My local org uses Discord. What should I know about account security / op sec / settings I should immediately change before using it?

  • Zvyozdochka [she/her, pup/pup's]@hexbear.net
    ↑ 22 · 6 months ago

    I know Discord is super convenient and easy to use, but please don’t use it for organizing purposes, this is a horrible idea for so many reasons. If you’re going to use Discord for this purpose, you may as well just invite the local police officers to your meetings. This goes for Microsoft’s Windows as well, but that’s a whole different conversation and not in the scope of this post.

    Piggybacking on what @hello_hello said, I’d bring Matrix to your organization’s attention and lobby for its adoption. It’s free, open-source, decentralized/federated, and end-to-end encrypted (important!) and has everything you’d want like direct messages, group chats, voice & video calls, and plenty more.

    If you really must use Discord, make a throwaway e-mail that you only use on Discord, do not attach a phone number to your account, pick a username that you’ve never used on any other platform, don’t talk about anything that could be linked back to you, etc. Assume everything you send/do is being looked at, because it is.

  • sovietknuckles [they/them]@hexbear.net
    ↑ 16 · edited · 6 months ago

    • Opt out of the arbitration agreement within 1 month of registering by sending something like this to arbitration-opt-out@discord.com
    • Don’t use the official desktop client, which is very bad for privacy. Use ArmCord (unlike other third-party clients like Ripcord, no one has been banned for using ArmCord), which is open source and blocks Discord’s trackers.
    • Disable everything in the How we use your data section of the Privacy & Safety settings
    • Disable everything in the Activity Privacy settings so it doesn’t scan your computer to detect games that are running
    • Assume everything you put on Discord is public information; data mining companies pay Discord for your data.
    • Wertheimer [any]@hexbear.net (OP)
      ↑ 11 · 6 months ago

      Much appreciated. Between what you and @hello_hello@hexbear.net have said it sounds like Discord is a colossal mistake for an org. I wish I had more options locally, but in the meantime I’ll keep Discord communication as minimal as possible.

  • EcoMaowist [she/her]@hexbear.net
    ↑ 13 · 6 months ago

    Discord is horrible. People have already said Matrix, and they’re right. Try to get them to switch, and give them the reasons many people here have already listed. As soon as they realize they can be surveilled they should be willing to switch. (Can’t Discord also ban servers or users at will?)

  • hello_hello [comrade/them]@hexbear.net
    ↑ 11 · edited · 6 months ago

    Ask them if they can switch to Matrix. If they’ve only been using Discord as free hosting for a chat/video call service then it shouldn’t be difficult.

    Discord is a horrible platform and I don’t trust any leftist org that uses Discord for its main communication: zero E2EE (not even in your fucking “private” DMs), horrible and juvenile userbase of gamers (most chuds and liberals), poor moderation, predatory user interface and worst of all: forced to use a shitty Electron app. You also are required to submit an email address and a phone number to use the service (no telling what other requirements they would impose). Impossible to access via Tor or through VPNs.

    For video conferencing you can use Jitsi Meet which AFAIK is integrated into the Element client for Matrix. I’ve not joined orgs because they use shit like Google Docs and Discord for basic tasks.

    Case in point: a Marxist group at my uni uses Google Forms for signups. Like wtf no I’m not signing up using Google, literally just use E2EE email you fucking lib. Maybe a Signal username to the group’s main recruiter? Maybe an XMPP username??? There are so many freer ways to do this shit that don’t require de-anonymizing people.

    • Zvyozdochka [she/her, pup/pup's]@hexbear.net
      ↑ 10 · 6 months ago

      Hell, even the PSL uses Google Forms for initial onboarding where they ask you for things like your full name, phone number, e-mail address, social media handles, and all that jazz. Really big yikes moment, but I understand that hosting an open-source alternative/writing their own solution is a lot of work and they might not have the resources to pull something like that off right now, but still.

        • Zvyozdochka [she/her, pup/pup's]@hexbear.net
          ↑ 4 · edited · 6 months ago

          That’s only if a peer-to-peer connection can be made in the first place, which most of the time it can’t because of NAT and other things. The Element client even has a checkbox to prevent you from making peer-to-peer connections, forcing you to go through your homeserver’s TURN server or Matrix’s fallback TURN server.

          Edit: To clarify the warning under the “Allow fallback call assist server” saying your IP address will be shared, it means it will be shared with matrix.org, not the parties you are calling.

  • Maoo [none/use name]@hexbear.net
    ↑ 2 · 6 months ago

    I’ll echo others and say no Discord!

    Matrix is good though a little complex and unintuitive. I would recommend limiting your online chats in general for opsec reasons and maybe sticking to something simpler like Signal for announcements.