Not really a debate thing, just wanted to put this information out there.

Discord recently partered with an AI company Domo.ai to let users use their ImageGen tools within Discord itself. People have been (reasonably) concerned that this means Discord is sharing image data with them, with varied reactions. Also generally just some misunderstandings of how discord's systems work- which is reasonable if you haven't made a discord bot before.

What is the actual nature of the partnership?

Practically speaking- in terms of both the rights the company has and the data being moved, this is a discord bot. Typically when you think of a discord bot, you think of something that the server owner adds to a server.

However, this isn't exactly the case- anyone can use Domo.ai anywhere. This has led to people thinking this is some "sneaky" way to insert AI everywhere and have it read everyone's messages.

It's not- what it is, is a App. In effect, this is a discord bot that is not scoped to a server, but rather is scoped to your account. What that means is that you as the user can call the bot anywhere, if you add the bot to your account. I've actually done this- I have a bot that lets me track my stocks, and that is scoped to my account. I can call that bot from any server, if I was stupid and wanted to expose my finances to others.

This feature has existed for a while- Discord has been trying and failing to foster some kind of "App Marketplace" for a while now, and this is part of that effort.

What information does it access?

This is hard to say with 100% confidence because I don't see their dev console. However, what I know is that discord really locked down how much access bots have to the content of messages being sent in a server. This is what motivated the transition to slash commands- because that's a way to trigger an action from a bot, without the bot needing permissions to read people's message contents.

If you try the bot, you'll see that it has no functionality that allows you to reference someone else's message.

EDIT: I was wrong! The old section here has been deleted but I kept the first sentence so you get the gist.

The only way that Domo can access a random image sent in a server, is hovering over the image and clicking on the icons on the top-right. There, you can restyle the image with their GenAI product(s). So that is one avenue in which your image could be sent to Domo for processing by a random discord user. This is again a very strictly bounded scope- it can't comb through a server, it can only see images that users actually call Domo on.

I would like to stress here that functionally, any discord user could do this before- they could download your image and upload it wherever. This just makes it easier- still not good if this is a concern for you, but it's not a catastrophic change in the status quo.

Based on this, I don't think that Discord is funneling image data en masse to Domo. You probably aren't at risk of having your data read by this company if the bot simply interacts with your server. I should note- technically a bot could go through a server and rip all the data- I've implemented something to that effect in the past. That's only if it has the necessary permissions, which Domo does not appear to have.

Can they switch permissions down the line?

It's complicated. When you add a bot, there is a certain bit-encoded number that defines exactly what permissions the bot has. That number doesn't change unless you make it change. Of course, that's not an unreasonable thing to ask end-users to do "we have new functions that need new permissions, please re-install the bot blah blah"

The issue is that you as the server owner don't control that because it's account scoped. My knowledge is a bit fuzzy here, but my understanding is that if the user passes a message to the bot, from a server that the bot isn't authorized for, it can't read the message. So, if you haven't added the bot to your server, it won't be able to read messages within it- even if the user sending the command can access the server.

I don't like this, how do I prevent people from using it?

Personally I disagree with this approach to problems, but if this is something you wanted to do, it's not hard. As the server administrator, you have to disable the "Use External Apps" permission for your general users. That will prevent them from posting public messages on your server using any App that's added to their account, but not the server at large.

Note that this will disable users using ANY account-scoped bot in your server. I would argue that's a small loss, because account-scoped bots are a really niche thing that has only very specific cases in which it makes sense.

This will not prevent them from using it privately. If they use the bot in any channel, it will still run, but it's responses will only be shown to the user. In effect, sandboxing them.

You could also disable the "Use Application Commands" permission, but this would be throwing the baby out with the bathwater. You'd disable every single bot on your server by doing that.

Should I trust Discord?

Absolutely not. From the little that I know, they have an okay history with protecting user data, but they're a company with massive amounts of high-quality image and text data. As someone that works in ML, I would love to have this dataset (if I ignore some of the ethical concerns therein). I would not be surprised if Discord did begin selling data- that was my initial thought as well when I saw news of the partnership. However, looking into it further this doesn't seem to be a deal of that nature.

TL;DR:

• Domo.ai is an account-scoped bot that anyone could use, not something sneakily inserted into all of your servers

• Domo.ai can't even theoretically get access to a server's messages, unless added by a server admin

• You can prevent people from making public messages using Domo.ai using the "Use External Apps" permission if you're so inclined, but are not able to stop people from using it privately.

Sidenote: I tried Domo just to test how it works for this post- their image models aren't that good to begin with. If you're an AI-inclined person, you have much better options.

Edit 1: Adjusted to account for the "Edit Image with Apps" feature, which I didn't know about until someone mentioned it.

Edit 2: Domo.ai actually reached out and they confirmed with me that they are not collecting images beyond direct user interactions, and that they offer a "Ghost Mode" for additional privacy.