In case any Discord employees are reading this: please don't remove the ability for bots to read message_content , or make me jump through verification hoops either. Reading raw messages is absolutely crucial for moderation bots and, well, just about every other fun and interesting bot.
I don't write discord bots so you can type a slash command to do a thing. That's boring. Good bots can read messages. Discord will be very "not dope" and "not cool" if bots are forced to become a sterilized pick-list of interaction options.
Also they need to stop rate limiting so much for normal users. We found out they rate limited banning. I moderate a large server where we dont add many barriers to entry so we get raiders and bots. We had to ban a thousand bots and couldnt go as swiftly due to rate limiting. I wish they would provide sensible controls for their bot problem and looser API restrictions. The bad bots dont care about rate limiting. I even saw a bot raid where accounts were just created that very moment. They have a broken registration flow somewhere.
Sorry for rant I moderate a sizable Discord and these are burdens a lot of political or reasonably large servers face. We get fresh raids every other week with thousands of accounts. Idk why Discord finds it normal that thousands of accounts would join any server within a minute and spam user DMs and leave. These are red flags.
You're talking to an empty room. Startups operate by pushing money at features that are inherently unsustainable, so that they look like they're "better" than the competition. Now that discord is highly valued and looking for buyers there's no stress to ensure those features continue, or to in any way seriously improve the product. Standard push-pull economics.
Microsoft offered $12 billion. They set the floor, and now Discord is trying to raise it. Nothing about this makes sense, unless Discord plans to offer premium bots they control or something along those lines.
A real-world example I base this on: Twitter started squeezing developers after the IPO in ways that only make sense for a company that wants to control the experience for monetization purposes. They were desperate to justify their stock to investors. Discord might be on the same track.
Reading that placates my concerns a little. The bot API community's reported morale deflation after the NDA-sealed meeting mentioned in the Gist kind of trounces it though. I've got a sinking feeling that the ultimate vision for this applies to all bots, and it's only "bots used in 100+ servers" for now.
Time will tell, I hope I'm proven wrong. I hope that preemptively voicing my concerns helps keep the conversation going to make sure small bot authors aren't left in the dark.
The thing is, you're probably right. Over time they've been restricting items for bots in over 100 servers. Right now its to see the users in the server and also to see the statuses of these users.
They should not remove it but it shouldn't be the way for most bots. Unless your bot is working with the messages instead of commands, it should get access to zero messages. While adding the bot, it should clearly say if it can read messages and if it can, why does it need it.
I wrote a bot and then realized my boy can easily log everything even tho it was only posting some updates from somewhere else.
Since then I've been restricting bot permissions as much as possible. Most bots these days directly want admin permissions in every channel. They don't need it. They can get their 99% things done with slash commands. I should be able to deny message permissions and get those 99% things working.
If your bot is not in your own channel and is reading messages, you should be fully verified by discord.
If it is your own channel and you _host_ the bot server, you should be able to anything without verification.
The issue is most bots setup instructions include adding them with tons of privileges including admin even if they don't need it. Then they get private channel access and can log those. This is not really apparent to most (non-engineering) people.
I think bots that can read messages, should always be self hosted instead of some random 3rd party.
Most bots just post updates and responds to commands. / Is the way to go.
> I don't write discord bots so you can type a slash command to do a thing. That's boring. Good bots can read messages. Discord will be very "not dope" and "not cool" if bots are forced to become a sterilized pick-list of interaction options.
Are there large bots that are particularly dynamic? Every bot i've seen with any real usage across servers has a !help command with a static set of commands. Plus, on almost all of them you can change the command prefix to a special character like `~`, which was very needed with multiple bots defaulting to the `!` character, thus causing multiple bots to respond at once to commands where the user only intended one bot to respond.
I've seen a few markov chain bots which were hilarious. As another comment mentioned, they can also be used for automated moderation. I've also seen a few servers with a bot that lets you "level up" depending on how active you are
Nadeko bot is a fairly big bot that has the ability to configure custom responses that the bot will reply with if a user types a certain message (any string of text, no prefix).
Core functionality is of course behind a prefix, but that's just convenient.
Another popular bot, Mudae, allows the user to use both prefixed commands and slash commands, and the latter can take a few seconds to go through. Not acceptable when you have to fire ten or more commands at once in under half a minute.
A better argument would be that "slash commands lack the same accessibility", than to say they are boring. I have many friends that use a variety of accessibility tools and well aware of how changes can really frustrate and block them from communicating.
You're wasting your breath. Given the hamfistedness of their approach and swiftness with which this was pushed through, this was an order from the top. Which means that they're likely going to start monetizing user data directly and they're aiming to shut down third-party collectors.
I think Discord bots bots have a huge security and privacy issue where there are these mega (and less mega, but still large) bots that are just unnecessarily slurping up all private conversations in a lot of servers, without a lot of people's knowledge.
As a user in a server, you don't really have a way to consent to whatever third party bots reading your message. You've just got to hope you see that the bot was added, or see it in the user list. The server admins consent to the bot being added (and as an admin you still need to hope and trust that they're not doing anything dodgy with all the unnecessary information they're getting), but no one else in the server gets to consent or is made aware of the new audience they're broadcasting to.
I think for the broader Discord community - which is pretty broad with a lot of younger and non-technical folk - making reading messages a privilege intent is the right move.
When you join a server you can go through the entire history of that channel. A user or a bot pretending to be a user could come in at any point and slurp all of that up.
If you restrict this capability then ultimately you'll just end up with bots pretending to by users.
I think the difference though is that as a user, you cannot do that easily. Whereas a bot can automate this across many channels and servers (especially as this restriction only applies to bots in 100+ servers).
User bots I think is a different, equally valid problem (if not more problematic) that's probably harder to solve. "Rogue bots" look just like normal bots that a server admin would voluntarily install without knowing what it's dong behind the scenes. Bot users are actively malicious and breaking the ToS, and can't reach the same scale as bots (because all server admin cannot just add one to their server).
I think they're both problems, but represent different points on the threat matrix. It's kind of like saying "iPhone shouldn't restrict access to the camera roll for App Store apps when viruses can just bypass and get them anyway".
Bot users aren't necessarily malicious at all. That's how automated bots always start out as. And there's no way to tell whether a user is a bot or not if they don't interact with the server.
Besides, if you say something on a public discord chat it's like saying it on Twitter.
But you realise the danger of this, no? If you have a bot in your private server listening for all messages, those messages are being sent off to somebody else. You have no way of verifying what they do with those messages. They could be logging them, using them for targeted campaigns of any kind. It's a huge privacy issue.
I think Discord requiring ID for large bots is a right step towards being able to hold these bot authors to account. But it's not enough.
Nothing prevents you from denying read permissions to bots in "private" channels. Slash commands are still available even if you do. If you still need normal functionality, you can always restrict the bot to its own channel.
The only thing this prevents is new bot authors from, well, writing interesting bots.
Correct, this is what we do on a reasonably large server (tens of thousands). Public channels are free game, staff channels are restricted from bots. Honestly I dont see a bot owner having a budget to store all that message data I store only very specific meaningful data. For example I have a bot where users can message our bot to contact our staff team. You can see why reading message_content is extremely useful. This allows mods to communicate to users via the bot and appear fully impartial.
Soon I fear my efforts are going to be thrown away because I dont want to expose personal information with Discord.
How long before we read a headline here on HN that someone hacked all Discords verified bot developer information? No thanks.
As somebody else in this thread stated, Discord is a platform mostly for young people. I doubt most users are aware that bots are a privacy risk. How are they going to know that they need to create a separate bot-free channel for their private discussions. This isn't something users should even need to worry about.
I mean, every user of that channel can do that as well. It's just that there shouldn't be expectation of privacy on a Discord channel unless you know and trust every participant.
Message reading bots are very useful for many things. Limiting them because of privacy concerns sounds like a loss for no gain to me. There isn't any privacy on Discord to begin with.
+ AFAIK Discord said they aren't going to completely remove message access, just lock it behind a privilileged intent. What's stopping malicious developers from adding features such as bad link detection, chat activity leveling system, thus giving them a reason to say to Discord, hey, we need message access, and then using the message access for these malicious reasons.
I don't write discord bots so you can type a slash command to do a thing. That's boring. Good bots can read messages. Discord will be very "not dope" and "not cool" if bots are forced to become a sterilized pick-list of interaction options.