1. 21
    1. 9

      https://github.com/discord/dave-protocol/blob/main/protocol.md#downgrade-to-transport-only-encryption

      This seems like an interesting footgun. Since they only support official clients, and official clients go the whole ‘fsck you’ of “it’s your lucky day, here’s an upgrade” (which then also proceeds to download more upgrades) to ignore bump the version number in resources/build_info.json there should be no point to have a way to downgrade the shared session.

      1. 7

        They allude to the reason in the blog post:

        DAVE is compatible with all of our supported clients and nearly all of our voice and video spaces. Our latest desktop and mobile clients already support this upgrade, and we plan to extend support to the rest of our clients next year.

        The blog post originally announcing the plan to do voice+video encryption was over a year ago, so to me it seems like having a downgrade path was a requirement to ship this feature in a reasonable time frame. Better to protect some portion of calls now than to protect no calls until some time in 2025. I just hope they’ll tweak the protocol to prevent downgrading once they do roll it out everywhere (or maybe add a setting to the client to disallow/disconnect from non-E2EE calls?)

        1. 3

          The mobile clients don’t work like that. You can run a year old version of the official Android client if you want to.

          Also, while unofficial clients aren’t supported for users, all bots use 3rd party libraries that need to be updated. Discord has said that they will give 6 months notice to bot developers before E2EE becomes a hard requirement.

          1. 2

            The way they seem to have upgrades implemented is that they require a restart of the app, so I guess this is to let people who don’t restart the app for weeks (like me) join voice chats without friction?

            They could just prompt you to restart to continue using voice chats at that point, though.

            1. -10

              Discord engineers putting in overtime to protect the sextorters and pedophiles that run rampant and live the life of Riley on their platform. Nice.

              1. 15

                Are you one of those people in favor of the government scanning all private chat activity?

                1. 1

                  I’m not in favour of it, but I think it’s at the point where arguments against platforms doing any kind of scanning or action are, functionally, arguments for actively protecting cybercriminals. If it’s automated, I don’t care what they’re scanning.

                2. 12

                  I would prefer E2EE for all, including potential criminals and lowlifes*, than normalising all communications being read by the government of the day (or of the future).

                  * I have two school-aged children, so I’m not without skin in this game.

                  1. 10

                    This is a massive issue on Discord for sure. And it’s generally understood that they really don’t seem to be doing much to help the situation. But this is very very unlikely to be related, or pushed in particular to protect those kinds of awful people. It actually is a net benefit to the users.

                    That being said, I still hate Discord, for a few reasons. And it is still a platform that poses a risk to minors. But more so than other platforms? I’m not sure.

                    1. 3

                      Yep, Discord is structurally designed to encourage child abuse.

                      1. 3

                        I found out just the other day they obfuscate the reporting options for CSEM and child predators, and they require you to have access to specific message IDs before they investigate. Really trying their hardest to keep kids safe.