
Thread: Potential Large-scale breach of privacy on Discord from a community bot

  1. #1

    Potential Large-scale breach of privacy on Discord from a community bot

    It appears there may have been a major violation of the privacy of the Elite:Dangerous community, through the actions of a group known as the Paladin Consortium.
    The PalCon bot, which has been (and continues to be) used on "[...] 30+ Discord servers and 240+ channels"[1] has been gathering information from every Discord channel to which it has been given 'read' privileges. It has been doing so without the knowledge or consent of other server owners, and of the members of those groups; the only people aware were the members of the PalCon Council (as the details of the bot were apparently mentioned several times in there), and from what I understand only higher PalCon members had access to the 'take'.

    If you are on a server with the bot, you should ban it immediately or cage it in an IFF room for that function only. It will very likely disappear shortly.
    While I was myself for a time a proud member of Paladin Consortium, I am extremely glad that I was never promoted to any higher position in which I might have been exposed to this - and subsequently been obliged to do as I am doing now. This information came through CMDR Dutch Foster, who was given a copy of a fragment from a csv file to which PalCon bot output its data. If possible, the file will be made available here and on the Frontier forums. I should make it clear at this point that there is NO REASON TO ASSUME that any person outside the PalCon Council was in any way complicit: the only people who could possibly have been aware of this occurring were those with Council access, and even that is not entirely certain (as messages may have been missed, and to my knowledge the vast majority of them were not granted access to the take from the bot).
    What you will see in the csv file is only a small portion of the take, over a short period of time, which shows a search for instances of the word 'dutch'. If you are/were a member of a Discord chat in which this bot was present, you may safely assume that anything and everything you have said in that chat was similarly recorded, and is accessible to the executive of Paladin Consortium.

    The intention for the future of the bot was that it be expanded into an app, which would have access to your PC. Whether the data capture would be acknowledged at this point, none can say - but it suffices to say at this point that none of the server owners were aware of PalCon's capabilities until very recently.
    So, what comes next? I can't say. We are leaving this in the hands of Frontier, Discord, and the community: I know that others have been in contact with members of the Frontier team; I contacted Discord's privacy and security team last night/today; and obviously, you are now all being made aware.

    We have CMDR Dutch Foster to thank for exposing this when it came to light, and an anonymous source within Paladin Consortium to thank for providing supplementary intel.
    Again, to be clear: very few people actually knew about this until now. This was done for several reasons: we wanted to protect those involved from potential attack before we had a chance to release the information, as well as to contain whatever damage might be caused as a result, and to control its release as much as possible. As I am posting this, some members of other groups are no doubt informing members of their discord servers. I hope the community will forgive we few who had access to this knowledge before them for waiting as we did (rest assured, it was not for long) before informing the community at large. The few days allowed us the chance to gather as much information as possible, coordinate our release, and let Dutch say his farewells (as he fully expected to be hunted to the ends of the earth for this). PalCon is by no means a small or insignificant group, and I fully realize that by stepping out as I have I will probably become the primary target for any future aggression. This is, however, something I willingly accept. My actions are not representative of any organization within the E:D community, and any fallout from this may safely be directed back at me - if you want someone to come after, direct your anger toward me. Please refrain from searching out other groups to which I may have been a member, as they have no part in my words or actions here.

    I encourage you not to withdraw from the community as a result of this: those who acted did so alone, and by no means represent most of the Discord-based community. Again, the majority of their members are entirely without blame, having no knowledge of this information and themselves being victims, similarly recorded without their knowledge or consent. Most people you will encounter are worthy of your trust, Paladins included.

    To conclude, I wish to convey the personal hurt and deep disappointment of myself, of those others who have become involved, and of those on whose behalf I have decided to bring this information forward here.

    [1] The images from the Paladin Inn detailing PalCon's current access and future plans for the bot, as well as a screenshot of the csv file, are available here: http://imgur.com/a/5wn3u

    A censored version of Dutch's original message to Delmonte is here: https://cdn.discordapp.com/attachmen...Untitled-1.jpg (The word 'Dutch' has been blanked out, as at the time there was concern for his safety and privacy)

    As a final note to Paladins who may be orphaned by this: there will, I have no doubt, be a place for you to go. Please keep an eye out; you're all in the same boat, but you were betrayed just as much as the rest of us - if not more so. Go forward knowing this was not your fault.

    (The csv file has been converted to xml to upload here. It has been attached to this post.)

  2. #2

  3. #3
    Hunted to the ends of the earth? Say his farewells? Orphaned? Anonymous sources? As someone who barely knows how to use Discord, can anyone provide a bare-basic tl;dr?


  4. #4
    What, and you think that Google et al. are not spying on you as well?

    Best unplug from the internet .. destroy your phone .. don't go outside (facial recognition) nor drive your car (number plate recognition) ...
    I don't like ED atm, so "I guess I'm just one of those entitled tosspots"

    [Basic Network 101 Guide for ED] [Menu logging is legitimate] [SomaFM] [No Mans Sky] [One punch man]

  5. #5
    Thank you for changing the text colour. It looked like it had been reproduced from Disaster Area's Stuntship.

  6. #6
    Statement:- I have been asked to speak as a neutral party about the Elite PalCon Bot used to identify Friend or Foe.
    I did NOT discover this nor am I taking any credit for this information.
    Many people have no knowledge of this and only a select few should be ashamed of their actions.
    Facts:-
    The PalCon bot is recording chat messages in specific channels in any Discord server it is being used in. If you have this Bot installed I suggest you BAN it from your servers.
    If it is kept in its own channel in isolation it seems to be ok; otherwise it is recording ALL OF YOUR CHAT HISTORY, this is then available to a select few as a searchable database.
    This breaches UK Data protection laws (and probably many others around the world).
    The Forge is one Discord where it was used extensively, this is a place for good and not harm, the insidious operation of the Bot was NOT known to the leaders of this Discord.
    I have seen copies of some of this data, including data taken from our Canonn Discord from rooms used by our moderator teams. I am frankly disgusted by how this Bot has been abused.
    This is no ‘accident’ it was a deliberate attack on our rights to privacy.
    Evidence :-
    A good man released this information to me, knowing full well he would no longer be able to play as part of his favourite group, or even be in Game without harassment; for that he has my utmost respect.
    I have more but will NOT share it publicly, but it is in the hands of those who need it.
    CMDR Dutch
    We have a very serious problem, and if Palcon leadership were to ever find out this info came from me, I would probably have to disappear from the community entirely. It might already be too late.
    Palcon bot has the capability to capture what people are saying, and Palcon leadership can pull this information into a .csv file and read through it. I have seen one of these .csv files and it did contain messages from #officers_mess (Canonn Moderator channel). I give you my word, had I known about that bot's spying ability, I would never have suggested bringing it into the discord. I learned about this after Palcon leadership gave me evidence of a misinformation campaign against me and The Forge and I did my own investigating. My name keeps coming up in different discords, some of them being very secretive. These were places where Palcon has no members, but they have the Palcon bot. The .csv file I saw was of every mention of my name or someone saying Dutch going back to February.
    The bot's spy capabilities are minimized if it is cornered in its own chats, places like a bot room where normal conversations don't occur. It shouldn't be able to capture anything if it doesn't have read, read history, and post perms. I sifted through that .csv file for a long time, checking over where it could get stuff out of the Forge chat. Any channel that had the denial of permissions did not show up. Just like Canonn's officer's chat, The Forge's council chat is also compromised.
    Ships - Anaconda "Lapsed Pacifist" Corvette "Fringe Element" & my trusty Python "Nervous Energy"
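
Added example, not part of any post in this thread and not code from the bot: a Python audit of which channels a bot account can read, following Discord's documented order for permission overwrites (@everyone, then roles, then the member itself). It illustrates the advice above about confining the bot to its own room; the guild layout, IDs and channel names are constructed.

```python
# Added example. Permission bit values follow Discord's documented flags;
# the guild, role IDs and channel names are constructed for illustration.
ADMINISTRATOR, VIEW_CHANNEL = 1 << 3, 1 << 10
SEND_MESSAGES, READ_MESSAGE_HISTORY = 1 << 11, 1 << 16

def channel_permissions(guild, channel, member_id, role_ids):
    """Effective permissions of one member (here: a bot) in one channel."""
    perms = guild["roles"][guild["id"]]        # @everyone role uses the guild ID
    for rid in role_ids:
        perms |= guild["roles"][rid]
    if perms & ADMINISTRATOR:                  # administrators bypass overwrites;
        # return every bit this audit checks
        return VIEW_CHANNEL | SEND_MESSAGES | READ_MESSAGE_HISTORY
    ow = channel["overwrites"]                 # id -> (allow, deny)
    allow, deny = ow.get(guild["id"], (0, 0))  # 1. @everyone overwrite
    perms = (perms & ~deny) | allow
    r_allow = r_deny = 0                       # 2. role overwrites, merged
    for rid in role_ids:
        a, d = ow.get(rid, (0, 0))
        r_allow |= a
        r_deny |= d
    perms = (perms & ~r_deny) | r_allow
    allow, deny = ow.get(member_id, (0, 0))    # 3. member-specific overwrite
    return (perms & ~deny) | allow

def readable_channels(guild, member_id, role_ids):
    """(channel name, can read history) for every channel the member can view."""
    found = []
    for ch in guild["channels"]:
        p = channel_permissions(guild, ch, member_id, role_ids)
        if p & VIEW_CHANNEL:                   # without it nothing can be read
            found.append((ch["name"], bool(p & READ_MESSAGE_HISTORY)))
    return found

EVERYONE = VIEW_CHANNEL | SEND_MESSAGES | READ_MESSAGE_HISTORY
GUILD = {
    "id": "100",
    "roles": {"100": EVERYONE, "200": 0},      # "200" = the bot's own role
    "channels": [
        {"name": "general", "overwrites": {}},
        {"name": "moderators", "overwrites": {"100": (0, VIEW_CHANNEL)}},
        {"name": "council", "overwrites": {"900": (0, VIEW_CHANNEL)}},
        {"name": "iff-bot-room", "overwrites": {"100": (0, VIEW_CHANNEL),
                                                "200": (VIEW_CHANNEL, 0)}},
    ],
}

if __name__ == "__main__":
    for name, history in readable_channels(GUILD, "900", ["200"]):
        print(f"bot can read #{name} (history: {history})")
```

In this constructed layout the bot still reads "general", because it inherits @everyone's permissions wherever no overwrite denies them; only channels with an explicit deny for @everyone or for the bot itself drop out of the list.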

  7. #7
    So not only did palcon screw up with how they ran PAC, they have been actively spying on other groups. Juicy.

  8. #8
    Something just happened, that much is clear.

  9. #9
    If this is true, those responsible should be tarred and feathered.

    This is unethical behavior at the best of times and it only makes it worse that any possible use was inane and trivial.

  10. #10
    Originally Posted by sataris:
    Juicy.
    I know right .. such drama !

    However, it's a witch hunt thread ...
    I don't like ED atm, so "I guess I'm just one of those entitled tosspots"

    [Basic Network 101 Guide for ED] [Menu logging is legitimate] [SomaFM] [No Mans Sky] [One punch man]

  11. #11
    Wow. Just wow. Thanks for bringing this to light. I'm interested in hearing a response from those responsible.

  12. #12
    Originally Posted by biot:
    Thank you for changing the text colour. It looked like it had been reproduced from Disaster Area's Stuntship.
    Do you think it uses Heat Sink launchers when it does its sun dives?

  13. #13
    Will this affect my tax.
    .
    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
    My God, it's full of stars!

  14. #14
    Originally Posted by Liqua:
    What, and you think that Google et al. are not spying on you as well?

    Best unplug from the internet .. destroy your phone .. don't go outside (facial recognition) nor drive your car (number plate recognition) ...
    Defeatist talk. There are ways and precautions you can take to be literally invisible on the net. Research it. Get a phone without wifi or net, no smart phone, they're safe. Going outside is fine and driving the car isn't an issue unless you actually commit a crime. One does not have to have a car. Walk, take a bus, cycle with headgear and mask or don't always go to the city centres (where most surveillance takes place).

  15. #15
    Originally Posted by Sindri Arcturus:
    [...] has been gathering information from every Discord channel to which it has been given 'read' privileges. It has been doing so without the knowledge or consent of other server owners, and of the members of those groups [...]
    If you give something 'read' privileges, by definition it is gathering information. Logging chat streams as a function of fulfilling what a bot does is fundamental to how things work.

    The only issue is how long logs are retained, yes?
