Please notice: This article is more than 3 years old
Content, Source code or links may no longer be correct in the meantime.

Lately I received the following invitation for an online meeting in a network of consultants:

The EU-US Privacy Shield has been overturned by the ECJ. What does this mean for companies and service providers? Which services may still be used and which data may be transferred?

Exactly my topic and I continued further reading. The link at the end of the mail led to a meeting room on the platform discord.com - exactly my sense of humour!

A quick look at the Data Protection Policy¹, accessed yesterday afternoon, last updated 23 June 2020.

(…) we sometimes hire other companies or individuals to perform certain business-related functions. Examples of such functions include mailing information, maintaining databases and processing payments.

We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights or property of the Company or Related Companies, (iii) protect the personal safety of users of the Services or the public, or (iv) protect against legal liability.

Discord complies with the EU-U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively.

But there’s still more to come: Like other so-called “social” networks, Discord reserves the right to obtain a perpetual, non-exclusive, transferable, royalty-free, sub-licensable and world-wide valid license² with any upload, distribution, or any other act of transmission in conjunction with its service, e.g. sharing a file during a conversation. It may therefore:

(…) use, host, reproduce, modify, adapt, adapt, publish, translate, create derivative works, distribute, perform and present content in connection with the operation and provision of the Service.

Discord effectively reserves all rights to do whatever it deems appropriate with its 100+ million customers’ aggregated data from the daily volume of 4 billion server messages³.

Let’s take a look how an advertising agency work when selling exclusive logo or images to their clients and sharing and working on it internally via Discord between its project team-members. What if the same image appears in an internet image-database just because Discord has entered a lucrative (for itself!) contract with an stockimage agency and therefore sublicensed all images to them?

The legal basis is supposed to be the Privacy Shield, which has been legally invalidated⁴ for nearly 2 months by the highest court of justice responsible for us. Unfortunately, many people forget that the Privacy Shield was not only declared invalid. The ECJ has identified a violation of fundamental EU rights, since a subject has effectively no rights towards US companies⁵. Without special technical or organizational measures and without “case by case” analysis, even the so-called standard contract clauses do not help⁶.

(…) people also have no option to go to the courts. The CJEU found that this violates the ’essence’ of certain EU fundamental rights.

As Max Schrems put it very nicely during his recent EU hearing: We are simply dealing with two fundamentally incompatible legal concepts of basic rights. Either the US changes its data protection laws or there is no legal basis, the data must not be transferred. It is so simple. Even the well-known Axel Voss can only approve 99.9% of Max Schrems’ statements in the same hearing⁷.

Okay Tomas, don’t be a bummer, they just don’t know what they are doing. They just need someone to tell them. Minimize the risk to yourself and attend the meeting. So I started up a testing VM used for exactly such purposes without access to customer- or project-data, separated from my entire internal network. The following screenshots and this screencast document my attempts to log in via web interface:

Conculsion: Anyone who intends to use Discord cannot avoid the services of Google, especially Google Analytics and NewRelic. Neither of them mentioned in the privacy policy. Regarding this NewRelic is no unknown in this context, as it enables even more detailed data mining in “real time” not only with the aggregated contents and metadata but also from the devices used by the user - in short, the complete IT stack ⁸.

Bearing that in mind, the following detail is quite insignificant, but I find it debunking in its own distinctive way. Discord uses the free polyfill.io⁹ on its site but not on their own (rented) servers but hosted and externally linked. This is the technical comination of disinterest and laziness.

After half an hour of trying I deleted the VM and wrote a friendly, but determined cancellation to the organizer. Of course combined with my invitation and offer to give a lecture on the subject on my own conference server.

Anyone who is working on projects with NDAs, competition or confidentiality clauses is no longer on thin ice with the use of such services, he has already broken through. I would be pleased to help you with the development and risk-assessment of your own technology.

With this in mind,
you are welcome

Transparency notice:

Tomas Jakobs has been a Gold Sponsor (No 2879) of noyb for several years now and supports the organization with an annual three-digit donation