Tell HN: Discord Ignores Right to Erasure

 1 year ago
source link: https://news.ycombinator.com/item?id=31397156
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

Tell HN: Discord Ignores Right to Erasure

Tell HN: Discord Ignores Right to Erasure
204 points by btdmaster 4 hours ago | hide | past | favorite | 70 comments
I have contacted Discord for right to erasure on 2022-02-26 and I have received no response. For context, they have stored metadata on almost all interaction with the following keys for over 4 years (i.e. since account creation) with no way to opt out:

['event_type', 'event_id', 'event_source', 'user_id', 'domain', 'freight_hostname', 'freight_id', 'ip', 'day', 'chosen_locale', 'detected_locale', 'user_is_authenticated', 'browser_user_agent', 'browser', 'browser_version', 'cfduid', 'os', 'client_build_number', 'release_channel', 'city', 'country_code', 'region_code', 'time_zone', 'isp', 'message_id', 'channel', 'channel_type', 'is_friend', 'private', 'num_attachments', 'max_attachment_size', 'length', 'word_count', 'mention_everyone', 'emoji_unicode', 'emoji_custom', 'emoji_custom_external', 'emoji_managed', 'emoji_managed_external', 'emoji_animated', 'emoji_only', 'num_embeds', 'attachment_ids', 'has_spoiler', 'probably_has_markdown', 'user_is_bot', 'sticker_ids', 'message_type', 'system_locale', 'components', 'is_first_message', 'cfduid_signed', '_source_job_id', '_ingest_ts', 'rendered_locale', 'accepted_languages', 'accepted_languages_weighted', 'primary_accepted_language', '_hour_pt', '_hour_utc', '_day_pt', '_day_utc', 'client_send_timestamp', 'client_track_timestamp', 'timestamp']

The actual files are 75 megabytes of text(!) data.

This, to me, is clearly not reasonable under CCPA or GDPR. Even if it were, they have not responded to my emails, even though the 30 day limit has long passed. What can I do?

The same Discord that told me to just use someone else's phone to verify my account when they kept saying my phone number was invalid?

This doesn't really surprise me.

Discord support is non-existent like every other digital company. Customer support in 2022 is a cost center.

I'm often surprised by how responsive dang is despite being an individual whenever I email HN.

> I'm often surprised by how responsive dang is despite being an individual whenever I email HN.

Dang is actually a General AI robot built by sama as a hobby.

I kid, he's actually just a really great person who cares deeply about HN and it's community. And also one of the nice things about HN is that it's not trying to make money, so WE are actually the customers.

This is why we need a TNG style star trek utopia. This nice thing exists because its not being monetised because it has patrons. If we remove the need for money and thus patrons, everything can be better.
Pretty sure he/she has a team that he/she only a public face of
The "comments" link in the top navigation takes you to all comments on HN, across all posts. It would be hard, but perhaps feasible to read through all the content that is posted.

On Discord it would be impossible for a person to read through just all newly created Discord channel names. It handles over a million messages per minute.

Discord has been hoarding data like Smaug for years.
Idk why but this visual made me giggle. I totally agree though, and have a hard time conversing with people who don't believe Discord is accumulating one of those most valuable, granular, personalized datasets in existence.
Valuable? To whom? To whoever wants to spy on millions of 14 years olds cursing each other over the most insignificant petty squabbles one can imagine?

Sure there are good communities in there but I don't imagine they are distributing illegal things or want their existence be secret?

But I can see a lot of value in the existence of the mountain of metadata, sure.

I wonder why. Maybe they have plans to train a neural network on it or something.
A couple of main reasons are:

1. Accumulate a large volume of data where its value is based on sheer size. Their "revenue model" could be a red herring for a later acquisition based on the monetary value of their datasets.

2. Analyze the data in-house and sell predictions, not the data itself which could skirt some privacy laws

I think the main problem most people have when deleting their discord accounts is that their public messages are still available to read for everyone just with the username "Deleted User" instead of your own. So it's still pretty identifiable the only way to get rid of them is to delete them by hand or with https://github.com/victornpb/undiscord . Discords rate limits are pretty harsh so with a lot of messages it's gonna take a while 1500 worked without getting timeouts.
What's worse is your unique ID is attached to the deleted user. The only thing you delete is the username which you could have done so by changing it to a generic one.
Contact your local data protection authority
I had trouble getting Discord to respect the law regarding automated account termination. I contacted my local data protection authorities and then contacted Discord through several channels and informed them that I had contacted the authorities. Within a day, they reinstated my account without a word.
That is the default now for big companies, it seems. They think they are invincible, and that one measly user cannot harm them. You have to basically threaten them to get them in legal trouble with a bigger player like the EU, so that they listen. This is because all their incentives are tied to profit, instead of ethics of freedom and consent. Unless you have something, that could harm their profit, they will try to abuse you.
They wouldn't even tell me what I had supposedly done wrong when they terminated my account, and said that they investigated the claim and upheld the termination... That is, when they eventually responded.

I had to make a new account and set all the servers and such back up.

Thank you for the suggestion, I have already done this as soon as I could (late March) and they have not yet responded either.
I had a similar experience with California prop 65 (requires business to add a label to products that contain carcinogens). The business itself was way more responsive than the government agency, nothing happened but it was surprising that even handed a trove of evidence & emails about a clear food safety violation they didn't really do anything. Well I guess not surprising haha.
Not really surprising at all. It's incredibly common for legislatures to pass laws requiring something that would take resources to enforce, but not budgeting for those enforcement resources. It's called an unfunded mandate.
My experience is that vague prop 65 warnings just ended up on virtually everything. I guess the CA legislature tried to address that, but I don't live in California so I have no idea how much improvement there's been, if any.
I assume you're in Calif based on the above? The ICO in the UK is usually pretty good if you report.
I suspect getting the word out on here etc is much more effective than any effort they're likely to put into it if you did.
Also had this issue with an old account. They "deleted" the account, but to this day I can still see (from a different account) that my name is tied to that account, and that account is then tied to messages I sent from it. Have contacted local authorities about it in the past, but it seems that they have limited jurisdiction/care.
This is one reason I never user their Desktop Apps and simply use browser.
Well, considering that discord doesn't care about the grooming circles. You're an afterthought.


Or the child porn that gets DMed to me from bots that have joined larger servers I'm also a part of.

I can't shut off the privacy setting for DMs since I moderate a few of them. So I'm left vulnerable to getting DMs with wildly inappropriate/illegal content.

Of the three or four times it's happened and I've subsequently contacted Discord, I've gotten nothing back. No acknowledgment, no response - complete silence.

If it's actual CSAM, I wonder if notifying the authorities that Discord isn't removing it would do anything?
> doesn't care about the grooming circles

You can take your hatred of LGBTQ and go fuck yourself.

We LGBTQ are NOT child sex predators.

As a fellow LGBTQ, there are child predators on the internet that are quite pervasive. "Grooming" isn't a dogwhistle here.
This is probably not LGBTQ related. If you join virtually any game groups like Roblox or similar (less "adult" games like Elden Ring for example) you will have people trying to do this, more so if your account appears young.
Yep, Discord has been a hunting ground for child predators since it got popular as a chat system for gamers (many of whom are children). This has been a problem since long before a certain American political faction started throwing the word "grooming" around to mean "not heteronormative," and in my opinion it's probably best to avoid legitimizing that rhetoric by responding to it.
Yeah. You're probably right. We're collectively a little on edge right now about the term "grooming", thanks to the astronomical rise of right-wingers using it to describe all trans people and their occasional hobby of, y'know, existing in society while being trans.
The Right to Erasure is not absolute. There are a large number of reasons why they may not be required, or even allowed, to erase some or all of those data points.

They are required to explain themselves. Per GDPR Article 12 Paragraph 4, even if they do not delete any data they owe you a response. This would include the legal justifications for not erasing the data.

I suspect btdmaster is American and, as such, has no GDPR rights wrt Discord, an American company. I don't believe in that case that Discord is required to explain themselves.

Separately, OP starts with a complaint about deletion; then complaints about not being able to opt-out (a different discussion than deletion); then states that OP finds this unreasonable under GDPR and CCPA -- which, given Discord is an American company, I struggle to figure out how both would ever apply. Only zero or one will apply to OP.

And finally, as you point out, the GDPR right to deletion is not absolute. The data subject has rights, but companies have a legitimate interest in keeping the context of a discussion around, and are also allowed to consider the legitimate interests of others. An analysis would be required to figure out if it is an overriding interest.

There is no need to assume that, I am covered by GDPR. I listed what the data in question is - tens of megabytes of text providing IP address, location, ISP, etc. is sufficient to personally identify perhaps even better than a name or similar, in entropy-bit terms.
Then why are you rambling about CCPA? Why are you not clearly stating which country you are in and which DPA you are covered by?

Why are you discussing the size of the data -- it makes no difference if you record an IP address once or a billion times?

Discord is registered in California, so it would concern them even given limited GDPR enforcement. Data size matters since it changes, and there is information even in the knowledge of no change happening. I would rather not share my location, and I do not understand how that would help given I have already contacted my DPA.
CCPA applies to California residents. You are very unlikely to simultaneously be a California resident and an EU/UK resident. So discuss the law that applies.

If you are in the EU, your contract is with Discord Netherlands BV.

it's not like they'll have different user account behaviours for someone living in California at the moment, compared to someone living in the EU.
> The data subject has rights, but companies have a legitimate interest in keeping the context of a discussion around, and are also allowed to consider the legitimate interests of others. An analysis would be required to figure out if it is an overriding interest.

Yes, but (at least under GDPR) it is reasonable to demand that Discord removes everything not needed for following legitimate interest of others (e.g. IP address, browser user agent).

Those can likely be maintained for anti-abuse purposes as well, particularly if OP got blocked. Separately, (1) Discord claims some of this is deleted at 14 days; and (2) good luck getting an overwhelmed DPA to take seriously your complaint that a company stores browser user agent longer than they ought to.
I had a Discord account a couple of years ago. It was more than a year old when I lost it.

I had recently bought a new domain name, to migrate e-mail to and move away from GMail. When I changed my Discord account's e-mail address (which worked), I was booted out of Discord as soon as I clicked the confirmation link in the new inbox.

When I tried to login again, I was told that "something fishy is going on", and was prompted for my mobile phone number.

Unwilling to hand this over, or to deal with a company holding one of my accounts to ransom trying to extort yet more unnecessary information out of me, I asked them to delete my account. After all, I have no use for an account that I cannot use.

I had to ask three times in the ticket before they actually entertained the notion (I was one e-mail away from CCing the Information Commissioner's Office), and then had to reply in very specific employee-provided verbiage to the tune of that's what I actually wanted.

The ticket was updated to say that this would take up to 14 days. I then got an e-mail the following day saying that it would take up to 15 days.

This does not strike me as a company that gives a damn.

That seems to be common practice by now. Had nearly the exact same thing happen with a Microsoft account. I posted a technical question on their forums and did not give out my mobile number on account creation. Account was locked shortly after without any explanation. Then decided it was not worth it and tried to delete the account. I would have needed to give my mobile number again to even get the option to delete it...

Of course you cannot contact support without an account either. Well, their dead database entry then.

Yandex does a similar thing, after a certain period "a password leak" (bs) is detected and you have to provide a phone number.
At this point I just buy new phone mobile number lines as an overhead cost

With voip numbers being basically banned in 7 out of 10 services, I’m too privileged to be trying these infinite workarounds aside from just adding another line

Since I’m not trying to be anonymous (to a subpoena) but nobody else can tell the user is the same and assume people won’t bother with paying for an additional phone number or device, so its fine, for now

Iphones have dual sims though

Honest question: unless you're top 100 market cap companies in the world, what's actually the practical consequence of not following GDPR as a non-European company?

What's the most they can do in theory -- like issue a court order for a fine? (Practically are they doing this for >top 100 companies?)

And suppose a fine is issued, what's the enforcement? Do US courts or US banks actually enforce these orders? Are there historical cases of this?

In theory maybe they can apply to their local (European) ISP to block your site. Have they done this historically?

I'm asking because to a degree, some laws about the Internet feel like international law. That is, there's no good enforcement of it because the state (the monopolist on violence) doesn't generally care about these laws.

The European state can obviously enforce GDPR, but if you're outside the practical reach of the European state, what real incentive does that company have to care (beyond standard "moral" reasons).

Thanks that's useful. From the post:

> The GDPR requires non-EU entities handling EU data to appoint a representative in the EU

What if the non-EU entity fails to establish an EU representative?

> [Anticipating my comment] Basically, their method of non-EU enforcement seems to be "we'll figure it out".

Oh OK, that's what I thought.

Discord is particularly bad on erasure as they have a TOS that gives them a perpetual royalty-free license to your photos and use this license to allow leaving photos from users up in discords they have been banned from.

This effectively means it any private server admin decides to ban a user they get to keep their content up without their consent as the user no longer has access to delete it. Discord will support the server admins in this. I’m pretty sure this is illegal under GDPR as the necessity of collecting such data is very unclear and the argument for deleting it is quite strong. Lots of servers have all kinds of selfie posts and some adult servers even encourage sharing adult selfies. The idea that they get to keep this content against the will of the user is extremely suspect.

> The idea that they get to keep this content against the will of the user is extremely suspect.

Discord relies on basic posts and basic channels to host things like community rules and bot-powered role assignment questions.

When the person who sets those up leaves, transfers ownership, or is booted... they all still remain on the Discord Server. (Arguably if they were deleted it would cause some chaos. But that's solved with better features, like the "Community" feature that lets you put rules in welcome splash page.)

While a user can always delete their own content (likely it's not actually deleted, but deleted from public eyes), once they leave a chat, or are removed from a Discord Server, they lose the ability to interact with messages they posted. I can see a problem if I post something in what was marked "private channel" and then after I'm booted the admin makes it a "public channel" -- or changes the "see chat history" flag that allows new users to see messages from before they were members.

Anyway I get it creates problems for Discord, but it's all all solved by building out a "community rule channel" type, as they've started to do with their "Communities" -- separating the server management content from the individual user-generated content is a good first step.

I'm going to fire off a delete my data request and see how it goes. Guessing 3-4 months before I have any sort of update. =P

Instead of a "community rule channel", I would love to see shared-ownership (or no ownership, however you would like to look at it) posts. A post that users of a certain role can all edit and isn't bound to a single account. This is currently generally done by using a bot to make and edit posts with, but the UX of using a bot versus normal discord editing is very poor.
ive tried several times. nothing will happen. just run the discord delete monkeyscripts etc
As per the GDPR they _must_ respond within 30 days and cannot ask for a fee.

If they didn't, you can file a complaint for CCPA or GDPR violation.

A company of that size shouldn't be fucking around with GDPR deletion requests, they're not "nice to have" features. They're must-have-or-else features.

I never understood why Discord servers keep messages indefinitely. Especially with no way to delete them in bulk. I also had an issue with support where I lost access to my email address, but still had username, password, and 2fa. Went to change email in my account and it sent the code to the old address.
Discord isn't ephemeral like IRC, that's a big part of why people like it. Why would they auto-delete old messages?
Why should they keep so much data that just raises their storage bills?
Text storage is cheap. If the average message is one kilobyte (random estimate) when stored, it would take a billion of them to reach a terabyte. When we calculate the cost based on a consumer getting a 20 TB WD Red for $500 (Discord would be paying even less), that's 20 billion messages for $500, or 2.5 cents per million.
Because it's great to be able to find that one link someone mentioned, or the thing talked about a year ago, etc. Same reason one might keep their texting history for as long as possible.
They even specifically make a powerful search function to make looking up things easy. You can make a combine query of something like `post by me` `contains image` `in certain channel` `before 2020/03` `contains certain text`. And it will filter out any matching result for you.

It's currently the most useful search function i ever seen in IMs

Text is very cheap.

Images, a little less so.

Video--I would expect them to eventually evict this.

Both Twitter and Facebook keep messages/posts indefinitely with no (official) way to delete them in bulk.
You are thinking of Discord like IRC. It's not. Think of Discord like a forum/wiki instead. That better represents what Discord is, and how people generally use it.
Had the same issue. After like 6 months they finally got back to me. These companies should have account deletions automated.
How did that go? Did you get your data removed?
And we can guarantee Discord has already sold your chat logs 200 shadier places. Why bother with an GDPR compliance in one area if they aren't going to in others. Guessing it's just a matter of time before they get sued into compliance.

Discord, and all free chat services, rely on selling data for their revenue. What makes them ultra-filthy, in my mind, is that even if you pay you don't get any special treatment. You are literally just giving them money to sell your data. "Hey guy breaking into my house to steal my TV, here's $5!" That's sort of what being a "booster" feels like.

I'm sure Discord knows which side of its bread is buttered. It wasn't architected to have deletion in mind. Like think about all the private messages, messages in public channels, message threads... (you can individually delete some of those, but not channels you no longer belong to), but it's really impossible to glue an export of one-user's messages back together in a way that has context.

Something like "SnapChat" or "Signal" where you could set messages to have expiration dates would have been a perfect move for Discord. Gamers don't need years of Meme Sharing history stored forever.

Having a business model like Slack... where users have to pay for their own groups. Discord deals with kids, and people for whom $5 is a blocker to entry.

I love a lot of things about Discord, I love Push To Talk, and I wish every service used this. (Microsoft Teams, Slack, Google Meet... why don't you have a Push To Talk option?!)

Anyway, Discord is convenient, has a ton of great UX features that Slack and Teams could learn from. But at the end of the day free is never worth it. You're the product.

EDIT: I ran a Discord server with 20k+ users at one point. And we came to find out that the "owner" of the Discord was someone who had set it up years back and just sort of faded away. Enough of us had Admin it didn't matter, but there are some things only the Owner can do. It took over 4 months to get Discord support to transfer ownership. I was a paying customer. Their support is really wanting. Impossible for it not to be, they don't have any sort of ID verification and nobody to default back to, "Well, it's my credit card..." total cluster fuck. With what I learned... I'm pretty sure I could get access to any Discord server whose owner had been gone for more than 30 days. Just create a fake account similar in name to the last one, "Yeah, I'm Bob, I lost access to my old account..." That's essentially all we had to do, that and wait for the email they sent the original "Bob" to not get a response. Pretty easy when so much of Discord messages go straight to a spam / updates folder nobody ever checks.

> And we can guarantee Discord has already sold your chat logs 200 shadier places.

[citation needed]

I wouldn't be surprised. And also, you should assume it, since Discord is not e2e encrypted.
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact


About Joyk

Aggregate valuable and interesting links.
Joyk means Joy of geeK