While everyone is beginning to fret about intrusive government surveillance, many people still have a blind spot when it comes to the surveillance done by private entities.
A stark illustration of the issue can be seen in the way that Discord is currently being scraped for user data. A new website called Dis.cool has been scraping Discord to build profiles of its users, including people who have never signed up for Dis.cool, and selling access to those profiles.
Mass Scraping and GDPR
Not only is the website indiscriminately scraping Discord for private data and using it for commercial purposes; apparently, it is also outright refusing to delete user data, or at least being incredibly obtuse about doing so.
Such a business model appears to be very clearly violating GDPR on a regular basis. Say what you like about GDPR, but it is a very strict law that carries serious weight when it comes to issuing penalties. However, despite such a flagrant and public violation of GDPR, it is unclear exactly what can be done or who needs to do it.
While Discord was slow to respond, their recent actions suggest that they are now taking this threat seriously. The company has made attempts to secure the API and asserted that it is preparing to pursue legal action against Dis.cool.
Of course, Discord has tools available to it if it really wants to stop people from accessing its data and abusing the API. While it is good to see Discord now using these tools, this highlights a long-standing issue with the platform that many people have discussed before: namely, that Discord stores all of its information unencrypted.
If Discord were implementing even the bare minimum of encryption and security standards for user data, it would not be so susceptible to being scraped in this way. More importantly, user data would not be nearly so easy for an attacker to steal. Under GDPR, businesses have an obligation to act as responsible custodians of data.
Options to Protect Data
However, Discord’s options are limited in these scenarios. They can issue cease and desist letters, but they have to be willing to follow these up with legal action. For small teams of developers operating in countries where laws might not be compatible with those of the US, it can be hard to effectively enforce any court order, even if one is obtained.
Users who are unhappy about the way Discord has treated their personal data can file a complaint with their national data authority. Evidence on the main Reddit thread about the Discord issue suggests that this is an option that lots of irate users have chosen to take. There also seems to be a consensus that the tool violates Californian law as well as EU law; this significantly reduces the area where the tool can safely operate.
Discord can also choose to block the IP addresses that are being used to scrape its servers. Unfortunately, thanks to the ease with which most people can access a VPN or rotating proxy, this will soon devolve into a game of whack-a-mole. However, there is no doubt that much of the information being scraped should not be so easily available, irrespective of access to the Discord API.
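The whack-a-mole problem above comes from keying a block on the client's IP address, which a rotating proxy changes at will. The detector below is an added example (not code from the original article and not anything Discord runs) showing the difference: it reads a constructed API access log and counts how many distinct user profiles each client fetches within a sliding window. Keyed on IP address, a scraper spreading its requests across a proxy pool stays under any sensible threshold; keyed on the API token (or account) that authenticates the requests, the same enumeration pattern is obvious. The log format, the `/users/<id>` endpoint, the token names and the addresses are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: "<timestamp> <client ip> <api token> <method> <path>".
# tok_S is a scraper rotating through six proxy addresses (203.0.113.0/24),
# fetching two profiles per address; tok_N is an ordinary client on one address.
SAMPLE_LOG = """\
2023-05-01T10:00:00Z 203.0.113.1 tok_S GET /users/2001
2023-05-01T10:00:02Z 192.0.2.7 tok_N GET /users/3001
2023-05-01T10:00:05Z 203.0.113.1 tok_S GET /users/2002
2023-05-01T10:00:10Z 203.0.113.2 tok_S GET /users/2003
2023-05-01T10:00:15Z 203.0.113.2 tok_S GET /users/2004
2023-05-01T10:00:20Z 192.0.2.7 tok_N GET /channels/55
2023-05-01T10:00:20Z 203.0.113.3 tok_S GET /users/2005
2023-05-01T10:00:25Z 203.0.113.3 tok_S GET /users/2006
2023-05-01T10:00:30Z 203.0.113.4 tok_S GET /users/2007
2023-05-01T10:00:35Z 203.0.113.4 tok_S GET /users/2008
2023-05-01T10:00:40Z 192.0.2.7 tok_N GET /users/3002
2023-05-01T10:00:40Z 203.0.113.5 tok_S GET /users/2009
2023-05-01T10:00:45Z 203.0.113.5 tok_S GET /users/2010
2023-05-01T10:00:50Z 203.0.113.6 tok_S GET /users/2011
2023-05-01T10:00:55Z 203.0.113.6 tok_S GET /users/2012
2023-05-01T10:01:10Z 192.0.2.7 tok_N GET /users/3001
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
PROFILE_RE = re.compile(r"^/users/(\d+)$")  # hypothetical profile-lookup endpoint


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, token, method, path = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "ip": ip,
        "token": token,
        "method": method,
        "path": path,
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def max_distinct_profiles(entries, key_field, window_seconds):
    """For each client key ("ip" or "token"), the largest number of distinct
    profile ids it fetched inside any window of window_seconds."""
    by_key = defaultdict(list)
    for e in entries:
        m = PROFILE_RE.match(e["path"])
        if m:
            by_key[e[key_field]].append((e["ts"], m.group(1)))
    result = {}
    for key, hits in by_key.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, uid in hits[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                seen.add(uid)
            best = max(best, len(seen))
        result[key] = best
    return result


def flag_scrapers(entries, key_field, threshold, window_seconds=60):
    """Keys whose profile enumeration rate meets the threshold in some window."""
    return {
        key for key, n in max_distinct_profiles(entries, key_field, window_seconds).items()
        if n >= threshold
    }


ENTRIES = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("by ip:   ", flag_scrapers(ENTRIES, "ip", 5))     # set(): rotation hides it
    print("by token:", flag_scrapers(ENTRIES, "token", 5))  # {'tok_S'}
```

The threshold and window are deliberately simple; the point is the choice of key. Blocking addresses only raises the attacker's proxy bill, while throttling or revoking the credential that the API actually authenticates is something the proxy pool cannot route around.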
Possible Legal Measures
While the legal status of scraping is far from settled, there is certainly legal precedent for Discord to take steps to block access to its data. Much of the data in question is not something that could reasonably be considered to be in the public interest, so this seems like a clear privacy violation.
The data might be accessible using the official Discord API, but there is no basis for inferring from this that Discord is happy for the information to be widely and publicly available. EU and US courts differ slightly on this issue, but they agree that there are circumstances in which a business has a right to keep its data private and prevent scraping. This would seem to be a textbook example.
The debacle at Discord highlights, once again, that private businesses can sometimes be just as careless with our data as the most incompetent government department. The ease with which scrapers were able to access sensitive Discord data and monetize the results shows how vulnerable online services like this are to this kind of attack. Even worse, the slow response from Discord suggests they don’t take the threat too seriously.
If businesses aren’t going to take responsibility, then it falls to users to push for the enforcement of GDPR and national equivalents. Without proper penalties, however, there will be more incidents like this.