Discord's phone verification is awful. They are using some super old database of what provider is associated with your phone number. I ported a Google Voice number to Verizon and they said I can't use it for phone verification because it's Grand Central, a company that went out of business before Discord even came into existence.
I pay them $99 a year, and their customer service treated me like shit for this. What do I care if someone hacks my account and destroys the large community that I moderate? That's their problem, not mine. But I doubt they care.
That's Twilio's database, not Discord's. Maybe it's fair to be upset at Discord for using Twilio if Twilio can't keep their database up to date, but I don't think there are that many alternatives to Twilio.
I am more and more thinking of this as a symptom of the "Data wars." I define that as the conflict between how much data someone is willing to share in exchange for a 'free' service.
The services aren't free of course, they pay their overhead and costs by re-selling the data they collect about their users. And as other sources of revenue (like ads) have lost value the data service has filled in. And since the data buyers know that the service provider is in a weak negotiating position they keep pressing on them to get more and more datamilk out of their data cows for the same amount of money.
The pressure is on to create a low friction pay as you go service for these things that don't extract data.
Since the OP is specifically talking about Discord, it’s worth mentioning that what you’re talking about doesn’t seem to be the case for them - they make money from Nitro subscriptions and their game store, and state in their privacy policy that they are “not in the business of selling your information” (https://discordapp.com/privacy, in the section ‘Our Disclosure of Your Information’).
So relating back to the post, their justification doesn’t necessarily make it right, but I think it’s incorrect to attribute it to a malicious cause.
It's frustrating to be a power user in general with these sort of 'automated lockout detection' mechanisms.
I've lost count of the number of times I've tried to log in to, I dunno, eBay or whatever, and computer says no, and I have to call some bloody line and speak to someone who hates their job and doesn't understand what I mean when I talk about IP addresses.
I wish that these services had a way to check some box and say "look, I really know what I'm doing, let anyone with the correct password/SSH key/whatever in".
If it gets hacked, _then_ I can go through all of that shit. In this case we're talking about a bloody chat server for christ's sake.
Yeah, you wish for too much. I remember losing MAL account (yeah, don't judge me) which I had for like 10 years (probably longer, really), not because I didn't have the correct password — I did, but because they fucked up with security not long before that and I suddenly needed to verify it was me via some email account I didn't use for the same 10 years. I mean, really, somebody stealing my MAL account? Why anybody would need that, even I don't need that, it was just silly losing my account I had for so long, because they care so much about me not losing my stupid account. So, fuck MAL. And fuck twice any service, that needs to verify my email/phone/passport name more, than it needs my money I am ready to pay for pizza delivery or whatever.
You think the right set of people will check that box? And that if they do get hacked they won't cost the company a ton of resources in support/lawsuits/etc?
I think the "check box" in this case should be the act of opting into 2FA. I've expressed this to Discord before when asking why they require reCAPTCHA upon login, even for a 2FA-enabled account like mine.
You have to remember that even if you don't care about your account getting hacked, hacked accounts are a nuisance for other users of the platform as well.
Tor breaks a lot of shit for me, and I don't even bother with captchas because it usually just flags me as a bot. So I don't think this is particularly surprising or out of the ordinary.
But yeah, discord used to be held in high standards by me and plenty of other gamers, but they have made it clear that they cannot handle tough situations, and don't really care about their userbase. Someone should start a privacy focused phone number as a service, access to texts online and through an app. Allow people to basically have a spam phone number that they can give out to online services, but make people pay for it obviously. Like 10minutemail but long term and for texts only.
Google captcha is particularly egregious because it will flag you as "never allow in, ever" but not give any indication of this, and still will happily have you solving captchas (that is, working for Google, for free) for 30+ minutes, until you catch on that they aren't ever going to let you past.
Captcha v3 is even worse in this regard, because it silently flags you while appearing to let you in...
I never said the system was flawless, simply that the idea of continuing to present checks instead of explicitly saying "you're blocked" was a clever idea.
Yeah, those are great, but I could easily see a situation where google bans you from using voice for an equally opaque reason, and then you're really screwed with all your 2fa for a while. Something more privacy focused and reliable for people like op.
Why the insistence on Tor? Just use a normal VPN. Tor exit nodes are limited in number, and the same IP probably ends up being used by thousands of people... I assume a lot of them use it for nefarious reasons so you just end up in the same bucket. To some extent VPN providers can get hit by this too, but it's easy to just switch outbound IPs (for most of them).
And if you want more than that, get a cheap VPS and install OpenVPN on it (you get your own unique exit IP address) - pay with bitcoin for the privacy aspect, also a good place to install an ad-filter, a secure DNS proxy (DOH) and so on.
I also don't understand the 2FA point, that says nothing about your accounts' intentions.
The account history is an interesting point... if you have a long-standing history with no reports of inappropriate actions, they should factor that in somehow into their algos.
Short answer: I'm a privacy activist. That should be a valid enough reason for this context.
>I also don't understand the 2FA point, that says nothing about your accounts' intentions.
No, but it shows my account is secured from intruders, which means reCAPTCHA is just an additional nuisance to me, the legitimate account holder.
>The account history is an interesting point
Yeah, and they just glance right over it. It doesn't mean anything for my case that I've been an active user with this account for almost two years (I had a previous account for a bit and then left Discord because I was not in any communities worth sticking around for). Never have I done anything wrong on Discord's platform; haven't uploaded any lolis or evaded any bans (I believe I was only banned from one guild, even). They just don't seem to want me as a user, and that's fine.
> I refuse to provide phone verification as I believe it is Discord's fault for flagging my account...
> I will be communicating with a couple communities with which I'm involved to explain that I am unable to use Discord
Does this person not have a phone? 'Unable' seems like a stretch. If this person said, "I don't want to provide my phone number to Discord, so I'm going to stop using it" I'd understand.
Their opening email also strikes a pretty aggressive tone -- calling Discord anal, insulting, "spit in my face" then goes on to make a number of demands of the company? I'm not super surprised the customer service rep on the other side didn't go out of their way to help.
In that sense, bureaucracies are aggressive by default; that they use friendly language doesn't change this.
Imagine that one day, your car locks you out, and there's a smiley face and it says "oh hey, just call this number dude". Is that any less aggressive simply because it's 'friendly'? Of course not.
In many ways it's worse - because it's almost sarcastic (it's not _really_ that way, of course, because the customer support agent in this scenario is a robot, but it sure feels like it).
Yep, lots of people are stuck on the civility of words these days, and completely ignore the civility of actions and their consequences.
People get mad and yelling about a war, absolutely unconscionable and should be disregarded and ignored, however thousands of people dying in said war, well at least nobody said bad words publicly about it, everyone was polite and civil when the decision that they should all die was made.
Just because some automatic process has chosen to discriminate against you, for whatever reason (that mysteriously nobody ever seems to be able to disclose), doesn't make it any less of a hostile, uncivil act.
But yet getting angry about it puts you in the wrong?
Just a note: I do not ask to have my blog entries submitted to this site, precisely because the comments I receive here are very assumptuous and negative. I have had prior interactions with Discord which influenced the tone of my E-mail. My blog post is simply presented as-is and I really do not care what others have to say about it, but I have no control over what is submitted here. I just want people to keep this in mind should future posts of mine be submitted, before someone points out "hey, you got onto Hacker News again" and I have to be subjected to a bunch of people not getting the full picture (and even some people complaining how pink my site is... grow up).
Personally found the post interesting. I don't use Discord but I also refuse to give my number out for verification purposes - as you noted there are other ways to verify a users identity.
Hopefully you don't get too much grief for being a female on the internet with an opinion :-/
I don't capitalise on my sex/gender; I just prefer the use of neutral language when talking about anyone of unknown gender. In any case; I signed up for this when deciding to put my ideas online, and it has given me a chance to connect with a lot of nice people, despite also having to take the negative audiences along with it. I definitely am surprised that my blog attracts as much positive attention as it does; I never really wrote with the assumption that I'd have far reach. But, it's nice that others out there do care about some of the things I do.
Currently Discord doesn't require a number if you use your home IP to connect, but that could change at a moment's notice with their opaque methods of operation. I've used Tor with Discord for months without any issue until recently. So, it's probably better not to start using it now than to take that risk and be upset when they do find a reason to demand your personal information.
If you're worried about the full context not being understood, maybe add the necessary details? It doesn't have to be every possible detail, but you seem to have a clear idea of what context is missing, judging by your comment. So why not add it?
Also, if your blog isn't meant to be read by people that don't know the context of your life already, making it public seems like an odd choice, especially when you say things that might be taken the wrong way.
Also. If you really didn't care about what others said about it, why are you responding to such comments and displaying indignation? Why are you here at all?
And re: the blog being pink, do you really think it's because there's an "adults/men can't like pink" prejudice going around on this very liberal site? Or maybe it's because pink (unless done right) is like neon green: not a very aesthetic choice?
>If you're worried about the full context not being understood
>if your blog isn't meant to be read by people that don't know the context of your life already
People who have followed me online enough to have my blog in their feedreader or bookmarks, they'll all know why I'm approaching the issue how I do. You seem to blame me for your and others' eagerness to jump into discussions about things I didn't even link on here. Hacker News was never my target audience. That aside, reading the newer comments I can see a lot of people who do actually take a bit more time to see my background and develop a fuller opinion on my blog piece, so evidently I already must have all the information needed to come to an informed conclusion about what I write. Maybe it's just a problem for most people to assume ill-intent out of my writings that aren't even meant to attack anyone.
>why are you responding to such comments and displaying indignation? Why are you here at all?
If someone defames your image, you're telling me you would just shut up about it? You'd just let people keep kicking you in the gut while you're minding your own business? Again, stop excusing your negative actions.
>not a very aesthetic choice?
https://wowana.me/about.xht which is very clearly linked on the site, explains that I'm happy with the theme. It's my website; it only matters if I myself am content with how it looks. There's reader mode in many browsers now, I offer an Atom feed for consumption in a reader that strips that styling, and better yet, people like you don't have to read my site if you have nothing good to say about it.
> Does this person not have a phone? 'Unable' seems like a stretch. If this person said, "I don't want to provide my phone number to Discord, so I'm going to stop using it" I'd understand.
If I say "I am unable to do X" that might mean "My conscience compels me to refuse to do X" or "I literally cannot do X". Both interpretations are valid.
> Their opening email also strikes a pretty aggressive tone -- calling Discord anal, insulting, "spit in my face" then goes on to make a number of demands of the company? I'm not super surprised the customer service rep on the other side didn't go out of their way to help.
I suppose I agree with you that the email is rude. Then again, I don't mind giving out my phone number and email even though companies are using these things to track me, build a profile, and spam me. I'd rather that they didn't; I think it's corrosive behavior. But it doesn't affect me much and so I put up with it. Point is, the writer of these emails could be seen as heroic because he or she has principles and is refusing to back down (despite the rudeness).
Like I said, I have similar principles but I'm not too fussed about them. This worries me sometimes. This level of invasion of privacy isn't the hill I'm willing to die on but I hope there is a hill I'd die on. If not, I'm an unprincipled person.
Discord's been an abusive member of the community for a long time. They distort nomenclature, mislead about their intentions, and aren't able to show that they protect personal information.
As a light and funny example, Discord doesn't comply with the OpenSSL license.
The OpenSSL license for Discord's bundled versions of OpenSSL [0] has two conditions which are being violated. When they advertise the features of their client, or offer binaries of their client for download, they do not include the verbatim text, "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
They know that they are violating this license; they don't care. They are free to clean up their act at any time.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
I'm not a lawyer, but my interpretation of "this software" is OpenSSL, which wouldn't apply this clause to all advertising of discord features. It would be when they run advertisements that reference discord features that rely specifically on OpenSSL features. Which, isn't going to be that often, right?
> They know that they are violating this license; they don't care. They are free to clean up their act at any time.
Is this a known issue that's been brought up before? I've never heard of it, and would be interested to read up on it! I'm especially curious as to their response.
We are not aware of non-compliance with the OpenSSL license. We attribute usage of OpenSSL in our licenses page (along with all the other OSS projects we use.) https://discordapp.com/licenses - reproducing the copyright notice as required by condition 2 of the license:
> Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
As for condition 3, I am unable to locate any marketing materials which mention the usage of OpenSSL. However, if any such material exists that is in non-compliance we are very interested in ensuring that we are in compliance.
I don't know any of the specifics of what's going on here, but phone verification is sometimes very tricky even for willing people, with a phone, and from western countries. I can't get a Lyft even when in the US because their verification system only works for US phone numbers and I have a British one!
He says he's using tor to access Discord. While there's nothing inherently wrong with that, the IP addresses of his exit nodes are probably flagged as frequent sources of abuse.
People underestimate how hostile the internet truly is. I run a small website for a friend-- I'd say 90% of our traffic is spam/exploit fishing. I have at times blocked whole countries because we didn't have any business in that region and the abuse would not stop.
If you couldn't gather from my name on the sidebar and the overall site theme, I'm not a guy :p
And yes, you're right about Tor IPs being flagged at greater frequency. That's fine, but I've had a clean account for over a year and have had no prior incidents. And a lot of abuse comes from IP addresses not related in any way to Tor, as well.
Not at all, the author uses Tor to anonymize their location and probably system footprint. If you read the response the only "acceptable" phone number is a mobile phone. It de-anonymizes you because mobile providers hand out this sort of information for cash.
The only reason for the phone number request, based on the requirements of what kind of phone numbers are acceptable (no VOIP, no landlines) is that they want to know where this user is whenever they use the service, or how to locate them.
> It de-anonymizes you because mobile providers hand out this sort of information for cash.
No, the mere fact of the phone companies even having that information de-anonymizes you.
Suppose someone doesn't like what you have to say, sues you, and subpoenas the phone company for your information - that they don't sell it won't save you. Or you say something that upsets the phone company, its parent company, or one of its subsidiaries. It launches an internal investigation, and finds you [1]. All without selling or even sharing your information.
My comment was linking to a page explaining the term anal-retentiveness, which the parent poster clearly isn’t aware of, and is apparently flagged so no one can see it; what are you talking about?
This is a typical response from service companies in the Internet age. They don't care about truth, or what actually happened, the algorithm says you're bad then you're bad. There's no human to appeal to, no human oversight of if their algorithm is right or wrong. They use another algorithm to check it, which tells them that you must be a bad actor.
I've had my own issues with Lyft that are similar. Banned from using their service even though I've never actually ordered a ride from them. Banned upon sign up. No review, no appeal, they don't even follow their own terms of service.
I'm not one to normally advocate for government regulations and oversight, but there's way too much consumer abuse for these Internet age services. Consumer protections can't come soon enough.
To be fair, I don't think humans have any way of verifying that you're trustworthy. Anyone can send email from your email address. Anyone can fake a driver's license. Anyone can get a phone number that meets their criteria. Knowing who someone is on the Internet is nearly impossible. Knowing whether or not to trust someone once you know who they are is nearly impossible.
There is no system of human <-> corporation trust in the real world. The best we have, maybe, is some record of how often you pay bills on time.
Tech companies kind of have to have these automated bans, because it's easy to create new identities on the Internet and the government doesn't care that you're defrauding a tech company. If you defraud a bank, the government pays the full cost of prosecuting and incarcerating you. If you spam Discord... nobody cares. It's Discord's problem, not the taxpayers' problem. So they really have no choice here. The world sucks. Get a helmet.
Having said that, banning people with a valid authentication token because of their IP address is simply the wrong algorithm. I can see why you might rate limit authentication attempts over Tor... but if you get your username/password right on the first attempt and provide the correct second factor... you should probably rate limit that valid session with a per-session rate limit key, rather than a per network endpoint key. (The era of IP address based rate limiting dies with IPv6 anyway, so they'll need a better plan someday.)
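The keying choice described in the comment above, as an added example that is not part of the thread and not any service's real code: the same fixed-window limiter run twice over constructed traffic from one shared exit address, keyed first by IP and then by session. The names `FixedWindowLimiter`, `key_by_ip`, `key_by_session`, the limit of 10 requests per 5 seconds and the traffic itself are assumptions made for the illustration.

```python
from collections import defaultdict

EXIT_IP = "198.51.100.7"  # constructed: one shared exit address (documentation range)


class FixedWindowLimiter:
    """Allow at most `limit` requests per `window`-second window for each key."""

    def __init__(self, key_func, limit, window):
        self.key_func = key_func
        self.limit = limit
        self.window = window
        # (key, window index) -> requests admitted; a real service would expire old windows
        self.counts = defaultdict(int)

    def allow(self, request):
        bucket = (self.key_func(request), request["t"] // self.window)
        if self.counts[bucket] >= self.limit:
            return False
        self.counts[bucket] += 1
        return True


def key_by_ip(request):
    """Per network endpoint key: everyone behind the same exit shares one budget."""
    return ("ip", request["ip"])


def key_by_session(request):
    """Per-session key once authenticated; unauthenticated login attempts stay keyed by IP."""
    if request["session"]:
        return ("session", request["session"])
    return ("ip", request["ip"])


def constructed_traffic(seconds=10):
    """Constructed sample: each second, one abusive session sends 10 requests,
    3 unauthenticated login attempts arrive, and two ordinary sessions send 1 each,
    all from the same exit IP."""
    requests = []
    for t in range(seconds):
        requests += [{"t": t, "ip": EXIT_IP, "session": "sess-spam"}] * 10
        requests += [{"t": t, "ip": EXIT_IP, "session": None}] * 3
        requests.append({"t": t, "ip": EXIT_IP, "session": "sess-alice"})
        requests.append({"t": t, "ip": EXIT_IP, "session": "sess-bob"})
    return requests


def simulate(key_func, limit=10, window=5):
    """Replay the constructed traffic and count allowed/denied requests per actor."""
    limiter = FixedWindowLimiter(key_func, limit, window)
    result = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for request in constructed_traffic():
        who = request["session"] or "login-attempts"
        result[who]["allowed" if limiter.allow(request) else "denied"] += 1
    return dict(result)


if __name__ == "__main__":
    for name, key_func in (("per-IP", key_by_ip), ("per-session", key_by_session)):
        print(name)
        for who, counts in sorted(simulate(key_func).items()):
            print(f"  {who:15} {counts}")
```

With the per-IP key the abusive session consumes the whole shared budget and the two ordinary sessions get nothing through; with the per-session key the abusive session is capped at the same volume while the others are unaffected.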
> To be fair, I don't think humans have any way of verifying that you're trustworthy. Anyone can send email from your email address. Anyone can fake a driver's license. Anyone can get a phone number that meets their criteria. Knowing who someone is on the Internet is nearly impossible. Knowing whether or not to trust someone once you know who they are is nearly impossible.
Honestly I can't be 100% spiteful toward Discord. Their customer service at least allowed me to easily begin the deletion process for my now-useless account. Compare this to Twitter, Google, or Yahoo!, where it's actually really difficult to get in touch with a human that doesn't spam canned replies at you and close your ticket soon after. (I'm especially disgusted at Yahoo! which seems to handle E-mail abuse related issues in the same customer support department as general account inquiries. Makes it really difficult to report spam as a fellow postmaster.)
It's a shame about your experience with Lyft. I'll have to remember this if I ever need a car ride, but seeing how all of these crowdsourced transportation initiatives are popping up with similar policies and disrespect toward open platforms (locking you into their apps, for instance) it might be better for me to consider conventional transportation entirely, if I'm ever stuck without a car and I can call up a normal taxi.
>I'm not one to normally advocate for government regulations and oversight
Yeah, I'd like to say that, this is capitalism and customers can naturally choose the right choice and stop supporting unethical companies, but this is hard especially with the network effect in play with things like Discord. Everyone's on Discord (or Facebook, or Snapchat) and suddenly a person is in the wrong for "not just signing up and using it" because their friends use it just fine. If consumer protections forced Discord to release a way to self-host servers (rather than calling guilds "servers") and made Discord fix their login and anti-spam mechanisms, and allowed users to have third-party apps to access the service, then I wouldn't complain. I still wouldn't like the concept of Discord because I'm a believer in federated networking, but it'd definitely be an improvement over the current state. These consumer / online service laws would also have great effect on financial and educational websites, which have rampant anti-consumer and security issues plastered all over their Internet presence. It's really upsetting to see how many corners people are willing to cut at others' expense.
Dunno about GP but I had a similar experience with Lyft, which had to do with the type of card I registered to Lyft. I don't remember the specifics but my case wasn't particularly weird… I was using an EU mastercard of some kind and they decided it was a bad one so they banned me. This all happened without ordering a ride.
Had a similar experience with Uber, except that Uber actually eventually fixed it. Lyft was… unhelpful.
I have no idea how I was banned or for what reason. I signed up for an account, verified, added my credit card (amex platinum), and then could never order a ride. Opened a support case with them and they told me I was banned, they could not, would not provide any details as to why. No appeals allowed despite what their tos says and they stopped responding to the support case.
Black hole of the Internet age.
I really wish I knew what it was. I use Uber mostly without issue. Same email, phone and CC. Occasionally Uber does wacky things like block my account due to fraud, but they always manage to fix it. I've figured out with Uber it's always due to travel. For example I'll order rides in Peru and then 7 hours later I'll have rides in the US, and not to my house or in my home area. Still wish they had a phone number because it can take weeks for them to unblock my account.
I had a similar experience with two other services.
Digital Ocean banned me as soon as I registered. I verified my email, then was asked to confirm some personal info, as I was filling their form, I got an email telling me my account was disabled permanently and it was final. (I went on to use Linode and Scaleway after that.)
And Pokemon Go, which I never installed on any of my phones, I got an email saying my account was banned. I wonder what account, since I never signed up to their services.
> but there's way too much consumer abuse for these Internet age services.
a) Government programs are programs, written in the language English. So let's be careful what services we launch with the stroke of the Presidential pen. They could be a cure worse than the disease.
b) Whither capitalism? A remedy to consider in parallel with government regulation would be some actual competition. How do we get the functionality we want without quite so much Orwellian peril?
There are very much examples of bad regulation but there are also good regulations too. While I'm a believer in capitalism, totally unregulated capitalism results in consumer abuse and stifles innovation.
Good consumer protections can actually benefit companies and the market in ways they don't expect until it happens. The Magnuson–Moss Warranty Act is an example of what I consider good consumer protections, and benefits the market as a whole.
Social media gets less and less "social" every day.
My last remaining social media with input from me is HN. But I accept that, sooner or later, HN will be just as intrusive, aggressive, just plain nasty and censoring as the rest of them. And then it will be time for me to "go completely dark" as far as my contribution to the internet is concerned.
For privacy reasons implies either what you are suggesting or that they are contacting Discord from an email address not affiliated with the account in question.
2FA is account security, not proof of being a good human user. TOTP is a very simple algorithm (python impl: https://github.com/pyauth/pyotp) that can be easily automated. After all, your phone telling you the code to type in has automated it.
Strange I was just thinking about this issue the other day
Discord is a bit of a haven for spammers / scammers with my own account having received messages from several hundred random accounts (to be fair the user is normally deleted before I read the message)
As a discussion / personal curiosity point how would the HN community recommend discord handle this level of spam going forward?
It becomes extremely obvious when someone's sharing a link to thousands of users they have never spoken to before. Idk about how you use Discord but I can only send so many messages to so many people in a few minutes.
I understand the frustration on the part of the user and I dislike that we're all being forced to give up our anonymity to use these platforms... but also the tone of both emails was quite antagonistic. They may have had slightly better luck if they'd been friendlier and not attempted to school the Discord staff on how their app should behave.
> but also the tone of both emails was quite antagonistic
The customer is always right.
> They may have had slightly better luck if they'd been friendlier and not attempted to school the Discord staff on how their app should behave.
Or not. Besides, it should not matter, either they did something bad or they did not, the tone of the message may upset the recipient but when you ban someone just like that you can expect them to be upset and your first line support people should be able to take that sort of heat in stride.
Sucking up to support staff when your account has been banned for no particular reason should not be a pre-requisite for having it dealt with professionally, in fact a good first line support worker will be able to de-escalate such a situation quickly by showing some competence and making sure the user is dealt with as they should.
This meme needs to go away. The customer is not always right, and it's deeply unhealthy for businesses to adopt this attitude. Even very customer centric businesses do not adopt this mantra.
I mean the statement has never been about infallibility or anything it just means “the customer’s feelings are always valid” but was coined before such language was common.
Some say it means "the customer's spending (or refusal to spend) is inarguable reality," without dragging the customer's feelings into the picture. Granted an angry customer is less likely to buy.
For free services, I'm the product, not the customer. I understood this and used Discord regardless, because at the time it was the easiest way to talk to certain communities (mostly gaming related).
If I was using Nitro, I'd have to agree with you, but I had a clear stance not to give a dime to a company I do not support.
> For free services, I'm the product, not the customer.
That's been beaten to death by now. Let's start with that I don't agree with it. If the service is free the price is $0, that does not suddenly transform the person who the product is being delivered to into the product itself. It merely changes the revenue stream into another one that is invisible to the customer. The company then has many options in order to get paid, none of which involve selling the customer. They might sell data about the customer (illegal in many places if that data has been collected for different purposes), or they might attempt to upsell the customer on a different service.
But in no way does the actual customer get sold.
The whole thing smacks of defeatism: we don't pay so therefore we have no rights as customers so don't whine. But that simply isn't true, users are not cattle to be sold at auction and companies should not treat them as such. And users should not tell each other that they only got what they deserved.
Perhaps I shouldn't have used that phrase, but I felt it would resonate with people more immediately than any other choice of words. In any case, I don't pay for Discord so I am definitely not a customer, whether or not I or my data is a "product".
There is nothing wrong with the expression or the idea behind it. We all know what it means, and what you mean when you say it. We all (seem to) need the reminder.
It would be nicer not to be the product, but the world isn't always nice. Sometimes it is.
You are still supporting Discord by using it and Discord still needs non-paying members. Without those members, Discord won't be as popular and the paying members wouldn't stick around.
By all means, you are still providing value to the service and they need you as much as their paying customers. However, a lot of companies lose sight of this logic once they go big.
Most of these "free services" are very far from free. They cost (and sometimes cost a lot). It's just that what they charge isn't in the form of currency.
Sure, but customers being pissed off when their accounts are terminated is fairly predictable. The customer being always right is a long established business dogma, the reason is simple: the customer is the person that ultimately powers the business, without the customer there is no business so if you want to stay afloat you'd better make it so that the customer has their expectations met.
Someone else suggested I should have done the same, but again, I've had prior issues with Discord and really just wanted to be done with it. This account issue set me back a little, and I can't participate in some communities I'd like to, but I've already talked to moderators for some of the guilds that I played a big part in, and they were happy to set up a Discord to Matrix relay for their main channels.
Matrix isn't great, but it's open-source and it allows me to connect however I please. I have my own Synapse homeserver set up; might consider Construct as well, once it matures. And Matrix is the only platform I have run into that even has easy bridging with Discord and so many other services.
Yes, I believe Hacker News feedback to a blog post that was not designed for feedback is unfair to me, but I guess this means that a follow-up post saying what I am doing in response to leaving Discord is in order.
Yeah, I'm running my own homeserver. (Incidentally it decided to use up all my memory today and crash, so I'm hoping these performance issues with Synapse are fixed or one of the talked-about alternatives comes into fruition.)
If the only deal breaker is your phone number, this is going to be an issue for you moving into the future with many service providers. Consider leasing a number through Twilio, it will save you from frustration.
I'm probably going to leave phone companies entirely, when I'm no longer on my family's plan, and set up a VoIP number because it'd give me hands-on experience with how VoIP works and it seems more cost-effective for my use case. I'll remember Twilio if I need it for any verification purposes, but it's definitely a sad state of affairs that phone numbers are seen as a mandatory identification step in this day and age. I understand that it's an easy choice for some companies to make, but it doesn't mean I have to be happy with it.
Hey. I work at Discord - and actually, this system is a thing I work on - and code my team wrote caused your account to be locked. If my team is doing a good job, you won't notice us. If we're doing a bad job, you might get some spam, or your account may be blocked for false positives.
Discord gets a lot of spam. We've disabled, and/or challenged millions of accounts for trying to use our platform for unsolicited spam (trying to advertise their service, sex bots, crypto spam, etc...). Our anti-spam systems continue to evolve - just as the spammers who target our platform continue to evolve. The spam attacks against our platform vary in terms of how elaborate and skilled they are. Some are very obvious in terms of a detection perspective, and some are not. As such, we use a blend of signals, heuristics and machine learning algorithms to determine whether someone is spamming on our platform. Additionally, we look at where spam is originating from as an input to our heuristic.
One such source is TOR exit nodes - and as such, our system considers content created (DMs opened, etc..) from people using TOR exit nodes with more stringency than other sources. As such, if you are using TOR, it is definitely more likely that you may get challenged either via captcha, or phone verification. The system is definitely not perfect - and unfortunately in OP's case, it flagged the account for phone verification.
To address the 3 demands in OP's email:
> 1. Discord's anti-spam isn't so anal,
I'm not entirely sure what this means, nor what actionable steps I can take. You are using TOR, a source of a great amount of spam/attempted spam on our network.
> 2. my account (and other accounts in good standing and with proper 2FA) is exempt from such checks
Having 2fa is not a strong signal as to whether or not an account is legitimate. It is very trivial to automate setting up 2fa on an account. https://github.com/pyauth/pyotp can be used to both generate and validate 2fa codes. It'd be trivial to hook that up to the registration flow to enable 2fa - and if that was a way to 'bypass' our anti-spam measures, it'd surely be exploited.
> 3. I don't have to solve a Google reCAPTCHA for an account I have taken every step to protect against bruteforcing. Using Tor is not a crime; don't treat it as such.
Malicious actors constantly attempt to brute-force logins on our system - generally from public password dumps or other leaks. A lot of these brute-force attempts come from TOR, and other public proxies. In order to avoid information disclosure, we always captcha logins from these kinds of IPs, regardless of whether or not an account exists with the e-mail in question, whether the login credentials are correct, or there is 2fa enabled on the account. So, the "captchas" you notice are not really specific to your account, but rather, the origin of the login. Using TOR is not a crime, you are right - but - it's also our responsibility to our users to make it reasonably hard for their accounts to get compromised on our platform (even if they don't employ the best security practices - and reuse their passwords across the internet.)
Finally, I'd like to address: "Discord has shown to be hostile toward FOSS and privacy for a while now" and understand why that is.
As a company, we have tried to give back to open source software (either by financial sponsorship, or by contributing our bugfixes/changes upstream.) We also attribute all open source projects we use in our software here: https://discordapp.com/licenses. Additionally, we host many open source communities on our platform: https://discordapp.com/open-source. And finally, we try to open source software we make which may be useful to the eco-system in general: https://github.com/discordapp/.
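The login behaviour described in the comment above (challenge chosen from the origin alone, before anything about the account is known), set beside a variant that exempts 2FA accounts, as requested in demand 2. This is an added example, not part of the thread and not Discord's code; the network range, accounts, function names and response strings are all constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed data: a documentation-range network and made-up accounts.
FLAGGED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # stand-in for a proxy/exit list
SALT = b"demo-salt"  # fixed salt only to keep the demo short


def _kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


USERS = {
    "alice@example.test": {"pw": _kdf("correct horse"), "totp": True},
    "bob@example.test": {"pw": _kdf("hunter2"), "totp": False},
}
DUMMY = _kdf("no such account")


def is_flagged(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in FLAGGED_NETS)


def _check(email, password):
    user = USERS.get(email)
    stored = user["pw"] if user else DUMMY  # same hashing work for unknown accounts
    match = hmac.compare_digest(stored, _kdf(password))
    if user is None or not match:
        return "invalid_credentials"
    return "totp_required" if user["totp"] else "ok"


def login_uniform(email, password, ip, captcha_ok=False):
    # Origin-only decision, taken before the user store is consulted.
    if is_flagged(ip) and not captcha_ok:
        return "captcha_required"
    return _check(email, password)


def login_exempting_2fa(email, password, ip, captcha_ok=False):
    # Variant: accounts with 2FA skip the captcha. The response now depends
    # on account state, so it tells the caller something about the account.
    user = USERS.get(email)
    exempt = user is not None and user["totp"]
    if is_flagged(ip) and not captcha_ok and not exempt:
        return "captcha_required"
    return _check(email, password)


# Constructed probes: unknown account, known account with wrong and right password.
PROBES = [
    ("nobody@example.test", "guess"),
    ("alice@example.test", "guess"),
    ("alice@example.test", "correct horse"),
    ("bob@example.test", "hunter2"),
]


def observable_responses(login, ip):
    """Map each probe to what a client at `ip` would see, without solving a captcha."""
    return {(email, pw): login(email, pw, ip) for email, pw in PROBES}
```

With the uniform policy every probe from the flagged range gets the same answer; with the exemption, the answers differ by whether the account exists, has 2FA, and whether the password was right.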
I still heavily disagree with the "Discord <3 Open Source" statements.
3rd party clients (e.g. Ripcord) that were shared on Reddit were quickly shot down with a "We don't allow or support 3rd party clients or modified versions of the client."
Do you actively hunt for Discord users with a 3rd party client or is it more of a "we don't hurt you unless you abuse our API"-deal?
>Malicious actors constantly attempt to brute-force logins on our system - generally from public password dumps or other leaks. A lot of these brute-force attempts come from TOR, and other public proxies. In order to avoid information disclosure, we always captcha logins from these kinds of IPs, regardless of whether or not an account exists with the e-mail in question, whether the login credentials are correct, or there is 2fa enabled on the account. So, the "captchas" you notice are not really specific to your account, but rather, the origin of the login. Using TOR is not a crime, you are right - but - it's also our responsibility to our users to make it reasonably hard for their accounts to get compromised on our platform (even if they don't employ the best security practices - and reuse their passwords across the internet.)
Solution: add a checkbox "disable account security measures", so a user who doesn't want CAPTCHAs when logging into their account doesn't see them. It would have a warning so any user selecting it would know what they're doing.
See this from a provider standpoint and you will immediately groan at the users setting up their accounts for easy collection from spammers, who in turn use those accounts to spam your service to oblivion. You'll have to deal with the cleanup, not the spammers, not the compromised users. A lot of users don't value their accounts, and this is precisely why we have so many account breaches happen to this day.
A user can already choose to reduce their account security, by reusing passwords, choosing common passwords, not using 2fa, etc. Allowing a user to choose to not have to complete a CAPTCHA before a login attempt, or allowing the user to choose to not require their account to have a phone number in case of suspicious logins, is reasonable, and would make many people who care about their privacy respect Discord much more.
First of all, thank you for the reply. Yes, my ticket was fairly … to the point and I did not make an effort to be polite, but Discord's support team does perform a good job in terms of timely and complete responses. As I said, starting the account deactivation/deletion process over E-mail was not a hassle (compare that to Twitter, eh…) and I have even been able to start a transfer of my own guild over to a trusted member, so the guild does not die with my absence. But with the current route Discord is taking, I cannot wish it as a company the best of luck. I'll respond to some of your points.
>anti-spam
My impression would be that an aged account with a good reputation would be held to much less scrutiny than a new account, regardless of my method of accessing the service.
>regardless of whether […] there is 2fa enabled on the account
Clue me in on this one because I do not understand how a bot surfing for accounts would be able to guess this code in a configured number of attempts. Many login forms have a number of tries before the account is temporarily locked and the user is notified of a potential breach. This is no substitute for a good password, but it's one additional safeguard, and it's one that doesn't depend on a nonfree CAPTCHA service. I'm trying to de-Google lately and I've been pretty successful; one of the few services I use anymore is GDrive and that's only because I have unlimited storage and GPG at my disposal. Discord isn't owned by Google, so my decision to abandon Google's services shouldn't have weighed in on my decision for third-party services.
>it's also our responsibility […] (even if they don't employ the best security practices[…].)
I understand, but there's a line one has to draw for things like this. I'm not a fan of password requirements but employing a minimum password length (if Discord doesn't already do so) would be a good start. As a public service provider, I understand the issue with compromised accounts, and how they can be used for spam and harassment, but I still believe there are smarter ways to go about this than punishing people for using the wrong IP address to log in.
>hostile toward FOSS
>we have tried to give back to open source software
That doesn't really mean much when Discord openly detests third-party FOSS clients and will not make its server available at least in a similar capacity to GitHub's self-hosted solution (I don't think GitHub is appreciative of FOSS either, and they prefer to capitalise from the walled garden they've created rather than truly express the libre ethic, but hosting servers has been a long-requested feature especially from established communities who don't wish to rely on Discord's infra).
>and privacy
>we've stated that we don't sell your data
I'm a cryptoanarchist. If an organisation has my IP address, they have my IP address. If they have my phone number, they have my phone number. Discord may have my intentions at heart, its servers may be kept updated and secure from most threats, but Discord is a high-profile platform now, and we're all no stranger to hackers leaking database information from a zero-day or some other oversight. I cannot trust words and policies, I can only fully trust audited code and myself. So, no, in this light Discord does not appreciate the concern for privacy if it does not make exceptions for verifying accounts by other, more private means.
I wish I could give an answer on how to moderate a platform without negatively impacting people, but to reuse your words, there isn't an answer that satisfies everyone, and there will always be shortcomings for any solution, whether it's a setup cost or a long-term conditioning of users to create better passwords. In fact, I talked about passwords specifically in another blog post [1] so I can only hope they are eventually phased out for something less prone to user error. Despite what we're stuck with, I do genuinely believe Discord could tune their spam and login mechanisms such that false positives are kept to a minimum.
>My impression would be that an aged account with a good reputation would be held to much less scrutiny than a new account, regardless of my method of accessing the service.
"Good" accounts turn bad pretty quick. We have some betterments to make around taking account age into consideration - but it's also a well observed event that a prior good account gets compromised, moves between continents and starts sending out spam. We've also observed spammers register accounts, sit on them for a while (we've observed some age for over a year) before using them for spam. So, if we notice an "account traveling around the world at an unreasonable speed" we use that as a signal as well - and it is a very common pattern, almost exclusively exhibited by spam accounts, but also the few users who connect via tor.
>That doesn't really mean much when Discord openly detests third-party FOSS clients and will not make its server available at least in a similar capacity to GitHub's self-hosted solution
In an ideal world, it'd be nice to support 3rd party clients - but unfortunately - we've observed on many occasions where 3rd party clients have malicious plugins that lead to account compromise. Additionally, having to support 3rd party clients can be problematic from an anti-spam perspective, as it muddles the line between "here's an obviously fake client" and "here's a legitimate 3rd party client." I actually wonder if this is why Twitter struggles at anti-spam so much (but I don't know nor have talked to anyone at Twitter to verify this.)
I also don't really understand why we have an obligation to offer a self-hosted solution. An advantage of our business is our server infrastructure - and although we occasionally blog about how we do things, maintaining an open source release is neither good for business, nor is it for product velocity - and definitely not something we can support given the available engineering resources. We are a very small team of engineers. For the first 3 years of the product, the infrastructure team at Discord was 2-4 people, in the current day, the IC's on the Core Infra team at Discord is less than 5.
I think a lot of people have this misconception that we are a huge company with a bunch of engineers - however, unlike a lot of valley startups, we actually hire very slowly, and deliberately - and relative to other products in our space, our team is exceptionally small. From what I hear, our entire engineering department is the size of the mobile department at another company in the voice/text chat space. As such, we work efficiently and deliberately - with the goal to build a good product, and also to ensure that we're successful as a business in the long term. These values mean that we do have to make trade-offs. But we do so in the interest of our users. Discord as a product is one that I'm passionate about working on, and a product that I use daily to play games with and talk to my friends.
> If they have my phone number, they have my phone number.
Have you considered using a burner phone? Very easy to pick one up from your local convenience store for a few bucks - and will work with phone verification on our product just fine - and will work with others that employ similar anti-spam solutions.
> Despite what we're stuck with, I do genuinely believe Discord could tune their spam and login mechanisms such that false positives are kept to a minimum.
I do agree! We are actively hiring for this position: https://discordapp.com/jobs/4286902002 - there are many betterments to be made, but we need more people such that we can work on em!
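The "account traveling around the world at an unreasonable speed" signal from the comment above, as an added example that is not part of the thread and not Discord's code. The speed threshold, the minimum-distance cutoff for geo-IP jitter, the account names and the login events are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

EARTH_RADIUS_KM = 6371.0


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def impossible_travel(events, max_kmh=1000.0, min_km=100.0):
    """Return (account, timestamp, km, km/h) for consecutive logins that imply
    a speed above max_kmh. Hops shorter than min_km are ignored, because
    geo-IP lookups for one city often resolve to slightly different points."""
    by_account = defaultdict(list)
    for account, ts, lat, lon in events:
        by_account[account].append((ts, (lat, lon)))

    hits = []
    for account, seq in by_account.items():
        seq.sort()  # order by timestamp; input may arrive out of order
        for (t0, p0), (t1, p1) in zip(seq, seq[1:]):
            km = haversine_km(p0, p1)
            if km < min_km:
                continue
            hours = (t1 - t0) / 3600
            kmh = math.inf if hours == 0 else km / hours
            if kmh > max_kmh:
                hits.append((account, t1, round(km), kmh))
    return hits


# Constructed login events: (account, unix seconds, lat, lon of geolocated IP).
EVENTS = [
    # Credentials reused elsewhere: Berlin, then Sydney one hour later.
    ("reused_pw", 0, 52.52, 13.405),
    ("reused_pw", 3600, -33.87, 151.21),
    # Ordinary user: Berlin, nearby geo-IP jitter, then Paris eight hours later.
    ("commuter", 0, 52.52, 13.405),
    ("commuter", 60, 52.39, 13.06),
    ("commuter", 8 * 3600, 48.8566, 2.3522),
    # Legitimate user whose circuit changes exit: Amsterdam, then Seattle.
    ("tor_user", 0, 52.37, 4.90),
    ("tor_user", 600, 47.61, -122.33),
]
```

On the constructed events the check flags the compromised account and also the user whose exit location changed, which is the false-positive case the comment acknowledges.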
I want to be done with Discord. The only value I find is the notifications when you have an @reply. Isn't there someone that has done this for freenode or other IRC?
https://www.irccloud.com/ does what you want (they have an app). If you use IRC heavily, I do recommend paying for it - it's useful and they fund IRCv3 among other things.
I used to use a bouncer, vnc, which there's a plugin for push notifications. Now I use matrix.org, which bridges to freenode and many (all?) other IRC servers and does notifications well. Quite happy with it, personally.
Yep, I wished matrix would replace discord and all other proprietary crap. Unfortunately the UX is still a bit lacking, but if you somewhat know what you are doing it's great.
The amount of flak you are getting from a supposedly informed audience is discouraging to me. The fact you value your privacy has turned you into a pedo in some people's views. Stick to your guns - discord has the right to be just another data-mining operation and you have the right to draw a line and say, no more.
2) You use proxies/tor which probably makes your concerns the concerns of 0.01% of the user-base.
Why should a company whose primary motive is to be profitable go so far out of their way for you, a non-paying client whose concerns represent basically none of the legitimate user-base?
The post is entitled "Guess I'm done with Discord", not "I'm entitled to my Discord account and everyone who disagrees with me is an idiot." As I said in another comment, my post was purely informative and not even in a format that would be digestible by people who do not know me.
Luckily I never had all my eggs in Discord's basket, and thankfully so. I will remember this, and I know they are welcome to discriminate against Tor or any other traffic, but that just means they opt for lazy solutions and don't care about false positives. I host websites and online services (at a much smaller scale than Discord, at that) and I know how people use Tor to abuse services. But, I also know that there's a comparable number of incidents coming from traditional ISPs, hosting ranges, dynamic home IP addresses, public proxies... you name it. This is extremely apparent in the form of E-mail SPAM.
I just believe that placing bans or flags on IP addresses is not the answer, and I will work on my own software and services with this ideology in mind. Ironically, Discord did have what I believe to be a stellar answer to guild moderation: invite links. They allowed a whitelisting model for private guilds, as well as varied forms of controlled access for more-public guilds. I'd like to see this kind of control everywhere.