this post was submitted on 17 Sep 2024
138 points (94.8% liked)

Technology

59495 readers
3081 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
top 30 comments
sorted by: hot top controversial new old
[–] simple@lemm.ee 94 points 2 months ago* (last edited 2 months ago) (1 children)

It's weird that they're adding E2EE on voice but not in private text DMs, which is probably everybody's biggest concern when it comes to security on Discord. Better than nothing I guess.

[–] morrowind@lemmy.ml 8 points 2 months ago (1 children)

In servers I can see why but yeah not sure about dms

[–] RmDebArc_5@sh.itjust.works 22 points 2 months ago* (last edited 2 months ago) (3 children)

~~They sell your dms for money, which makes them money. They don’t make money through spying on your calls. I’ll let you figure this one out.~~

Edit: no evidence

[–] morrowind@lemmy.ml 17 points 2 months ago (1 children)

They sell your dms for money

This is a very large claim. Do you have a source?

[–] RmDebArc_5@sh.itjust.works 0 points 2 months ago* (last edited 2 months ago) (1 children)

~~Here is the article were they adjusted the privacy policy to allow AI training. Personally I think this is enough evidence to think they train their AI on messages.~~

[–] morrowind@lemmy.ml 4 points 2 months ago (1 children)

Your changed claim is still incorrect, and your own article contradicts it. The article contains an update, including a statement from discord

The recently-announced AI features use OpenAI technology. That said, OpenAI may not use Discord user data to train its general models.

On top of that, it's stated in the article that the AI features are for servers, not dms

[–] RmDebArc_5@sh.itjust.works 3 points 2 months ago

Yeah, I think in my head I mixed up this article with a unrelated one.

[–] anas@lemmy.world 10 points 2 months ago

Another day, another request for a source on Discord selling your data.

[–] morrowind@lemmy.ml -4 points 2 months ago

They sell your dms for money

This is a very large claim. Do you have a source?

[–] hal_5700X@sh.itjust.works 53 points 2 months ago* (last edited 2 months ago)

Encryption on Discord. Okay, if you say so.

[–] mox@lemmy.sdf.org 41 points 2 months ago* (last edited 2 months ago) (2 children)

Discord’s audio and video end-to-end encryption (“E2EE A/V” or “E2EE” for short)

That last bit is a little concerning. E2EE is widely understood to mean full end-to-end encryption of communications, not selective encryption of just the audio/video bits while passing the text around in the clear. If Discord starts writing "E2EE" for short when describing their partial solution, it is likely to mislead people into thinking their text chats are protected, or thinking that Discord is comparable to real E2EE systems. They aren't, and it isn't.

We want an E2EE A/V protocol that is publicly auditable

Their use of the word "auditable" here is also concerning. What does it mean for a protocol to be auditable? Sure, it's nice that they're publishing their design, but that doesn't allow independent audit of the implementation that actually runs on their servers and (importantly) people's devices. Without publicly auditable code that can be independently, built, run, and used instead of the binaries they provide, there's no practical way to know that it matches the design that was reviewed. And even if code is made available, without a way to verify that the code being run is the code that was inspected, any claim giving the impression that the system was audited is misleading at best.

During the rollout phase, a single non-supporting member being present forces the call to transport-only encryption. The call will automatically “upgrade” to E2EE if that member disconnects.

This sort of thing has historically been ripe for abuse. (See also: downgrade attack.) I hope they are very careful about how they implement it.

The protocol uses Messaging Layer Security (MLS) for group key exchange

Interesting. This makes me wonder if their motivation might be eventual compliance with the European Digital Markets Act. If that is the case, perhaps they also have a plan in the works for protecting text chats?

My early impression, based on what they wrote:

This won't fix Discord's major fundamental flaws. However, if their E2EE A/V design holds up to scrutiny, and if they were to fix their problematic language and provide truly auditable client code, the protection offered for audio & video could at least reduce Discord users' exposure to unwanted harvesting of voice & face samples. A step in the right direction, and a timely one, given that biometric data collection and AI impersonation are on the rise.

Their whole writeup is somewhwere between "trust me bro" and "enough holes you can legally sell it as swiss cheese".

I'm utterly confused as to who the target market for this is since their current userbase clearly does not care if shits encrypted or not, and any even remotely privacy oriented person is going to have the exact same take you did.

[–] semperverus@lemmy.world 4 points 2 months ago* (last edited 2 months ago) (1 children)

The code is very auditable. I have not audited it myself though so I have no idea if it's actually good, but you can absolutely audit it.

EDIT: Just read through the Javascript portion, which seems incredibly anemic. Each file is like 20 to 40 lines of code max. I did notice there is a C++ folder though, I'm guessing that's where the meat and potatoes are.

[–] pressanykeynow@lemmy.world 6 points 2 months ago (1 children)

Is Discord client code available?

[–] semperverus@lemmy.world 2 points 2 months ago

kind of

If you download the client, it's just an electron app, so all of the bits written in js/css/etc are sitting right there in the client itself. People have used this to repackage it with customizations, such as webcord (nicer user experience on Linux) and others.

As for the compiled bits... well, every binary executable is open source if you're brave enough

[–] SnotFlickerman@lemmy.blahaj.zone 31 points 2 months ago* (last edited 2 months ago) (1 children)

The audit details and whitepaper details are far beyond my capabilities to understand. Can anyone with knowledge of the field tell us about the findings? If you would be so kind, please and thank you.

Good on them for getting an audit and making the code publicly auditable, but I really would like to hear an opinion from some folks who are more involved in cryptography on whether this is Discord being genuine and doing the right thing, or is it Discord trying to use Public Relations and weasel words to make it seem like they're doing the right thing.

It's just hard to trust a private company's motives sometimes, but that doesn't mean they're not capable of doing the right thing. Thanks to anyone who can give some input on this.

[–] CosmicTurtle0@lemmy.dbzer0.com 4 points 2 months ago (1 children)

My very cursory glance at the paper is that basically they are encrypting live calls. Basically they are doing what zoom has been doing since the pandemic.

[–] ArtikBanana@lemmy.dbzer0.com 2 points 2 months ago

From what I remember, in Zoom the meeting's host needs to enable E2EE, it's not automatic, and it disables a lot of Zoom's features while also limiting the amount of participants.

[–] Juice260@lemmy.world 14 points 2 months ago (1 children)

I’ll admit that I'm skeptical but since I could not get my friends to start using signal after about a year of poking at them I do appreciate it 🤔

[–] morrowind@lemmy.ml 4 points 2 months ago (1 children)

Man, I'd be happy if I could just get past sms

[–] rumschlumpel@feddit.org 1 points 2 months ago (1 children)

Don't most people have Whatsapp? It's certainly harder to spy on the content of your messages, it's just a matter of how much issue you have with giving Meta your metadata.

[–] morrowind@lemmy.ml 1 points 2 months ago (1 children)

I'll give you three guesses as to where I'm from that it might be a problem

[–] rumschlumpel@feddit.org 1 points 2 months ago (1 children)
[–] morrowind@lemmy.ml 1 points 2 months ago

~~un~~fortunately no

[–] Zak@lemmy.world 13 points 2 months ago

I'm confused by why they would do this, and at the same time, why not for private text messages.

I'm in favor of encrypting as much communication as possible, but I don't think many of Discord's users were complaining that their voice chart wasn't secure. I'd expect more of them to care about text chart, which is less effort to spy on.

[–] nailingjello@lemmy.zip 7 points 2 months ago

When it goes down can I get an error message that says Dave's not here?

[–] Dark_Arc@social.packetloss.gg 5 points 2 months ago

I wonder how this scales to large voice rooms.

[–] subignition@piefed.social 5 points 2 months ago (1 children)

I am WAY too unqualified to understand any of the technical stuff, so I'll be waiting to hear thoughts from experts on this one. It looks like if there are no major flaws in it this is a great thing for the platform overall.

[–] Badeendje@lemmy.world 8 points 2 months ago (1 children)

Discord is already one of the black holes of the internet, where information goes to die.

[–] subignition@piefed.social 1 points 1 month ago

Was that supposed to speak to some part of my comment...?

It seems like a complete non sequitur to me.