Potential Large-scale breach of privacy on Discord from a community bot

errrr....it was permitted access. Also your claim that within discord there is an ability to create separate channels and allow certain peeps to join there by being "private". While I appreciate you consider that "private". Legally, it's about as private as being in a public park and going to the far corner of the park to have a private conversation. That doesn't provide you legal protection of privacy, and would be foolish to sincerely believe such a place is legally private.

There's a notion of spying by the backdoor here.

Sure if you're savvy with it, and it's fine you calling people naive because you obviously know best. But players do not expect community built tools to be silently leeching all communications wherever this app is and archiving it for the person who built the app to read and trawl at their leisure.

It's pretty underhand and it's pretty disgusting to be quite honest about it.
 
For the record, I used to be a moderator on UKChatterbox, at the time, the biggest independent chatroom in the UK.

There was a botscript back in the day, called mspy, specifically designed to log chats in chatrooms, but also to store private/direct messages. The intention was for IRC server hosts to maintain security for users in case of harassment, or child abuse. Unfortunately, it was also deemed to be illegal due to privacy laws. So its use was officially discontinued.

However, there was no law that said channels could not be stored, so that continued.

That changes with an EU regulation, which can be found here: ec.europa.eu/justice/data-protection/data-collection/legal/index_en.htm

In a nutshell, unless there is a LEGITIMATE reason OR CONSENT has been given for storing data given by a person, then it is illegal under EU law. Specifically, the Data Controller needs to be identified in this case. I don't know if the owners of Discord, the channel admins or the person using the bot are ultimately responsible, and that's above my knowledge of law. However, I DO know that, back in the days of the IRC chatroom I mentioned, because there were under-13s involved in one of the rooms, the server admins were ultimately responsible for any personal data that might have been collected.

The use of a bot, on a channel, willingly or not, that data mines and transmits potentially personal data to a 3rd party is very likely acting illegally, and I am assuming the server admin will be the one responsible for running it.
 
@Kaltern, technically, I completely agree.

But what is the 4% of global revenue of no revenue at all? That is, what would be the punishment?

And who actually would be liable? I'd argue it is the admins of the channels that _ran_ the bots and gave it the permissions it wanted! After all, they essentially gave the consent, and jeopardized their users, who did not.

(Don't worry, the Eurofeds are not going to go after the admins, either)
 

It only takes ONE person to make an official complaint regarding this breach to cause major problems. The amount of potential money gained is irrelevant when it comes to privacy. I believe any prosecution would have to look at intent as well, and I believe here, unless there is concrete proof that any admin was involved in potential gains, that any case would likely be dropped, with maybe fines handed out - however, IANAL so I'll let someone more versed in online law sort that out :D

ATEOTD all bots should be 100% trusted and tested before use. Otherwise it's dangerous, period. Extreme case; what if this bot were used in an anti-Islam chatroom, and names/facebook/twitter handles were passed on to be used for Very Bad purposes... see the issue here?
 
Personally, I love scammers and all those thieving morons. I leave my cell phone on all the time - I broadcast false data.
I fill out all the questionnaires - with false data.
I give out "my" address - it happens to be the local prison.
I give out "my" phone number - it rings the desk of a Secret Service agent I've known for decades.
I don't run a firewall on my public IP - I want you to steal all my fake information - it's all tied to accounts monitored by various agencies - both local and INTERPOL. It's great.

Human Honeypot - have all the data you desire.

Data has grown itself to be an interesting commodity for the past decade, it can and will be used as an illegal trade, nonetheless very similar to organ theft, data is sold on the black market not just to hundreds of thousands of advertising companies, the data could be collected by the company you work for so they can analyze your personality and behavioral patterns to properly exploit and manipulate you at the right time, in and out of workplace property. It seems almost apparent that data is more vital than perhaps crude oil now--We're simply in the middle of a physically-nonviolent, third world war where the biggest resource is intelligence and data.

There are a few ways to spot that your data is being collected without your consent;

Do you ever walk past a digital advertising sign and the screen advertises something you're interested in?

Does your phone ever get rung by telemarketers during times of the day that you're relaxed and not busy doing anything?

Say you're relatively new to a job, does your supervisor and/or manager talk to you in such a way as if he/she knows you?

Don't answer them here of course, in your head instead. And get ready to hear a joke: Make sure you flip the bird at any black dot you see in the bathroom while you're on the toilet.
 
Hows about some in-game tools for comms and organisation, Fdev? :)

Hardly going to happen, for the exact same reason being discussed, as Frontier would be held accountable for any data protection leakage. It's a sad world we live in, but we do, nonetheless. (this is why I loathe and detest Facebook, as you automatically give your consent for your personal data to be used as they see fit when you originally sign up....)
 
That's not the reason, since they already collect such data from the limited tools already there. It's because they save dev time and dollars by farming out work to the community.
 
EXACTLY!!!! and no reasonable person would have.

I recall a court case in the late 80's where a stock broker was discussing trades on a public phone while on lunch break. While walking back to his office, another broker overheard the first's conversation, and made a killing by beating the originator to the 'punch'. The court saw this as a breach of privacy because the originator had been speaking in hushed tones (admitted to by the defendant) and ruled that by doing so he expected a level of privacy.

Adjust for times, and any member of a discord channel that didn't install said bot would reasonably expect that the server's owner had vetted the bot well enough to expect a reasonable amount of privacy. So in reality it would be a fault of both programmer and server owner/admin.

The definition of 'reasonable' when in the realm of the law normally means 'the public norm' and not common sense ergo most people would expect privacy while on a subway (tram/tube) platform yelling into their cellphone standing among a crowd of 5 thousand people.

Disclaimer* As I mentioned I use neither discord or teamspeak nor am I a lawyer or in the field of justice in any way, shape or form. Just playing devil's advocate because my gaming computer is down for cleaning. [alien]
 
Oh look the thread is back!

In any event, could someone explain in a one-liner why this is so important? Surely any rights to privacy on a discussion forum on the internet is barely tenable at best?

Seriously?

A party to a discussion (whether by telephone, chat or some other means) has the right to know whether the discussion is being recorded, who will have access to the information and how it will be used. In many countries this activity would (not may) be illegal without the express consent of the party. EDIT - The fact that many web sites hide this in the small print or are vague about those rights is beside the point.

So you should thank the OP for bringing it to light.
 
Oh look!
A storm in a tea cup, bet that's worth scanning, I hope it's terraformable.

What we are really talking about is people who provided something for free to fellow game players, that was probably poorly coded to read from a text file rather than memory cos it was easier, and who failed to delete old logs of chat about a game, and now they are a threat to our very way of life! Has anyone checked if they are Russian yet?
 
How is it a breach of privacy?
If you are writing in a Discord Channel, you have to expect that anyone and everything with access to that channel can see what you're writing.
Why would you be concerned that a log of your messages was being kept? Hell the entire discord channel is a log of your messages and you can scroll back as far as you want.

I don't see what the concern is. There is always a permanent record of everything that happens on the internet.
You should never have considered anything written in discord to be private.

Of course technically any number of parties (Discord, human members, the bot's author, various intelligence agencies) can read or leak the information from a "private" chat without you technically being able to prevent it, so one shouldn't make any assumptions about its absolute privacy. However, discussing things about a game may be sensitive within the context of that game, but not so much outside the game, so Discord is entirely fine for the level of privacy required for a player group's internal discussions about the game. Also, just because technically there isn't absolute privacy it doesn't mean that it's unreasonable to expect some good-faith effort to not leak it outside the intended audience…

In this case it seems that at least the bot's author has betrayed the trust of others, and it might be that the bot's "terms of use" would have needed to inform its users about the logging. Yes, it may be naive to trust a bot run by another player group, but it's still a breach of privacy: even if it were known that the bot technically has the capability to spy on the channels it's in, that doesn't mean it's ok for it to do so. As an analogy, your e-mail provider can technically read your e-mail and you should encrypt your really sensitive e-mails (or not send them over the internet in the first place), and is running software that technically must "read" your emails, but it doesn't mean it's ok for their CEO to read them personally, and it would still be a breach of privacy if he were caught doing so.
 
If I need to talk about finances or some crucial things with my wife we are doing it in the car with all cellphones turned off, inside of a tunnel. I am not joking.

Make sure your car doesn't have a sat nav unit and/or doesn't have OnStar. And make sure the back of your rear view mirror doesn't have a camera lens and sound recorder.
 
Exactly, or for that matter use the information for some other purpose.
 
Do what I do... just assume the whole world is able to read anything on discord (and similar services), in any channel, at any time.

it's the safest way, short of nuking it from orbit.
 
If you give something 'read' privileges, by definition it is gathering information. Logging chat streams as a function of fulfilling what a bot does is fundamental to how things work.

The only issue is how long logs are retained, yes?

Well you can add 'did they tell anyone' and 'why were they really doing it' to the list. Also, mindlessly logging potentially sensitive data for no good reason is not really acceptable IMHO.
 
not one person has mentioned that a normal human user can also record the info "secretly".....there is no law against doing things secretly in public

Varies by jurisdiction. There are many US States where single-party recordings can't be used as evidence in court cases and may or may not be illegal on their own (not a lawyer, etc). You can have a conversation with someone else, but as soon as it comes to recording it, both parties have to be okay with it.

The legality here may be grey at best (does The Bot count as the owner in terms of "being allowed to view chat"? Should The Bot be allowed to write down conversations that go through it? If so, what data protection laws apply?), but I don't think the morality is at all in question-- recording the logs in the first place was problematic, but actively searching through them, let alone sending them to third parties, is beyond the pale.

Hopefully everyone associated with Palcon (the bot and the organization) takes a long hard look at where they stand on this and chooses their affiliations accordingly. This doesn't seem to be just "some guy in Palcon", the bot in question was written and run by the leader of the faction. The entire officer structure was probably complicit in this, by using the take of a spy program and not saying anything to anyone about it. It's outside of FDev's "actual" jurisdiction and the ToS, probably, but I hope they make an exception in this case and ban them outright.
 
There's no issue with a Discord bot being on a Discord channel.

There's a definite issue if said bot also sends all chat logs to some receiving server, without the knowledge of the people who invited that bot onto their Discord server. There is especially an issue if said bot is allowed access to a private/sensitive Discord channel.

Don't drop your credit card number into Discord chat. Other than that I don't think I've said anything important on that app.

I can only imagine what a bot might be scraping off this forum right now? :p
 