Discord's AI breaks its own TOS!

00:00

you probably didn't know but discord's

00:01

AI summaries break discord's own terms

00:04

of service by leaking your data but how

00:06

did this happen what are the

00:08

repercussions and what is Discord going

00:10

to do about it now I'm going to assume

00:11

that you've never had the absolute

00:13

pleasure of using discord's AI summaries

00:15

now I'm in Discord experiment Tu will

00:17

have the invite Link in the description

00:18

so you can try it out yourself but

00:20

there's this little scroll button up

00:21

here and when you click on it you get

00:22

this option to look at Discord AI

00:25

summaries now what the summaries feature

00:26

does is it uses open AI to summarize

00:29

your Discord conversations and why am I

00:31

saying this feature is an absolute

00:32

pleasure to use well here's this example

00:34

here a conversation about enabling a fax

00:37

printer which if you click on it is just

00:38

one message from someone named fax

00:40

printer asking how to enable AI is going

00:43

to be taking our jobs for sure actually

00:45

for Discord that's definitely not the

00:46

case because I don't think this AI

00:48

summaries feature is going to last for

00:50

long because there's a big massive issue

00:52

with it and the issue with AI summaries

00:54

was found by a very familiar face on

00:56

this channel penley now I could be

00:58

really lazy and boring and just read off

01:00

of the screenshot but I've had two cups

01:02

of coffee today I'm feeling it so I'm

01:04

going to show you how this exploit Works

01:06

in practice so when you're on a Discord

01:07

server and you get these AI summaries

01:09

it's actually something called a get

01:11

request to discord's API it's like me

01:13

ringing up Discord servers and saying

01:14

yeah I need some summaries for this

01:16

specific Channel but in these summaries

01:17

we can see that there is a topic a

01:19

summary short message IDs and people and

01:22

this actually corresponds to the

01:23

information shown in the summaries tab

01:25

we can see that the title is

01:26

impersonation issues the topic

01:27

impersonation issues well like I said we

01:29

can also see message IDs and we can also

01:31

see the user IDs of everyone that is in

01:34

the summary so let's say that Pokemon

01:35

deletes their message if you go to the

01:37

AI summaries tab they should not show up

01:39

as an author anymore in fact every

01:41

single person could delete their message

01:43

except one there has to be one remaining

01:45

message but if everyone deleted their

01:46

message they will not show up as authors

01:49

which is fine except if you go to

01:51

insomnia or you just use anything and

01:54

you send a get request to Discord if

01:55

they delete all of their messages you

01:57

will still be able to see their message

01:59

IDs and the people that have partak in

02:01

the summary so let's say there's an AI

02:03

summary of someone talking about them

02:04

coming out of the closet now whoever was

02:06

chatting about that they realize maybe

02:08

we should delete our messages so that

02:10

people don't harass us so they delete

02:12

all their messages talking about coming

02:13

out of the closet but they just forget

02:15

one so that it still remains in the AI

02:17

summaries well let's say a homophobe

02:19

joins the Discord server and they see a

02:21

summary talking about someone coming out

02:23

of the closet even with the messages

02:24

deleted they could still go to insomnia

02:26

send a get request and figure out

02:28

everyone that talked about about the

02:30

thread which means that the homophobe

02:31

could see everyone involved in the

02:33

thread and harass every single one of

02:35

them so that is how this security issue

02:37

could affect you personally but things

02:39

get even worse because this whole entire

02:41

security issue has legal repercussions

02:44

now let's look at the rules by dran Van

02:47

strangle but in discord's terms of

02:48

service they have a privacy policy now

02:50

this whole document basically dictates

02:52

what Discord can and cannot do with your

02:55

personal information and if you scroll

02:56

down long enough there's a very

02:58

important section you actually allowed

03:00

to edit and delete specific pieces of

03:02

information within Discord services this

03:04

is like a fundamental Rule and the

03:06

fundamental rule is that you can delete

03:08

any message that you have sent on

03:10

Discord if you have posted it and you

03:11

still have access to the server or the

03:13

space that you posted it what this means

03:16

is that if you delete a message on

03:17

Discord it should be deleted your

03:19

personal information should not be

03:21

attached to it in any way whatsoever

03:23

your Discord user ID should all be wiped

03:26

unless of course you've done something a

03:28

little bit naughty so when what

03:30

scenarios would Discord store your

03:31

message even after you delete it well

03:33

there's two main scenarios the first one

03:35

is to comply with the law for example if

03:37

you're planning a domestic terrorism

03:39

attack on Discord Discord would save

03:41

your messages even if you deleted it

03:43

assuming of course they actually figure

03:44

you out because they are required by law

03:46

or if they get some sort of legal notice

03:48

but the second scenario that Discord

03:49

would store your messages is if you're

03:51

reporting someone so if you go through

03:53

the report message prompts and you go

03:55

through everything Discord will store

03:56

this message so that they can actually

03:58

ban the person even after after you

03:59

delete this message it's still going to

04:01

be stored by Discord but here's the

04:03

thing even with these AI summaries if

04:05

you delete your message your user ID

04:07

will still pop up that is your

04:09

information and absolutely nowhere in

04:12

this privacy policy I promise you

04:13

absolutely nowhere it says that a

04:15

like me some random Discord user can get

04:18

some of the information of your message

04:20

discord's own AI summaries is breaking

04:23

discord's own privacy policy now I'm not

04:27

a lawyer but I'm not sure about the

04:28

legality of of all this and I want to

04:30

point out that this has been an issue

04:32

since May

04:34

2023 and it still has not been patched

04:37

at this time and what will Discord do

04:40

about it well we need a little bit of

04:42

backstory because here's the thing every

04:44

single tech company on the planet loves

04:46

Ai and Discord is no exception but

04:49

Discord is the exception in terms of

04:51

complete and utter failure because in

04:54

this blog post talking about AI Discord

04:55

announces a handful of AI features we

04:58

first have Clyde Clyde is discord's AI

05:01

chatbot Clyde says racial slurs Clyde

05:03

tried to date underage people and if

05:05

you're not up to date on the Discord

05:07

news Clyde has been cancelled our next

05:09

feature automod AI the way that it works

05:11

is that it'd use AI to moderate your

05:13

Discord server and see whether or not

05:15

people are breaking the rules I've not

05:16

seen any update to discord's automod AI

05:19

whatsoever this feature is basically

05:21

dead in the water we have Avatar remix

05:23

which is just a Discord bot so nothing

05:25

crazy there we have whiteboard with AI

05:27

preview which is where you're supposed

05:29

to be able to Draw Something in the

05:30

Whiteboard and uh turn it into a magical

05:32

AI image it doesn't exist in Discord so

05:35

the final AI feature of Discord is

05:37

conversation summaries it is an absolute

05:40

hot mess of problems for Discord and I'm

05:43

99% sure I am betting my left nut on

05:45

this one that Discord is going to cancel

05:47

AI summaries just like how they canceled

05:50

every single AI feature that they tried

05:52

to release W wamp and now that the cat

05:54

is out of the bag with this problem

05:56

chances are Discord is going to look at

05:58

this summaries AI feature and just

06:00

cancel it completely which means I get

06:03

to save my left nut so this is a big win

06:05

for me now one final thing I want to

06:07

talk about in terms of these AI

06:08

summaries leaking your user ID is that

06:11

Discord will actually pay you money if

06:13

you find bugs like this Discord has a

06:15

bug Bounty and fortunately for us panle

06:17

told us how much they got paid

06:20

$750 which is a pretty fair chunk of

06:22

change you could actually buy 42

06:24

emergency fire blankets to put out the

06:26

giant dumpster fire of a problem that AI

06:28

summaries are Discord take notes here

06:30

any hoot Gamers That's All She Wrote a

06:32

pretty nerdy video and somehow if you

06:34

made it this far then let me give you a

06:36

kiss I love you sweetheart