Discord enhances privacy with end-to-end encryption for voice and video calls

DAVE is designed to fully protect users' audio and video communications

Discord's DAVE end-to-end encryption program

Discord has finally taken the much-wanted step of officially implementing end-to-end encryption in voice and video calls, one of the biggest moves regarding user privacy. This enhancement ensures that conversations remain private and out of reach of unauthorized parties, including Discord itself. It is a significant step for a platform that has grown far beyond its gaming roots.

Although Discord was originally built as a platform for gamers to communicate with each other while playing games, today it has become home to more than 200 million registered users across the globe. These include different communities, businesses, and interest groups.

To address this, Discord developed a custom E2EE protocol named DAVE (Discord's Audio and Video Encryption). Created in collaboration with cybersecurity experts from Trail of Bits, DAVE is designed to safeguard audio and video calls without compromising call quality or performance.

Mark Smith, Vice President of Core Technology at Discord, announced the new features on September 17, 2024:[1]

We’re excited to announce that starting today, we’re rolling out passwordless login with biometric passkeys to streamline and safeguard your sign-in experience as well as default end-to-end encryption for audio and video (E2EE A/V) calls.

What is the DAVE protocol?

The DAVE protocol operates by utilizing the WebRTC encoded transform API. This technology allows media frames, such as audio and video, to be encrypted immediately after they're encoded and before they're sent over the network. By doing so, the actual content of the calls remains protected, with only essential codec metadata left unencrypted for compatibility.

For managing encryption keys, DAVE employs the Messaging Layer Security (MLS) protocol. MLS facilitates secure and scalable group key exchanges, ensuring that each participant has a unique symmetric encryption key. This setup enhances security, especially in group communications, by isolating each user's encryption credentials.

Moreover, it uses the Elliptic Curve Digital Signature Algorithm (ECDSA) to generate identity key pairs, which provides an additional layer of security by verifying the identities of call participants and preventing unauthorized access.
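A simplified sketch of the frame encryption step described above, added here as an illustration; it is not Discord's code and does not reproduce the DAVE wire format. It uses Node's crypto module so it runs outside a browser, and the one-byte clear header, the packet layout, the choice of AES-128-GCM, and all function names are assumptions.

```javascript
// Added illustration: not Discord's code and not the DAVE wire format.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

const CLEAR_HEADER_LEN = 1; // assumption: first byte is codec metadata left readable
const TAG_LEN = 16;         // full-length GCM authentication tag
const CTR_LEN = 4;          // frame counter appended so the receiver can rebuild the nonce
// Constructed sample: one header byte followed by a fake encoded payload.
const SAMPLE_FRAME = Buffer.from([0x78, 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02]);

// Stand-in for the per-sender key that MLS would deliver (hypothetical helper).
const newSenderKey = () => randomBytes(16);
const createSender = (key) => ({ key, counter: 0 });

function nonceFor(counter) {
  const nonce = Buffer.alloc(12);   // 96-bit GCM nonce
  nonce.writeUInt32BE(counter, 8);  // counter occupies the last 4 bytes
  return nonce;
}

// Packet layout (constructed): clear header | ciphertext | tag | counter
function encryptFrame(sender, frame) {
  const counter = sender.counter++; // a nonce must never repeat under one key
  const header = frame.subarray(0, CLEAR_HEADER_LEN);
  const cipher = createCipheriv('aes-128-gcm', sender.key, nonceFor(counter));
  cipher.setAAD(header);            // header stays readable but is authenticated
  const body = Buffer.concat([cipher.update(frame.subarray(CLEAR_HEADER_LEN)), cipher.final()]);
  const trailer = Buffer.alloc(CTR_LEN);
  trailer.writeUInt32BE(counter);
  return Buffer.concat([header, body, cipher.getAuthTag(), trailer]);
}

// Returns the original frame, or null when authentication fails
// (wrong key, or any byte of the packet was altered in transit).
function decryptFrame(key, packet) {
  if (packet.length < CLEAR_HEADER_LEN + TAG_LEN + CTR_LEN) return null;
  const tagStart = packet.length - CTR_LEN - TAG_LEN;
  const header = packet.subarray(0, CLEAR_HEADER_LEN);
  const decipher = createDecipheriv('aes-128-gcm', key, nonceFor(packet.readUInt32BE(tagStart + TAG_LEN)));
  decipher.setAAD(header);
  decipher.setAuthTag(packet.subarray(tagStart, tagStart + TAG_LEN));
  try {
    const body = Buffer.concat([decipher.update(packet.subarray(CLEAR_HEADER_LEN, tagStart)), decipher.final()]);
    return Buffer.concat([header, body]);
  } catch {
    return null;
  }
}
```

In a browser the same two functions would sit inside the transform attached to the sender and receiver through the encoded transform API, with the key supplied by the MLS group state instead of `newSenderKey()`.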

How Discord enhances privacy by implementing intricate verification methods

When changes occur in a group call – like participants joining or leaving – DAVE initiates a new “epoch.” This means the group's encryption state updates by generating new keys, all without disrupting the ongoing conversation. It's a seamless process that maintains security without affecting user experience.

User verification is strengthened through methods like comparing “voice privacy codes.” These codes are derived from the group's MLS epoch state and allow users to confirm the identities of other participants. This feature enhances trust and security within calls.

To prevent persistent tracking, DAVE uses ephemeral identity keys. Users receive new keys for each call, making it difficult for anyone to monitor users across multiple sessions. This approach protects user privacy even further.

Text messages will continue to be moderated

Discord has begun migrating eligible channels to the DAVE protocol. Users can verify if their calls are end-to-end encrypted by checking for an indicator within the app's interface. This transparency allows users to be confident in the security of their communications.

The initial roll-out includes Discord's desktop and mobile applications, with plans to extend E2EE to web clients in the future. Users are encouraged to update their apps to the latest version to take advantage of the new encryption features. Those using outdated clients will continue with transport-only encryption until they update.

While this update significantly enhances privacy for voice and video calls, Discord has stated that text messages will not be end-to-end encrypted at this time. This decision allows the platform to maintain its content moderation policies and ensure a safe environment for all users, as explained by Discord’s staff software engineer on audio/video infrastructure Stephen Birarda:[2]

While audio and video will be end-to-end encrypted, messages on Discord will continue to follow our content moderation approach and are not end-to-end encrypted. The E2EE A/V protocol was designed from the outset to be compatible with additional safety features that support the E2EE experience.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

