Discord is a popular communications platform that many communities are built upon. While Discord Inc. has generally taken the stance that they are not in the business of selling your data, there is still a lot of potential for abuse. Privacy policies can change with little notice and upon acquisition. Representatives of the platform have stated openly that encrypted conversations are not a planned feature, as they would prevent the operators from moderating abuse that occurs on the platform. Individuals may find that Discord is unavoidable if they wish to participate in some communities.
This post will detail some proactive steps that can be taken to protect oneself while using the platform. Adversaries that are considered include:
- Other Discord users
- Third-party bots
- Discord Inc., the company that runs the Discord platform
Use a web browser
Discord works really well in a web browser, which is unsurprising given that the desktop client is an Electron application (essentially a Chromium browser dedicated to a single web application). Using a web browser instead of the desktop app reduces the fingerprinting surface, because most web browsers run web content inside a sandbox.
Configuration
These instructions use Mozilla Firefox, but any modern web browser will do.
- Create a new profile just for Discord
- Install uBlock Origin
- Block the telemetry API endpoint by applying this filter
||discord.com/api/*/science$xhr,1p
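To see which requests that filter actually blocks, here is an added example (not code from the original post or from uBlock Origin): a minimal matcher for the subset of the filter syntax the rule uses, namely the `||` hostname anchor, `*` wildcards and the `$xhr,1p` options, run over constructed sample requests. It assumes the last two hostname labels identify the site, which is a simplification of what uBlock does with the Public Suffix List.

```javascript
// Added example: a small matcher for the uBlock Origin filter used above.
// Supports only "||" anchoring, "*" wildcards and the "$xhr,1p" options.

function parseFilter(filter) {
  const dollar = filter.lastIndexOf("$");
  const pattern = dollar === -1 ? filter : filter.slice(0, dollar);
  const options = dollar === -1 ? [] : filter.slice(dollar + 1).split(",");
  // "||" means: any scheme, then optional subdomains, then the pattern.
  const anchored = pattern.startsWith("||");
  const body = anchored ? pattern.slice(2) : pattern;
  const escaped = body
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*");                 // "*" matches any run of characters
  const prefix = anchored ? "^[a-z][a-z0-9+.-]*://([^/?#]+\\.)?" : "";
  return {
    re: new RegExp(prefix + escaped, "i"),
    types: options.filter((o) => o !== "1p" && o !== "3p"), // e.g. "xhr"
    firstPartyOnly: options.includes("1p"),
  };
}

// Simplification (assumption): treat the last two labels as the site.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Returns true when the filter would block the given request.
function shouldBlock(filter, request) {
  const f = parseFilter(filter);
  if (!f.re.test(request.url)) return false;
  if (f.types.length > 0 && !f.types.includes(request.type)) return false;
  if (f.firstPartyOnly) {
    const reqSite = registrableDomain(new URL(request.url).hostname);
    const pageSite = registrableDomain(new URL(request.pageUrl).hostname);
    if (reqSite !== pageSite) return false;
  }
  return true;
}

const FILTER = "||discord.com/api/*/science$xhr,1p";

// Constructed sample requests, modelled on what the web app might send.
const SAMPLE_REQUESTS = [
  { url: "https://discord.com/api/v9/science", type: "xhr", pageUrl: "https://discord.com/channels/@me" },
  { url: "https://discord.com/api/v9/users/@me", type: "xhr", pageUrl: "https://discord.com/channels/@me" },
  { url: "https://discord.com/api/v9/science", type: "image", pageUrl: "https://discord.com/channels/@me" },
  { url: "https://discord.com/api/v9/science", type: "xhr", pageUrl: "https://example.org/" },
];

function evaluateSamples() {
  return SAMPLE_REQUESTS.map((r) => shouldBlock(FILTER, r)); // [true, false, false, false]
}
```

Only the first request, a first-party XHR to the science endpoint, is blocked; ordinary API calls, non-XHR loads and third-party embeds pass through, which is exactly the scope the `$xhr,1p` options set.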
Register using an anonymous e-mail address
E-mail forwarding services can conceal your true e-mail address by acting as a middleman that accepts and resends e-mails from the service to your true e-mail address. I like to use an open-source e-mail forwarding service like SimpleLogin for this. Other alternatives include AnonAddy and Firefox Relay.
Mobile devices
The web application can be used in mobile web browsers, but it has limited to no optimisation for responsive layouts. The mobile app should be avoided if possible.
Configure the Discord User Settings
Configuration
On the Privacy & Safety tab:
- Set Safe Direct Messaging to Do not scan.
- Disable Use data to improve Discord.
- Disable Use data to customize my Discord experience.
- Disable Allow Discord to track screen reader usage.
Discord has an option for enabling 2FA through TOTP. While enabling 2FA is generally a good idea, Discord’s implementation does not allow for this without providing a mobile number. Thus, it’s generally better to avoid enabling this option.
Practise good OPSEC
Avoid oversharing
This should be obvious. Don’t write anything that you may regret later. Everything you write is exposed to other users and potentially stored permanently in the Discord backend; on top of that, many Discord servers utilise bots which have their own privacy policies and may be keeping additional records.
Discord does not implement end-to-end encryption in any shape or form. This means that Discord direct messages should not even be used to communicate anything of value.
Externalise sharing of sensitive data
If there is a need to share details that can be linked to your real identity, share the information using an external E2EE utility such as Bitwarden Send or PrivateBin. Setting a password in these tools can prevent the data from being processed by automated systems such as URL preview generation.
Compartmentalise using multiple accounts
Using different account identifiers reduces the ability of other users and bots to correlate your different usage habits. For example, if you browse Discord servers that are considered Not Safe For Work (NSFW), you may want to keep that activity separate from the account you use for gaming.
If Discord Inc. is considered an adversary, a VPN is required so that IP addresses cannot be correlated. Similarly, Discord has an account switcher feature which should be avoided as it allows the company to accurately link accounts. Instead, create a web browser profile for each Discord account. For improved usability, create shortcuts for each profile.
Delete your messages
Put some time into deleting messages from time to time. This can be done easily using the Undiscord script.