Discord has been fined 800,000 euros by the French data protection regulator (CNIL) for a series of GDPR violations, including failing to enforce strong enough passwords and failing to protect data by default in voice chats.
According to the French National Commission for Information Technology and Civil Liberties (CNIL), Discord breached the EU privacy regulation in several ways, among them failing to disconnect a voice chat when a user clicks the "X" icon in the top right corner of the window.
As the CNIL notes, clicking the "X" in most Windows applications terminates the program, but in Discord's case the application was simply sent to the background. A user who believed they had ended a call could therefore go on transmitting, unknowingly, to everyone else still connected to the voice chat.
According to the French authority, Discord now warns users through a pop-up window that the application is still running, and users can change a setting so that clicking the "X" icon closes the application rather than minimizing it.
The investigation also faulted Discord for accepting passwords as short as six alphanumeric characters. The service now requires passwords of at least eight characters drawn from all four character types, and presents a CAPTCHA challenge after 10 failed login attempts.
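The two password rules described above, the one CNIL faulted and the one Discord now enforces, as an added example in Python. This is illustrative code written for this article, not Discord's own implementation: the article says "four types" of characters without listing them, so the four classes (lowercase, uppercase, digit, symbol) are an assumption, and the failed-login counter is a minimal model of a CAPTCHA gate keyed per account.

```python
"""Added example (not Discord's code): the pre-2020 and current password
policies side by side, plus a per-account failed-login counter that says
when a CAPTCHA must be demanded. The four character classes are assumed;
the article does not list them."""
from __future__ import annotations

import string
from dataclasses import dataclass

# Assumed character classes behind "all four types of characters".
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    required_classes: int  # how many of the four classes must be present


# The policy CNIL faulted: six characters, no composition requirement.
OLD_POLICY = PasswordPolicy("2020 policy", min_length=6, required_classes=0)
# The policy the article says Discord adopted: eight characters, all four classes.
NEW_POLICY = PasswordPolicy("current policy", min_length=8, required_classes=4)


def violations(password: str, policy: PasswordPolicy) -> list[str]:
    """Return a list of reasons the password fails the policy (empty = accepted)."""
    problems: list[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    present = {name for name, chars in CLASSES.items() if any(c in chars for c in password)}
    if len(present) < policy.required_classes:
        missing = ", ".join(sorted(set(CLASSES) - present))
        problems.append(
            f"only {len(present)} of {policy.required_classes} required character classes (missing: {missing})"
        )
    return problems


class LoginThrottle:
    """Counts consecutive failed logins per account; once the threshold
    (10 in the article) is reached a CAPTCHA is required. A successful
    login clears the counter."""

    def __init__(self, captcha_after: int = 10) -> None:
        self.captcha_after = captcha_after
        self._failures: dict[str, int] = {}

    def captcha_required(self, account: str) -> bool:
        return self._failures.get(account, 0) >= self.captcha_after

    def record(self, account: str, success: bool) -> bool:
        """Record one login attempt and return whether a CAPTCHA is now required."""
        if success:
            self._failures.pop(account, None)
        else:
            self._failures[account] = self._failures.get(account, 0) + 1
        return self.captcha_required(account)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("abc123", "Tr0ub4dor&3"):
        for policy in (OLD_POLICY, NEW_POLICY):
            print(f"{pw!r} under {policy.name}: {violations(pw, policy) or 'accepted'}")

    throttle = LoginThrottle()
    for attempt in range(1, 12):
        needs_captcha = throttle.record("alice", success=False)
        print(f"failed attempt {attempt}: captcha required = {needs_captcha}")
```

Note that "abc123" passes the old policy and fails the new one on both length and composition. Composition rules of this kind are a common regulatory baseline, but current guidance such as NIST SP 800-63B favours a minimum length plus a check against known-breached passwords over mandatory character classes, and a failed-attempt counter like the one above should be keyed to the account, so that a distributed password-spraying attack cannot sidestep it by rotating source addresses.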
The company has also committed to deleting accounts after two years of inactivity, in line with the GDPR's requirements on data retention.
The CNIL says the amount of the fine takes into account Discord's efforts to address the concerns "and the fact that its business model is not based on the exploitation of personal data."
Earlier this year, France’s data protection authority fined Facebook €60 million for not allowing users to opt out of tracking cookies. Facebook’s business model relies on collecting and analyzing user data to provide advertisers with a targeted audience.
In an email, a Discord spokesperson told Information Security Media Group that the CNIL report "is based on the product features and practices of 2020 that have since been updated." The company appreciates "the opportunity to engage with the CNIL because user privacy is very important to us," the spokesperson also said.
While the company generally has a good reputation for its internal security, it has recently drawn considerable criticism for not doing enough to limit attacks on its users carried out through the platform.
Some have complained that the way the company handles logins protected by 2FA makes it too easy for an attacker to compromise someone by sending them a malicious link, and that recovering a compromised account is a long and difficult process.
So, could this fine be the moment Discord takes privacy back into its own hands?