BreachExpress

Cybersecurity, explained for the rest of us.

General

Discord DMs and Server Messages: What's Actually Private and What Isn't

Margot 'Magic' Thorne@magicthorneJune 24, 202612 min read
A Discord chat window with partially transparent message bubbles, revealing server infrastructure behind the interface

Discord feels private. You're chatting with friends, the interface looks like a messaging app, and those DMs have "direct" right in the name. But Discord's architecture tells a different story. Every message you send lives on Discord's servers in a format they can read, and the platform's business model depends on analyzing that data. Here's the underlying mechanism, what Discord actually sees, and what you can control.

The Core Architecture: Client-Server Without End-to-End Encryption

Discord uses a client-server model. When you send a message, your device encrypts it using HTTPS and sends it to Discord's servers. Discord decrypts it, stores it, and forwards it to recipients. This is standard for most messaging platforms, but it differs fundamentally from end-to-end encryption.

End-to-end encryption means only you and your recipient can decrypt messages. The platform sees only ciphertext. Apps like Signal and WhatsApp use this model. Discord does not. Discord stores your messages in plaintext on their servers, and anyone with server access can read them.

HTTPS protects messages in transit. If you're on public WiFi, an attacker can't intercept your Discord traffic and read it. But once the message reaches Discord, that protection ends. Discord's employees, contractors with database access, and law enforcement with a valid request can all read your messages.

This isn't a vulnerability. It's the design. Discord needs to read messages to power search, content moderation, link previews, and other features that users expect. The tradeoff is that privacy ends at Discord's servers.

What Discord Sees in Your DMs

Discord stores every message you send. That includes text, images, videos, voice recordings, and metadata like timestamps, IP addresses, and device information. They also store deleted messages for a period of time, though the exact retention window isn't publicly documented.

When you delete a message, it disappears from your view and your recipient's view. But it remains in Discord's logs. This is common across platforms. Deletion removes the message from the active database but not from backups or moderation queues. Security researchers have found that Discord retains deleted content for at least several weeks, and potentially longer.

Discord's privacy policy states they collect "the content you create, upload, or receive from others when using our services. This includes things like email, photos and videos, docs, and spreadsheets, and when you use voice or video chat." That's broad language. It covers everything you type, upload, or say in voice channels.

Discord also analyzes message content for automated moderation. Their Trust and Safety team uses machine learning to flag potential violations of their Terms of Service. This means your messages are scanned, even if no human reads them unless the system flags something. The FTC has investigated platforms for inadequate disclosure of automated content analysis, and Discord's approach falls into this gray area.

Server Messages vs. DMs: The Practical Difference

Server messages and DMs differ in who can see them, but both are equally visible to Discord. In a server, your messages are visible to all members with access to that channel, plus server administrators with logging enabled, plus Discord. In a DM, your messages are visible to you, your recipient, and Discord.

Server admins can configure bots to log messages. Popular bots like MEE6, Dyno, and Carl-bot offer logging features that capture everything said in a server and store it in a separate channel or external database. This is a feature, not a bug. Admins use it for moderation, record-keeping, and resolving disputes.

If you're in a server, assume your messages are logged. Even if the server doesn't use a logging bot today, an admin can enable one tomorrow and capture everything going forward. Some bots even offer retroactive logging if they have the appropriate permissions.

DMs don't have this problem because they exist outside server infrastructure. A server admin cannot see your DMs, even if you're both members of their server. But Discord can. And if either participant reports a DM, Discord's Trust and Safety team reviews it.

What Happens When Someone Reports Your Message

Discord's reporting system works the same for DMs and server messages. If someone reports your message, it goes into a moderation queue. A human reviewer at Discord reads the message, evaluates it against their Community Guidelines, and decides whether to take action.

This is how platforms handle moderation at scale. Automated systems flag potential violations, and humans review the flags. But it means your DMs aren't private from Discord's moderation team. If you send something that gets reported, a stranger at Discord will read it.

Discord's Community Guidelines prohibit harassment, threats, sharing personal information without consent, and sexually explicit content involving minors. Violating these rules can result in warnings, temporary suspensions, or permanent bans. And because Discord stores message history, they can review past messages when investigating a report.

This isn't unique to Discord. Every major platform with user-generated content has a moderation team that reads reported messages. But it's worth understanding that "direct message" doesn't mean "private from the platform."

Voice and Video: The Same Model

Discord's voice and video features follow the same architecture. Audio and video travel through Discord's servers, and Discord can access them. They don't store voice chat by default, but they can if needed for moderation or legal compliance.

When you're in a voice channel, your audio is compressed, encrypted with HTTPS, sent to Discord's servers, and forwarded to other participants. Discord decrypts it at their servers, which means they have access to the plaintext audio. If someone records the call locally, that recording exists outside Discord's control, but Discord could theoretically record any call.

Video works the same way. Discord uses WebRTC for peer-to-peer connections when possible, but falls back to server-relayed video when network conditions require it. Either way, Discord has the technical capability to access video streams.

Screen sharing is particularly sensitive. When you share your screen, you're broadcasting everything visible on your display. If you have sensitive information open, Discord's servers process that video stream. It's not stored by default, but it passes through their infrastructure.

Metadata: The Data You Don't See

Even if Discord didn't store message content, they'd still collect metadata. Metadata includes who you message, when you message them, how often, how long your conversations last, and what servers you're both in. This data reveals social graphs, communication patterns, and behavioral profiles.

In The Good Place, the characters discover that their actions are tracked and scored by an omniscient system. They can't escape the surveillance because the system is the foundation of their world. Discord's metadata collection works the same way. You can't opt out because metadata is inherent to how the platform functions.

Metadata is often more revealing than content. If I know you message someone every day at 3 AM, I don't need to read those messages to infer a relationship. If I know you're in a server about a specific medical condition, I don't need to read your posts to know you have that condition. Metadata is data.

Discord uses metadata to power features like friend suggestions, server recommendations, and activity status. But metadata also powers advertising targeting, user profiling, and behavioral analysis. Discord's privacy policy allows them to use metadata "to personalize your experience and improve our services."

What Discord Says They Don't Do

Discord's privacy policy states they don't sell user data to advertisers. This is narrower than it sounds. They don't sell a list of usernames and message logs to third parties. But they do share data with partners for analytics, fraud prevention, and service improvement.

Discord uses third-party services for crash reporting, performance monitoring, and analytics. These services receive data about your usage, including which features you use, how often, and for how long. Some of this data is anonymized, but anonymization is imperfect. Researchers have shown that anonymous datasets can often be re-identified with additional context.

Discord also complies with law enforcement requests. If police or federal agents present a valid subpoena or warrant, Discord turns over user data. This includes message content, metadata, IP addresses, and payment information. Discord's transparency report shows they receive thousands of requests per year and comply with most of them.

This is standard for U.S.-based platforms. The Stored Communications Act allows law enforcement to access electronic communications with appropriate legal process. Discord can't refuse a valid warrant, and they don't have the technical architecture to refuse even if they wanted to. Because they store messages in plaintext, they can always produce them when required.

What Server Admins Can See

Server administrators have significant visibility into member activity. They can see when you join, when you're online, what roles you have, and what channels you access. If they enable logging bots, they can see every message you send in that server.

Admins can also see your user ID, which is a unique identifier that persists across username changes. If you change your username or display name, admins can still track you by your user ID. This is by design. Admins need stable identifiers to enforce bans and manage large communities.

Some servers require ID verification through bots like Wick or Beemo. These bots can request access to your Discord profile, including your email address, connected accounts, and server list. Once you authorize a bot, it retains that access until you revoke it. And revoking access doesn't delete data the bot already collected.

Admins cannot see your DMs. This is a hard boundary in Discord's architecture. DMs exist outside server infrastructure, and server admins have no access to them. But if you discuss server-related topics in DMs and then act on that information in the server, admins can infer what you discussed based on your behavior.

What You Can Control

You can control who sees your messages within Discord's user-facing features. You can block users, leave servers, delete messages, and adjust privacy settings. But you cannot control what Discord sees, because Discord's servers process and store everything.

Discord's privacy settings let you control:

  • Who can send you DMs (everyone, friends only, or server-specific)
  • Who can add you to group DMs
  • Whether your online status is visible
  • Whether you appear in server member lists
  • Whether read receipts are enabled in DMs

These settings affect what other users see. They don't affect what Discord sees. Discord still processes and stores all your messages, regardless of your privacy settings.

You can delete your account, which Discord says removes your data "in accordance with our data retention policies." But those policies aren't fully disclosed. Discord retains some data for legal compliance, fraud prevention, and service improvement. How long they retain it, and what exactly gets deleted, isn't documented publicly.

The Practical Reality for Most Users

For most conversations, Discord's privacy model is fine. If you're coordinating a game night, sharing memes, or discussing hobbies, the fact that Discord can read your messages probably doesn't matter. The risk is low, and the convenience is high.

But if you're discussing sensitive topics (health, finances, legal matters, political organizing), Discord's architecture creates real risk. Your messages are visible to Discord employees, vulnerable to data breaches, and accessible to law enforcement. And because Discord stores messages indefinitely by default, that risk compounds over time.

In 2024, Discord disclosed a data breach affecting user email addresses and hashed passwords. The breach didn't expose message content, but it demonstrated that Discord's security isn't perfect. If attackers gained access to Discord's message database, they'd have plaintext access to billions of messages.

This isn't hypothetical. In 2020, researchers found that Discord's CDN was hosting malware uploaded by attackers who used Discord as free file hosting. The same infrastructure that stores your images and videos also stores malware samples. Discord's content moderation is reactive, not proactive.

When to Use Discord and When to Use Something Else

Discord works well for:

  • Gaming coordination
  • Public communities
  • Casual social chat
  • Hobby groups
  • Fan communities

Discord works poorly for:

  • Sensitive personal conversations
  • Financial discussions
  • Health information
  • Legal matters
  • Political organizing
  • Anything you wouldn't want a stranger to read

If you need actual privacy, use an end-to-end encrypted app like Signal. Signal's architecture prevents the platform from reading your messages. Discord's architecture requires the platform to read your messages.

This doesn't make Discord bad. It makes Discord a tool with specific tradeoffs. You can use Discord for gaming and Signal for sensitive conversations. You don't need to choose one platform for everything.

The Broader Pattern Across Platforms

Discord's privacy model isn't unusual. Instagram DMs, Facebook Messenger, and Telegram all use similar architectures. They store messages in plaintext, analyze content for moderation and features, and comply with law enforcement requests.

The platforms that offer true privacy (Signal, WhatsApp with default settings, iMessage between Apple devices) use end-to-end encryption. But even those platforms collect metadata. Signal knows who you message and when. Apple knows your device ID and IP address. No platform is completely private.

The difference is what the platform can access. Signal can't read your messages even if they wanted to. Discord can, and their business model depends on it. That's the tradeoff.

What Discord Could Do Differently

Discord could implement end-to-end encryption for DMs. This would prevent Discord from reading messages while preserving the platform's core features. Signal and WhatsApp prove this model works at scale.

But end-to-end encryption would break some features users expect. Discord couldn't offer server-side message search across devices. They couldn't generate link previews without decrypting messages client-side. They couldn't moderate content without user reports. These are real tradeoffs.

Some platforms offer optional end-to-end encryption. Facebook Messenger has "Secret Conversations." Telegram has "Secret Chats." Discord could implement a similar feature for users who want it. But as of mid-2026, they haven't.

What You Should Do

If you use Discord for casual conversation, keep using it. The convenience and community features are valuable, and the privacy tradeoff is reasonable for most use cases.

If you discuss sensitive topics on Discord, move those conversations to Signal or another end-to-end encrypted platform. Discord's architecture makes it unsuitable for private communication about anything that matters.

Review your Discord privacy settings. Limit who can DM you, disable read receipts if you don't want them, and consider whether you need to be in every server you've joined. Fewer servers means less exposure.

Assume everything you say on Discord is public. Not public to other users, but public to Discord and anyone with access to their systems. If you wouldn't say it in a room full of strangers, don't say it on Discord.

And remember: "direct message" is a user interface label, not a privacy guarantee. The label describes who sees the message in the app. It doesn't describe what happens on the server.

A split-screen view showing a Discord DM conversation on one side and server logs on the other
→ Filed under
discordmessaging privacydirect messagesend-to-end encryptionplatform privacy
ShareXLinkedInFacebook

Frequently asked questions

Yes. Discord stores all messages in plaintext on their servers, and employees with appropriate access can read them. There's no technical barrier preventing this.
Discord uses HTTPS encryption in transit, which protects messages from interception while traveling between your device and Discord's servers. But once messages reach Discord's servers, they're stored unencrypted and readable by Discord.
Both are equally visible to Discord. The only difference is who else can see them: DMs are visible to participants and Discord; server messages are visible to participants, server admins, and Discord.
No. Server administrators cannot see DMs between users, even if both users are members of their server. DMs exist outside server control.
Discord states they don't sell user data to advertisers, but their privacy policy allows broad use of data for analytics, recommendations, and platform improvements. Messages inform these systems even if they're not directly sold.

You might also like

Smartphone with lock screen displaying remote wipe confirmation and location tracking map overlay
General

What to Do When Your Phone Is Stolen: Step-by-Step Recovery Guide

Phone stolen? Lock it remotely, wipe your data, and secure your accounts fast. Here's the exact sequence of steps and why timing matters.

12 min · Margot 'Magic' Thorne · May 11

Smartphone displaying location map with layered technical signals showing GPS satellites, WiFi networks, and Bluetooth beacons
General

Find My Phone: How the Tech Works and Where It Fails

Find My Phone uses GPS, WiFi, and Bluetooth to locate lost devices. Here's the underlying mechanism, what happens when location fails, and what you can actually do.

11 min · Margot 'Magic' Thorne · May 15

Abstract visualization of browser architecture showing layers of data access with permission boundaries and agent scope
General

Browser-based AI agents: what they can access, what they can't

AI agents running in your browser can see tabs, cookies, forms, and browsing history. Here's the underlying mechanism, what permissions control, and what stays hidden.

12 min · Margot 'Magic' Thorne · Jun 9