If you use Discord, be aware: your activity in public messaging and voice channels may have been scraped and sold online for as little as $5.
404Media originally broke the story, reporting that an online service called Spy Pet was crawling over 10,000 servers across Discord. The vast amounts of data accumulated from this campaign are used for a variety of purposes: Spy Pet is sold to anyone who wants it for as little as $5 via cryptocurrencies, including Bitcoin, Ethereum or Monero, esp. Law enforcement officials and organizations seeking to train artificial intelligence systems.
According to the report, Spy Pet essentially turns Discord's decentralized platform, where users can post on thousands of servers of their choice, into a simple way to target a given user's activity. Anyone who pays can decide to view your published content in one convenient location. In short, not good.
404Media tested Spy Pet and found that it works as advertised. While the outlet was unable to confirm Spy Pet's claims of having more than 14,000 servers, 600 million users and 3 billion messages, it was able to successfully purchase data from the service. Apparently you can find specific users for about 10 cents. (I guess that’s all we’re worth.)
Spy Pet has data from a variety of different servers, ranging from gaming communities like Minecraft , Among Us , and Runescape to cryptocurrency-related servers. That said, 404Media reports that many of the tens of thousands of servers listed here have no data at all and appear unlikely to be scraped.
Emerging Issues in Internet Privacy
This is obviously a serious violation of user privacy, but it's a complicated story. For one, Spy Pet doesn't actually crawl direct messages: your private messages between other Discord users are safe, it's just the messages you post in the server itself.
Here's where things get tricky: These messages aren't necessarily personal. Anyone who joins the server can see everything you post and can extract this data themselves. In theory, if someone is part of every Discord server you're active in, they could perform their own spy pet grab. It's going to be weird for them, but they can do it.
Of course, Spy Pet is doing much more than that: they're scraping tons of data and can check all of your activity for a dime of cryptocurrency. Plus, they sell it to sources you never agreed to. Law enforcement may not care about your Discord activity, but you didn't expect the police to scrutinize your Minecraft memes. The same goes for AI companies: I don't want my Discord data being used to train AI models, even if these companies no longer have the internet to train their systems.
What you can do to protect your Discord data
Unfortunately, there's not much you can do about the data that's already been scraped: Spy Pet doesn't appear to be interested in deleting your data from its servers (if any).
However, going forward, please be on the lookout for any bots looking to join your Discord channel. This is how Spy Pet originally scraped all this data. It's not always easy, as this Reddit post explains: Some bots won't advertise themselves as such, but will appear as new accounts with no identifying information or profile pictures, and will silently remain in the channel crawling Get data. Better safe than sorry: Channeling suspicious lurkers.
If you control the server, consider taking some privacy actions, such as making the server private, or changing the server's authentication settings. These changes don't guarantee privacy, but they will help keep bots off your channel.
While it may not be as public as Twitter, it's assumed that everything you post on Discord will be seen by anyone. This is a really good rule of thumb for anything that isn't end-to-end encrypted and anything you post or send online. Even under the most secure circumstances, nothing on the Internet is foolproof and someone, somewhere, may see what you say. If you join a Discord server, please keep this in mind before you start typing.
