Hi, any discord users here? Care to share your way of using discord?
It’s really sad that services/platforms with extremely bad privacy
policies and sometimes with lack of proper security practices are mass
adopted (…and allowed to exist haha), in a way that there is almost no
real competition when it comes to the number of active users per
community. Especially when some of those communities are just too
valuable to be left ignored.
Below are my thoughts and an attempt to bring at least some awareness
of what to take into account, and also to bring up some questions about
the relevance of things such as browser fingerprinting and extensions.
Also, the questions are there asking you to participate and give
(better) recommendations since I can’t possibly know everything. If you
think I’m wrong in something, then please educate me, I’d really
appreciate the opportunity to learn more!
I think a lot of the following can also be applied to any web service that requires an account, not just discord.
EDIT:
I decided to add better formatting and some stuff I didn’t think about earlier in the original post, and also I included the great tips I got from the replies! Thank you for those! ALSO as a new user here, I cannot post more than 2 urls and tag 2 members in a post, I had to format those, the urls now annoyingly start as “https://-” so sorry for that. I wonder if a moderator here can modify them?
1. Account creation prerequisites
Since you’ll have to create a user account there to be able to do
anything, you are already unique, you are pseudonymous, not anonymous.
Everything you do there will always be tied to that user account.
How to then disconnect that user account from the real you and your other internet activities? Use VPN or Tor.
There’s a BUT though, in order to create and use your discord account
while connected to a VPN or Tor network, you’ll also need a burner phone
number (this will reveal the country you are from though). Otherwise
you’ll be stuck on the phone verification phase when registering a new
account.
If you use VPN, remember to check if your VPN works, does it have IP leaks?
How to check if your VPN is working - Proton VPN Blog
- Check that your ipv4 has changed
- Check for ipv6 leaks
- Check for DNS leaks
- Check for WebRTC leaks
Additionally, activate VPN killswitch.
2. What to use to register and use your discord account - a browser or a foss client?
Now let’s say you have a VPN (do not forget the killswitch!!!) and a
burner phone number. Then, in order to minimize the information discord
can gather about your device and track you across the internet,
obviously don’t use the official app, but then what should you use to
create a discord account and then use it?
There are options, from different privacy focused browsers with a
dedicated browser profile with its own settings and extensions to FOSS
clients/frontends like WebCord and ArmCord to name a couple. But what
would be the best option?
2.1 Browser with a dedicated browser profile (recommended)
If you pick a browser, create a browser profile dedicated to discord,
start modifying its settings and add extensions to that browser
profile, does fingerprinting from all of that matter really since you’re
already pseudonymous, everything is tied to that discord account
anyway, and you’re only using that browser profile and revealing its
fingerprint specifically to discord only so it can not be tied to any of
your other internet activities ie browsing the internet and logging
into other accounts on other platforms/services on another browser
profile with different fingerprint.
Getting more technical, considering what kind of browser, browser profile hardening and extensions to use.
If you choose to use Tor Browser and not a regular browser with a VPN, don’t mess with its settings and extensions at all. It is not recommended to do with Tor Browser ever.
Things to consider when choosing to use a regular browser with a VPN
- Pick a browser and create a browser profile and follow the PG’s guides how to modify the browser settings
- Firefox with arkenfox user.js
- Mullvad Browser
- Librewolf
- Brave
Then on your new dedicated browser profile
- Tweak WebRTC so that it cannot reveal your real IP address
- On Firefox based browsers, WebRTC can be disabled in about:config by setting media.peerconnection.enabled to false.
- On Chromium based browsers = Brave, you can install the WebRTC Network Limiter (https://-chromewebstore.google.com/detail/npeicpdbkakmehahjeeohfdhnlpdklia) browser extension. This official extension from Google allows you to manage how WebRTC connections work in your browser. You can do this by selecting the "Use only my default public IP address" option from the extension options.
- Apparently an extension is not needed. Read what user @Sharply said below:
As far as your WebRTC concerns go, no extension from Google is
needed. Just change “WebRTC IP handling policy” under “Privacy and Security” in Brave’s Settings to “Disable non-proxied UDP”. Do note
though that messing with WebRTC will cause issues with calls.
- Disable DNS from your browser settings so that the default by your VPN is used instead and you will not have DNS leaks.
- Add uBlock origin, and consider the following
- Select Medium block mode and allow 3rd party scripts one by one to make the web app functional
- Which filter lists to choose since apparently these are visible to the websites (test here: Content Filters and Proxy Detection - BrowserLeaks)?
- block remote fonts, cosmetic filtering on the page from the uBlock settings
- block elements with the element picker if you desire to do so.
- Actually, are there known privacy violating elements you should block/add cosmetic filtering to on the discord web app?
- Are there any other things that you can and should do with uBlock origin? What?
- To add or not to add other privacy-related extensions? Which ones? Given that this fingerprint is only tied to discord activity so the uniqueness should not matter (right?)
- Do canvasblockers, user-agent switching, NoScript, Privacy Badger,
LocalCDN/Decentraleyes or any other extension offer any benefit at all? Obviously adding many extensions and even redundant ones is something
you should never do with a browser, but does this use case of a
dedicated browser profile for a specific service justify more extensions
and therefore a browser fingerprint that sticks out like a sore thumb if more privacy can be achieved with it?
- Use browser extensions created specifically for Discord
- on Chromium based browsers = Brave, you can use Vencord for browser: https://-vencord.dev/download/ which is not available for Firefox based browsers.
Also consider user Sharply's general recommendation:
My general recommendation for using Discord currently is:
Separate Brave profile under a VPN with Vencord. Vencord (https://-vencord.dev/) is an open source extension for Discord, which can be used to improve
privacy and QOL (It disables telemetry by default, also has plug-ins for
anonymising file names, disabling typing indicators, ClearURLS
functionality, etc). Using a modification like this is technically
against Discord TOS, but I’ve really never seen them enforce this.
Vencord isn’t currently available on Firefox, which is why I suggested
Brave. You can follow PG’s recommendations for Brave settings.
As far as your WebRTC concerns go, no extension from Google is
needed. Just change “WebRTC IP handling policy” under “Privacy and
Security” in Brave’s Settings to “Disable non-proxied UDP”. Do note
though that messing with WebRTC will cause issues with calls.
2.2 Foss client (clients created with Electron are not recommended due to security issues)
If you pick a foss client like WebCord or ArmCord or some other
client (AFAIK, this is against the discord tos, so you can be banned
although it has almost never happened?), is there a privacy benefit over
a dedicated browser profile that is not tied to your other browsing?
Can someone offer some insight regarding this? Do those clients offer
something that cannot be achieved with a browser? I’d really love to
hear from someone who has decided to use a foss client instead of
browser. What are your reasons for it?
Thanks to user Sharply for pointing out the security issues of Electron apps such as WebCord and ArmCord:
Clients like WebCord or ArmCord should be avoided. They just use Electron, which has various security issues: https://-github.com/secureblue/secureblue/issues/193#issuecomment-1953323680, and everything they achieve can just be done through browser configuration anyways. You’d be much better off just using Discord in the browser, as it will be much more private and secure, and will give you more control over it in general.
3. Keep in mind, everything you do/share on discord, will always be visible to discord
Then last but not least, actually the most important part, how you actually interact while on discord. What you write there.
- What you share about yourself and your real identity, or other identities you have on the internet
- How you behave, the style in which you write and what you write will
all reveal your beliefs, opinions, your unique stack of interests
- Discord can and might record your voice chats, we can not 100% know if it does or does not.
Obviously all of that, literally everything will be known by discord who can then profile you.
Like user exaCORE said:
My 2 cents: use them as little as possible.
And user Sharply added:
At the end of the day, like @exaCORE said, you really should just try to use Discord as little as possible. It isn’t a private or secure platform at all, even with this configuration. This just helps to mitigate the damage done.
So depending on your threat model, what you want and don’t want to
share, how much information you want to give to discord and put out
there in public for anyone to see, it’s entirely up to you.
Discord - terms of service; didn’t read summary
On tosdr . org Discord has the worst possible privacy grade, which is E. You can check it out at Discord – Terms of Service; Didn’t Read: https:///tosdr.org/en/service/536
Tweak your discord user account settings
credits to user Sharply for these recommendations:
Most important options related to privacy:
Privacy & Safety → Use data to improve Discord → Off
Privacy & Safety → Use data to personalise my Discord experience → Off
Privacy & Safety → In-game rewards (aka Quests) → Off
Clips → Allow my voice to be recorded in Clips → Off
Activity Privacy → Share your activity with others → Off
Activity Privacy → Share your activity status by default when joining large servers → Off
Activity Privacy → Allow friends to join your game → Off
Activity Privacy → Allow voice channel participants to join your game → Off
You can also set your account’s status to “Invisible” to prevent others from knowing when you’re online, as well as tweak other settings as needed.
Actually, try to avoid discord
Try to move your conversations to privacy friendly alternatives if possible
Any meaningful contacts/friends that you have made along the way, you
can try to move the 1on1 discussions to privacy friendly messaging apps
like Element, Signal, Session, Simplex, Threema and Briar and what else are
there. Although that can sometimes be hard trying to convince someone
to move the conversation to another platform.
Try to find the communities that you are interested in from other places, like web forums
Forums also work much better as a knowledge repository and structured discussion compared to chat as user HauntSanctuary pointed out:
Chat is a bad place to store information and is barely searchable - a mature community would have chosen a forum for knowledge repository and for better curating of structured discussion.
4. Compartmentalizing your discord activity into multiple accounts
Furthermore, if you decide to compartmentalize your discord activity
into multiple accounts (for example, by different interests with
different personalities (writing style, behavior) sharing different fake
information like gender/age/name/whatever) to keep discord from being
able to create a complete record of you as a person.
4.1 Alt account creation prerequisites
Obviously, firstly, you’d need to again use a different VPN ip
or Tor and another burner phone number (an online service for phone
number aliasing would be great for this! Got any recommendations?). That burner phone number is also again revealing the country you are from.
4.2 Selecting how to register and use your discord alt account
4.2.1 Consider your alt accounts browser fingerprint in comparison to your other account(s)
Secondly, wouldn’t it then also make sense to use different foss clients and/or
browsers with different fingerprint to make you stand out
differently from the other discord accounts you have so that none of
those can be easily tied to one another by discord?
Some things to consider:
- Using different devices with different OS. Or using VMs.
- Have a different browser, or just different browser profile with different extensions to make them stand out differently from one another
- If you like to do element blocking/cosmetic filtering with the uBlock element picker. At least you should have some differences how you utilize that on the site in case that kind of blocking is also visible to discord.
- An example of this that I can think of would
probably be due to blocking some very specific asynchronous script
communicating with the server from running that are normally run by
every user when they do a specific but very common interaction on a
specific component on the web app.
4.2.2 Consider your alt account’s way of writing and information you share in comparison to your other account(s)
Some things to consider:
- Giving fake information that is different and even conflicting to your other account, like name, age, where you are from, what are your interests, beliefs and so on
- What kind of language you use. Maybe professional and mature on some account, youthful on another and so on. But also the grammatical errors you make.
- The time patterns when you log in to each of your accounts, is it the same always? E.g. log in A, then sign out, log in B, then sign out B, and so on…
- If you are logged in on multiple accounts at the same time and lose your internet connection. That is very visible to discord. Consider your cover blown!
- If you like to voice chat, maybe do that on one profile only, since we don’t know if discord records them
Sorry for the long text, I hope I was able to offer some value at
least! And thank you for reading all that. I’d really want to hear and
learn more from you so please share your thoughts, strategies, tips,
anything! Have a great day y’all!
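Added example, not part of the original post: a small Python check that reads a Firefox profile's user.js (or prefs.js) text and reports whether the WebRTC pref named in section 2.1 is set as described. The `network.trr.mode` entry is this example's assumption that "disable DNS in the browser" means turning off DNS-over-HTTPS; the sample input is constructed.

```python
import re

# Expected values. media.peerconnection.enabled=false is the setting named in
# section 2.1; network.trr.mode=5 (DoH off) is this example's assumption for
# "disable DNS in the browser so the VPN's resolver is used".
EXPECTED = {
    "media.peerconnection.enabled": False,
    "network.trr.mode": 5,
}

# Matches active lines such as: user_pref("name", value);  // optional comment
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def parse_prefs(text):
    """Return {pref: value}; commented-out lines are ignored, last one wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def audit(text):
    """List (pref, found, expected) for every pref that is unset or different."""
    prefs = parse_prefs(text)
    findings = []
    for name, want in EXPECTED.items():
        have = prefs.get(name, "<unset>")
        if type(have) is not type(want) or have != want:
            findings.append((name, have, want))
    return findings


# Constructed sample, not taken from a real profile.
SAMPLE = '''
// user_pref("media.peerconnection.enabled", false);
user_pref("media.peerconnection.enabled", true);
user_pref("network.trr.mode", 2);
user_pref("media.peerconnection.enabled", false); // later line overrides
'''

if __name__ == "__main__":
    for name, have, want in audit(SAMPLE):
        print(f"{name}: found {have!r}, expected {want!r}")
```

Pass the contents of the dedicated profile's user.js or prefs.js to `audit()`; an empty result means both prefs match the expected values.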