered it. I wonder how many bugs there are of similar severity that nobody knows about.
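The class of bug described above (an edit request that is authorised on one field and then applied as a whole) can be shown with a small model. This is an added example, not code from the post or from Discord: the handler shape, the `MANAGE_MESSAGES` string as a moderator permission, and the assumption that flag value 4 is an embed-suppression bit a moderator may toggle on other people's messages are all part of the constructed model.

```javascript
// Constructed model of a message-edit handler; NOT Discord's code.
// Assumption: flag 4 is a moderation bit (embed suppression) that a
// moderator may toggle on someone else's message.
const SUPPRESS_EMBEDS = 1 << 2; // the value 4 quoted in the post
const MANAGE_MESSAGES = "MANAGE_MESSAGES"; // permission name in this model

// Flawed pattern: the presence of `flags` selects the "moderation" path,
// but the whole payload is then merged into the stored message.
function editMessageVulnerable(actor, message, payload) {
  const isAuthor = actor.id === message.authorId;
  if (!isAuthor && !("flags" in payload)) {
    return { status: 403, reason: "not the author" };
  }
  // Defect: every submitted field is applied, not only the authorised one.
  return { status: 200, message: { ...message, ...payload } };
}

// Hardened pattern: authorise each field on its own, reject unknown
// fields, and only allow the one flag bit to change.
function editMessageHardened(actor, message, payload) {
  const isAuthor = actor.id === message.authorId;
  const canModerate = actor.permissions.includes(MANAGE_MESSAGES);
  const update = {};
  for (const [field, value] of Object.entries(payload)) {
    if (field === "content") {
      if (!isAuthor) return { status: 403, reason: "content: author only" };
      if (typeof value !== "string") return { status: 400, reason: "content: not a string" };
      update.content = value;
    } else if (field === "flags") {
      if (!isAuthor && !canModerate) {
        return { status: 403, reason: "flags: author or moderator only" };
      }
      // Any changed bit other than SUPPRESS_EMBEDS is refused.
      const changed = Number.isInteger(value) ? value ^ message.flags : -1;
      if ((changed & ~SUPPRESS_EMBEDS) !== 0) {
        return { status: 400, reason: "flags: only SUPPRESS_EMBEDS may change" };
      }
      update.flags = value;
    } else {
      return { status: 400, reason: `unknown field: ${field}` };
    }
  }
  return { status: 200, message: { ...message, ...update } };
}

// Constructed sample data.
const sampleMessage = { id: "m1", authorId: "1", content: "original", flags: 0 };
const author = { id: "1", permissions: [] };
const stranger = { id: "2", permissions: [] };
const moderator = { id: "3", permissions: [MANAGE_MESSAGES] };

// Runs the same requests through both handlers and returns the status codes.
function compareHandlers() {
  const forged = { content: "forged", flags: SUPPRESS_EMBEDS };
  return {
    vulnerableStranger: editMessageVulnerable(stranger, sampleMessage, forged).status,
    hardenedStranger: editMessageHardened(stranger, sampleMessage, forged).status,
    hardenedModeratorFlagsOnly:
      editMessageHardened(moderator, sampleMessage, { flags: SUPPRESS_EMBEDS }).status,
    hardenedModeratorContent: editMessageHardened(moderator, sampleMessage, forged).status,
    hardenedAuthor: editMessageHardened(author, sampleMessage, { content: "edited" }).status,
  };
}

console.log(compareHandlers());
```

A regression test for an endpoint like this should submit each field as a non-author, both alone and combined with a field the caller is allowed to change.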

You were waiting for this one. I was just saying that the server widget could be used for mass data harvesting, and... oopsies! Some people already did this. It would be really funny if they weren't fascists. Try looking up your own profile and see what it knows about you. This site is definitely logging messages in the listed servers, it's just not making them public. For a fun time, try clicking the "request removal" link. Here's someone else's more in depth post about the history of Discool.

https://h0nda.pw/2020/01/intercepting-discord-attachments-in-private-channels/ This link is dead right now, but it used to work. Funny vulnerability that I don't think is patched.

So what can you do about the data collection?

Delete your account. Just kidding. Tracr/Discool won't remove your information, and neither will Discord, actually. Here's what deleting your account does:

Yeah, that's it. It doesn't delete any of your messages. It doesn't remove or replace the permanent user identifier that your account has. All of your data remains on Discord, and can still be read by anyone.

You've actually just screwed yourself over, because now you can't log in to delete your messages.

No, Discord staff will not delete all of your messages on request. You'll have to go through and manually delete them one by one.

You could try using a selfbot or a script, but if you trigger their automatic detection systems, which mass deleting messages does, then you could be locked out of your account without the ability to delete anything more.

If you're in a server, it's okay to use bots to bulk delete your messages, but of course this doesn't work in direct messages.

So what can you use instead of Discord?

This post is about Discord, not alternatives to Discord. I'll probably make a follow-up post highlighting how you can effectively move off Discord soon. For now, here's a list of potential alternatives. The ones I like most are first in the list.

Text chat

Matrix, XMPP, Rocket.Chat, Slack, Mattermost, Skype.

Voice, video, and screen share

Mumble, standalone Jitsi, Matrix+Jitsi, Peercalls, Houseparty.

Are these better or worse than Discord?

I think in several ways Matrix is better, once you get used to the UI. You have read markers, end to end encryption, and of course it's an open protocol and the clients are free software, so you can make it do whatever you want and fill in any gaps in functionality without fear of being banned, unlike Discord.

Mumble is literally just a better experience than Discord's voice chat in every way. Better audio quality, open source/open protocols/free software, the apps suck less (especially on mobile), and you can join a call instantly without needing to sign up.

Final thoughts

I'm glad I decided to move off Discord because it's given me the chance to evaluate other platforms where I have the freedom to do what I want, talk to who I want, own my own messages and metadata, and have the ability to change things I don't like and make them better.

It took 4.5 hours and 4986 words to write the initial post of this, but I've edited it a couple of times to add more information since then.

https://cadence.moe/i/7f4f97

— Cadence
