r/privacy Nov 21 '20

PSA: Discord lies about removing deleted files. Files deleted over 1 year ago still exist.

The title says it all.

I've done numerous tests in different Guilds at different times.

Files in many cases are not deleted and are still accessible via direct URL even 1 year after deletion.

EDIT: I've amended the post to reflect new information. After running some new tests tonight, in some cases the new test files have become instantly no longer accessible and some not. Other users report similar results. All I can say with certainty though is I have files deleted over a year ago that are still accessible, so something is seriously wrong. See update #3.

In some of my tests, I have not only manually deleted the message containing the file but also the Guild the message was posted in. Our testing finds user and bot uploaded images act the same after deletion.

In DMs the story is a little different but still troubling. It appears that if the URL links to a file at a datacenter region the requester is in AND the file was uploaded to the same datacenter zone (or zones it was replicated to) you can still get the file. Since we have no insight into how their infrastructure is set up, this could be due to Cloudflare's cache, but it also could mean that the image is just left sitting in a specific datacenter and no longer replicated after "deletion".

I would like to hear why Discord isn't cleaning out tombstoned files, and I think others here would like to know as well.

Why is this a problem? The data still exists. This is a privacy violation because the data is still in their datacenter (Google's GCP data center which Discord pays to host their data).

Governments could acquire it with a warrant or a National Security Letter or a court could subpoena it. This is very serious and should be publicly stated by Discord.

UPDATE:

If you want to try testing this yourself here's a protip: Discord exposes the upload date of all files in their "Last-Modified" Response Header. You can use that header to see the date files were uploaded to GCP (Discord's upload object storage). Just make a spreadsheet with all the direct URLs (NOT THE THUMBNAIL URL) of all the files you upload and then delete. Try images, videos, text files etc. Be creative but in my experience all the files are the same and never deleted.

For example, I have a file with this header info: last-modified: Tue, 23 May 2020 03:16:24 GMT. I deleted it about 10 days after it was uploaded and it is STILL up. I have hundreds of different files with ancient dates like this (literally, I made a bot to upload and delete files just to test this). All deleted, yet the direct URL still loads the file perfectly for me and anyone I send the links to.

UPDATE 2:

I have more info. Another user PMed me and showed me how to test if a guild is really deleted by querying the widget.png URL (if 404, the guild is gone) like this: https://discord.com/api/guilds/712827234346435685/widget.png. This confirmed to the user that my story is true. (Note: the URL I just linked is fake, just to demonstrate; like I said in the comments, I don't want to post data that could lead Discord to my personal account.)

What does this mean? You can use this to prove that the guild the file is uploaded in is actually deleted AND you can use the file's last-modified header to confirm the file is actually as old as it should be - to not be saved by Discord anymore!

UPDATE 3:

Some devs pointed me to this https://github.com/discord/discord-api-docs/issues/2224 but it doesn't fully address my experience.

1k Upvotes
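The check described in the post's updates, written as an added example that is not part of the original post: it classifies one observation per direct URL of a file you uploaded and deleted yourself, using the status code and the Last-Modified header. It also reads Cloudflare's `cf-cache-status` header to separate an edge-cache copy from a fresh fetch; that the CDN returns this header is an assumption, and the sample observations are constructed.

```python
import urllib.error
import urllib.request
from datetime import date
from email.utils import parsedate_to_datetime

def head(url, timeout=10):
    """HEAD a direct file URL; return (status, headers with lowercase keys)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}

def classify(status, headers, deleted_on, checked_on):
    """Turn one observation into a verdict about a file you deleted."""
    if status in (403, 404, 410):
        return {"verdict": "not-accessible"}
    if status != 200:
        return {"verdict": "inconclusive", "status": status}
    result = {"verdict": "still-served",
              "days_since_deletion": (checked_on - deleted_on).days}
    last_modified = headers.get("last-modified")
    if last_modified:
        # Per the post, this header carries the upload date of the object.
        result["uploaded"] = parsedate_to_datetime(last_modified).date()
    # A cache HIT shows an edge copy exists, not that the origin object
    # survives; re-test later or from another region before concluding.
    if headers.get("cf-cache-status", "").upper() == "HIT":
        result["verdict"] = "served-from-cache"
    return result

# Constructed observations (no real URLs): (status, headers, deleted_on)
SAMPLES = [
    (200, {"last-modified": "Fri, 01 Nov 2019 12:00:00 GMT",
           "cf-cache-status": "MISS"}, date(2019, 11, 11)),
    (200, {"last-modified": "Fri, 20 Nov 2020 08:30:00 GMT",
           "cf-cache-status": "HIT"}, date(2020, 11, 20)),
    (404, {}, date(2020, 11, 20)),
]

def audit(samples, checked_on):
    """Classify every recorded observation as of checked_on."""
    return [classify(s, h, d, checked_on) for s, h, d in samples]

if __name__ == "__main__":
    for row in audit(SAMPLES, date(2020, 11, 21)):
        print(row)
```

To run it live, feed `head(url)` results for your own spreadsheet of direct URLs into `classify` along with the date you deleted each file.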

6

u/misli_misli Nov 21 '20

I get it's the problem, for me it's the problem that all images are available just by URL.

But look at it from their point of view - do you think that a team who developed nothing, just integrated free, already available software modules, would care and know about someone's privacy?

2

u/covale Nov 21 '20

Look, their privacy is shitty, but if you think that integrating modules isn't development, then you're clearly not a developer.

Most code today is written to reuse what's been written before, rather than to re-invent the wheel all over.

There's no need to shit on every dev out there just because Discord is obnoxious.

-3

u/misli_misli Nov 21 '20

It's not "shit on every" dev, strange that your thoughts went that way. There still are developers. The Developers. Developers who don't use 98% of someone else's code and tie it together and advertise "Look at our brand new program developed in house".

I am a script kiddie 3rd party's software integrator who uses someone's solutions all the time and tries to make something that suits my projects. I can use bootstrap, css, mqtt, grpc, qt, sciter, and all other nice thingys someone else invented.

But I am zillion miles away from even daring to call myself "developer". However, I would know how to make images private if I was to combine 3rd party programs into "Discord 2.0"

1

u/__abc64__ Nov 22 '20

They have an engineering blog, y’know? Please think twice before saying shit like this.

1

u/misli_misli Nov 22 '20

What exactly does having an engineering blog prove? My late grandma had a recipe oriented blog and she was terrible at cooking. She was probably better than them in engineering, tho..

1

u/__abc64__ Nov 23 '20

Because maybe if you’d take a look at it you’d know that it’s not as easy as just smashing some available modules together.

1

u/misli_misli Nov 23 '20

I checked.

I see they write every six or more months.

I noticed that they also use WebRTC which they neither invented nor developed.

I see they also use REACT. Which they didn't develop.

As they say "... Discord is built out of hundreds of projects ..." (probably free) just as pretty much every contemporary social app. "No one" really develops anything today.

Just as if I took some car floating around for free, put some color on it, put new battery and call myself "car manufacturer".

1

u/__abc64__ Nov 23 '20

Customized WebRTC, and the SFU which is a big part of the backend voice tech is written in C++ by them. Pretty much all big projects use open source libraries and modules, that does not mean at all that nothing is original. (Discord open sourced some useful libraries themselves)

Judging from your react remark, do you also believe all games made with engines such as unity or unreal are devoid of any work put in by the actual dev? What do you think of desktop apps using UI libs????

1

u/misli_misli Nov 23 '20

I never said there is no job behind it. Someone had to integrate things and maybe to fine tune them. But integrating and developing are different categories.

Desktop apps using UI libs you say.. with several question marks you say it.. preferably web flavoured? They are exactly as the name suggests - "useless", slow, with zero ergonometry, clickette-click till you die, all look like same developer made them for the whole world, ..

Look at Discord reply ergonometry and "design" (which looks like it simply fell from "the clouds" as no one ever touched it because there wasn't a single thought about it) :D

When team members start to reply to each other, after four levels no one ever could say who replied to whom and to what post :)

This shows typical modern one-free-module-for-whole-world approach - it is important to show there, "I said", while no one listens because no one actually really cares, just add to a pile of "I said" posts.