PSA: Don't base your business around Discord.7yr account banned for posting ASNs
Well just a few days ago I found out that my account of 7 years was just banned without a warning for a very obvious error on their part. Just hours before my account was banned I posted a list of ASNs (basically ISPs) connected to a non-discord server I had that looked like this:
22773 ASN-CXA-ALL-CCI-22773-RDC, US
5432 PROXIMUS-ISP-AS, BE
577 BACOM, CA
To someone who doesn't know what ASNs are, they would probably assume they are addresses. This is not personal information, and there's no way to tie this information to any individual.
I opened a ticket and the only reply I get is that the ban will not be reversed and that the account will be deleted in 14 days. I've tried posting on Twitter and they have selectively ignored me while replying to everyone else. Any submission I make on the subreddit gets instantly deleted.
Screenshots for proof.
https://pbs.twimg.com/media/F49XZ4zaEAA_7mR?format=png&name=small
https://pbs.twimg.com/media/F49XZ4zaEAErD3J?format=png&name=small
https://pbs.twimg.com/media/F49XtAiaEAMmDdK?format=png&name=900x900
This also isn't the first issue we've had with Discord. They threatened to delete my server a few years ago because 1 person said they were underage amongst thousands of lines of chat and we did not see it and ban them. They refused to tell us who it was so I had to spend hours looking through chat to find the offending user.
Think twice before you decide to base your business around Discord.
178 comments
[ 3.5 ms ] story [ 202 ms ] threadThat said, group-chat-based support seems like the wrong solution in the first place - simply because Discord is a silo and they don’t make it easy to get your own data back out of it (this page is an infuriating read: https://support.discord.com/hc/en-us/articles/360004027692-R... ). Also, the fact that Discord themselves are using ZenDesk for their own support (instead of, y’know… using Discord) is another reason to not use Discord like this.
Orgs using Discord today are giving me the same vibes as those SaaS that thought they could do everything with only Redis and NodeJS (with no RDBMS in sight) - yes, it works and might even work very well in some cases, right up until it doesn’t and there’s no plan B.
And really, to your point—Discord is a general-purpose platform, not a technical platform or business platform, and its CS agents probably aren't equipped to deal with complex technical or business problems. It's kind of on OP for trying to use it that way.
CS agents are literally there so the rest of the company can avoid dealing with customers. If that means worse results for the customer then ire at the support agent makes sense. Don't take a job making the world worse if you don't like beeing blamed for that. Is the company forcing to make peoples life worse rather than better? Quit. Not always that easy, I know, but that's hardly the customer's fault either.
These warnings are like "make backups", "use a password manager". Afaict, people are either going to, and have, or they're going to be lazy and assume it won't hurt them until it does.
You can confirm the contents of the message from the people talking about it here https://pbs.twimg.com/media/F49XZ4zaEAErD3J?format=png&name=...
And yes this is also a campaign to get my account unbanned and also a PSA that you should be thinking about alternatives to Discord like Slack. The moderation and support system displayed here is atrocious.
I use Discord with a variety of clients, and there’s _a lot_ of technical logs, including lists of locations, and in some cases even addresses. I’ve never had an issue. I also run a small community of a few thousand users, and haven’t seen anything like this… unless someone was reported.
In any case, commiserations, and I hope you weren’t the only owner/admin of some servers.
There are a few competitors that are really jealous of our success.
So I'm guessing you posted ASNs of (in your words, basically ISPs) of some players on your server, indicating generally where they live. Was it connected to specific people? I can see why Discord would consider that private info.
And it was also not "malicious" as described by their email to me.
What we're also missing is the context. Did you share the ASNs for the purposes of, say, debugging a network connection? For statistical purposes? Or was the message more "look at the people connecting to my server, j/k these are just ASNs"? The tone you use matters too: by sharing ASNs, you could easily be hinting that you have people's real IPs, and that could be taken the wrong way.
I don't doubt that Discord overreacted here, but I certainly think there's a high chance that your message could have been misinterpreted as a threat to privacy.
If I say *Comcast* are you going to be able to track me down? No. There are millions of Comcast subscribers. Even if it was an ISP of 1 customer, that still isn't personal information. If the ISP happens to leak the customer information from social engineering, that's on the ISP, not me.
All ASNs are considered to be public information. You are required by internet registry rules to be listed in a public database for everyone to see. As far as I can tell, most people would agree that listing stats like this is not considered personal information.
I did not joke about it in any way. I showed people a list to demonstrate that we had a lot of users from Asia yet they did not use our servers in Asia. Even if I did joke about it, it still doesn't make this personal information.
> You are required by internet registry rules to be listed in a public database for everyone to see.
No. The list of all ASNs are.
I think you need to take "information connected to people" more seriously and if this is the way it has to happen, that's not the worst outcome for you.
If everyone agreed with you, this post would have been deleted off hacker news as well.
If you follow the logic of "information connected to people" however indirect, nobody would be allowed to post any visitor statistics and that is clearly absurd.
You seem to have made your mind up that your situation isn’t a problem, but haven’t given us enough context to evaluate that ourselves.
Could you tell us a bit more about that context? What "players" were these ASNs in reference to? Why did people in your server seem taken aback when you posted them? What was the discussion about when you made this comment? Why post ASNs at all? You said it was to prove people in Asia weren't using your Asian servers, what does that mean exactly?
To be clear, I've heard of lots of bad moderation calls from Discord, and I'd be nervous about building on them too. My mind remains open. But I agree with the sibling comment's characterization that you seem evasive - and that raise a red flag for me.
I agree with my sibling comments, your evasiveness isn't helping us make up our own opinions on this matter.
If he's lying, then such a campaign would be doomed to fail since Discord can see what we cannot. So what would be the point?
I think you've conflated legal and ethical obligations here; you seem to be using that to draw to an unfair conclusion.
From my perspective, the post warns against using Discord due to them (reportedly) banning the OP for innocent activity. I believe the warning is fair, as it dissuades other people from using the platform to host important content, which would be at risk of the same treatment.
While Discord clearly do not have any legal obligations to serve the user in question, this is already known. Stating it here doesn't contribute to a meaningful discussion -- no chat applications I know of are legally required to serve their users (unless, of course, they have entered into a binding contract with said users, perhaps through B2B services, etc.)
Nevertheless, the post does give off Stripe support vibes. I don't believe Discord staff monitor Hacker News, so I don't think this would result in any meaningful result for OP.
I think what I meant to say was more something along the lines of “does anyone really build a business around Discord?”
We’ve been seeing time and time again, especially in recent times (Twitter, Reddit, Apollo) that building something on top of another platform can often end in tears.
This being said, I do believe that if you’re building an integration, you might end up in a different spot than random end-users. Although the way Discord handled API changes and the whole bot scope debacle doesn’t inspire confidence.
And I say this as someone who maintains a Discord bot.
Reflecting on this all, I don’t believe this user got banned out of a random regex match. I think this user’s messages got reported for doxxing, and the moderator who reviewed it concurred.
This is a different situation than something like app stores where if Apple bans you, that's the end of your company. Users simply cannot get your app from somewhere else, at least not without giving an Android vendor $1000. Nobody will do that.
That should be understood reality if you use any third-party platform.
Also it is open to question was it this activity. Or something else. Or just being present or member of some server where something against ToS happened.
"Your account maliciously shared or participated in the sharing of the personal or private information of another user."
It was also the only message of mine that was deleted in the past week.
We use Discord as a primary support and community channel and it never crossed our minds to make a contract with them, but now I'm thinking about it..
All that to say the warning won't stop people.
Then again, so did Tumblr.
Every time I see a business inviting me to a Discord, I feel like I'm putting myself in a position to be mistreated either by the platform or by the company inviting me. I feel like they don't quite understand sound business principles like Platform Risk.
If keeping up the business afloat is your mission as a business owner, why'd you base your business off a platform you don't control? You might assume a Platform Risk, and be fully aware of it (and in the meantime, capture the capital to have your own platform or contract services from another platform less volatile), or you might not be aware of it at all, or if you're aware, you just play dumb and say "it won't be a problem, that happens to others, not to me".
I just get discouraged, I never end up joining these Discord communities and I don't buy the product/service the company is selling, I feel it distasteful.
In these SaaS days where providers can get away with not having a proper Support department or they are too big for you to go ahead and sue them face-to-face... why'd you put your neck on the line this way? It feels so needless.
>If keeping up the business afloat is your mission as a business owner, why'd you base your business off a platform you don't control? [...]
Why is discord any different than other platforms like office365 or AWS? Do you feel the same about companies using those platforms as well?
As terrible as AWS and Microsoft are as companies, at least they have an established reputation in B2B software. It’s an apples to apple-flavored candy comparison.
AWS originated in providing servers for a book business that grew from there, Microsoft originated from writing a interpreter, but both of them excel in other areas today as well. It's not impossible to start with something (chat for gaming), gain expertise (chat for large groups) and then apply it elsewhere (chat in the workplace).
I understand what you meant, but it's not quite applicable in this case. Chat for gaming (and approach) is not an adjacent market of workplace/enterprise chat.
Just imagine Slack or Microsoft Teams going for gaming chat; you can quite imagine that repurposing of product not happening.
If that ended up being more popular, they definitely would. But I don't think that'd happen either.
What is the complaint here, that they're offering a much cheaper service with less credibility?
Discord's marketing is too powerful for these business owners to consider safer, more reliable alternatives. Same story with Stripe, and similar services that cut lifelines with no recourse other than outcry in public forums like HN and Reddit.
If they have to learn the hard way, so be it.
For example, ensure you have a backup email address for those you communicate with on Discord, and convey an alternate communication method (Meet us on Matrix at XYZ!), or on the payments side plan on how to handle a PAN Data Export with a pre-selected vendor that is experienced in ensuring Stripe exports this data to them. From what I have heard, nearly half of all data exports from Stripe fail to occur, so you need to be your own advocate to ensure the stable hosting of your payment card data.
One could always understand the tradeoff (this ban happy service brings me more public, exposes me to leads, as opposed to: they ban on the slightest mistake and are misunderstanding), but as every risk: It should be managed with any of the four basic risk management actions:
- Elimination: which in this case, would be to not use that service at all
- Mitigation: reduce the risk the most (your example of backup exports, etc)
- Acceptance: being aware and recognize maybe alternatives are more costly than accepting the risk
- Transfer the risk: let someone else handle the risk for you (insurance, for example)
If something like this happened at AWS they'd nuke the services that were running and probably reach out to the account owner (if the automated service didn't do so as part of the nuke). The account owner's databases or Terraform scripts wouldn't be deleted by a set of EC2 instances being taken down.
AWS has its own problems but they do try and stay out of content moderation where possible through their "Shared Responsibility Model" (which also means they don't do things like backups for you).
Even comparing Discord to Slack: Slack has export capabilities.
With Discord... you might have to strong-arm them into a GDPR claim or similar, so, vendor lock-in in a B2C SaaS is a thing.
Because their businesses/jobs are so tightly tied to AWS etc, they just tell themselves everything is fine. (What else can they do? Quit and be a full time open source developer?)
The difference is that Microsoft and AWS don't take on an active role in moderating what happens between the company and its users.
But yes, in a way they are similar and I do feel uneasy each time we take on a dependency on some AWS-specific feature where we could easily have build the component to be independent.
No one else seems to care though. Even worse, the CEO wants us to dig deep into AWS, because that somehow will make the customers trust us more.
https://www.newsweek.com/amazon-web-services-parler-lawsuit-...
Aww, so innocent sounding. AWS was such a big bully in terminating their relationship with that client. It's not like anybody died as a result of that extremist speech they were popularising, right?
It is different. Really
Discord seems run by people with a vague understanding of security, attack vectors, let alone security best practices.
(or maybe they are heavily biased towards the gaming audience - but regardless)
Because they seem to be very competent when it comes to software creation
But in terms of identity management, they're awful
Whatever the reason discord has for not asking me for PII, it's not incompetence. This isn't a bug or oversight, I am certain of that.
Hanlon's razor doesn't argue you should accept "it was an accident" as a given excuse. Hanlon's razor states, that without evidence, it's safer/more likely to be correct, for you to assume incompetence than it is to assume maliciousness. I have also used an unknown domain for emails, as well as never given them a phone number. Just because you can't figure out the entirety of the logic doesn't mean they're intentionally trying to gaslight users (which is an absolutely insane take). Especially when there's plenty more signal they could possibly be using to determine if the account is likely malicious. Off the top of my head, I'd hope that list includes, number of IP addresses per session, number of sessions per IP, amount of maliciousness from current ASN, number of user reports, number of servers connected to, maliciousness of the servers for each user, knowledge source IP is a VPN, amount of abuse from the VPN provider.
You suspect discord is being malicious, or attempting to gaslight users, but not because you have any evidence they are, but instead because of a lack of ability to imagine how it could function the way it does with the limited slice of information you're already aware of. Some system, or some code not doing what you expect is more likely than some Trust and Safety team all got together and decided to gaslight people...
Yes, amd that is wrong as soon as you are dealing with someone expecting you follow Hanlon's razor. Hence making it useless outside personal relationships with people you know not to be inherently malicious.
So sure, if your friend ends up doing something that hurts you give them the benefit of the doubt. If a corporation does - well, there's a sucker born every minute but you don't have to be one.
> You suspect discord is being malicious, or attempting to gaslight users, but not because you have any evidence they are, but instead because of a lack of ability to imagine how it could function the way it does with the limited slice of information you're already aware of. Some system, or some code not doing what you expect is more likely than some Trust and Safety team all got together and decided to gaslight people...
No you are trying to pass off apathy as incompetence when it is very much malicious. So is penny pinching at the expense of how users are treated - if your automated systems are crap then hire humans to review their decisions and don't take action on users until you can actually be confident about the accusations. Or you know, at the very least let users know that they are subject to some kind of restriction, tell them why and provide them with real means to appeal false positives.
They are getting worse and worse towards their users. The “platform” was never designed for this, it’s painfully obvious. There’s no knowledge base, no support system, no sense of organization, no professionalism, just bots doing “stuff” as a product. Is FastAPI that hard? Is building a customer portal that difficult?
I guess I’m showing my age but I use discord for gaming and chatting with friends, not to balance my checkbook or pay my bills or assist my coding or design architectural diagrams. Occasionally it will help me make a pretty image that would otherwise take me weeks… Or help be brainstorm a sketch of a creature. However, the UX of discord is problematic towards anything other than a gaming community.
Discord was built with a core target market and really they've nailed it. But I really have to wonder what a business is doing when they have their support chat or whatever on discord. I have no idea why someone thinks a chat platform that talks about school clubs, gaming groups, and art communities is the place to conduct business. To me, it's a bit of a red flag when a company chooses a tool that is clearly not designed for business and doesn't even try to pretend like it is when there are tons that are.
If you’re from a small town with a local ISP, associating that town with your first name could be enough to specifically identify you, with the help of yellow-pages directory sites. Even just knowing someone’s state or country is a data point that can be used to narrow down their identity. For the privacy minded, this could be very unfortunate.
I’m not sure why you would be publicly posting the ASN from which a user is connecting anyway? Could you explain the context a bit more here?
I think the point is still relevant though: if these are the ASNs connected to a server which you know has 10 active users, for example, then there is still a potential privacy concern.
This is a clear case of gross negligence by Discord.
Even if there was a potential privacy concern, that does not warrant an instant ban with no warning especially from a 7 year old account that is in charge of a Discord server for thousands of users and paying Discord $95/month in the form of boosts.
I agree. This is clear because you’ve explained the context wherein you were posting those ASNs, and it is obviously not something anybody would have an issue with because
I understand you have whatever situation with Discord and are upset. It's just the same with Facebook, Reddit, etc.
- make sure you have at least 3 aged accounts that have full administrative privileges. When one gets banned make/buy a new one immediately.
- never use a business account for personal reasons
- use a third party service for the sms verification, and a unique email for each account.
These three rules have kept me out of trouble in spite of repeated bans.
It not only makes Discord an unaccountable gatekeeper of business communications and data, as demonstrated here, but also unfairly forces customers to either accept Discord's terms and conditions (which are not what they signed up for) or be left behind as second-class citizens.
Good luck, bottiger1. I hope you get it resolved.
https://pbs.twimg.com/media/F49XZ4zaEAA_7mR?format=png&name=...
https://pbs.twimg.com/media/F49XZ4zaEAErD3J?format=png&name=...
https://pbs.twimg.com/media/F49XtAiaEAMmDdK?format=png&name=...
Can anyone tell me why they would ever use it for anything remotely serious? Can you tell me why you'd want to stake your livelihood on a walled garden designed for video game voice chat and sharing rickroll videos?
Not only that, I can't take seriously a business that uses discord. Like, what are you doing? Are you selling curated rickroll videos? God-tier cat memes? Do you do shitpost editing and enhancing? Like that what the fuck are you doing that your business needs to use discord, an app for vidya gaymen? It just gives me this puerile vibe, like this "hello fellow kids" kind of thing.
I'm genuinely curious what this app does for your business that seemingly couldn't be fulfilled by anything else.
Slack is basically just business email but IMing instead of email, if you know what I mean. It's very business. Business happens there. Synergy and collaboration and so on.
Discord, meanwhile, grew out of some combination of gaming/tech IRC servers and gaming ventrilo and teamspeak servers. It's a completely different vibe and clientele that just happens to have a very similar feature set to slack.
So having a discord for anything that's gaming or programming/techy-adjacent makes a lot of sense and there's a big preexisting community there. I launched an OSRS plugin and we set up a discord channel for it. It was a niche thing, very niche, and we never really took it very far (it was sort of partly just an excuse to try out using managed k8s for the backend server that the plugin was a client for). We did 0 marketing aside from listing in the OSRS plugin marketplace and putting the discord link in the description.
Suddenly me and my pal had like 100+ people in our discord and as many users of our site. With 0 marketing and a very simple MVP.
And we didn't do any BI or anything but afaict the attach rate of discord joining to using our plugin at least once was very high, well over 50%. People even asked a few questions and said the project was cool.
So yeah. While I wouldn't literally run my business on it, as a "fan site" it's very useful and valuable.
For the record this is exactly where Slack came from as well.
From Wikipedia:
> Slack originated as an internal communication tool used within Stewart Butterfield's company, Tiny Speck, during their work on the development of Glitch, an online game. These communication tools were initially built around the Internet Relay Chat (IRC) protocol and included scripts designed to automate and organize file exchanges among their development team.
> In August 2013, Slack was launched to the public and continued to maintain compatibility with IRC, reflecting its origin. Additionally, it was also compatible with XMPP messaging protocols.
https://en.wikipedia.org/wiki/Slack_(software)
It was a way to onboard tech people and once they were big enough they closed the door for those audience.
Which really hurt me because i live in a country with a small tech community and was happily interacting with them using irc, until slack changed into a walled garden.
Aka, not behaving in a user hostile way.
Dropping irc was more about control than it was about adding features.
It was a pretty user-hostile way to reduce the number IRC bridge users (to then justify killing it), especially given it took them many years after to get the Electron client to the point where it wasn't a laptop-killer.
[username] reacted to message [username]: [message]
> In a business context that means missing critical acknowledgements of messages and generally forced our IRC bridge users to switch.
I'm not sure I'd willing call an emoji reaction to a "business critical message" acceptable. Either it's critical, and an emoji reaction (which currently doesn't generate a notification) isn't sufficient, or it's not critical, and someone (I don't mean you, speaking rhetorically) is wound *way* to tight! :D
> Surely you can see the issue with having some features just not work for some people?
No, I honestly don't. If I'm using IRC, even after slack warns me about missing and unsupported features. That's likely what I want! What if I don't want to see reactions when I'm trying get work done, but I am willing to be interrupted to answer questions, etc? Also, that example is easy to solve for IRC (see above)
People using it for polls is nice, and I think reactions are a useful feature. But there's no reason you can't make a "best effort" to support something people want to use. If I need to react, I'll grab my phone, (or open a browser). Meanwhile I can have access to the information that's *actually* important... text messages.
Apple does this for iMessage and as far as I can tell (I don't live in the US) it's widely hated and believed to be deliberately annoying to Android users.
Do you really want 20 or those notifications for popular messages? Are you going to count them up for polls?
RIP, volunteer project's Revolt server, 2022 - 2022.
You seem very dismissive of it, but what about businesses running on other chat platforms like Whatsapp, WeChat, QQ, etc?
Sure, it CAN be fulfilled by anything else, but is that where your customers are?
I would treat them as a risk. You can work with them, but you have to consider that they can fail you randomly, and have some kind of backup plan or insurance. It is ironic since one of the big selling point of, say, cloud providers is that unlike using your own computers that can catch fire, they can guarantee data integrity and availability. But it is kind of a moot point if they can ban your account randomly because you triggered their bots.
22773 ASN-CXA-ALL-CCI-22773-RDC, US
5432 PROXIMUS-ISP-AS, BE
577 BACOM, CA
This is the layout of what was posted. These are not even addresses.
I find it kind of crazy that people here are doing all these mental gymnastics to justify Discord's behavior.
ISPs are not considered personal information. There is no reasonable way to de-anonymize it when there are thousands to millions of customers per ISP.
I really hate how Discord intentionally co-opted the word "server" in order to imply that one can somehow own or control a Discord account.
Discord Inc owns and controls all the servers. There's no such thing as "your Discord server", there are only accounts on Discord's SaaS platform, which they can restrict/censor/ban/nuke at any time for any reason.
It is not possible for individuals to self-host Discord.
Then the Instagram account gets killed because it's not intended to be used as an eBay, and these naïve business owners didn't know any better.
We are in these times where kids don't grasp the concept of "C:\" drive. They just save all files and don't know what a directory hierarchy is. They conceive Instagram as a web builder, much like Wix.