
Hey. I work at Discord - and actually, this system is a thing I work on - and code my team wrote caused your account to be locked. If my team is doing a good job, you won't notice us. If we're doing a bad job, you might get some spam, or your account may be blocked for false positives.

Discord gets a lot of spam. We've disabled and/or challenged millions of accounts for trying to use our platform for unsolicited spam (trying to advertise their service, sex bots, crypto spam, etc.). Our anti-spam systems continue to evolve - just as the spammers who target our platform continue to evolve. The spam attacks against our platform vary in terms of how elaborate and skilled they are. Some are very obvious from a detection perspective, and some are not. As such, we use a blend of signals, heuristics and machine learning algorithms to determine whether someone is spamming on our platform. Additionally, we look at where spam is originating from as an input to our heuristic.

One such source is TOR exit nodes - and as such, our system considers content created (DMs opened, etc.) by people using TOR exit nodes with more stringency than other sources. As such, if you are using TOR, it is definitely more likely that you may get challenged either via captcha or phone verification. The system is definitely not perfect - and unfortunately in OP's case, it flagged the account for phone verification.

To address the 3 demands in OP's email:

> 1. Discord's anti-spam isn't so anal,

I'm not entirely sure what this means, nor what actionable steps I can take. You are using TOR, a source of a great amount of spam/attempted spam on our network.

> 2. my account (and other accounts in good standing and with proper 2FA) is exempt from such checks

Having 2fa is not a strong signal as to whether or not an account is legitimate. It is very trivial to automate setting up 2fa on an account. https://github.com/pyauth/pyotp can be used to both generate and validate 2fa codes. It'd be trivial to hook that up to the registration flow to enable 2fa - and if that was a way to 'bypass' our anti-spam measures, it'd surely be exploited.

> 3. I don't have to solve a Google reCAPTCHA for an account I have taken every step to protect against bruteforcing. Using Tor is not a crime; don't treat it as such.

Malicious actors constantly attempt to brute-force logins on our system - generally from public password dumps or other leaks. A lot of these brute-force attempts come from TOR, and other public proxies. In order to avoid information disclosure, we always captcha logins from these kinds of IPs, regardless of whether or not an account exists with the e-mail in question, whether the login credentials are correct, or there is 2fa enabled on the account. So, the "captchas" you notice are not really specific to your account, but rather, the origin of the login. Using TOR is not a crime, you are right - but - it's also our responsibility to our users to make it reasonably hard for their accounts to get compromised on our platform (even if they don't employ the best security practices - and reuse their passwords across the internet.)

Finally, I'd like to address: "Discord has shown to be hostile toward FOSS and privacy for a while now" and understand why that is.

As a company, we have tried to give back to open source software (either by financial sponsorship, or by contributing our bugfixes/changes upstream.) We also attribute all open source projects we use in our software here: https://discordapp.com/licenses. Additionally, we host many open source communities on our platform: https://discordapp.com/open-source. And finally, we try to open source software we make which may be useful to the eco-system in general: https://github.com/discordapp/.

As for privacy, we've stated that we don't sell your data. When you verify your phone number, we ONLY use it for the purpose of anti-spam, and it is never shared with anyone (aside from twilio, which sends you the SMS), especially for the purpose of financial gain. We're pretty up front about how we make money (freemium model: https://discordapp.com/nitro, in-app commerce: https://discordapp.com/sell-your-game). We provide privacy controls: https://support.discordapp.com/hc/en-us/articles/36000410991..., and allow you to request an export of all the data we have stored on your account: https://support.discordapp.com/hc/en-us/articles/36000402769...

I know this reply won't satisfy everyone, but hopefully, being truthful and upfront about this will help!
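The point above about 2FA being trivially automatable, shown as an added example. This is not Discord's code and does not use pyotp; it implements RFC 6238 TOTP directly on top of the Python standard library so the whole enrollment round trip (server issues a secret, client answers the confirmation prompt with a computed code, server accepts it) runs in one process with no authenticator app or human involved. Nothing here assumes anything about Discord's actual registration flow; the "server" and "client" are both simulated in-process.

```python
# Added example (not Discord's code): RFC 6238 TOTP with only the standard
# library, to show that enrolling 2FA and producing valid codes is fully
# scriptable, so "has 2FA" says nothing about whether a human is behind
# the account.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def generate_secret(nbytes: int = 20) -> str:
    """Return a fresh base32-encoded shared secret (what a QR code carries)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def _decode_b32(secret_b32: str) -> bytes:
    # Authenticator apps accept secrets without padding; restore it here.
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at is None else int(at)
    return hotp(_decode_b32(secret_b32), t // step, digits, algo)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift.
    Comparison is constant-time so the check itself leaks nothing."""
    t = int(time.time()) if at is None else int(at)
    for k in range(-window, window + 1):
        expected = totp(secret_b32, at=t + k * step, step=step, digits=digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def scripted_enrollment(at: Optional[int] = None) -> dict:
    """Simulate the enrollment flow a registration bot would automate:
    the 'server' issues a secret, the 'client' answers the confirmation
    prompt with a freshly computed code, and the server accepts it."""
    secret = generate_secret()               # what the server would hand out
    confirmation_code = totp(secret, at=at)  # what the bot types back
    return {
        "secret": secret,
        "code": confirmation_code,
        "enabled": verify_totp(secret, confirmation_code, at=at),
    }


if __name__ == "__main__":
    print(scripted_enrollment())
```

The assertions below use the RFC 6238 test vectors (ASCII secret "12345678901234567890", SHA-1), so the implementation can be checked against the standard rather than against itself.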




I still heavily disagree with the "Discord <3 Open Source" statements.

3rd party clients (e.g. Ripcord) that were shared on reddit were quickly shot down with a "We don't allow or support 3rd party clients or modified versions of the client."

Do you actively hunt for Discord users with a 3rd party client or is it more of a "we don't hurt you unless you abuse our API"-deal?


>Malicious actors constantly attempt to brute-force logins on our system - generally from public password dumps or other leaks. A lot of these brute-force attempts come from TOR, and other public proxies. In order to avoid information disclosure, we always captcha logins from these kinds of IPs, regardless of whether or not an account exists with the e-mail in question, whether the login credentials are correct, or there is 2fa enabled on the account. So, the "captchas" you notice are not really specific to your account, but rather, the origin of the login. Using TOR is not a crime, you are right - but - it's also our responsibility to our users to make it reasonably hard for their accounts to get compromised on our platform (even if they don't employ the best security practices - and reuse their passwords across the internet.)

Solution: add a checkbox "disable account security measures", so a user who doesn't want CAPTCHAs when logging into their account doesn't see them. It would have a warning so any user selecting it would know what they're doing.


See this from a provider standpoint and you will immediately groan at the users setting up their accounts for easy collection from spammers, who in turn use those accounts to spam your service to oblivion. You'll have to deal with the cleanup, not the spammers, not the compromised users. A lot of users don't value their accounts, and this is precisely why we have so many account breaches happen to this day.


No, I don't believe that adding the ability to reduce the security of your account is necessarily a good idea.


A user can already choose to reduce their account security, by reusing passwords, choosing common passwords, not using 2fa, etc. Allowing a user to choose to not have to complete a CAPTCHA before a login attempt, or allowing the user to choose to not require their account to have a phone number in case of suspicious logins, is reasonable, and would make many people who care about their privacy respect Discord much more.


First of all, thank you for the reply. Yes, my ticket was fairly … to the point and I did not make an effort to be polite, but Discord's support team does perform a good job in terms of timely and complete responses. As I said, starting the account deactivation/deletion process over E-mail was not a hassle (compare that to Twitter, eh…) and I have even been able to start a transfer of my own guild over to a trusted member, so the guild does not die with my absence. But with the current route Discord is taking, I cannot wish it as a company the best of luck. I'll respond to some of your points.

>anti-spam

My impression would be that an aged account with a good reputation would be held to much less scrutiny than a new account, regardless of my method of accessing the service.

>regardless of whether […] there is 2fa enabled on the account

Clue me in on this one because I do not understand how a bot surfing for accounts would be able to guess this code in a configured number of attempts. Many login forms have a number of tries before the account is temporarily locked and the user is notified of a potential breach. This is no substitute for a good password, but it's one additional safeguard, and it's one that doesn't depend on a nonfree CAPTCHA service. I'm trying to de-Google lately and I've been pretty successful; one of the few services I use anymore is GDrive and that's only because I have unlimited storage and GPG at my disposal. Discord isn't owned by Google, so my decision to abandon Google's services shouldn't have weighed in on my decision for third-party services.

>it's also our responsibility […] (even if they don't employ the best security practices[…].)

I understand, but there's a line one has to draw for things like this. I'm not a fan of password requirements but employing a minimum password length (if Discord doesn't already do so) would be a good start. As a public service provider, I understand the issue with compromised accounts, and how they can be used for spam and harassment, but I still believe there are smarter ways to go about this than punishing people for using the wrong IP address to log in.

>hostile toward FOSS

>we have tried to give back to open source software

That doesn't really mean much when Discord openly detests third-party FOSS clients and will not make its server available at least in a similar capacity to GitHub's self-hosted solution (I don't think GitHub is appreciative of FOSS either, and they prefer to capitalise from the walled garden they've created rather than truly express the libre ethic, but hosting servers has been a long-requested feature especially from established communities who don't wish to rely on Discord's infra).

>and privacy

>we've stated that we don't sell your data

I'm a cryptoanarchist. If an organisation has my IP address, they have my IP address. If they have my phone number, they have my phone number. Discord may have my intentions at heart, its servers may be kept updated and secure from most threats, but Discord is a high-profile platform now, and we're all no strangers to hackers leaking database information from a zero-day or some other oversight. I cannot trust words and policies, I can only fully trust audited code and myself. So, no, in this light Discord does not appreciate the concern for privacy if it does not make exceptions for verifying accounts by other, more private means.

I wish I could give an answer on how to moderate a platform without negatively impacting people, but to reuse your words, there isn't an answer that satisfies everyone, and there will always be shortcomings for any solution, whether it's a setup cost or a long-term conditioning of users to create better passwords. In fact, I talked about passwords specifically in another blog post [1] so I can only hope they are eventually phased out for something less prone to user error. Despite what we're stuck with, I do genuinely believe Discord could tune their spam and login mechanisms such that false positives are kept to a minimum.

[1] https://wowana.me/blog/are-passwords-the-right-solution.xht


>My impression would be that an aged account with a good reputation would be held to much less scrutiny than a new account, regardless of my method of accessing the service.

"Good" accounts turn bad pretty quick. We have some betterments to make around taking account age into consideration - but it's also a well-observed event that a prior good account gets compromised, moves between continents and starts sending out spam. We've also observed spammers register accounts, sit on them for a while (we've observed some age for over a year) before using them for spam. So, if we notice an "account traveling around the world at an unreasonable speed" we use that as a signal as well - and it is a very common pattern, almost exclusively exhibited by spam accounts, but also by the few users who connect via Tor.

>That doesn't really mean much when Discord openly detests third-party FOSS clients and will not make its server available at least in a similar capacity to GitHub's self-hosted solution

In an ideal world, it'd be nice to support 3rd party clients - but unfortunately - we've observed on many occasions where 3rd party clients have malicious plugins that lead to account compromise. Additionally, having to support 3rd party clients can be problematic from an anti-spam perspective, as it muddles the line between "here's an obviously fake client" and "here's a legitimate 3rd party client." I actually wonder if this is why twitter struggles at anti-spam so much (but I don't know nor have talked to anyone at twitter to verify this.)

I also don't really understand why we have an obligation to offer a self-hosted solution. An advantage of our business is our server infrastructure - and although we occasionally blog about how we do things, maintaining an open source release is neither good for business nor for product velocity - and definitely not something we can support given the available engineering resources. We are a very small team of engineers. For the first 3 years of the product, the infrastructure team at Discord was 2-4 people; in the current day, the ICs on the Core Infra team at Discord number fewer than 5.

I think a lot of people have this misconception that we are a huge company with a bunch of engineers - however, unlike a lot of valley startups, we actually hire very slowly, and deliberately - and relative to other products in our space, our team is exceptionally small. From what I hear, our entire engineering department is the size of the mobile department at another company in the voice/text chat space. As such, we work efficiently and deliberately - with the goal to build a good product, and also to ensure that we're successful as a business in the long term. These values mean that we do have to make trade-offs. But we do so in the interest of our users. Discord as a product is one that I'm passionate about working on, and a product that I use daily to play games with and talk to my friends.

> If they have my phone number, they have my phone number.

Have you considered using a burner phone? Very easy to pick one up from your local convenience store for a few bucks - and will work with phone verification on our product just fine - and will work with others that employ similar anti-spam solutions.

> Despite what we're stuck with, I do genuinely believe Discord could tune their spam and login mechanisms such that false positives are kept to a minimum.

I do agree! We are actively hiring for this position: https://discordapp.com/jobs/4286902002 - there are many betterments to be made, but we need more people so that we can work on 'em!
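Two of the login-time signals described in this thread, as an added example that is not Discord's code: the origin gate from the first reply (a login from a known Tor exit is challenged before any account lookup, so the answer is identical whether or not the account exists) and the "account traveling around the world at an unreasonable speed" signal from the reply just above (implied speed between consecutive logins, from the great-circle distance divided by elapsed time). The exit list, the account names, the IP-to-coordinate mapping and the login events are all constructed here; the 1000 km/h threshold and the choice not to use a Tor exit's geolocation as the baseline for the travel check are this example's own design decisions, added to address the Tor false positive the reply mentions, not a description of what Discord does.

```python
# Added example (not Discord's code): two login-time risk signals run over
# constructed sample events.
#   1. Origin gating: a login from a known Tor exit is challenged before any
#      account lookup, so the response cannot reveal whether the account exists.
#   2. Impossible travel: great-circle distance between the previous and the
#      current login divided by elapsed time exceeds what one human can move.
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed exit list (documentation-range addresses, not real exits).
# In production this would be refreshed from a published bulk exit list.
TOR_EXITS = {"198.51.100.7", "203.0.113.42"}

# Roughly airliner speed; anything faster is not one person moving.
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass
class Login:
    user: str
    ip: str
    ts: int      # unix seconds
    lat: float   # geolocation of ip (constructed for the sample)
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def travel_speed_kmh(prev: Login, cur: Login) -> float:
    """Implied speed between two logins; a 1 s floor avoids division by zero."""
    hours = max(cur.ts - prev.ts, 1) / 3600.0
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours


def decide(login: Login, prev: Optional[Login]) -> str:
    """Action for one login attempt: 'captcha', 'phone_verification' or 'proceed'.

    The Tor check runs first and never consults the account store, so a
    probe from an exit node gets the same answer for real and non-existent
    accounts; only after the challenge would credentials be looked at."""
    if login.ip in TOR_EXITS:
        return "captcha"
    if prev is not None and travel_speed_kmh(prev, login) > MAX_PLAUSIBLE_KMH:
        return "phone_verification"
    return "proceed"


def evaluate_stream(events: List[Login]) -> Dict[str, List[str]]:
    """Process logins in time order, keeping each user's last trusted location.

    Design choice of this example: a login through a Tor exit does not update
    the user's baseline location, because the exit's geolocation says nothing
    about where the user is; otherwise every Tor user trips the travel rule
    on their next circuit."""
    last: Dict[str, Login] = {}
    out: Dict[str, List[str]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        out.setdefault(ev.user, []).append(decide(ev, last.get(ev.user)))
        if ev.ip not in TOR_EXITS:
            last[ev.user] = ev
    return out


# Constructed sample events (coordinates are approximate city centres).
T0 = 1_600_000_000
SAMPLE = [
    Login("alice", "192.0.2.10", T0, 40.71, -74.01),               # New York
    Login("alice", "192.0.2.11", T0 + 1800, 1.35, 103.82),         # Singapore, 30 min later
    Login("bob", "192.0.2.20", T0, 51.51, -0.13),                  # London
    Login("bob", "192.0.2.21", T0 + 5 * 3600, 48.86, 2.35),        # Paris, 5 h later
    Login("carol", "198.51.100.7", T0, 52.52, 13.40),              # via a Tor exit
    Login("carol", "203.0.113.42", T0 + 600, 35.68, 139.69),       # another exit, 10 min later
]

if __name__ == "__main__":
    for user, actions in evaluate_stream(SAMPLE).items():
        print(user, actions)
```

Running it gives alice a phone verification on her second login (about 15,300 km in half an hour), bob two plain logins (London to Paris in five hours is well under the threshold), and carol a captcha on both attempts, with neither exit's location ever becoming her baseline.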

