Why Discord might not be the best place to start a diverse community
Security, privacy, server hijacking, expiring server invites, and safety
When I first started my online community for early-stage web developers, I wanted to find a platform that was familiar to most people and where most people already were. People already have so many accounts on so many platforms that I did not want to require someone to sign up on yet another one.
After doing some research and through personal experience joining multiple Discord servers for programming-related topics, I decided to go with Discord.
I still think Discord has a lot of potential. Recent updates to the moderation tools built into Discord also hold a lot of promise. With that said, Discord is not a platform for everything and everyone, and I have some reservations about the platform in general after some recent revelations (recent to me, anyway).
I hope you find this helpful!
Safety
You cannot build a healthy community when people do not feel safe. As mentioned, the moderation tools in Discord have continued to improve since the introduction of Auto-mod. Discord also has a number of resources collectively called the Discord moderator academy.
With this said, Discord has not always had these tools, and these needs had to be filled by bots. This also means that many Discord servers did not have any moderation to speak of. Another problem is that direct messages on Discord are open by default (learn how to disable this).
As a result, many women and LGBTQ+ people have not and do not feel safe on Discord. Also, some neuro-diverse folks find Discord tough because of all the common bells, whistles, and popups on Discord. Discord does allow a user to turn on reduced motion, but this is not part of Discord’s onboarding experience and is left to server owners who may be as new to Discord as their community members.
Having direct messages off by default and highlighting the accessibility features during a new user’s onboarding will be very helpful. Something else that is critical is having and enforcing a code of conduct. While it is part of the community server guidelines, an easy-to-access community checklist like the one on GitHub would be a welcome addition.
Privacy
Two news stories you may or may not have heard about are the leak of the Pentagon papers on Discord and privacy concerns related to Discord’s AI features. Both are concerning, but what some people, including myself, are asking is, how does the stance of the Pentagon, NSA, and others change now that Discord has been shown to be a weakness in their monitoring arsenal?
As with many things, it is not about having something to hide; it is about how a person changes when they assume they are being watched (tangentially related is an article about people being monitored at work). There is also the case where, depending on where you live, being known as part of the LGBTQ+ community can result in a death sentence.
Discord’s change to usernames
Depending on how you look at it, the username change debacle could be much ado about nothing or open up yet another challenge for moderators. It is telling that Discord very recently introduced a new AutoMod feature to block undesired usernames called “Block Words in Member Profiles.”
Other than people using undesirable words in their username, if you read the post linked to above, depending on your place in the VIP hierarchy, the username you wanted or had could already have been claimed. How do you know that a user with the name MrBeast is the real MrBeast? Will Discord introduce a blue checkmark? What if you are not well-known, but your username is part of your personal brand?
Some related and additional concerns are raised in this Reddit thread.
The Discord expired invites attack vector
The most recent topic I learned about is that expired Discord invite URLs can be used as an attack vector to impersonate and take over another Discord server. The tl;dr (too long; did not read) is that an attacker tracks down an expired Discord server invite (these default to expire in 7 days, although I have also seen them expire in 24 hours by default), and with this in hand, spins up a new Discord server.
There are many ways to find expired Discord invite links, which I will not dig into here.
To unlock the custom server invite link, the server must either be a Discord partner server OR be boosted to level three. Once unlocked, the server admin can use the expired invite as the custom server invite URL. When someone clicks on the invite, they are directed to the impersonating server and exposed to data breaches, information leaks, and much more.
This came from a report on HackerOne. Here are some more related articles.
https://www.vauld.com/insights/baycs-discord-server-hacked-again/
https://www.theblock.co/post/145432/opensea-discord-account-hacked-to-promote-scam-nft-pass
This is especially prevalent in the crypto space, but nothing stops it from happening to any server where the potential value of tricking users is high enough. If you run or moderate a Discord server, you can see the list of existing invites, expired, about to expire, and those set to never expire by going to Server settings > Invites.
You can now also pause invites instead of deleting them from the dashboard. As part of researching these topics, I also discovered this important note at the bottom of the Invites 101 page on Discord.
The last tidbit of information to know is that each individual channel, whether it's a voice channel OR a text channel, has its own settings for invite links. This means that even if you adjusted the #general text channel invite settings, they will not transfer over to any of your other channels!
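As an added example (not part of the original post and not Discord tooling), here is a defender-side check that compares invite links published on your own pages against your server's invite list and flags links that have expired or are about to. The field names `code`, `max_age` and `created_at` are modelled on Discord's invite metadata; the invite list, page text and dates are constructed sample data.

```python
import re
from datetime import datetime, timedelta, timezone

# Invite codes in discord.gg/<code> and discord(app).com/invite/<code> links.
INVITE_RE = re.compile(r"discord(?:\.gg|(?:app)?\.com/invite)/([A-Za-z0-9-]+)")

# Constructed sample data: the server's own invite list (max_age in seconds,
# 0 = never expires) and text from pages the community has published.
INVITES = [
    {"code": "devHub", "max_age": 0, "created_at": "2023-01-10T09:00:00+00:00"},
    {"code": "wk7Days", "max_age": 604800, "created_at": "2023-05-30T12:00:00+00:00"},
    {"code": "day1Only", "max_age": 86400, "created_at": "2023-06-07T12:00:00+00:00"},
    {"code": "meetup23", "max_age": 604800, "created_at": "2023-06-06T12:00:00+00:00"},
]
PAGES = """Join us: https://discord.gg/devHub
Workshop chat: https://discord.gg/wk7Days (from the README).
Office hours: https://discord.com/invite/day1Only
Meetup: https://discord.gg/meetup23, old promo: https://discord.gg/oldPromo"""
NOW = datetime(2023, 6, 7, 18, 0, tzinfo=timezone.utc)

def expiry(invite):
    """Return when an invite expires, or None if it never does."""
    if invite["max_age"] == 0:
        return None
    created = datetime.fromisoformat(invite["created_at"])
    return created + timedelta(seconds=invite["max_age"])

def audit_published_links(text, invites, now, warn=timedelta(days=2)):
    """Classify each invite code found in `text` against the server's list."""
    by_code = {inv["code"]: inv for inv in invites}
    report = {}
    for code in sorted(set(INVITE_RE.findall(text))):
        if code not in by_code:
            report[code] = "unknown"  # no longer ours: replace the link
            continue
        exp = expiry(by_code[code])
        if exp is None:
            report[code] = "permanent"
        elif exp <= now:
            report[code] = "expired"
        elif exp - now <= warn:
            report[code] = "expiring-soon"
        else:
            report[code] = "temporary"
    return report

if __name__ == "__main__":
    for code, status in audit_published_links(PAGES, INVITES, NOW).items():
        print(f"{code:10} {status}")
```

Anything other than "permanent" is a published link that should be swapped for an invite set to never expire.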
I hope the information shared here is helpful and allows you to go into the Discord server ecosystem with your eyes wide open. Mine were certainly opened when I started writing and researching the details for this post.
Image credit: Photo by Brooke Cagle on Unsplash