Discord Servers asking for Phone Numbers and 'Verification Levels'
cross-posted from: https://lemmy.world/post/10799766
(Edit: Cross-posted OP (link above) was mod removed by the Discord forum 'admin' on 2024-01-19 as being "False claim, false interpreted", so the above link will no longer work.)
Recently read this on a Steam game's reviews section ...
User Comment...
The game's Discord REQUIRES your personal phone number to get access at all. This is a very intrusive, and 100% unnecessary requirement, in order to just be able to interact with others about the game, it's content, player experiences, and many other things. It's also intrusive in regards to being able to contribute any input to help other players in any way at all.
Dev Response...
It's Discord that's asking you for verification of the account. We're not getting your phone number. This is standard practice on bigger servers that allows for a better user experience, filtering bots/ spam accounts, trolls, etc.
Could companies please STOP lying about it being Discord's choice, its not, is the Discord server's choice to ask for it.
Its a "Verification Levels" setting that the server op sets, and they have multiple options that they can choose from, its not an on/off switch. They can dial it back one notch and still have spam/bot protections.
The only difference between "High" and "Highest" verification levels is the addition of asking for a phone number, all other features of "High" is in "Highest", and "Highest" has no other extra features besides asking for the phone number.
Makes it really hard to have an pseudonym account on the Internet, for gaming purposes, and then be asked for your real phone number. I don't need to be tracked 24/7.
deleted
That's the impression that is being given, but its not true.
I've been successful in a very few cases of getting a Discord server admin to dial back the verification level from 'highest' to 'high' on their server, so that I was not prompted for a phone number. They agreed that the highest setting was overkill.
Most times though server admins refuse to do so.
Gotta wonder at this point if they actually see the phone numbers or not.Other server admins say they can't see the number, so will assume that's correct.When I ran a Naruto RP server we ran without verification for a while. Then trolls came in and they just kept coming back. They would target the feminine-identifying members of the server every time. Situations like this are probably why. To my knowledge I could not access the phone numbers.
In one XMPP group I was in that got spammed, they just disabled the ability to speak without manual approval. Was your "guild" too big for that? Can Discord do something like this? Because giving phone number to something as shady as Discord is just inappropriate.
Is the email verification/validation, being registered on Discord for more than five minutes, and being present in the server for longer than ten minutes, not sufficient?
No, they would just sign up with a new alias, wait, then join the server, wait, and then do it again. Most servers should not do this. But for situations like ours, a small RP server being harassed, it was useful for the year it was up. The users would not have been okay with that if the entire server wasn't a close community of about 20 people. Its just another example of a thing that can protect extremely small teams conveniently being abused by bigger entities to get something they want (your data).
AFAIK you can have roles which have access to different parts of your server. Thus you can have that all newly joined accounts have a role where they only can see and interact with a channel for those waiting for acceptance. You can even make it “fill out a form in a thread” for why they want to join, and only after they’ve been accepted will they be given access to the rest of the server (or just some of it)
I did that. When you get trolls in your server targeting your players, you can throw all the forms and wait times you want. It accomplishes two things: 1) it kills the real people trying to play, every barrier of entry just to type silly Naruto RP stories on a discord channel turns people off incrementally. 2) the trolls don't care, they make multiple accounts using gmail aliases and wait out the restrictions, when those are up a tidal wave of troll/bot combinations fucks your server.
In the end, I had to lock the server down for 3 months, I implemented a tool that exposed your MAC address, if it matched one on my blacklist you were automatically banned. This killed new players too. But it completely stopped the troll once I reported the MAC address to discord with screenshots. It ended up being a nurse at the hospital one of my players went to. They ended up losing their job. Crazy story tbh. I wouldn't handle it again like that but this was before I had worked IT.
Getting a valid email address, being registered on Discord for more than five minutes and being present in the server for longer than ten minutes takes, you guessed it, 15 minutes.
If you ban someone from your Discord server for harassing other members, they can be back at it after 15 minutes. How do you deal with that?
AFAIK you can have roles which have access to different parts of your server. Thus you can have that all newly joined accounts have a role where they only can see and interact with a channel for those waiting for acceptance. You can even make it "fill out a form in a thread" for why they want to join, and only after they've been accepted will they be given access to the rest of the server (or just some of it)
on quite a number of servers that are 18+, higher verification usually sounds a little bit more safe. But then on most of the servers I run or moderate, we tend to have our own in-house verification methods instead of the built levels for discord.
the idea of the verification levels is attractive, however. anything to keep the kids out. though I'm not sure I'd go as far as requiring a phone number, I might consider it for future.
it depends on how the server is going to be used. why a gaming server should be highest level, I don't know. I would think "high" is enough.
Only difference between high and highest is the asking of the phone number, all other security checks are the same. So if the other existing forms of validation are not already enough, then the bad guys have already won.
what "bad guys"? Whatever the server owner feels is appropriate for levels of validation is up to them. ya know?
Those who would spam/troll/etc. The ones you're trying to exclude from the server. To repeat my comment ...
For the record, I was NOT talking at all about the server admins, at all.
I doubt they do. They just want to be "secure" and are unwilling to admit setting the level at "highest" is bullshit.
It's not like you can easily get a new number and circumvent this "security" measure if you want... /s
That's the crux of it, they're using a lie by omission to not have to justify to their users that its they themselves that are asking for the phone number, and not Discord corpo.
I came across this issue on my own discord server, the system kinda encourages you towards those higher security levels without really being especially clear about what it will do to the user experience.
One thing I would clear up though:
I think both sides in the OP are correct here.
Yes, the server admin sets the security level that triggers those requirements.
But it's also true that the server/admins do not get your phone number, that private information is only kept within discord's verification system. It is not sent to the server admins.
I mean, I sort of get why the developers say it's Discord's policy even if it's a bit misleading.
Game developers don't really want to moderate their own discord server and simply want to use the strictest automated filtering system available and this just happens to include phone number linking. The operators of the servers themselves do not have access to these phone numbers and they are only stored by discord directly to prevent spam.
I would personally prefer games to not have their communities tied to discord, akin to how forums were big deal for games back in the day, but even then they do need some kind of automated way to filter out all the crap. This is a problem with moderating any community, including a lemmy/kbin/mastodon, and I don't blame them for simply picking the strictest option to ease the burden on the 1 or 2 people who are charged with managing these servers (especially if they are unpaid or volunteers, which is a whole other can of worms that shouldn't happen...)
The language on that is very plain, and a lie, as it is the server admins, and not the Discord corporation, who are asking for it, by having the ‘Highest’ verification level setting, vs. just the ‘High’ setting.
The only difference between the 'High' and 'Highest' verification level setting is the asking of the phone number. All other verification features (email validation/verification, time on the server before approval, etc.) are the same.
How exactly does that prevent spam, vs just using other existing established verification methods like email validation? If the only goal is preventing spam, its overkill, and other web sites who also have to contend with spam don't use it.
Finally, I'd feel allot better about it if a trusted third party verified that its not used for marketing reasons, and that we all just didn't take Discord's word for it. I don't know this as fact, but I can't help thinking that we are being lied to, and that the number is used to link our Internet pseudomnames to real-life persons (via agregate gathering/purchasing of data via third-party brokers).
Having said all that, my post wasn't about what is done with the number (that's a whole other topic), just the fallacy of stating who is requesting the number (Discord vs server admins).
It's trivial to create new accounts and emails to verify those accounts. It is not trivial to get a new phone number since virtual numbers are blocked by the verification process.
Is it really that trivial, especially while having to spend your own money to do so?
And can't that be detected in the same way that virtual phone numbers are detected by Discord currently?
You get your ISPs email address, and you could have your Google address, what else?
Granted, a phone number is better than email for verification, but plenty of websites work off email verification today successfully.
What are you talking about? There are endless services where you can get a free email address without spending a cent. Verifying that an email is genuine is a much harder ask than you might think.
Fair enough, but then how is it used today successfully by websites?
That's the thing, it's not. Lots, and I mean lots of sites are plagued by bot activity. The ones hardest hit are the ones that only have email validation.
I could go to Google and create a new account right now, absolutely free.
Hell, I could write a script that creates a million for me for barely any money, just paying a CAPTCHA farm a nominal sum to solve the robot tests for me. This is why sites like discord are plagued with advertisement bots, the bar to entry is literally nothing.
Phone numbers cost money to create, and are in finite supply. Even PAYG (pre paid numbers for you Americans) numbers require you to go outside and purchase a SIM card from a store. They aren't foolproof, but they stop the vast majority of fake accounts.
But those other websites that suffer the same kind of issues work successfully without asking for a phone number, just via email verification. I don't see why Discord should be any different.
I understand all of those ramifications, and not arguing against it.
However, it's moving the onus of dealing with the issue from the website owners to the users who use the website. It causes the users to lose their anonymity, and allows their website usage to be tracked and sold. That's a step too far.
How else is the platform owner to prove that the account is linked to an actual person without defeating the check being trivial? They can't without something being tied to you. An email address may have been a good one to use back when AOL gave out addresses as part of their subscription service, but the availability of free email has destroyed this possibility. Out of the many things that could be asked for you to provide, a phone number is the least nefarious.
You reserve the right to not give your phone number to Discord. You do not need to give Discord your number in order for you to be able to use it. Likewise, the server owner reserves the right to ask Discord to only allow accounts that have been verified to not be burner accounts. Email verification does not do this, and the time limits on membership only go as far as slowing down accounts used in bad faith in a server, whether that be scams, trolling or otherwise.
Like many things in life, it's a trade-off. You value your right to privacy more than being granted access to this particular server. The server owner values the reduced ability of trolls and bad actors over the loss of membership from users like you. Unfortunately you cannot have your cake and eat it too.
The only alternative I can think of is just buying a pre-paid number and a cheap second hand phone and using that only to verify with services. It's good for 2FA too as it makes you immune to SIM swap attacks.
As the owner of a 2000+ user server, this setting is an absolute necessity because yes, disposable email accounts are plentiful and Discord still does a poor job of detecting them. Server raids still happen, and temporarily restricting access to non-verified accounts helps mitigate this.
However, Discord's phone number verification blocks most VoIP or burner numbers from being registered. It's one of the few things Discord does pretty well these days, IMO.
I host my own email. I have literally billions of email addresses available if I want them and getting billions more only costs however much I can get a new domain registration for, which isn't often more than $10. I already own a dozen domains or more and I can have any username I want at any of those domains for any email at no additional cost.
Now I'm not some dickhead harassing people online or spamming discord servers, but I will admit that Wendy's once had a deal where you could get a free frosty for creating a new account and I had free frosty coupons for weeks before they realized that email only verification for unique users was a losing proposition and they switched to requiring that new accounts attach a phone number.
Email verification only works if you've got nothing to lose. As soon as there's anything on the line, you'd better look for something more concrete like a phone number, a credit card, or a government ID. Personally I'm more comfortable with Discord having one of those pieces of info before the other two, but that's just me, you do you.
Discord has 5 levels of user verification.
None.(none)
Verified email. (Low)
Verified email + more than 5 minutes old account. (Medium)
Verified email + >5 mins old account + member of server for more than 10 mins. (High)
Verified email + >5 mins old account + server member >10 mins + verified phone number. (Highest)
Server admins can set the level. Some server sizes or types (community severs etc.) have a discord-mandated minimum level to qualify for the server type.
Normally (Medium) or (High) security is more than enough. Servers that experience raiding or high levels of trolling are recommended to choose (Very High) security as it makes it harder to make multiple accounts and evade bans or brigade a server.
Discord store the number. The server never sees those details.
Servers that ask for ID to ensure you are over age, are doing that in their own, and probably illegally handling that data, without adequate security.
The server sets the security level. Discord does the enforcing. It IS discord asking for the phone number. But only because the server asked Discord to. But the server definately doesn't see your phone number.
I run a game community server, and normally have security set at medium.
If raided, it goes to High.
If persistently trolled by a user or users that are ban evading (has happened only once), I turn it to highest for a bit.
But I turn it back down after a bit.
A bigger server might not get that luxury.
If a server has stupid high security settings, chances are they have active troublemakers.
What does the "5 minute" rule even do? Any bot can be programmed to wait that long, or have a few accounts lined up to use in sequence.
Just wanted to add that my OP has a link to the Discord page that breaks down each of the verification levels, if you want to read more about it.
it sucks, and it is absolutely necessary for some communities. i work for a small game company and we have one or two people that have gone to extreme lengths to contribute hate and saltiness to everyone there. im talking dozens of alt accounts made over the course of years. discord provides the tools for these verification paths. its a choice on behalf of the discord managers to enforce the different levels of verification, but it is absolutely discord that stores and verifies that data. we've tried other methods before, like alt identifier bots, and ive been in communities that do personal ID verification, and neither of those are trustworthy. discord is doing their best, and the kinds of people that complain about these things either are ignorant of the challenges such communities face, or are themselves the problem.
As Discord is still unable to provide a GDPR compliant process for the phone number thing (and let's not even start about personal ID), if I were a small game dev I would rather not make myself liable the way one does when using this - it's simply fucking expensive.
But it's not the game dev that handles the information, so the game studio wouldn't be at fault. The game dev never gets that info so isn't storing anything. Discord would be liable for any GDPR infractions.
Nope, doesn't work that way. The game dev is offering a networked service (community,support,etc.)in his name/trademark/brand and therefore is therefore liable for the data protection, it doesn't matter at all if the dev is the data holder or not - that's up to the dev to manage contractually with discord.
The concept of "not holding the data, not liable for the data" has been turned down by various high court rulings by now - Amazon and Microsoft amongst others have tried it and lost.
Except that's not how it's working here. The only "contract" is the EULA that the developer agrees to when creating their discord account.
The developer doesn't collect or store the data, nor have they entered an agreement with discord for them specifically to collect this data. The game developer does not sell access to the discord server (a violation of the EULA). All they have done is use a feature on Discord, available to every user and bound to the terms of both the EULA and Discord's privacy policy.
If what you said was true, then any individual that enables the highest level of protection on any server of any size would end up being liable. This simply is not true. It would also mean that the lowest setting would also leave them liable as an email is stored, which is also not true.
It would also be incredibly hard to determine exactly what they're liable for. Is it all the users who have Discord? All the members in their server? What if a user is in multiple servers with phone/email verification turned on?
Discord collects this information as part of their service for their verification purposes, including 2FA. The implication for the developer is nothing more than a flag on an account.
The difference between the developer and Microsoft/Amazon is that those two companies, while yes they don't store it on their own servers, collect the data for use in their services for their profit for services they sell, run ads on, or collect more data to sell on. The game developer does not run discord, they do not sell discord, they have little agency over that server in discord, and is a service that discord provides. The game developer could pull out at any point and the service would still exist because it is not theirs.
TL;DR - The developer is not liable in the same way that X users aren't liable for people who verify their phone number following them. It's not their service, and the Discord EULA and Privacy Policy apply.
But if the developer makes a Discord "server" for their game community, they are telling Discord to set up a service. If the developer encourages people to join it and retains moderation rights, they're taking that service they ordered from Discord and providing it to other people. If the developer failed to get some legally required in their jurisdiction contractual terms from Discord about what Discord can and can't do with data on the people who use the service, the developer could get in trouble when they provide that service to people without the service following local laws.
In that case, is a YouTuber liable for the GDPR failings of Google? Of course they aren't. It's the same here.
Is McDonald's liable for the GDPR failings of X? They have an account with their name and brand on it. They even pay X for a golden checkmark.
Is Taylor Swift or UGM liable for the GDPR failings of Spotify?
Are individual eBay sellers liable for the GDPR failings of eBay.
I could go on, but you don't quite seem to realise what the implications of what you're saying are if they are true. You're basically making every user liable for any GDPR on any service that collects any data. This isn't the case, or businesses wouldn't use these services.
As long as what is going on here is basically comparable to what is going on when a company uses a third-party service as a peer to individuals, then yes, the company probably isn't somehow responsible for what the service is doing. Government Twitter pages have been found to legally constitute public forums, but that was in the context of restricting the government from blocking people. The person whose page it is still don't really run the place and probably isn't responsible for the actions of the platform.
But if a company hires another company to build and operate a communication platform for it (more of a Mailchimp or Invision Community situation), then you probably have a data controller-data processor style relationship.
So, is Discord more like Spotify or is it more like Mailchimp?
I'm sorry, but it's probably in your best interest to do some research and actually read the discord Terms of Service and Privacy Policy before arguing about something you lack knowledge in. Creators of a Discord server are not responsible for members' data that they send to Discord. That relationship is between Discord and the Member, not the creator of a server. Any "contractual agreement" you are talking about is covered when you click "I agree" when creating an account, the devs' accounts included.
This is a ridiculous argument that has a correct answer that Discord themselves will tell you.
Source: CASP+ Certified
Does the server operator avoid any responsibility for data protection by just having the actual physical copies of all the data they do have access to (user names, post contents, etc.) physically live over at Discord? If the company president's PC is hacked and someone steals copies of all the personal information in support chats that were conducted over Discord, or the contents of private channels where people posted their home addresses for Secret Santa, or whatever, can the company get out of having any sort of data breach disclosure obligations because the data was really Discord's data?
I'll be honest, I don't even know what you're asking. Discord owns all data on Discord. Server "owners" do not own anything from a data security standpoint. If you are asking a question in good faith, please rephrase it into smaller sentences. If you are arguing in bad faith, I have no desire to continue this thread.
How can you tell that this is true?
Did you really have to end a decent comment on a personal attack?
Have you not considered that people just want to keep their anonymity for other reasons?
That asking for such a personal piece of information, that has ramifications if it gets out in the wild, for such a minor thing like a discussion of a video game website, wouldn't want to give their phone number? (Lots of server hacks these days on the news where people's personal information gets out on the dark web, etc.)
I can't prove a negative, that I'm not something, but for what it's worth, I'm not the kind of person you described. I'm a retired computer programmer who is a decent human being.
Or you could just ban people when they get out of line like we've done since the dawn of time, dont act like modding a discord is a high level job
You did read how these trolls have alts built up over years, right? These aren't normal trolls OP is dealing with
If the commenter could read they'd be very upset with you right now.
oh my God they made new accounts what will we do
Increase account creation restrictions (you are here)
Hopefully, Matrix [Element & al ] and Revolt will catch up to discord
I'd like to see what they say if you tell them you don't have a phone number.
Probably "get one". Or "use a friend's".
The times I have run into this verification stuff, it's for servers that want to be for adults only. And so would much rather just give Discord my phone number than a copy of my ID to the server owner, like most of them want to verify I am over 18.
It's not hard to get a toss away phone number you can use for these things or for 2FA stuff. Like a throwaway email.
How does one go about doing that? Because Google Voice doesn't seem to cut it.
I could stop trying to use Discord and drive to Best Buy and buy a cell phone and pay for a month of service. Then I could add the number to the account. Then if I stop paying for the monthly service, there's a good chance that Discord or whoever won't believe I'm me at some future login and will demand I give them a code they sent to the phone number on file.
I just searched for it and got into some shady free service that didn't even need an account, the only caveat is that you are sharing that temporary phone number with several people, and it will probably stop existing in some days, just enough to create an account.
Which means when they ask to verify your number again in 6 months, or after a computer upgrade, you are SOL without that specific phone number.
That's a lot of effort/cost that the user of a website/server has to do, just to access that website/service, when email validation already works (not as well, but still works).
The onus of the effort/difficulty of dealing with bots/etc. has been shifted from the website/server owner, to the user base.
I'm an avid gamer, and most Discord servers that have to do with a certain game, like WoW private servers, etc., require them.
I've attempted that a couple of times, and Discord has detected them and rejected them every time. There's some kind of identifier associated with a phone number that allows Discord to determine if it comes from a third party source.
There's many articles and Reddit style conversations about the issue, if you want to read up on it further.
As someone who had run & managed a Discord server with 10,000+ users, there's only so many options available to us to try and limit bot spam and throwaway account raids.
Yes it's needlessly intrusive to an extent, but you really should try and look at it from their perspective. We didn't run that setting 24/7, but we were also a pretty niche (albeit relatively popular) server. For a server that exists for a fully advertised steam game, I can kinda understand the urge to lock down the security settings to the maximum.Even some of the best server-ran bots which try and stop / catch suspicious accounts just can't do the trick sometimes, and the best solution after that is unfortunately the nuclear option.
As someone who worked in the computer software field his whole career, I sincerely emphasize, I truly do.
But we're talking about recreational access to forums to discuss things like a video games with someone else.
To give up that level of personal information, information that's stored without clear legal specifications of what's done with it, that can be hacked and stolen and used for nefarious reasons, is a bridge too far.
It's putting the security onus on the user, where server security should be the onus of the server admins.
First of all, this is just patently false, Discord lays out precisely what they will and won't do with information you provide to them in their Privacy Policy. That said, I'm not exactly championing giving every website or service you log into your phone number.
Regardless, you're still putting the blame in the wrong place. The onus for securing the server is still on the server admins, and they're doing exactly that by leveraging the security options made available by Discord. Don't blame the admins for taking necessary steps, blame one-click spam bot SAAS providers for making it a necessary step in the first place. I would even argue blaming Discord is even a step too far, because phone number verification does actually work to limit account creation spam.
As crippling as it might be to your sense of privacy, phone numbers are still a decent enough way to limit account spam since most spam creators are taking the path of least resistance and not going through the effort to set up a voip / prepaid throwaway phone line for every new account they create.
This is a ridiculous claim to make, because of how useless the tier before phone verification is:
Those are not legitimate restrictions, please do not pretend like they are.
You have to balance privacy / security with convenience in the modern age. If you put more weight on your phone number than on your desire to interact with that video game community, then just don't join the server and claim the moral highground.
I'm aware of their privacy policy, but I'm speaking specifically towards what is done with the phone numbers when they're obtained.
Are they used just for verification and then discarded, or are they kept?
Those privacy policies usually contain a clause for using the data for marketing purposes. I want it explicitly stated if I'm being tracked for marketing purposes via that number or not.
The fight is between those two, and not me. I'm just the third party trying to use the service / website.
And yet all websites seem to still exist using only email verification.
So, blame the victim then?
You know there's another moral equivalence, that a server admin and a company shouldn't be asking for excessive security for recreational uses.
If email verification is not sufficient then they need to look into other methods of securing their servers, the onus is not on the user base to secure the server.
Yes, and unless you haven't noticed spam comments and fake account are rampant across most popular online services.
And yet most people don't care, and just add their phone number to their Discord account without a second thought; because it's not excessive, it's the norm. You can't even make an account on Instagram without providing your phone number, and in some cases and selfie while holding up a security code on a piece of paper to verify you are human. I'm not saying this slow creep into collecting user date should just be hand-waived away by virtue of it's widespread adoption, but the matter of fact is that if it was really viewed as such an egregious breach of privacy by the average person, then it wouldn't have survived since no one would be using the affected services.
You seem to be willfully ignoring the fact that phone number verification is the answer to this question. Real people tend to have one phone number, fake phone numbers are easy to create but cost money, emails do not cost money.
Do you really not see the intrinsic benefit of requiring a phone number as the strictest form of online security for a tragically spam-laden service like Discord?
No, it's definitely an answer for Discord corporate. For the user base, not so much.
The onus is on Discord corporate and the server admins to deal with the problem, not for the user base to surrender their privacy to solve the problem.
Not agreeing with this, but also, ...
And yet all websites seem to still exist, using only email verification.
FYI, the cross-posted OP (link above) was mod removed by the Discord forum ‘admin’ on 2024-01-19 as being “False claim, false interpreted”, so the above link in the OP will no longer work.
Use a google voice number or give it bunk data. But it is BS.
Google voice numbers do not work. Giving bunk data requires a text back, so can't give a false number.
Even putting whether it works aside, how do you register a Google Voice account without giving Google your number?
Worked for me?
There's plenty of posts/articles on the Internet that would say otherwise. My own personal experience says so as well, as I had already tried what you suggested previously. /shrug
That sucks. Maybe they changed it recently or something. Darn. Well gl!
When I tried was over a year ago. Don't know how long before that. /shrug