Tell HN: Discord Ignores Right to Erasure
['event_type', 'event_id', 'event_source', 'user_id', 'domain', 'freight_hostname', 'freight_id', 'ip', 'day', 'chosen_locale', 'detected_locale', 'user_is_authenticated', 'browser_user_agent', 'browser', 'browser_version', 'cfduid', 'os', 'client_build_number', 'release_channel', 'city', 'country_code', 'region_code', 'time_zone', 'isp', 'message_id', 'channel', 'channel_type', 'is_friend', 'private', 'num_attachments', 'max_attachment_size', 'length', 'word_count', 'mention_everyone', 'emoji_unicode', 'emoji_custom', 'emoji_custom_external', 'emoji_managed', 'emoji_managed_external', 'emoji_animated', 'emoji_only', 'num_embeds', 'attachment_ids', 'has_spoiler', 'probably_has_markdown', 'user_is_bot', 'sticker_ids', 'message_type', 'system_locale', 'components', 'is_first_message', 'cfduid_signed', '_source_job_id', '_ingest_ts', 'rendered_locale', 'accepted_languages', 'accepted_languages_weighted', 'primary_accepted_language', '_hour_pt', '_hour_utc', '_day_pt', '_day_utc', 'client_send_timestamp', 'client_track_timestamp', 'timestamp']
The actual files are 75 megabytes of text(!) data.
This, to me, is clearly not reasonable under CCPA or GDPR. Even if it were, they have not responded to my emails, even though the 30 day limit has long passed. What can I do?
96 comments
[ 5.1 ms ] story [ 127 ms ] threadI had to make a new account and set all the servers and such back up.
They are required to explain themselves. Per GDPR Article 12 Paragraph 4, even if they do not delete any data they owe you a response. This would include the legal justifications for not erasing the data.
Separately, OP starts with a complaint about deletion; then complaints about not being able to opt-out (a different discussion than deletion); then states that OP finds this unreasonable under GDPR and CCPA -- which, given Discord is an American company, I struggle to figure out how both would ever apply. Only zero or one will apply to OP.
And finally, as you point out, the GDPR right to deletion is not absolute. The data subject has rights, but companies have a legitimate interest in keeping the context of a discussion around, and are also allowed to consider the legitimate interests of others. An analysis would be required to figure out if it is an overriding interest.
Yes, but (at least under GDPR) it is reasonable to demand that Discord removes everything not needed for following legitimate interest of others (e.g. IP address, browser user agent).
Why are you discussing the size of the data -- it makes no difference if you record an IP address once or a billion times?
If you are in the EU, your contract is with Discord Netherlands BV.
Source: I've helped several, and talked to peers who work in data protection.
If they didn't, you can file a complaint for CCPA or GDPR violation.
A company of that size shouldn't be fucking around with GDPR deletion requests, they're not "nice to have" features. They're must-have-or-else features.
This is why every company takes it seriously. You can’t hide from the fines even with corporate restructuring.
If Google fucks up, the fine is based on the global revenue of Alphabet Inc.
This effectively means it any private server admin decides to ban a user they get to keep their content up without their consent as the user no longer has access to delete it. Discord will support the server admins in this. I’m pretty sure this is illegal under GDPR as the necessity of collecting such data is very unclear and the argument for deleting it is quite strong. Lots of servers have all kinds of selfie posts and some adult servers even encourage sharing adult selfies. The idea that they get to keep this content against the will of the user is extremely suspect.
Discord relies on basic posts and basic channels to host things like community rules and bot-powered role assignment questions.
When the person who sets those up leaves, transfers ownership, or is booted... they all still remain on the Discord Server. (Arguably if they were deleted it would cause some chaos. But that's solved with better features, like the "Community" feature that lets you put rules in welcome splash page.)
While a user can always delete their own content (likely it's not actually deleted, but deleted from public eyes), once they leave a chat, or are removed from a Discord Server, they lose the ability to interact with messages they posted. I can see a problem if I post something in what was marked "private channel" and then after I'm booted the admin makes it a "public channel" -- or changes the "see chat history" flag that allows new users to see messages from before they were members.
Anyway I get it creates problems for Discord, but it's all all solved by building out a "community rule channel" type, as they've started to do with their "Communities" -- separating the server management content from the individual user-generated content is a good first step.
I'm going to fire off a delete my data request and see how it goes. Guessing 3-4 months before I have any sort of update. =P
Needless to say the deletes only highlighted my activity and put all messages into view again… for less people but still. Part of me things maybe those types of bots should be forbidden? I’m not sure though. I come from the IRC era where everyone logged everything and there was no edit or delete.
Images, a little less so.
Video--I would expect them to eventually evict this.
It's currently the most useful search function i ever seen in IMs
I had recently bought a new domain name, to migrate e-mail to and move away from GMail. When I changed my Discord account's e-mail address (which worked), I was booted out of Discord as soon as I clicked the confirmation link in the new inbox.
When I tried to login again, I was told that "something fishy is going on", and was prompted for my mobile phone number.
Unwilling to hand this over, or to deal with a company holding one of my accounts to ransom trying to extort yet more unnecessary information out of me, I asked them to delete my account. After all, I have no use for an account that I cannot use.
I had to ask three times in the ticket before they actually entertained the notion (I was one e-mail away from CCing the Information Commissioner's Office), and then had to reply in very specific employee-provided verbiage to the tune of that's what I actually wanted.
The ticket was updated to say that this would take up to 14 days. I then got an e-mail the following day saying that it would take up to 15 days.
This does not strike me as a company that gives a damn.
Of course you cannot contact support without an account either. Well, their dead database entry then.
With voip numbers being basically banned in 7 out of 10 services, I’m too privileged to be trying these infinite workarounds aside from just adding another line
Since I’m not trying to be anonymous (to a subpoena) but nobody else can tell the user is the same and assume people won’t bother with paying for an additional phone number or device, so its fine, for now
Iphones have dual sims though
Discord, and all free chat services, rely on selling data for their revenue. What makes them ultra-filthy, in my mind, is that even if you pay you don't get any special treatment. You are literally just giving them money to sell your data. "Hey guy breaking into my house to steal my TV, here's $5!" That's sort of what being a "booster" feels like.
I'm sure Discord knows which side of its bread is buttered. It wasn't architected to have deletion in mind. Like think about all the private messages, messages in public channels, message threads... (you can individually delete some of those, but not channels you no longer belong to), but it's really impossible to glue an export of one-user's messages back together in a way that has context.
Something like "SnapChat" or "Signal" where you could set messages to have expiration dates would have been a perfect move for Discord. Gamers don't need years of Meme Sharing history stored forever.
Having a business model like Slack... where users have to pay for their own groups. Discord deals with kids, and people for whom $5 is a blocker to entry.
I love a lot of things about Discord, I love Push To Talk, and I wish every service used this. (Microsoft Teams, Slack, Google Meet... why don't you have a Push To Talk option?!)
Anyway, Discord is convenient, has a ton of great UX features that Slack and Teams could learn from. But at the end of the day free is never worth it. You're the product.
EDIT: I ran a Discord server with 20k+ users at one point. And we came to find out that the "owner" of the Discord was someone who had set it up years back and just sort of faded away. Enough of us had Admin it didn't matter, but there are some things only the Owner can do. It took over 4 months to get Discord support to transfer ownership. I was a paying customer. Their support is really wanting. Impossible for it not to be, they don't have any sort of ID verification and nobody to default back to, "Well, it's my credit card..." total cluster fuck. With what I learned... I'm pretty sure I could get access to any Discord server whose owner had been gone for more than 30 days. Just create a fake account similar in name to the last one, "Yeah, I'm Bob, I lost access to my old account..." That's essentially all we had to do, that and wait for the email they sent the original "Bob" to not get a response. Pretty easy when so much of Discord messages go straight to a spam / updates folder nobody ever checks.
[citation needed]
What's the most they can do in theory -- like issue a court order for a fine? (Practically are they doing this for >top 100 companies?)
And suppose a fine is issued, what's the enforcement? Do US courts or US banks actually enforce these orders? Are there historical cases of this?
In theory maybe they can apply to their local (European) ISP to block your site. Have they done this historically?
I'm asking because to a degree, some laws about the Internet feel like international law. That is, there's no good enforcement of it because the state (the monopolist on violence) doesn't generally care about these laws.
The European state can obviously enforce GDPR, but if you're outside the practical reach of the European state, what real incentive does that company have to care (beyond standard "moral" reasons).
> The GDPR requires non-EU entities handling EU data to appoint a representative in the EU
What if the non-EU entity fails to establish an EU representative?
> [Anticipating my comment] Basically, their method of non-EU enforcement seems to be "we'll figure it out".
Oh OK, that's what I thought.
This doesn't really surprise me.
I can't shut off the privacy setting for DMs since I moderate a few of them. So I'm left vulnerable to getting DMs with wildly inappropriate/illegal content.
Of the three or four times it's happened and I've subsequently contacted Discord, I've gotten nothing back. No acknowledgment, no response - complete silence.
I can understand the confusion. That said, Discord and similar places have genuine grooming going on, largely unfettered.
1. Accumulate a large volume of data where its value is based on sheer size. Their "revenue model" could be a red herring for a later acquisition based on the monetary value of their datasets.
2. Analyze the data in-house and sell predictions, not the data itself which could skirt some privacy laws
Sure there are good communities in there but I don't imagine they are distributing illegal things or want their existence be secret?
But I can see a lot of value in the existence of the mountain of metadata, sure.
A server doesn't have to be communicating secret or illegal information for their data to be valuable.
What makes it valuable? You have millions of users age 20-40. They are conversing about their tastes, interests, and other personal identifying information through text and voice. Text is easy to parse. Voice isn't much harder. Just identify keywords and then start transcribing voice conversations. Now it's in text form. Run analysis for marketing purposes, sell to literally any company that does market analytics.
Certainly not. I am being dismissive because that's what I mostly have seen Discord being used for -- game coordination.
I don't dismiss there's some valuable data there, I am just very skeptical that most companies are even able to capitalize on it the way you say they might. That requires competence, and time, and budget resourcing, and most companies suck super badly in that.
It's a bit frightening how ubiquitous Discord is becoming.
Your vision of what Discord is, is flat out wrong.
uBlock catches a lot of trackers, too.
I use TrackerControl [0] and DDG browser's tracker blocking feature. Discord is one of the worst offenders. I simply uninstalled the app.
[0]: https://trackercontrol.org/
I'm often surprised by how responsive dang is despite being an individual whenever I email HN.
The only thing you can do is complaint to relevant authority in your country.
Dang is actually a General AI robot built by sama as a hobby.
I kid, he's actually just a really great person who cares deeply about HN and it's community. And also one of the nice things about HN is that it's not trying to make money, so WE are actually the customers.
This timeline is broken. I’d like to visit another, please.
On Discord it would be impossible for a person to read through just all newly created Discord channel names. It handles over a million messages per minute.