While writing a bot with discord.py I realised that it would be extremely easy for a developer to log all messages that would pass through the listener `on_message`.
A simple logging call in the listener such as:
```python
@commands.Cog.listener()
async def on_message(self, message):
    logger.debug(f"Message received from {message.author} in {message.guild.name}: {message.content}")
    # ...
```
As all messages sent in channels where this bot is present pass through this listener, the 3 lines above would allow a developer with access to the bot's internal log to "listen" to anything that is written in any channel where the bot is present.
This is even more severe if the bot is granted (because it's required or by mistake) admin rights in the guild/server, allowing all channels in the server to be transcribed in the log.
Is this correct? Am I doing something wrong with my bot?
I'm not writing my bot with the intention to spy on other guilds/servers, but I'm realising how easy it would be and I would like to understand if, by mistake, I'm basically coding a spy bot or if there is a way to be more fair with my users. I would also like to avoid accusations of doing so or (probably a bit far-fetched) even legal consequences.
Yes, access to message content by bots is a risk to the privacy of Discord users. That's why Discord bots that are verified (a bot needs to be verified to be on more than 100 servers) now have to apply for privileged intents to gain access to message content.
This change applies only to verified bots and apps that are in 100 or more servers.
If your bot or app is not approved for message content, the following fields of the message object in Gateway and API payloads will be empty—either an empty string or empty array, depending on the data type—when you receive a message:
- content
- embeds
- attachments
- components
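One way to keep an `on_message` debug log useful without transcribing channels, shown as an added example that is not code from the posts above or from discord.py: log metadata only, reduce the four content fields listed above to sizes, and handle direct messages, where `message.guild` is `None`. The names `pseudonym`, `audit_record` and `log_message` are hypothetical, and the sample objects are constructed stand-ins for discord.py `Message` instances.

```python
import hashlib
import hmac
import logging
from types import SimpleNamespace

logger = logging.getLogger("bot.audit")
# Fields Discord blanks for bots not approved for message content (list above).
CONTENT_FIELDS = ("content", "embeds", "attachments", "components")

def pseudonym(user_id: int, key: bytes) -> str:
    """Keyed hash: log readers cannot recover the user ID without the key."""
    return hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()[:12]

def audit_record(message, key: bytes) -> dict:
    """Build a log record of metadata only; content fields become sizes."""
    guild = getattr(message, "guild", None)  # None for direct messages
    record = {
        "message_id": message.id,
        "guild_id": guild.id if guild is not None else None,
        "channel_id": message.channel.id,
        "author": pseudonym(message.author.id, key),
    }
    for field in CONTENT_FIELDS:
        value = getattr(message, field, None) or ""
        record[f"{field}_len"] = len(value)  # size only, never the value
    return record

def log_message(message, key: bytes) -> dict:
    """Call this from on_message instead of logging message.content."""
    record = audit_record(message, key)
    logger.debug("message received: %s", record)
    return record

# Constructed sample data; a real bot would load the key from its secret store.
SAMPLE_KEY = b"constructed-demo-key"
GUILD_MSG = SimpleNamespace(
    id=1, guild=SimpleNamespace(id=10, name="Example Guild"),
    channel=SimpleNamespace(id=100), author=SimpleNamespace(id=42),
    content="my password is hunter2", embeds=[], attachments=["a.png"], components=[],
)
DM_MSG = SimpleNamespace(
    id=2, guild=None, channel=SimpleNamespace(id=200), author=SimpleNamespace(id=42),
    content="", embeds=[], attachments=[], components=[],
)

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    log_message(GUILD_MSG, SAMPLE_KEY)
    log_message(DM_MSG, SAMPLE_KEY)
```

Because the record never carries message text, guild names or raw user IDs, access to the bot's log file no longer amounts to access to the conversations.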