First reported by StackDiary and The Register, a website called Spy.pet claims to have scraped billions of public Discord messages made by almost 620 million users, selling the individual messages and profiles for crypto.
Spy.pet ties message logs to the users who sent them, and also collects Discord aliases and linked social media and Steam accounts—it’s basically one stop shopping for any surveillance and harassment needs. Spy.pet further purports to offer an “enterprise option” for anyone looking to train an AI model on the site’s library of messages.
The site presents this as a potential option for “federal agents looking for a new source of intel,” but I’m not sure what bush league FBI office is looking to outsource that capability here.
Even with all our data already liable to be scrutinized by the government and sold by platform owners, there’s a particular sense of violation at seeing it all packaged up and on sale to anyone like this, and Spy.pet’s owner seems to take a certain glee in potential objections to the business: A “request removal” link on the site just leads to a .gif of JJ Jameson laughing in the Sam Raimi Spider-Man 2. I don’t think J.K. Simmons is actually that flippant about my privacy, thank you very much.
In a statement issued to both the Register and StackDiary, Discord indicated that it is investigating Spy.pet for potential breaches of the company’s terms of service: “Discord is committed to protecting the privacy and data of our users. We are currently investigating this matter. If we determine that violations of our Terms of Service and Community Guidelines have occurred, we will take appropriate steps to enforce our policies. We cannot provide further comments as this is an ongoing investigation.”
As StackDiary points out, Spy.pet is also likely in violation of several articles from the European Union’s General Data Protection Regulation. While we don’t get nice consumer protections like that here in the US, the Register argues that Spy.pet’s potential sale of children’s data could still leave it legally liable in the States as well.
A crypto-fueled private sector surveillance and harassment machine is a lovely new nightmare of the 2020s, and I hope it gets shut down, but it’s another valuable reminder not to treat Discord like it’s private. What you say in a small, invite-only server with friends will probably stay there unless one of your friends shares it or reports a message to Discord’s mod team, but to really be safe, chatting on Discord has to be seen as posting publicly on social media.
So, you know, probably don’t leak classified military intel on Discord servers, and just generally don’t say anything on there you wouldn’t want to see screenshotted and put on Twitter or Reddit. Of course, it would also help if we would just stop making Discord servers for things that shouldn’t be Discord servers.