
Guess I'm Done with Discord - stargrave
https://wowana.me/blog/guess-im-done-with-discord.xht
======
jrockway
Discord's phone verification is awful. They are using some super old database
of what provider is associated with your phone number. I ported a Google Voice
number to Verizon and they said I can't use it for phone verification because
it's Grand Central, a company that went out of business before Discord even
came into existence.

I pay them $99 a year, and their customer service treated me like shit for
this. What do I care if someone hacks my account and destroys the large
community that I moderate? That's their problem, not mine. But I doubt they
care.

~~~
snek
That's Twilio's database, not Discord's. Maybe it's fair to be upset at
Discord for using Twilio if Twilio can't keep their database up to date, but I
don't think there are that many alternatives to Twilio.

------
ChuckMcM
I am more and more thinking of this as a symptom of the "Data wars." I define
that as the conflict between how much data someone is willing to share in
exchange for a 'free' service.

The services aren't free of course, they pay their overhead and costs by
re-selling the data they collect about their users. And as other sources of
revenue (like ads) have lost value the data service has filled in. And since
the data buyers know that the service provider is in a weak negotiating
position they keep pressing on them to get more and more datamilk out of their
data cows for the same amount of money.

The pressure is on to create a low friction pay as you go service for these
things that don't extract data.

~~~
cpdt
Since the OP is specifically talking about Discord, it’s worth mentioning that
what you’re talking about doesn’t seem to be the case for them - they make
money from Nitro subscriptions and their game store, and state in their
privacy policy that they are “not in the business of selling your information”
([https://discordapp.com/privacy](https://discordapp.com/privacy), in the
section ‘Our Disclosure of Your Information’).

So relating back to the post, their justification doesn’t necessarily make it
right, but I think it’s incorrect to attribute it to a malicious cause.

------
esotericn
It's frustrating to be a power user in general with these sort of 'automated
lockout detection' mechanisms.

I've lost count of the number of times I've tried to log in to, I dunno, eBay
or whatever, and computer says no, and I have to call some bloody line and
speak to someone who hates their job and doesn't understand what I mean when I
talk about IP addresses.

I wish that these services had a way to check some box and say "look, I really
know what I'm doing, let anyone with the correct password/SSH key/whatever
in".

If it gets hacked, _then_ I can go through all of that shit. In this case
we're talking about a bloody chat server for christ's sake.

~~~
Pfhreak
You think the right set of people will check that box? And that if they do get
hacked they won't cost the company a ton of resources in support/lawsuits/etc?

~~~
esotericn
I mean, in practice, the 'right set of people' just don't use the service, so
you're probably right.

I've probably made about ten discord accounts with random names to join some
one off server, then gone back to IRC, because it just works.

------
kart23
Tor breaks a lot of shit for me, and I don't even bother with captchas because
it usually just flags me as a bot. So I don't think this is particularly
surprising or out of the ordinary.

But yeah, discord used to be held in high standards by me and plenty of other
gamers, but they have made it clear that they cannot handle tough situations,
and don't really care about their userbase. Someone should start a privacy
focused phone number as a service, access to texts online and through an app.
Allow people to basically have a spam phone number that they can give out to
online services, but make people pay for it obviously. Like 10minutemail but
long term and for texts only.

~~~
thekyle
I mean it's not exactly privacy focused but if you just use it for spam then
Google Voice or Skype numbers would work fine for this.

~~~
481092
Many sites don't accept Google Voice or VOIP numbers unfortunately. Or
fortunately, depending, as it'd be easier to use GV for text spamming.

------
gigel82
Why the insistence on Tor? Just use a normal VPN. Tor exit nodes are limited
in number, and the same IP probably ends up being used by thousands of
people... I assume a lot of them use it for nefarious reasons so you just end
up in the same bucket. To some extent VPN providers can get hit by this too,
but it's easy to just switch outbound IPs (for most of them). And if you want
more than that, get a cheap VPS and install OpenVPN on it (you get your own
unique exit IP address) - pay with bitcoin for the privacy aspect, also a good
place to install an ad-filter, a secure DNS proxy (DOH) and so on.

I also don't understand the 2FA point, that says nothing about your accounts'
intentions.

The account history is an interesting point... if you have a long-standing
history with no reports of inappropriate actions, they should factor that in
somehow into their algos.

~~~
wowaname
>Why the insistence on Tor?

Short answer: I'm a privacy activist. That should be a valid enough reason for
this context.

>I also don't understand the 2FA point, that says nothing about your accounts'
intentions.

No, but it shows my account is secured from intruders, which means reCAPTCHA
is just an additional nuisance to me, the legitimate account holder.

>The account history is an interesting point

Yeah, and they just glance right over it. It doesn't mean anything for my case
that I've been an active user with this account for almost two years (I had a
previous account for a bit and then left Discord because I was not in any
communities worth sticking around for). Never have I done anything wrong on
Discord's platform; haven't uploaded any lolis or evaded any bans (I believe I
was only banned from one guild, even). They just don't seem to want me as a
user, and that's fine.

------
Pfhreak
> I refuse to provide phone verification as I believe it is Discord's fault
> for flagging my account...

> I will be communicating with a couple communities with which I'm involved to
> explain that I am unable to use Discord

Does this person not have a phone? 'Unable' seems like a stretch. If this
person said, "I don't want to provide my phone number to Discord, so I'm going
to stop using it" I'd understand.

Their opening email also strikes a pretty aggressive tone -- calling Discord
anal, insulting, "spit in my face" then goes on to make a number of demands of
the company? I'm not super surprised the customer service rep on the other
side didn't go out of their way to help.

~~~
wowaname
Just a note: I do not ask to have my blog entries submitted to this site,
precisely because the comments I receive here are very assumptuous and
negative. I have had prior interactions with Discord which influenced the tone
of my E-mail. My blog post is simply presented as-is and I really do not care
what others have to say about it, but I have no control over what is submitted
here. I just want people to keep this in mind should future posts of mine be
submitted, before someone points out "hey, you got onto Hacker News again" and
I have to be subjected to a bunch of people not getting the full picture (and
even some people complaining how _pink_ my site is... grow up).

~~~
pschastain
Personally found the post interesting. I don't use Discord but I also refuse
to give my number out for verification purposes - as you noted there are other
ways to verify a user's identity.

Hopefully you don't get too much grief for being a female on the internet with
an opinion :-/

~~~
wowaname
I don't capitalise on my sex/gender; I just prefer the use of neutral language
when talking about anyone of unknown gender. In any case; I signed up for this
when deciding to put my ideas online, and it has given me a chance to connect
with a lot of nice people, despite also having to take the negative audiences
along with it. I definitely am surprised that my blog attracts as much
positive attention as it does; I never really wrote with the assumption that
I'd have far reach. But, it's nice that others out there do care about some of
the things I do.

Currently Discord doesn't require a number if you use your home IP to connect,
but that could change at a moment's notice with their opaque methods of
operation. I've used Tor with Discord for months without any issue until
recently. So, it's probably better not to start using it now than to take that
risk and be upset when they do find a reason to demand your personal
information.

------
elmerfud
This is a typical response from service companies in the Internet age. They
don't care about truth, or what actually happened, the algorithm says you're
bad then you're bad. There's no human to appeal to, no human oversight of if
their algorithm is right or wrong. They use another algorithm to check it,
which tells them that you must be a bad actor.

I've had my own issues with Lyft that are similar. Banned from using their
service even though I've never actually ordered a ride from them. Banned upon
sign up. No review, no appeal, they don't even follow their own terms of
service.

I'm not one to normally advocate for government regulations and oversight, but
there's way too much consumer abuse for these Internet age services. Consumer
protections can't come soon enough.

~~~
Judgmentality
Assuming you're willing to share, how did you get banned from Lyft without
ever ordering a ride?

~~~
scrollaway
Dunno about GP but I had a similar experience with Lyft, which had to do with
the type of card I registered to Lyft. I don't remember the specifics but my
case wasn't particularly weird… I was using an EU mastercard of some kind and
they decided it was a bad one so they banned me. This all happened without
ordering a ride.

Had a similar experience with Uber, except that Uber actually eventually fixed
it. Lyft was… unhelpful.

------
simonblack
Social media gets less and less "social" every day.

My last remaining social media with input from me is HN. But I accept that,
sooner or later, HN will be just as intrusive, aggressive, just plain nasty
and censoring as the rest of them. And then it will be time for me to "go
completely dark" as far as my contribution to the internet is concerned.

------
steve19
I like that for privacy reasons they won't tell you why you were banned. Whose
privacy?

Does that just mean "our black box NN has banned you and we won't know or care
why" ?

~~~
ljm
Their own privacy most likely. Don't want to reveal the techniques used to
identify the accounts they ban, so the scammers can't learn from it.

------
Havoc
Point 2 in particular rings true.

...If you can't filter out your core user base with 2FA (!!!) from bullshit
like recaptcha then you've got real problems

~~~
snek
2FA is account security, not proof of being a good human user. TOTP is a very
simple algorithm (python impl:
[https://github.com/pyauth/pyotp](https://github.com/pyauth/pyotp)) that can
be easily automated. After all, your phone telling you the code to type in has
automated it.

~~~
Havoc
Yeah

That risk is acceptable to me though

------
nullandvoid
Strange I was just thinking about this issue the other day

Discord is a bit of a haven for spammers / scammers with my own account having
received messages from several hundred random accounts ( to be fair the user
is normally deleted before I read the message )

As a discussion / personal curiosity point how would the HN community
recommend discord handle this level of spam going forward?

~~~
giancarlostoro
It becomes extremely obvious when someone's sharing a link to thousands of
users they have never spoken to before. Idk about how you use Discord but I
can only send so many messages to so many people in a few minutes.

------
mostlysimilar
I understand the frustration on the part of the user and I dislike that we're
all being forced to give up our anonymity to use these platforms... but also
the tone of both emails was quite antagonistic. They may have had slightly
better luck if they'd been friendlier and not attempted to school the Discord
staff on how their app should behave.

~~~
jacquesm
> but also the tone of both emails was quite antagonistic

The customer is always right.

> They may have had slightly better luck if they'd been friendlier and not
> attempted to school the Discord staff on how their app should behave.

Or not. Besides, it should not matter, either they did something bad or they
did not, the tone of the message may upset the recipient but when you ban
someone just like that _you can expect them to be upset_ and your first line
support people should be able to take that sort of heat in stride.

Sucking up to support staff when your account has been banned for no
particular reason should not be a pre-requisite for having it dealt with
professionally, in fact a good first line support worker will be able to de-
escalate such a situation quickly by showing some competence and making sure
the user is dealt with as they should.

~~~
wowaname
For free services, I'm the product, not the customer. I understood this and
used Discord regardless, because at the time it was the easiest way to talk to
certain communities (mostly gaming related).

If I was using Nitro, I'd have to agree with you, but I had a clear stance not
to give a dime to a company I do not support.

~~~
jacquesm
> For free services, I'm the product, not the customer.

That's been beaten to death by now. Let's start with that I don't agree with
it. If the service is free the price is $0, that does not suddenly transform
the person who the _product_ is being delivered to into the product itself. It
merely changes the revenue stream into another one that is invisible to the
customer. The company then has many options in order to get paid, none of
which involve selling the customer. They might sell data _about_ the customer
(illegal in many places if that data has been collected for different
purposes), or they might attempt to upsell the customer on a different
service.

But in no way does the actual customer get sold.

The whole thing smacks of defeatism: we don't pay so therefore we have no
rights as customers so don't whine. But that simply isn't true, users are not
cattle to be sold at auction and companies should not treat them as such. And
users should not tell each other that they only got what they deserved.

~~~
wowaname
Perhaps I shouldn't have used that phrase, but I felt it would resonate with
people more immediately than any other choice of words. In any case, I don't
pay for Discord so I am definitely not a customer, whether or not I or my data
is a "product".

~~~
ncmncm
There is nothing wrong with the expression or the idea behind it. We all know
what it means, and what you mean when you say it. We all (seem to) need the
reminder.

It would be nicer not to be the product, but the world isn't always nice.
Sometimes it is.

------
Prohias
If the only deal breaker is your phone number, this is going to be an issue
for you moving into the future with many service providers. Consider leasing a
number through Twilio, it will save you from frustration.

~~~
wowaname
I'm probably going to leave phone companies entirely, when I'm no longer on my
family's plan, and set up a VoIP number because it'd give me hands-on
experience with how VoIP works and it seems more cost-effective for my use
case. I'll remember Twilio if I _need_ it for any verification purposes, but
it's definitely a sad state of affairs that phone numbers are seen as a
mandatory identification step in this day and age. I understand that it's an
easy choice for some companies to make, but it doesn't mean I have to be happy
with it.

------
jhgg
Hey. I work at Discord - and actually, this system is a thing I work on - and
code my team wrote caused your account to be locked. If my team is doing a
good job, you won't notice us. If we're doing a bad job, you might get some
spam, or your account may be blocked for false positives.

Discord gets a lot of spam. We've disabled, and/or challenged millions of
accounts for trying to use our platform for unsolicited spam (trying to
advertise their service, sex bots, crypto spam, etc...). Our anti-spam systems
continue to evolve - just as the spammers who target our platform continue to
evolve. The spam attacks against our platform vary in terms of how elaborate
and skilled they are. Some are very obvious in terms of a detection
perspective, and some are not. As such, we use a blend of signals, heuristics
and machine learning algorithms to determine whether someone is spamming on
our platform. Additionally, we look at where spam is originating from as an
input to our heuristic.

One such source is TOR exit nodes - and as such, our system considers content
created (DMs opened, etc..) from people using TOR exit nodes with more
stringency than other sources. As such, if you are using TOR, it is definitely
more likely that you may get challenged either via captcha, or phone
verification. The system is definitely not perfect - and unfortunately in OP's
case, it flagged the account for phone verification.

To address the 3 demands in OP's email:

> 1. Discord's anti-spam isn't so anal,

I'm not entirely sure what this means, nor what actionable steps I can take.
You are using TOR, a source of a great amount of spam/attempted spam on our
network.

> 2. my account (and other accounts in good standing and with proper 2FA) is
> exempt from such checks

Having 2fa is not a strong signal as to whether or not an account is
legitimate. It is very trivial to automate setting up 2fa on an account.
[https://github.com/pyauth/pyotp](https://github.com/pyauth/pyotp) can be used
to both generate and validate 2fa codes. It'd be trivial to hook that up to
the registration flow to enable 2fa - and if that was a way to 'bypass' our
anti-spam measures, it'd surely be exploited.

> 3. I don't have to solve a Google reCAPTCHA for an account I have taken
> every step to protect against bruteforcing. Using Tor is not a crime; don't
> treat it as such.

Malicious actors constantly attempt to brute-force logins on our system -
generally from public password dumps or other leaks. A lot of these brute-
force attempts come from TOR, and other public proxies. In order to avoid
information disclosure, we always captcha logins from these kinds of IPs,
regardless of whether or not an account exists with the e-mail in question,
whether the login credentials are correct, or there is 2fa enabled on the
account. So, the "captchas" you notice are not really specific to your
account, but rather, the origin of the login. Using TOR is not a crime, you
are right - but - it's also our responsibility to our users to make it
reasonably hard for their accounts to get compromised on our platform (even if
they don't employ the best security practices - and reuse their passwords
across the internet.)

Finally, I'd like to address: "Discord has shown to be hostile toward FOSS and
privacy for a while now" and understand why that is.

As a company, we have tried to give back to open source software (either by
financial sponsorship, or by contributing our bugfixes/changes upstream.) We
also attribute all open source projects we use in our software here:
[https://discordapp.com/licenses](https://discordapp.com/licenses).
Additionally, we host many open source communities on our platform:
[https://discordapp.com/open-source](https://discordapp.com/open-source). And
finally, we try to open source software we make which may be useful to the
eco-system in general:
[https://github.com/discordapp/](https://github.com/discordapp/).

As for privacy, we've stated that we don't sell your data. When you verify
your phone number, we ONLY use it for the purpose of anti-spam, and it is
never shared with anyone (aside from twilio, which sends you the SMS),
especially for the purpose of financial gain. We're pretty up front about how
we make money (freemium model:
[https://discordapp.com/nitro](https://discordapp.com/nitro), in-app commerce:
[https://discordapp.com/sell-your-game](https://discordapp.com/sell-your-game)).
We provide privacy controls:
[https://support.discordapp.com/hc/en-us/articles/36000410991...](https://support.discordapp.com/hc/en-us/articles/360004109911),
and allow you to request an export of all the data we have stored on your
account:
[https://support.discordapp.com/hc/en-us/articles/36000402769...](https://support.discordapp.com/hc/en-us/articles/360004027692-Requesting-a-Copy-of-your-Data)

I know this reply won't satisfy everyone, but hopefully, being truthful and
upfront about this will help!
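
Added example (not part of jhgg's comment and not Discord's code): a sketch of the two points made above, that the CAPTCHA decision depends only on the origin of the login and is taken before any account lookup, and that a TOTP code (RFC 6238) only proves possession of the shared secret. The network range, account store and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample: a documentation-range network standing in for a feed of
# Tor exit / public proxy addresses (hypothetical, not a real list).
HIGH_RISK_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def _hash(password: str, salt: bytes) -> bytes:
    # Demo parameters only; the iteration count is kept low so the example is fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed account store: email -> (password hash, salt, TOTP secret or None).
ACCOUNTS = {
    "alice@example.com": (_hash("correct horse", b"salt-a"), b"salt-a",
                          b"12345678901234567890"),
    "bob@example.com": (_hash("hunter2", b"salt-b"), b"salt-b", None),
}


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def needs_challenge(src_ip: str) -> bool:
    """Challenge decision: a function of the origin only, never of the account."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in HIGH_RISK_NETS)


def login(email, password, otp, src_ip, captcha_solved, now):
    # Step 1: origin gate. It runs before any account lookup, so the response
    # cannot reveal whether the email exists, whether the password is right,
    # or whether 2FA is enabled.
    if needs_challenge(src_ip) and not captcha_solved:
        return "captcha_required"

    # Step 2: credentials. Every failure returns the same generic result.
    record = ACCOUNTS.get(email)
    if record is None:
        _hash(password, b"dummy-salt")  # comparable work for unknown emails
        return "invalid_login"
    pw_hash, salt, secret = record
    if not hmac.compare_digest(_hash(password, salt), pw_hash):
        return "invalid_login"
    if secret is not None:
        # Possession check only: anything holding the secret computes this code.
        # (A production verifier would also accept adjacent time steps.)
        expected = totp(secret, now).encode()
        if otp is None or not hmac.compare_digest(expected, otp.encode()):
            return "invalid_login"
    return "ok"
```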

~~~
ajfjsiqjwisjais
> Malicious actors constantly attempt to brute-force logins on our system -
> generally from public password dumps or other leaks. A lot of these brute-
> force attempts come from TOR, and other public proxies. In order to avoid
> information disclosure, we always captcha logins from these kinds of IPs,
> regardless of whether or not an account exists with the e-mail in question,
> whether the login credentials are correct, or there is 2fa enabled on the
> account. So, the "captchas" you notice are not really specific to your
> account, but rather, the origin of the login. Using TOR is not a crime, you
> are right - but - it's also our responsibility to our users to make it
> reasonably hard for their accounts to get compromised on our platform (even if
> they don't employ the best security practices - and reuse their passwords
> across the internet.)

Solution: add a checkbox "disable account security measures", so a user who
doesn't want CAPTCHAs when logging into their account doesn't see them. It
would have a warning so any user selecting it would know what they're doing.

~~~
jhgg
No, I don't believe that adding the ability to reduce the security of your
account is necessarily a good idea.

~~~
ajfjsiqjwisjais
A user can already choose to reduce their account security, by reusing
passwords, choosing common passwords, not using 2fa, etc. Allowing a user to
choose to not have to complete a CAPTCHA before a login attempt, or allowing
the user to choose to not require their account to have a phone number in case
of suspicious logins, is reasonable, and would make many people who care about
their privacy respect Discord much more.

------
Havoc
I've been waiting for this in a way.

This surge in adoption is pretty classic. It feels artificially hot / running at
too high temps if that makes sense.

I don't see a superior product so don't see this crashing, but Discord is
going down only from here

------
buboard
I want to be done with discord. The only value i find is the notifications
when you have an @reply. Isn't there someone that has done this for freenode
or other IRC ?

~~~
kadoban
I used to use a bouncer, vnc, which there's a plugin for push notifications.
Now I use matrix.org, which bridges to freenode and many (all?) other IRC
servers and does notifications well. Quite happy with it, personally.

~~~
banger180
Yep, I wished matrix would replace discord and all other proprietary crap.
Unfortunately the UX is still a bit lacking, but if you somewhat know what you
are doing it's great.

------
pfisch
1) You're not a paying user

2) You use proxies/tor which probably makes your concerns the concerns of 0.01%
of the user-base.

Why should a company whose primary motive is to be profitable go so far out of
their way for you, a non-paying client whose concerns represent basically none
of the legitimate user-base?

~~~
wowaname
The post is entitled "Guess I'm done with Discord", not "I'm entitled to my
Discord account and everyone who disagrees with me is an idiot." As I said in
another comment, my post was purely informative and not even in a format that
would be digestible by people who do not know me.

~~~
ncmncm
Thank you for the informative posting. I have had no contact with Discord, so
I learned something.

------
ricardbejarano
A private company has the right to choose where its traffic comes from,
nothing surprising here.

There are legitimate reasons to block TOR traffic, and even if there were
none, they'd still have the right to block anyone of their users.

There are plenty of alternatives, simply remember not to choose one run by a
private company again.

~~~
wowaname
Luckily I never had all my eggs in Discord's basket, and thankfully so. I will
remember this, and I know they are welcome to discriminate against Tor or any
other traffic, but that just means they opt for lazy solutions and don't care
about false positives. I host websites and online services (at a _much_
smaller scale than Discord, at that) and I know how people use Tor to abuse
services. But, I also know that there's a comparable number of incidents
coming from traditional ISPs, hosting ranges, dynamic home IP addresses,
public proxies... you name it. This is extremely apparent in the form of
E-mail SPAM.

I just believe that placing bans or flags on IP addresses is not the answer,
and I will work on my own software and services with this ideology in mind.
Ironically, Discord did have what I believe to be a stellar answer to guild
moderation: invite links. They allowed a whitelisting model for private
guilds, as well as varied forms of controlled access for more-public guilds.
I'd like to see this kind of control everywhere.

