It is specifically because you got banned for "being under 13": it comes from someone asking a question like "How many candles in this photo?", then you reply "7", then they edit the message to say "How old are you?", and voila, underage ban.
What you are overlooking is that Discord is the new MSN Messenger, YIM, etc. Your friends are not backed up in a meaningful way, nor are the servers you're in; if you lose your account, you lose contact with basically your entire internet life and friends.
Discord should not keep those IDs longer than a month at a time; once the user is unbanned it should be deleted a week later, or removed from that panel altogether.
You can come up with all kinds of excuses, but Discord is not, and NEVER WAS a trustworthy company.
> You've got to be a complete moron uploading your gov ID to discord
^ Still stands.
I'm not making excuses for companies retaining PII longer than they should. I'm simply stating why someone might give their ID. Another reason is to verify yourself as a bot developer, though supposedly that is usually done via an entirely different third party.
People’s priorities don’t match yours man. It doesn’t make them stupid.
This hits the nail on the head. The big issue here is that the submitted photos were not deleted and that is quite concerning to me.
This should be a warning to anyone providing functionality in any way similar to what Discord is doing. Do not keep PII longer than you legally have to. Don't have to keep it at all? Delete it. Leave a redacted record such as "Image verified by x, removed on x after unban" or something simple if you must. Remove PII from ticketing systems, especially on a platform like Discord where users want to be private by design.
The issue then becomes "well, why don't they just go back to a TeamSpeak server? They can self-host it!"
But we're forgetting that the average person online is not a dev. The most they usually know is how to point and click on something. Which also means they usually don't know how to spin up a Linux machine/VM somewhere and install their own chat server.
Discord is popular because it lets almost anyone on Earth point and click to create a chat "server". If someone can figure out how to do that (e.g. cPanel), you can absolutely break their moat.
Which is kinda sad. Way back in the mid-2000s, I was playing World of Warcraft with a few people I had met in the game itself. Later on, we chipped in to rent a TeamSpeak server from a company that offered ready-made servers and we had a lot of fun. You didn’t even have to do much admin work. :(
Ah, the classic shoe size prank.
A bunch of UK users are blocked from the more "free speech" (over 13) channels unless they prove their identity to Discord, to comply with the Online Safety Act.
It's channels marked NSFW that you need verification for and it's also incredibly easy to bypass with a VPN.
I know of a bunch of small servers that unmarked all their porn channels from the NSFW flag so their British members could access them freely.
This applies to all users and isn’t related to OSA (though that will probably make leaks like this more likely).
What would you say of a lot of FOSS companies/orgs who love to stay on places like Discord? Hell, some entities that pride themselves on "privacy" and "E2EE" shit are specifically on Discord. I think that must go beyond moronity.
Are you seriously blaming kids and teenagers (who spend their free time on Discord) because they are not smart enough to know better and form communities elsewhere?
You can do better than victim blame, and instead point the finger at Discord and whoever told the British government that delegating ID control to third parties was a good idea.
...or point the finger at ourselves, for not creating a more decentralized and secure place for our kids to hang out online.
No need to blame the user for the company's actions.
Company enacts a policy enforced on them by law, for example requiring proof that a user is above the age of 18 to be able to use a channel where other users may use naughty words (The Horror!!!).
User struggles to use the automated age check system (I used the "guess age by letting an AI have a look at a selfie" method and it was a pain in the ass which failed twice before it finally worked) so does what is recommended and makes a support ticket. [0]
User, relying on the published policy that Discord will delete ID directly after it has been used to do the age check [1], decides they wish to remain in communication with their online friends and uploads their ID.
Discord then fails to honour their end of the deal by deleting their users' documents after use, and then gets breached.
Full blame is on Discord for poorly handling their users' data via their 3rd parties, and on the governments forcing such practices. Discord should have their asses handed to them by the UK's ICO.
Sure, us geeks can and will use self-hosted systems and find ways to avoid doing ID checks, but your avg joe isn't going to do that.
Hopefully cases like this will help with the push back on governments mandating these kinds of checks, but I see the UK government just falling back to "think of the children" and laying all the blame on Discord (who are not without fault in this case).
[0] https://support.discord.com/hc/en-us/articles/30326565624343...
[1] https://support.discord.com/hc/en-us/articles/30326565624343...
> Discord then fails to honour their end of the deal by deleting their users' documents after use, and then gets breached.
This wasn't documents uploaded via the automated ID checker, it was users manually sending ID documents to support in order to appeal an automated age decision.
> User, relying on the published policy that Discord will delete ID directly after it has been used to do the age check [1], decides they wish to remain in communication with their online friends and uploads their ID.
This is the part where the user has to take at least partial blame. You have to be utterly stupid (or at the very least way too sheltered) to believe a statement like this from a company, especially when there are zero consequences to the company for lying about it or negligently failing to live up to their policy.
In the UK we have the ICO (https://ico.org.uk/), who have the ability to fine companies that fail to live up to their data retention policies and/or fail to take adequate security measures to prevent or contain serious personal data breaches.
If the UK Government are determined to enforce companies having to validate user IDs to use the company's services, then the government had better be determined to enforce our data protection laws too. Governments can not have it both ways (esp. as the UK government also want to roll out new digital IDs that will need to be checked when getting a new job): demanding users hand over ID to access services but not kicking butts when those services fuck things up is just idiotic (OK, it's the government, they make being idiots a profession), but that's not the fault of the user.
I'm mad at both Discord (for not securing their customers' data in line with their published policies), and at the government (for forcing them into collecting the data in the first place; if Discord didn't have the data to begin with it can not be exposed).
But I can not be mad at users of a service, who through no fault of their own just wished to continue to be in communication with their friends and were faced with the no-win choice of providing ID or being denied access to a communication platform.
(just to be clear, I was not breached in this leak so I'm not being salty about the leak, but I see the point of view of the avg user because I see how the avg person uses the net every day.)
You don’t remember what it was like to just not think about this stuff too much because all our peers weren’t either.
How many of us freely and gleefully gave our info to Facebook, Google, etc all through the 2010’s? How many continue to?
Nobody believes the policy or even cares about the policy. They need to use the service, because everyone else is using the service, and they don't have a choice. Plain and simple.
Pure victim blaming.
At this point a whole bunch of crypto exchanges, including Chinese ones, have my driver's license, passport and more. It is what it is; any real KYC process will require video identification anyway.