Hey. I work at Discord - and actually, this system is a thing I work on - and code my team wrote caused your account to be locked. If my team is doing a good job, you won't notice us. If we're doing a bad job, you might get some spam, or your account may be blocked for false positives.<p>Discord gets a lot of spam. We've disabled, and/or challenged millions of accounts for trying to use our platform for unsolicited spam (trying to advertise their service, sex bots, crypto spam, etc...). Our anti-spam systems continue to evolve - just as the spammers who target our platform continue to evolve. The spam attacks against our platform vary in terms of how elaborate and skilled they are. Some are very obvious in terms of a detection perspective, and some are not. As such, we use a blend of signals, heuristics and machine learning algorithms to determine whether someone is spamming on our platform. Additionally, we look at where spam is originating from as an input to our heuristic.<p>One such source is TOR exit nodes - and as such, our system considers content created (DMs opened, etc..) from people using TOR exit nodes with more stringency than other sources. As such, if you are using TOR, it is definitely more likely that you may get challenged either via captcha, or phone verification. The system is definitely not perfect - and unfortunately in OP's case, it flagged the account for phone verification.<p>To address the 3 demands in OP's email:<p>> 1. Discord's anti-spam isn't so anal,<p>I'm not entirely sure what this means, nor what actionable steps I can take. You are using TOR, a source of a great amount of spam/attempted spam on our network.<p>> 2. my account (and other accounts in good standing and with proper 2FA) is exempt from such checks<p>Having 2fa is not a strong signal as to whether or not an account is legitimate. It is very trivial to automate setting up 2fa on an account. <a href="https://github.com/pyauth/pyotp" rel="nofollow">https://github.com/pyauth/pyotp</a> can be used to both generate and validate 2fa codes. It'd be trivial to hook that up to the registration flow to enable 2fa - and if that was a way to 'bypass' our anti-spam measures, it'd surely be exploited.<p>> 3. I don't have to solve a Google reCAPTCHA for an account I have taken every step to protect against bruteforcing. Using Tor is not a crime; don't treat it as such.<p>Malicious actors constantly attempt to brute-force logins on our system - generally from public password dumps or other leaks. A lot of these brute-force attempts come from TOR, and other public proxies. In order to avoid information disclosure, we always captcha logins from these kinds of IPs, regardless of whether or not an account exists with the e-mail in question, whether the login credentials are correct, or there is 2fa enabled on the account. So, the "captchas" you notice are not really specific to your account, but rather, the origin of the login. Using TOR is not a crime, you are right - but - it's also our responsibility to our users to make it reasonably hard for their accounts to get compromised on our platform (even if they don't employ the best security practices - and reuse their passwords across the internet.)<p>Finally, I'd like to address: "Discord has shown to be hostile toward FOSS and privacy for a while now" and understand why that is.<p>As a company, we have tried to give back to open source software (either by financial sponsorship, or by contributing our bugfixes/changes upstream.) We also attribute all open source projects we use in our software here: <a href="https://discordapp.com/licenses" rel="nofollow">https://discordapp.com/licenses</a>. Additionally, we host many open source communities on our platform: <a href="https://discordapp.com/open-source" rel="nofollow">https://discordapp.com/open-source</a>. And finally, we try to open source software we make which may be useful to the eco-system in general: <a href="https://github.com/discordapp/" rel="nofollow">https://github.com/discordapp/</a>.<p>As for privacy, we've stated that we don't sell your data. When you verify your phone number, we ONLY use it for the purpose of anti-spam, and it is never shared with anyone (aside from twilio, which sends you the SMS), especially for the purpose of financial gain. We're pretty up front about how we make money (freemium model: <a href="https://discordapp.com/nitro" rel="nofollow">https://discordapp.com/nitro</a>, in-app commerce: <a href="https://discordapp.com/sell-your-game" rel="nofollow">https://discordapp.com/sell-your-game</a>). We provide privacy controls: <a href="https://support.discordapp.com/hc/en-us/articles/360004109911" rel="nofollow">https://support.discordapp.com/hc/en-us/articles/36000410991...</a>, and allow you to request an export of all the data we have stored on your account: <a href="https://support.discordapp.com/hc/en-us/articles/360004027692-Requesting-a-Copy-of-your-Data" rel="nofollow">https://support.discordapp.com/hc/en-us/articles/36000402769...</a><p>I know this reply won't satisfy everyone, but hopefully, being truthful and upfront about this will help!