Spy.pet is a “service” that uses the technique of “ scraping » to extract data from Discord users without their consent.
Gamers, SMEs, teenagers or even family circles, Discord and its 150 million active users around the world is the most popular instant messaging platform. A veritable hive of users who come and go between different private or public servers, you can find everything on Discord: discussions, files, software, documents, etc.
And sometimes, we forget in this frenzy that Discord is nothing other than a huge arena open to the four winds on the Internet in which everything that is exchanged is potentially accessible to anyone who wants it.
This is exactly what a new “service” seems to benefit from since October 2023, according to a survey revealed by the site 404 Media. Spy.pet, not to mention it, allows those who wish to explore – for a fee – Discord data on 14,000 servers. All while sitting on GDPR and morality.
Spy.Pet uses Discord’s public system to monetize its operation
We tend to forget it, but Discord is essentially an IRC, for Internet Chat Relay, a system that allows anyone to chat almost in real time with strangers on the other side of the planet and to exchange ideas, but also software, or even documents and photos. In other words, anyone with good tools, such as bots, can access all the data hosted on Discord, since some of it is public and stored. It is also this storage that allows Discord users to carry out searches on discussion channels.
These accessible data, some of which may be sensitive, have fallen prey to a “service”, if we can call it that. Called Spy.Pet, it took advantage of the open nature of Discord. It tracks over 14,000 servers, has a history of over 627 million users, and has nearly 4 billion messages saved in its archives. Not only does it use “scraper” robots, which “scrape” user data without their consent, also scratching Discord’s T&Cs in the process, but when a user realizes the “sequestration” of their data by Spy. fart and tries to request their deletion (via a link available to him on the site), he is simply redirected to a humorous video, clearly indicating that deleting the chat history is not an option.
And as if that were not enough, the platform also offers an “Enterprise” package, which offers interested parties the opportunity to use this scraped data to train AI models.
Finally, and as all work deserves payment, access to this data is not free. We are in the middle of Pay-Per-View since to see this data, you will have to pay some cryptocurrencies. A payment system whose transparency has yet to be demonstrated.
A clear violation of the GDPR and heavy moral harm for powerless users
Spy.pet does not bother with the GDPR, of which it violates at least 3 articles, mainly relating to consent and the right to be forgotten. Indeed, scraping robots collect the personal data of Discord users without their consent, that of the owners of the servers or of Discord, sometimes even without their knowledge that it is not a crime strictly speaking. .
Article 6 of the GDPR states that the processing of personal data must be lawful, meaning it must be based on consent or necessity. Spy.pet, by collecting data without user consent, directly violates this requirement.
Next, Article 17 of the GDPR provides the right to erasure, AKA “ right to be forgotten “. This gives individuals the right to request deletion of their personal data. The fact that Spy.pet casually treats removal requests by redirecting to the famous Spider Man meme “ Are You Serious? » shows not only a disregard for this law, but also a lack of respect for individuals’ privacy concerns.
Finally, Article 8 of the GDPR concerns the conditions of consent of children for information society services. Since Discord users can be as young as 13, storing minors’ data without parental consent further complicates Spy.pet’s legal status.
Beyond legality, there is an ethical dimension to consider. The indiscriminate collection and monetization of personal data can cause real harm, affecting people’s social lives, personal relationships and even their mental health. Information collected and sold may be used for purposes ranging from harmless to profoundly malicious, including harassment, stalking, or commercial exploitation without the consent or knowledge of the individuals involved.
Major damage that, at the time of writing, Discord has taken charge of by opening an investigation. Because gamers’ favorite platform has already been slapped on the wrist by the CNIL in 2022 for breaches of the GDPR on… the protection of its users’ personal data. We can bet that the fine of 800,000 euros imposed on this occasion will serve as a lesson to Discord which will be able to put an end to the opportunistic actions of Spy.pet. In the meantime, if you use Discord, alas, you can only suffer a potential breach of your data and consent. But you can still report possible abuse on the Pharos platform or contact Discord and if that is not enough, contact the CNIL, particularly regarding the right to be forgotten.
Source : 404 Media, Ars Technica
3