Real time chat? Great. But entire communities, forums, and wikis moving behind the locked walls of Discord has been a disaster for information discovery.
Don't replace Discord with a similar alternative. Return to open forums and wikis!
The problem is forum UX on mobile is mediocre, and people have to create an account for each forum. Most people are using mobile devices now, like it or not, so convenience of rich text chat wins out.
I would have agreed 5 years ago, but not this day and age, when AI is raping open source projects and killing platforms like Stack Overflow.
We need a safe space from web crawlers and surveillance, and open forums ain't it. (Neither is Discord, but a sufficiently secure alternative might be.)
Isn't it a good thing? It clearly marks companies like Persona as dangerous and toxic enough to hopefully make an example that prevents others from working with them.
I think they have been steadily losing their years of goodwill and trust over time. Their client is becoming worse and worse every release, introduced ads, etc... Typical enshittification, it could be worse, but Discord already went from being cool to being tolerable. The age verification thing is just another step on the way down.
So does this mean Discord is scrapping its new face verification requirement for users, or imply they’re no longer using this 3rd party service (Persona) to do it? The article wasn’t too clear on that.
> So does this mean Discord is scrapping its new face verification requirement for users,
No, they’re outsourcing the verification to an external company. Just not this one.
Side note: The verification is only if you want to remove content filters, join adult-themed servers and a couple other features. If you only want to chat with your friends and use voice then no verification is required.
Well, until the upcoming batch of laws goes through classifying discussion of lgbtq people as inherently mature content. This is one half of a two part strategy by the American right to make queer content de facto illegal again without running into first amendment protections. Getting the payment processors banning "mature" content is the other leg of this stool.
Discord isn't scrapping its plans, just assuring people that one of the vendors they trialed in a sub-market they aren't moving forward with globally. They've been trying for a multi-vendor solution from the beginning and k-ID is the vendor they've been much more publicly happy with than Persona.
(Also, most notably mentioned in that post: the global rollout is delayed in light of some of these vendor verification issues, and they are also hoping to roll out a few more features to even further lessen the need for age verification by many users. One such feature is first-class opt-in "spoiler channels", which some servers had been using age-restricted channels for, rather than opt-in roles and somewhat more complex role-based permissions.)
K-id is the vendor they were proposing which did on device processing. They were trying to downplay the initiative by saying all the k-id data stayed on device.
This was undermined by the fact they were also trialling a switch to Persona (the vendor in the story), which did not uphold that guarantee. It was horrific optics to be reassuring people that it was ok because you didn’t save data but also be trialling a switch to a vendor which did save data, which I guess is a lot of the reason this vendor switch was cancelled. (Though it does call into question discord’s judgment that they thought this was a good idea).
Anyway, Persona was also breached which is how the government links were discovered and also probably a part of this decision. This is not to be confused with the breach in November of 5CA, _another_ vendor they used in the initial UK and Australia roll outs. The fact that two vendors were breached in four months is a good example of why this is a bad idea.
I don't think you can ever trust closed source software that also requires network for other features that it really does on-device processing for something specific.
It might not even send the sensitive data immediately but bundle it with other traffic once it goes online.
Thanks. I was curious if someone was going to address the weird use of “CATASTROPHIC” to describe source maps being available for front-end code. It’s already public. Minified is better for the regular user, and should be in production, but it’s like by far the least problematic thing in this article.
>Nearly 2,500 accessible files were found sitting on a U.S. government-authorized endpoint, researchers pointed out on X. The files showed Persona conducted facial recognition checks against watchlists and screened users against lists of politically exposed persons.
>Persona performs 269 distinct verification checks, including screening for “adverse media”
i'm sure everyone assumed this, but it's good to know it.
>And the information was openly available. “We didn’t even have to write or perform a single exploit, the entire architecture was just on the doorstep,”
it is kind of scary how often these types of situations are only found out because of wild incompetence. you have to imagine that most similar situations don't suffer from the same incompetence (and thus aren't known)
>“At Discord, protecting the privacy and security of our users is a top priority.
please, i wish companies would just stop saying this obvious lie. you know that you don't care. we know that you don't care.
>It’s dystopian that we want people to facedox themselves to everyone to be real online.
.... says the ceo of the company that you have to send your face ("facedox", if you will) to
> According to Discord, only a small number of users were part of this test, in which any information submitted could be stored for up to seven days before it would be deleted.
Ah yes, we only store it for 7 days. During those 7 days, we pass it to Persona, and who knows how long they keep it!
The way I read that is Discord would delete your data, but they were taking an intentionally hands off approach to the data broker they subcontracted to identify you.
If a tech company says something to you, and they don't give you the means to verify it on your own, they are lying to you. Do not trust anything they say, ever.
Is there a problem with Peter Thiel or is their problem that somebody accidentally leaked the front end source code? The first I would understand, though I would find it silly. The second I don’t understand. Front end code is neither meant to be secret nor meant to be trusted. Who the hell cares if your users can see it?
For some reason, discord has never asked more from me than a verified email address. No phone number or anything else. Maybe I'm being monitored and they don't want to spook me off the honeypot? Half joking..
Same for me, and my account is almost a decade old. I think it depends a lot on where you are from and the kind of activity, as I read stories of people being asked to register a number out of nowhere.
Many servers require you to have it tho, due to spam protection. I just don't talk on those.
It’s tragic but I have the “verified” setting turned on my public server because it’s literally impossible to stop a determined spammer with the tools Discord has. They can make new accounts faster than you can ban them, and there’s no like “IP ban” equivalent.
If your account is a decade old, and you registered at 13, you're now 23 and they don't need to verify you're older than 18. If you were younger than 13, they might be required to delete your account.
Each discord server can decide whether they only will allow people with a phone number on. When you hit one of those, Discord will ask you for your number.
Those require a phone for you to send messages and interact. It will ask you to 'Verify phone', but you can choose not to and stay on the server as read-only, Discord itself won't bother you about it. I am on a few like that for quite some time.
Does cutting ties with Persona actually take them out of the picture? Whoever they move to can then relay or sell data to Persona. Third party turtles all the way down. inb4 but they pinky promised...
The appropriate solution would be to send an RTA header [1] from the servers and the client must check to see if parental controls are enabled on the device or in the application. Not perfect, but likely sufficient to protect small children assuming the account is a child account and the parent enabled parental controls. Teens will always be able to bypass controls whether local or third party. Teens can share porn, warez, movies and more in rated-G video games with one another and small children. Or over SFTP/FTP/P2P/S3/HTTPS. Or a million other ways. Have fun playing whack-a-mole.
what is such a shame is, well, two things: first, that these companies even do this kind of thing at all (i.e., age verification); and second, that it takes the kind of backlash this event has generated for them to cut ties with these companies. Apparently, it is too much to ask for any corporation to even give a damn about who runs or backs another corporation that they want to associate themselves with these days.
The bigger shame is that it took Peter Thiel's name to get people outraged about this. Discord handed over their users' identifications to a third party without regard for how it would be used or secured. I don't care if it was backed by Peter Thiel or Mother Teresa - it's a huge problem either way.
And they'll do it again too. They'll find a new partner - one with less baggage - to do the exact same thing and few people will bat an eye.
Even if I disregard all the shady connections that are obviously total coincidences, it still wouldn't feel better they worked together at all. You should only partner with a company if you are 100% certain it fits.
There were a few popular Discord channels where moderators would regularly suspend or ban me. They were toxic communities that advocated for doxxing for mundane reasons. The idea that Discord moderators (even worse than Reddit mods) could have access to verified identities from Palantir related databases sounds so atrocious. Who exactly in their right minds thought this was a good idea in the first place?
discord already had 70k government IDs breached through age verification last year. their fix was handing the next batch to a vendor with 2500 files sitting on a government endpoint.
What's the point of E2E on a chatroom/channel/"""server""" that anyone can join?
Yes, I'm making (another) argument in favour of IRC. IRC has optional client-server encryption, and you can set channel modes to only allow encrypted clients access. So that way you at least prevent eavesdropping.
These guys need to spend a few million on helping them be cool because it's fucking their money up. Zuck was headed in the right direction for a minute there. Thiel and Altman are still too weird for most people. Karp is probably in the middle to me. Tasteless, sauceless, billionaires.
I guess we could all forgive trying to destroy western civilization under the guise of saving it, but drew the line at poor media literacy when it comes to One Piece and Watchmen.
It was always difficult to get normal people to understand why the tech billionaires are so bad until Thiel gave us that clip of him getting stumped by the "should humanity survive" question.
I'm forever grateful to Thiel for that clip, and to Musk for his crippling Twitter addiction. It was pretty impossible to get regular people to understand that folks like Bill Gates or Larry Ellison are skinwalkers when all they ever see about these people is professionally managed public relations content.
I used to get the occasional recruiter cold-calling me and hyping up the chance to work for some Musk- or Bezos-associated entity, and for me it's not as appealing as they think it is. But I politely decline without pointing out their fallacy.
Thiel is one of the more public faces of what is now known as the "Epstein class" of societal predators. But one of many and certainly not the epicenter.
That's fine, if not very good, but the central problem remains (ignoring the capitalist corrupted business culture and its merging with the state behind much of this). We can't centralize our communications without major concessions in significant ways that non-techies seem unaware of until a big news item like this comes out. "What, they're logging my chats, and IP, voice clips, and now they want my ID for 18+ discords?" Yes, absolutely you are being logged and those logs will go places you have no control over. Maybe even to oppress you or your loved ones.
Discord's entire value proposition was "Hey just click here, no need to pay for a teamspeak server or do peer-to-peer jank." Deeply personal stuff is said and posted in those spaces. Common communication should not be shared like this and we keep falling back to the "tapped my phone line" problem.
The difference between then and now is that for a long time there was no alternative to POTS. You just had to use the phone to call someone. The phone company and whatever government tapping was very hard to get around. But today there are other ways to do near everything if we give up on for-profit centralized services.
I think society keeps flirting with federation and other things similar to that but never quite makes the jump. The twitter exodus went back to a new centralized service like Bluesky that will one day be sold to another deep-pocketed buyer with its own agenda, thus creating this problem again. Sure, now with federation or personal servers, the privacy issue goes back to the server operator, but at least that could be someone you trust, or even you. When currently, neither of those options are possible with things like Discord or Bluesky.
I'm testing moving my friends and gaming group to self-hosted teamspeak or stout or mumble or something like that. I think we'll lose some convenience, but life isn't all about gains. Sometimes you have to sacrifice things for the greater good. I also really want to start moving away from things like reddit, bluesky, HN, etc to federated services and have dipped my toes there quite a bit, but the population isn't there (yet?).
I hope this is a wakeup call that people need, much like the wake-up call the fight against personal encryption was in the 90s. I think we're in a super bad place right now, and it's worth discussing the elephant in the room, even to non-techies, and what alternatives there are to the current system. I think people need to get over the convenience of the current system and realize if they want privacy and safety, they may have to migrate to services built with that in mind.
Everyone needs to cut ties with those companies. Not just with Persona but any service linked to Peter Thiel, Joe Lonsdale, Palmer Luckey, Elon Musk, David Sacks, etc. The entire MAGA cultist ecosystem.
Unfortunately there will be companies that take their money and won’t care. It’ll be up to other companies and consumers to punish them for it. Maybe we need a website that lets you quickly check if you should or shouldn’t use some service based on the investors.
I'm getting there. Just a few more. I've found myself kicking my not so distant past self for not listening better to my even further distant past self...
I think it's a bad trend. It's kind of a meta version of an ad hominem attack. The headline contained no information about why Discord is making the decision, only that there's a bad name associated with the company. The name of the company isn't even mentioned in the headline. This is prioritizing hate over information.
Ah man, just tried to submit this with the title "Discord cuts ties with Peter Thiel-backed SaaS once code tied to US spying found" which is slightly better I think, and fits exactly within 80 characters :)
I think the whole "after its code was found tied to U.S. surveillance efforts" part is new and wasn't known before, so feels important to have in the title too. Although most of us probably assumed it was true before too.
The government spying on what you do has been old news for 20 years. Snowden should not have been a shocking revelation to anyone but it was, and that was 13 years ago.
It's less of an "assumed it was true" and more of an "oh look another one, not shocking".
> The government spying on what you do has been old news for 20 years.
The methodology has evolved dramatically in those 20 years, what we've seen from Snowden is almost certainly obsolete in the light of new surveillance tactics. Even as a pessimist myself, I'm still routinely shocked by the lengths that American tech has been bugged.
Salt Typhoon is really the icing on this cake; "lawful" intercept turned against the state that implemented it. There are more twists left in this story no matter how jaded you might feel.
I don't think HN titles are judged by "is it true?" but rather how close the submission title is to the original title and otherwise represents the content of the submission.
I mean today I am one of the 10,000 people learning this for the first time. But it does seem like an awkward term which seems to mean “high level government official who is likely to be corrupt” or just “politician”. Don’t really see the need for this wordplay to be honest.
The referenced write-up based on the Persona front end code is here:
https://vmfunc.re/blog/persona
I definitely recommend reading this primary source before drawing conclusions about the code as most of the secondary reporting is quite low quality.
Note also there's a direct response from Persona's security team here[1], and a lot of back and forth from Rick on Twitter[2].
[1]: https://withpersona.com/blog/post-incident-review-source-map...
[2]: https://x.com/Persona_IDV/status/2025048195773198385?s=20
> About the name: The subdomain was called onyx, a reference to the Pokémon Onix (a Pokémon made of multiple boulders, fitting for a multi-node architecture). It was an informal codename chosen by the engineer. It had no connection whatsoever to Fivecast ONYX, an unrelated 3rd party commercial product previously used by ICE. We understand this coincidence caused confusion, and we address it further below.
Twitter requires login to view the replies, might use an alternative:
https://nitter.net/Persona_IDV/status/2025048195773198385
Submitted 6 days ago but flagged https://news.ycombinator.com/item?id=47059129
@dang can this get a second chance?
I read it and, maybe it’s because I’ve spent too much time in fintech, I don’t share most of the concerns.
The differences in proclaimed data retention periods are concerning though. The rest is par for the course for KYC/AML.
I agree; I didn't want to editorialize too much as I think the writeup stands on its own.
My takeaway was that in this case, even an author with a clear and extreme bias against this sort of thing could find only unfortunately-common bad practices rather than deeply nefarious intent. Of course, this is just the front-end code, but this just looks like a KYC platform to me. Most of the secondary reports on this write-up seem to completely ignore section 0x13 and jump to the specific conclusions the author does not draw.
The fact that we've created a system where Discord need and want a KYC platform is a different and quite strange thing, but the KYC platform itself just looks like what it says on the tin.
Tell me more before I doom about this too much.
Good article but the web site gave me eye and ear cancer.
Please make it actually readable and don't steal my audio!
Seems to be down for me. https://web.archive.org/web/20260220192124/https://vmfunc.re...
It's up.
And his follow up here: https://vmfunc.re/blog/persona-2
damn. why did the website steal my audio?
Some of the most interesting authors in tech on the internet have just absolute awful websites. Blinking animations everywhere, weird sounds, "cute" little javascript animations like it's 1999 again.
Yeah, come on! I'm trying to watch a video and read the article!
That was a great read, very interesting!
I am not convinced.
Teter Piel (don't want to use the other name) kind of purchased a LOT of influence power via lobbyists. One lobbyist is Sebastian Lurz (also not going to use the real name here; the letter "l" is an in-country humorous take on Lüssel, Lasser and so forth - ex-politicians). The superrich buy influence and worsen the situation for the rest of us. This has to stop. The USA is currently under direct control of them - this also has to stop. I do not buy into Discord's attempt here though - they 100% knew what they were doing. The only reason they respond in this way is because they alienated and scared their user base with their idea to sniff-invade everyone. It was never about protecting kids in the first place - it was to spy.
This refusal to use people’s names comes across as childish and distracts from your intended point.
And it diminishes search accuracy. You can publish a reasonable criticism, but if people don't see it, you're not changing minds.
To me it feels pragmatic.
I find it more concerning that mass surveillance has come to the point where someone can’t safely express their frankly-not-that-controversial opinions without obfuscating the subject’s name.
It's a useful deterrent against defenders (actual or bots) coming and drowning people out
What is he? Voldemort?
Considering the things he is directly responsible for, he might as well be.
The problem with Discord is their upcoming IPO, and reconciling the fact that their only valuable asset is their userbase - and their billions of messages - with a way to sell this asset and make it valuable to the investors in some way.
Remember the good ol' days of the last century when we worried about Big Government spying on us?
Every day someone cuts ties with Palantir's Peter Thiel (or the rest of the digital mafia), it's a good day for society as a whole.
They really should be a proscribed organization.
afaik the term "proscribed organization" is used nigh-exclusively in the imperial core, so i'm not sure how that applies here
Related: I Verified My LinkedIn Identity. Here's What I Handed Over https://news.ycombinator.com/item?id=47098245
the damage is already done though. Discord just burned years of goodwill and trust. I'm in a few discord communities and while they aren't moving I'm not looking to join any more right now because of this whole thing.
Can someone explain to me how Discord got so big in the first place, particularly for non-gaming uses?
I saw this coming a mile away when folks started ditching slack for Discord - Slack being problematic because a) it was profit-seeking and would use its leverage over your personal data to seek rent and b) it was antithetical to the open web.
Discord has the exact same two issues so was obviously not a solution.
Why did the internet en masse fall for it again?
For how it got so big, after it took over the gaming market initially it's likely network effect in action.
Discord is a centralised IM + basic forum with commercial polish.
Small communities can't afford site hosting and moderation, FOSS alternatives like Matrix are significantly inferior products. Fandom killed independent wikis, Reddit killed independent forums.
If Discord ever goes down, there will be decentralised services competing and advocating freedom until a new centralised service takes all the users for itself, just like Mastodon and Bluesky.
As far as I can tell, Discord doesn't delete history so you can join an older discord and scroll back. 99.99% of slacks that are free lose history after some arbitrary timeframe (used to be 10,000 messages, now I think it's 90 days). Plus you can connect Discord to your Steam/Playstation/Xbox account, which gamers like.
Basically dumping - they made an objectively superior product that was completely free to users, funded by investor money without any plans for immediate profitability and long term sustainability.
That was all nice for a few years, but it was clear it can't go on like this forever - and here we are.
Slack sold out, changed the deal, and threw every small group under the bus. Most of those people ended up on Discord
Yeah I was concerned back when it first started rolling out. Years later the gaming community embraced it like it was the second coming of Christ. Nobody looks at the people and organization supporting these platforms. If I remember correctly, wasn't it funded by major conglomerates in the entertainment industry?
I guess that's changing though, I see Youtubers all over the place now watching these things like a hawk. Referring to the Highguard scandal.
> Can someone explain to me how Discord got so big in the first place, particularly for non-gaming uses?
It won by simply building a vastly superior product during its growth phase.
For gamers, it replaced fragmented, clunky, or paid alternatives (TeamSpeak, Ventrilo, Mumble, Skype) with a frictionless, free app that had excellent voice quality and modern UX.
It worked so perfectly for gaming communities that non-gamers inevitably took notice, realizing it was effectively a better, free version of Slack for community building.
But that was the user-acquisition era. Now, we're seeing the classic enshittification phase.
Every other notification badge is an alert trying to sell you something. I still use it, but the product development focus seems to have entirely shifted to selling $9.99/month "blinky bullshit." I understand they have to monetize eventually, but it's exhausting.
Ultimately, it got big because for a few years, it was undeniably the best, cleanest chat client on the market. It was just relentlessly good for the user.
Whether it stays good, or follows down the Microsoft path of turning into a full-on ad-distribution network remains to be seen. But right now, despite all the crap sales, it's still pretty good... (=
To answer how it got so big: it didn't start out trying to replace Slack. It just solved an acute pain point for gamers. Skype was becoming increasingly enshittified, and people were floating between TeamSpeak, Ventrilo, and Mumble, none of which were that great. Discord captured the market because it was completely free and had the audio mechanisms in place to make people with shitty mics and background noise tolerable without forcing everyone to use push-to-talk. That’s really it. By the time non-gaming communities were looking for a Slack alternative, they just defaulted to Discord because 90% of their target audience already had the client running in the background.
Discord is a cancer on the open internet anyway.
Real time chat? Great. But entire communities, forums, and wikis moving behind the locked walls of Discord has been a disaster for information discovery.
Don't replace Discord with a similar alternative. Return to open forums and wikis!
The problem is forum UX on mobile is mediocre, and people have to create an account for each forum. Most people are using mobile devices now, like it or not, so convenience of rich text chat wins out.
You have a point, I've seen a fair share of Github projects where they asked you to join their Discord if you wanted documentation/support/tips etc.
These communities don't owe the world their information, and attention/advertisement economics destroyed the open internet on its own.
Yes. And likewise for all those other walled gardens. I shouldn't need a Facebook or a Twitter account to read what some politician wrote.
I would have agreed 5 years ago, but not this day and age, when AI is raping open source projects and killing platforms like Stack Overflow.
We need a safe space from web crawlers and surveillance, and open forums ain't it. (Neither is Discord, but a sufficiently secure alternative might be.)
Isn't it a good thing? It clearly marks companies like Persona as dangerous and toxic enough to hopefully make an example that prevents others from working with them.
I think they have been steadily losing their years of goodwill and trust over time. Their client is becoming worse and worse every release, introduced ads, etc... Typical enshittification, it could be worse, but Discord already went from being cool to being tolerable. The age verification thing is just another step on the way down.
I've exported any servers that I run as backups and plan to uninstall if I get an age verification prompt personally.
> Discord just burned years of goodwill and trust.
...not here, they never had any. it is good tech, but so is the w80 nuclear warhead, the tiger iv (for its time) and the j-35.
So does this mean Discord is scrapping its new face verification requirement for users, or imply they’re no longer using this 3rd party service (Persona) to do it? The article wasn’t too clear on that.
> So does this mean Discord is scrapping its new face verification requirement for users,
No, they’re outsourcing the verification to an external company. Just not this one.
Side note: The verification is only if you want to remove content filters, join adult-themed servers and a couple other features. If you only want to chat with your friends and use voice then no verification is required.
Well, until the upcoming batch of laws goes through classifying discussion of lgbtq people as inherently mature content. This is one half of a two part strategy by the american right to make queer content de facto illegal again without running into first amendment protections. Getting the payment processors banning "mature" content is the other leg of this stool.
As far as I am aware, "sensitive content" is blocked even in private messages. So it impacts your ability to chat with friends.
probably find out the new identity verification firm is just a shell around the Thiel company
Discord isn't scrapping its plans, just assuring people that one of the vendors they trialed in a sub-market they aren't moving forward with globally. They've been trying for a multi-vendor solution from the beginning and k-ID is the vendor they've been much more publicly happy with than Persona.
Today Discord also released a rather comprehensive (and good) recap of the plan so far, their apologies for some of their messaging mistakes, and what comes next: https://discord.com/blog/getting-global-age-assurance-right-...
(Also, most notably mentioned in that post: the global rollout is delayed in light of some of these vendor verification issues, and they are also hoping to roll out a few more features to even further lessen the need for age verification by many users. One such feature is first-class opt-in "spoiler channels", which some servers had been using age-restricted channels for, rather than opt-in roles and somewhat more complex role-based permissions.)
K-id is the vendor they were proposing which did on device processing. They were trying to downplay the initiative by saying all the k-id data stayed on device.
This was undermined by the fact they were also trialling a switch to Persona (the vendor in the story), which did not uphold that guarantee. It was horrific optics to be reassuring people that it was ok because you didn’t save data but also be trialling a switch to a vendor which did save data, which I guess is a lot of the reason this vendor switch was cancelled. (Though it does call into question discord’s judgment that they thought this was a good idea).
Anyway, Persona was also breached which is how the government links were discovered and also probably a part of this decision. This is not to be confused with the breach in November of 5CA, _another_ vendor they used in the initial UK and Australia roll outs. The fact that two vendors were breached in four months is a good example of why this is a bad idea
I don't think you can ever trust closed source software that also requires network for other features that it really does on-device processing for something specific.
It might not even send the sensitive data immediately but bundle it with other traffic once it goes online.
For anyone interested, they published the post-mortem of the referenced incident:
https://withpersona.com/blog/post-incident-review-source-map...
Thanks. I was curious if someone was going to address the weird use of “CATASTROPHIC” to describe source maps being available for front-end code. It’s already public. Minified is better for the regular user, and should be in production, but it’s like by far the least problematic thing in this article.
>Nearly 2,500 accessible files were found sitting on a U.S. government-authorized endpoint, researchers pointed out on X. The files showed Persona conducted facial recognition checks against watchlists and screened users against lists of politically exposed persons.
>Persona performs 269 distinct verification checks, including screening for “adverse media”
i'm sure everyone assumed this, but it's good to know it.
>And the information was openly available. “We didn’t even have to write or perform a single exploit, the entire architecture was just on the doorstep,”
it is kind of scary how often these types of situations are only found out because of wild incompetence. you have to imagine that most similar situations don't suffer from the same incompetence (and thus aren't known)
>“At Discord, protecting the privacy and security of our users is a top priority.
please, i wish companies would just stop saying this obvious lie. you know that you don't care. we know that you don't care.
>It’s dystopian that we want people to facedox themselves to everyone to be real online.
.... says the ceo of the company that you have to send your face ("facedox", if you will) to
That last quote, buried at the end of the article, absolutely killed me. I cannot believe he had the nerve to say that doing what he does every day.
This name is turning radioactive. Not a bad thing.
Discord? Or Thiel? Or both?
At this rate, both.
Thiel.
This does not cure the face scanning nonsense. I deleted and am not going back.
> According to Discord, only a small number of users were part of this test, in which any information submitted could be stored for up to seven days before it would be deleted.
Ah yes, we only store it for 7 days. During those 7 days, we pass it to Persona, and who knows how long they keep it!
Discord's previous statement:
> "Identity documents submitted to our vendor partners are deleted quickly— in most cases, immediately after age confirmation"
So now it's not "immediately" but 7 days? I don't know how anyone can trust any statement from these guys.
"I don't know how anyone can trust any statement from these guys."
this is the fun part, you can't!
The way I read that is Discord would delete your data, but they were taking an intentionally hands off approach to the data broker they subcontracted to identify you.
The one thing you can trust is this:
If a tech company says something to you, and they don't give you the means to verify it on your own, they are lying to you. Do not trust anything they say, ever.
Is there a problem with Peter Thiel or is their problem that somebody accidentally leaked the front end source code? The first I would understand, though I would find it silly. The second I don’t understand. Front end code is neither meant to be secret nor meant to be trusted. Who the hell cares if your users can see it?
For some reason, discord has never asked more from me than a verified email address. No phone number or anything else. Maybe I'm being monitored and they don't want to spook me off the honeypot? Half joking..
Same for me, and my account is almost a decade old. I think it depends a lot where you are from and the kind of activity, as I read stories of people being asked to register a number out of nowhere. Many servers require you to have it tho, due to spam protection. I just don't talk on those.
It’s tragic but I have the “verified” setting turned on my public server because it’s literally impossible to stop a determined spammer with the tools Discord has. They can make new accounts faster than you can ban them, and there’s no like “IP ban” equivalent
If your account is a decade old, and you registered at 13, you're now 23 and they don't need to verify you're older than 18. If you were younger than 13, they might be required to delete your account.
Each discord server can decide whether they only will allow people with a phone number on. When you hit one of those, Discord will ask you for your number.
Those require a phone for you to send messages and interact. It will ask you to 'Verify phone', but you can choose not to and stay on the server as read-only, Discord itself won't bother you about it. I am on a few like that for quite some time.
They should never have even started doing business with that labeled figure.
Like ring recently, they just try to see if the thing sticks and that pisses me off. They should have that as a starting point.
Does cutting ties with Persona actually take them out of the picture? Whomever they move to can then relay or sell data to Persona. Third party turtles all the way down. inb4 but they pinky promised...
The appropriate solution would be to send an RTA header [1] from the servers and the client must check to see if parental controls are enabled on the device or in the application. Not perfect, but likely sufficient to protect small children assuming the account is a child account and the parent enabled parental controls. Teens will always be able to bypass controls whether local or third party. Teens can share porn, warez, movies and more in rated-G video games with one another and small children. Or over SFTP/FTP/P2P/S3/HTTPS. Or a million other ways. Have fun playing whack-a-mole.
[1] - https://news.ycombinator.com/item?id=46152074
what is such a shame is, well, two things: first, that these companies even do this kind of thing at all (i.e., age verification); and second, that it takes the kind of backlash this event has generated for them to cut ties with these companies. Apparently, it is too much to ask for any corporation to even give a damn about who runs or backs another corporation that they want to associate themselves with these days.
The bigger shame is that it took Peter Thiel's name to get people outraged about this. Discord handed over their users' identifications to a third party without regard for how it would be used or secured. I don't care if it was backed by Peter Thiel or Mother Teresa - it's a huge problem either way.
And they'll do it again too. They'll find a new partner - one with less baggage - to do the exact same thing and few people will bat an eye.
Even if I disregard all the shady connections that are obviously total coincidences, it still wouldn't feel better they worked together at all. You should only partner with a company if you are 100% certain it fits.
Right, and in June they'll try it again. Small setback.
Early 2024 if you had speculated about Persona's broader goals you would have been called nuts. It has become increasingly obvious though.
Who IS still using this verification software?
Good question. Quite a few, publicly. https://withpersona.com/customers
Ooof. So no more OpenAI, Twilio, Lime, Square, ...
Is this the same provider that LinkedIn uses? I was never able to pass this successfully.
Do you resemble a Moldovan Finance Minister?
I am not sure since I don't know how the Moldovan Finance Minister looks.
There were a few popular Discord channels where moderators would regularly suspend or ban me. They were toxic communities that advocated for doxxing for mundane reasons. The idea that Discord moderators (even worse than Reddit mods) could have access to verified identities from Palantir related databases sounds so atrocious. Who exactly in their right minds thought this was a good idea in the first place?
discord already had 70k government IDs breached through age verification last year. their fix was handing the next batch to a vendor with 2500 files sitting on a government endpoint.
Matrix works. You don't need Discord.
So what? They'll just outsource it to somewhere else.
Only question is who's going to lose the data first, Discord or the subcontractors?
Too fucking late, eat shit Discord. We’re all moving to E2E encrypted platforms.
What's the point of E2E on a chatroom/channel/"""server""" that anyone can join?
Yes, I'm making (another) argument in favour of IRC. IRC has optional client-server encryption, and you can set channel modes to only allow encrypted clients access. So that way you at least prevent eavesdropping.
I just nuked it and didn’t replace it. Bloated piece of shit full of misery.
We decided to just meet up in person twice a month and play board games instead.
where we definitely will not be moaning about the same thing in 18 months time
Joke's on you, once I finish setting up my P2P tin can network I'll be invisible.
Finally
Do not believe them.
What the hell does Discord need identity verification for in the first place?
“For The Children”!
These guys need to spend a few million on helping them be cool because it's fucking their money up. Zuck was headed in the right direction for a minute there. Thiel and Altman are still too weird for most people. Karp is probably in the middle to me. Tasteless, sauceless, billionaires.
I'm glad to see "Peter Thiel-backed" becoming a widely-recognized epithet.
I guess we could all forgive trying to destroy western civilization under the guise of saving it, but drew the line at poor media literacy when it comes to One Piece and Watchmen.
(This is a joke in case that wasn't clear)
It was always difficult to get normal people to understand why the tech billionaires are so bad until Thiel gave us that clip of him getting stumped by the "should humanity survive" question.
I'm forever grateful to Thiel for that clip, and to Musk for his crippling Twitter addiction. It was pretty impossible to get regular people to understand that folks like Bill Gates or Larry Ellison are skinwalkers when all they ever see about these people is professionally managed public relations content.
it's all a fuckin' joke
I always explain it to recruiters contacting me from one of his companies.
I used to get the occasional recruiter cold-calling me and hyping up the chance to work for some Musk- or Bezos-associated entity, and for me it's not as appealing as they think it is. But I politely decline without pointing out their fallacy.
it is truly amazing how much damage one person is able to do to civilized society
if you expand the scope to a handful of adjacent figures, the catastrophe is truly amazing
Maybe a society that can be so damaged by someone because they're incredibly wealthy shouldn't be considered civilized.
yeah, this is what unchecked wealth gives you. yay capitalism.
Thiel is one of the more public faces of what is now known as the "Epstein class" of societal predators. But one of many and certainly not the epicenter.
I’m hearing this a lot but never with any substance, would you care to elaborate with a hard action or idea with a direct result?
That's fine, if not very good, but the central problem remains (ignoring the capitalist corrupted business culture and its merging with the state behind much of this). We can't centralize our communications without major concessions in significant ways that non-techies seem unaware of until a big news item like this comes out. "What, they're logging my chats, and IP, voice clips, and now they want my ID for 18+ discords?" Yes, absolutely you are being logged and those logs will go places you have no control over. Maybe even to oppress you or your loved ones.
Discord's entire value proposition was "Hey just click here, no need to pay for a teamspeak server or do peer-to-peer jank." Deeply personal stuff is said and posted in those spaces. Common communication should not be shared like this and we keep falling back to the "tapped my phone line" problem.
The difference between then and now is that for a long time there was no alternative to POTS. You just had to use the phone to call someone. The phone company and whatever government tapping was very hard to get around. But today there are other ways to do near everything if we give up on for-profit centralized services.
I think society keeps flirting with federation and other things similar to that but never quite makes the jump. The twitter exodus went back to a new centralized service like Bluesky that will one day be sold to another deep-pocketed buyer with its own agenda, thus creating this problem again. Sure, now with federation or personal servers, the privacy issue goes back to the server operator, but at least that could be someone you trust, or even you. When currently, neither of those options are possible with things like Discord or Bluesky.
I'm testing moving my friends and gaming group to self-hosted teamspeak or stout or mumble or something like that. I think we'll lose some convenience, but life isn't all about gains. Sometimes you have to sacrifice things for the greater good. I also really want to start moving away from things like reddit, bluesky, HN, etc to federated services and have dipped my toes there quite a bit, but the population isn't there (yet?).
I hope this is a wakeup call that people need, much like the wake-up call the fight against personal encryption was in the 90s. I think we're in a super bad place right now, and it's worth discussing the elephant in the room, even to non-techies, and what alternatives there are to the current system. I think people need to get over the convenience of the current system and realize if they want privacy and safety, they may have to migrate to services built with that in mind.
Peter Thiel Integration (PTI) halted
The (PTB) Peter Theil Be
Everyone needs to cut ties with those companies. Not just with Persona but any service linked to Peter Thiel, Joe Lonsdale, Palmer Luckey, Elon Musk, David Sacks, etc. The entire MAGA cultist ecosystem.
Unfortunately there will be companies that take their money and won’t care. It’ll be up to other companies and consumers to punish them for it. Maybe we need a website that lets you quickly check if you should or shouldn’t use some service based on the investors.
I'm getting there. Just a few more. I've found myself kicking my not so distant past self for not listening better to my even further distant past self...
Which is pretty much everything at this point... God help us.
Why should there be mass hysteria over Soros-backed entities? What entities are those?
I think it's a bad trend. It's kind of a meta version of an ad hominem attack. The headline contained no information about why Discord is making the decision, only that there's a bad name associated with the company. The name of the company isn't even mentioned in the headline. This is prioritizing hate over information.
Having the name associated with the company says a lot, actually. The man is the Forrest Gump of backing creepy companies.
Ah man, just tried to submit this with the title "Discord cuts ties with Peter Thiel-backed SaaS once code tied to US spying found" which is slightly better I think, and fits exactly within 80 characters :)
I think the whole "after its code was found tied to U.S. surveillance efforts" part is new and wasn't known before, so feels important to have in the title too. Although most of us probably assumed it was true before too.
> once code tied to US spying found
New and also should be the big story.
"Butcher cuts ties with supplier when steaks found to be human meat" shouldn't be a story about changing suppliers ...
> "after its code was found tied to U.S. surveillance efforts" part is new ... Although most of us probably assumed it was true before too.
This makes me feel VERY old.
641A: https://en.wikipedia.org/wiki/Room_641A
Retroactive telecom immunity: https://www.eff.org/press/archives/2008/10/17
The government spying on what you do has been old news for 20 years. Snowden should not have been a shocking revelation to any one but it was, and that was 13 years ago.
It's less of an "assumed it was true" and more of an "oh look another one, not shocking".
> The government spying on what you do has been old news for 20 years.
The methodology has evolved dramatically in those 20 years, what we've seen from Snowden is almost certainly obsolete in the light of new surveillance tactics. Even as a pessimist myself, I'm still routinely shocked by the lengths that American tech has been bugged.
Salt Typhoon is really the icing on this cake; "lawful" intercept turned against the state that implemented it. There are more twists left in this story no matter how jaded you might feel.
Is this actually a thing that is true?
I don't think HN titles are judged by "is it true?" but rather how close the submission title is to the original title and otherwise represents the content of the submission.
You might email @dang and request a title change. hn@ycombinator.com is the email address.
That would have been a better title, I agree.
Why was the title changed from its original that mentioned it's owned by Peter Thiel?
Because it's clickbait. The company has several major VC investors, and Thiel is one partner at one of them.
> politically exposed persons
I do not know what this euphemism means. Is this like the modern trend of calling inmates “justice involved individuals”?
it's not some new/modern trend just because you have not seen the term. it's been a term for nearly 3 decades.
https://en.wikipedia.org/wiki/Politically_exposed_person
I mean today I am one of the 10,000 people learning this for the first time. But it does seem like an awkward term which seems to mean “high level government official who is likely to be corrupt” or just “politician”. Don’t really see the need for this wordplay to be honest.
Translate: People who are likely to be attacked by (Putin|Orban|Erdogan|Trump) or similar.
Apparently that’s not what Wikipedia defines it as. More like potentially shady high level government official.