Inside Discord’s Security Overhaul
Popular communications tool tweaks settings to court everyday users
In an April 2020 report on the security and privacy of 15 video calling apps, the Mozilla Foundation gave failing grades to three apps: Doxy, Houseparty, and Discord. I was one of the journalists who worked with the foundation to break the story.
It’s been months since the report came out, and both Doxy and Houseparty are still on the foundation’s fail list. But Discord, a voice, video, and text communication tool that’s popular with gamers and on the rise among other groups, is different. Within one day of the Mozilla report’s release, Mozilla announced that Discord had fixed its most glaring security hole, which allowed accounts to be created with passwords as simple as “111111.” The foundation applauded the rapid change, saying, “We’re pleased to see Discord prioritize consumers’ security, and thank them for their quick action.”
After the Mozilla report, Discord reached out to me with information about the privacy of its app. The spokesperson said, “We do not make any money via advertising or share [user] data with any third-parties that look to profit off of the information from our users. Our business model is entirely based on subscriptions (Nitro).”
Fixing password procedures seems like it should be straightforward, but in reality, it requires changing verification systems across multiple websites, apps, and other digital endpoints.
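To make the "password procedures" point concrete, here is an added example (not Discord's code; the article shows none, and the exact rules Discord adopted are not stated) of a single server-side password policy check that a service can call from every sign-up, password-change and reset endpoint, so that a password like "111111" is refused everywhere rather than only on one client. The denylist and minimum length are constructed for illustration.

```python
# Constructed denylist for illustration only; a real service would consult a
# much larger breached-password corpus rather than a handful of strings.
COMMON_PASSWORDS = {"111111", "123456", "password", "qwerty", "letmein"}

MIN_LENGTH = 8  # assumed policy value, not a figure from the article


def is_repeated_char(pw: str) -> bool:
    """True when the whole password is one character repeated (e.g. 111111)."""
    return len(pw) > 0 and len(set(pw)) == 1


def is_sequential(pw: str) -> bool:
    """True when every adjacent pair steps by exactly +1 or -1 (e.g. 123456, fedcba)."""
    if len(pw) < 2:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return diffs == {1} or diffs == {-1}


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password is accepted.

    Every account-creation, password-change and reset path should call this same
    function, which is what makes the rule consistent across web, mobile and API
    endpoints instead of depending on each client's own form validation.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    if is_repeated_char(pw):
        problems.append("single repeated character")
    if is_sequential(pw):
        problems.append("sequential characters")
    return problems


def signup(username: str, pw: str) -> dict:
    """Hypothetical account-creation handler that refuses weak passwords server-side."""
    problems = check_password(pw)
    if problems:
        return {"created": False, "errors": problems}
    return {"created": True, "errors": []}


if __name__ == "__main__":
    for candidate in ["111111", "12345678", "aaaaaaaa", "correct horse battery"]:
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

The design choice worth noting is that the rejection happens in one shared function behind every endpoint; a check that lives only in a web form's JavaScript is bypassed the moment the same request is sent from a mobile app or directly to the API.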
Zero monetized data sharing is a pretty bold claim for a technology company to make. So I started to dig deeply into Discord’s privacy and security — from a legal, technical, and business standpoint. I expected to find all kinds of lurking demons. But instead, I walked away pleasantly surprised. Discord still faces challenges, but the company seems genuinely committed to improving privacy and security for its users.
For my investigation, I started by using a browser-based data logger to capture and view all the data Discord sent as I used the service. I also used Lumen — an app developed by UC Berkeley’s Haystack Project — to monitor the data sent out by Discord’s…