> Discord, a messaging platform popular with gamers, says official ID photos of around 70,000 users have potentially been leaked after a cyber-attack.
However, their senior director states in this Verge article:
> The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information.
This is also contradicted by what Discord actually says:
> Quick deletion: Identity documents submitted to our vendor partners are deleted quickly— in most cases, immediately after age confirmation.
Well since you have these IDs, for national security (AML, criminals and whatnot), we will need you to keep them if our endpoint says so, here's the endpoint
> The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information.
Everyone says this, including the TSA. But they never say they don't keep a hash, or an eigenvector of your biometric. Which is equally as important.
They also never say it goes through datacenters in room 641A or through Utah before it's "deleted", because it's a US company and they can't refuse that.
> We do not keep any information around like your name
But they might be sending a copy to the NSA, similarly to how Alphabet, Yahoo, Apple, Meta etc. have been doing (PRISM program, part of the Snowden revelation [1]). The US has the legal mechanisms of requiring this to happen, secretly, such as NSLs [2].
Until we have some kind of "One Time ID Verification" service that would work, the ID will never be deleted. Or a hash of the info or some kind of identifiable info.
Humm yeah, like a government digital ID of some sort. Except people go mental about that, so sending scanned copies of my personal ID documents to every bank/solicitor/estate agent/mortgage broker/random internet service it is then...
They're a nonsense company, and trusting them with any information is foolish.
They'll store everything and anything, because data is valuable, and won't delete anything unless legally compelled to and held accountable by third party independent verification. This is the default.
The purpose of things is what they do. They're an adtech user data collection company, they're not a user information securing company.
TL;DR: The IDs were used in age-related appeals. If someone's account was banned for being too young they have to submit an ID as part of the appeal. Appeals take time to process and review.
Discord has 200,000,000 users and age verification happens a lot due to the number of young users and different countries.
Sigh, I guess it's time to move platforms again or get your identity stolen. The more a company makes a fuss about trusting users, the more likely they store all of their shit in plaintext with vibe coded server security.
*CANCEL YOUR NITRO SUBSCRIPTION NOW IF YOU'RE PAYING FOR ONE* (for whatever reason)
This was just announced today and a flood of canceled payments within the next 24 hours are the easiest way to send a message. And also tell people on the servers you're on to do the same. It's not like they give you anything of real value for that money.
It boggles my mind that they need a photo ID to prove that my 9-year-old account with a saved credit card belongs to an adult. The linked Steam account is 18 years old.
> For most adults, age verification won’t be required, as Discord’s age inference model uses account information such as account tenure, device and activity data, and aggregated, high-level patterns across Discord communities. Discord does not use private messages or any message content in this process
Y’all forgot that the only reason we’re on Discord was because MS actively killed Skype. Skype was much better software circa 2012 before MS let vulnerabilities run rampant, degraded the UI, and moved off the remarkably robust P2P calling system.
Just cancelled mine after reading this comment, I only really cared about the bigger file uploads and the HD screen-sharing anyways and I can live without those.
Now that I think of it, I bet I could host a decent instance of some open-source alternative in a public cloud for around the same cost as what I paid for Nitro ($100 a year)...
> I only really cared about ... the HD screen-sharing
I bought and canceled nitro in a single day because it's a bad product.
They promise HD screen-sharing, but it's only for _my_ screen. When I hopped into a call, the other user's screen share is illegible. Higher quality is still locked behind a "Buy Nitro" message.
If I'm paying for an improved experience, I should be able to get it.
Cancelled. Was a right job trying to get in as it just refreshed every time I tried on mobile. When I went to the site separately after clicking subscribe it magically let me in.
The cancel login flow didn't inform me that it found my login suspicious but the subscribe one did.
Not a subscriber, but I understand your call for retribution.
I suppose the silver lining is that they are putting the responsibility for age verification on adults. Which imo is better than requiring everyone; kids get a free pass to the kids stuff...
Unless they're changing things with some sort of automated classification, then it's users who designate which servers and channels have adult content.
In my experience, you run the risk of getting your server shut down in small servers if someone reports it. Or risk losing your community server status in larger public servers until you come back into compliance.
Also in my experience what teenagers are going to do when they hit an age gate is use a fake picture/video. Sometimes they'll get banned for that and then they'll make a new account and do it again.
Thank you for reminding me, I've been meaning to cancel for months but it's only 2.50EUR and having to sign into my apple account was such an effort I never got around to it.
I'm sure I'm in the minority here, but I read the announcement and other than the risk of a slippery slope into more invasive ID demands, I'm not sure I have a huge problem with it.
The default experience will be the "teen" experience - they list what that entails - stuff that's flagged as adult/NSFW/etc. is blurred out until your age is verified, which for most(?) people will require ID or face scan. DMs/friend requests from people you don't know take some extra clicks to view. Fine.
It depends on how broad the definition of adult content ends up being I guess, but I'm simply not convinced that requiring ID to view "adult" content is the end of the world. If that means porn, I'm 100% OK with it, put porn behind gates. It has become far too easy to access. It's 2026 and we now have a generation of gooning addicts out there who never have actual sex and it's basically a guarantee that they won't find partners or start families any time soon, exacerbating an already problematic decline in the birth rate. This is not a version of society or anyone's "rights" that I care to defend. You want to goon, show ID. That's how it was before the Internet anyway.
On the other hand if it means any speech that the platform deems to be "controversial" will be blurred out then my response will not be to submit ID, I'll simply limit how I use the platform. Anonymous speech continues to matter and needs protection. But Discord was never the entity that was going to provide that protection.
I mean Discord is a gaming chat room. Expectations should be set by that fact. I don't need a gaming chat room to be NSFW, or even host i.e. political speech really. I get that people have used it for more than gaming, but it was always pretty clear what it was. If people don't like that this gaming chat room no longer supports other uses, they should switch to an alternative.
Clearly the outrage is about the slippery slope and the current techno-fascism gripping the US. I'm not being sarcastic.
You do it for the children now, you poo-poo concerns because "who uses discord for non gaming anyway" and you're just letting the foxes in the henhouse.
Twelve months from now and they'll want it for every chat.
I'm biased, as I lead the Zulip project. But I think this is a reasonable place for me to post some thoughts.
Given current events in the USA, I can't emphasize enough how worried one should be about the fact that a few companies like Discord, Google (Gmail), and Meta have databases with access to the private conversations of hundreds of millions of people with their closest friends and family members, linked up with their identity.
Some of the big strengths of running a self-hosted Zulip server for your community are:
- Zulip servers are operationally simple, highly stable and easy to upgrade.
- Zulip is much better than Discord or Slack for managing the firehose of busy communities. Or at least, a lot of people tell us that they prefer the user experience to everything else they've tried, after a few weeks of getting used to it. :)
- Your community leaders get to make the policy decisions about data protection, identity, etc.
- It's 100% FOSS software, with an extremely readable and maintainable codebase that ~1500 people have successfully contributed code to. I don't think you'll find modern alternatives with a comparable featureset to Discord that are more resilient to the sponsoring company being acquired or going out of business.
- We are a values-focused organization (https://zulip.com/values/) where providing a public service is important to us all.
- Each server is completely self-contained and independent, with the only centralized services needed from us being desktop/mobile app publication and mobile push notifications delivery (which is free for community use and soon to be E2EE).
Because I have some experience with FOSS, I know you don't get the recognition that you deserve. So on behalf of everyone who's too distracted to say thank you.
Thank you!
Admittedly, it did take a day (less than), but once I got used to the interface Zulip provides, it's better than what I would have asked for! It's phenomenal software! The whole experience is better than anything else that exists. And everyone charging for the same features should feel embarrassed given how much better Zulip is!
Genuinely, it's impressive what y'all have created. So thank you!
Yes, hear hear! As someone who's run a couple of FOSS communities, many of them having chats via IRC, Slack, Discord, forums and more, using Zulip has always been one of the most welcome options, yet also the one that takes the longest for people to understand if they've never seen it.
But it's easily worth it, as you can actually come back and read through old discussions and understand things and it isn't a mess. It's like if you could force Slack/Discord to only do threads, and the entire UI is optimizing for that specific UX. Overall pleasant experience once you get over the initial bump :)
I'm asking because I hate Matrix and actually want you to convince me: why should I accept the risk of migrating my friend group from Discord to Zulip, which has already "broken the seal" of restricting features behind a monthly fee even for self-hosted users, when I could migrate us to Matrix instead? Matrix seems like the much less risky option.
I see that you have a "community" tier that's free and doesn't restrict notifications, but it's not clear to me exactly what's involved in proving that we should qualify.
Mobile push notifications are a special case because it's literally not technically possible to self-host them. Or rather, it's possible if you build the iOS and Android apps from source and distribute them through TestFlight or an analogous Android channel, but it's not possible for the developer of an App Store or Play Store app to allow its users to point it at a different push-notification server, because the public key has to be hardcoded in the app binary. So if you want your self-hosted Zulip server to work with the Zulip client apps in the App Store and Play Store, you have to use Zulip's push server, and there's nothing Zulip can do to fix that.
Matrix works analogously; if you use the Element app from the App Store or Play Store, then you're using Element's push notification server, even if your Matrix homeserver is self-hosted. It's possible that Element allows their server to be used gratis in situations where Zulip charges a fee, I don't know their policies or anything, but in principle Matrix still leaves you exactly as dependent on a third party's goodwill unless you make your friends install a privately distributed mobile app.
Zulip IIUC does not restrict self-hosting of any feature that's technically possible to self-host.
I don't think we've ever charged a friend group or other non-incorporated group of people a dime for self-hosted notifications.
For the community tier, you don't have to do anything up to 10 users.
If your server has more than 10 users, you fill out a brief form (https://github.com/zulip/zulip/blob/main/templates/corporate...). We work hard to consistently process these requests within a couple business days, and the vast majority of communities are approved for full sponsorship without further interaction.
(Large communities managed by a business are quoted nonzero but extremely discounted pricing for self-hosted notifications).
I really like Zulip, and I'd like to migrate my friend-group onto it, but it probably won't happen. I think Zulip is just a bit too heavy-duty for a friend group chatting, and also lacks the visual polish that a lot of people want.
For now, my friends and I mostly just use Signal for group chats, which leaves a lot to be desired, but IMO is still just a better experience for our purposes than Zulip or Matrix.
That said, if you have friends who are keen to try things out, I would definitely recommend at least trying Zulip and see what you like and what you don't. It has a lot of really nice features and things to love.
Having interacted a fair amount with the Zulip devs over the years, and being an open-source product, I believe that they have no plans or intention of trying to fleece or milk self-hosted users or small communities.
Regarding risk: I certainly won't blame you for feeling risk-averse given the history of the tech industry. I can tell you about some unusual choices we've intentionally made to minimize risk for our users:
- We eschewed VC funding. A big part of my motivation was that I felt that VC funding usually requires eventual enshittification. https://zulip.com/values/ talks more about this.
- Zulip has been 100% FOSS software for more than a decade.
- At the very beginning, we built a complete data import/export system that allows migrating between our Cloud hosting and self-hosting; we put a lot of care into maintaining it well.
I can't promise that we'll never have something to sell for self-hosting communities. For example, I could imagine offering a paid add-on for encrypted backups.
That said, I'd like to push back on the idea that charging businesses for a tool that's an important part of their daily work "breaks the seal". Organizations with a software budget should be happier to pay a fair price for ethical, user-first software from a friendly vendor than for a closed-source product from a megacorp. And Zulip's full-time development team should be able to make a living building ethical FOSS software.
The federation of Matrix seems risky to me to the person self-hosting. I don’t want to host random people’s content. I’ve read some interesting articles about the design flaws of Matrix that led me to believe that it’s not a good option.
What is confusing to you about the community tier? It is basically describing any type of community of people who are not a for-profit business. Groups of friends, non-profits, volunteer groups, etc.
Zulip isn’t charging you anything unless you’re a business with more than 10 users and need push notifications, and that is still only $3.50/month/user if you don’t need more enterprisey things like SSO and compliance stuff.
I recently moved a small community group from Slack to Zulip. Half because of the UX for infrequent visitors (topics are so much better than "50 unread messages in #general"). And half because of your organisational values, which are more aligned with ours than are those of Salesforce.
The Bluesky team talks about "credible exit", and Zulip has that in spades - which makes me not want to exit.
Thank you for the work you do. Hanging out in CZO watching the Zulip team work in public is inspiring!
Hey, just wanted to say that I am a happy Zulip customer.
I used it at my previous employer and after a month of hand-wringing from people, many did not desire to go back to what we had before. (though some people did say they wanted Slack for the emojis and “prettiness”).
Now I started in a new position and I’ve positioned Zulip (on prem) as the only viable solution since we’re shirking SaaS as a strategic move.
The people who followed me to the new place are quite glad of this, or at least that's what I am told.
Some of the big weaknesses of running a self-hosted Zulip server for your community are:
- Your server admin can see DMs (or at least metadata, not sure if Zulip does E2E for DMs). The same is true for centralized services in theory, but unless you're a terrorist or a person of interest to a major government, it's extremely unlikely that a Discord employee will have an incentive to spy on your messages specifically. Your admin is likely part of your community and may know you personally, so the temptation is much, much higher.
- If the admin dies and nobody else has the keys to the kingdom, the server can go down at any point, and there's no way for users to reconstitute the network semi-automatically. Discord servers don't just go away unless somebody actively makes them to.
- It's much less secure in practice, it relies on your admin to always be on guard and constantly update their server to prevent vulnerabilities, either in Zulip or in the myriad of other self-hosted services running on it. One guy in his basement that goes on vacation once a year and has family responsibilities is far more likely to make mistakes than a team of trained cybersecurity professionals.
- Many Discord users are in 20+ servers. Anything that doesn't provide a one-click server joining experience (for users who already have an account on a different server) is nowhere near a Discord replacement.
- People want bots (for things like high-fidelity Youtube music streaming on voice channels), and those are mostly Discord-only.
- Anything open source will be worse at phishing and fraud / abuse prevention by definition, as many fraud-prevention approaches rely on the fraudster blindly guessing at what the code and ML models (do you even have ML models for this) are doing.
> it's extremely unlikely that a Discord employee will have an incentive to spy on your messages specifically
No, but history shows some unscrupulous staff members will always snoop, whether it's just pure interest or something more nefarious like intent to sell on the black market. This makes the risk of your private data being leaked > 0, which should always be treated as a valid risk.
> If the admin dies and nobody else has the keys to the kingdom, the server can go down at any point
This is how infrastructure works, and is supposed to work, besides the point that servers "die by themselves" which of course isn't true in reality. You decrease the bus factor if this is a problem for you.
> Discord servers don't just go away unless somebody actively makes them to
If all the sysadmins at Discord died and nobody else has the keys, exactly the same problem happens. Discord though surely have multiple backups of the keys and so on, something you too can do when you have your own infrastructure, so overall that argument feels almost dishonest, since you don't compare the two accurately.
> Anything open source will be worse at phishing and fraud / abuse prevention by definition
What? Completely orthogonal concerns, and if your main "fraud-prevention approaches" depend on security by obscurity, I'm not sure you should even attempt to be involved in those efforts, because that's not what the rest of the industry is going by a long mile.
> People want bots (for things like high-fidelity Youtube music streaming on voice channels), and those are mostly Discord-only.
Actually, the further I get in your comment, the more it seems like you don't actually understand what Zulip offers nor what the parent comment is about. Music streaming on voice channels? Completely outside the scope of Zulip...
----------
I think you have to understand the comment you're replying to a bit better, before attempting to lift Discord above Zulip. They're specifically talking about Zulip as an alternative "for managing the firehose of busy communities", not as a general replacement for every single Discord "server" out there. Yet you've responded to the comment as if that's what they've been doing.
Glad to hear E2EE is coming soon, but it’s been “soon” for probably a year now. It’s a bit odd that encrypted notifications still don’t work, and I’d argue it’s a very big caveat with regard to privacy and security.
Our main reason for using Zulip is that we work in a highly regulated space (healthcare) and would like to be able to safely talk about things. I suspect this sort of situation is a major motivator for Zulip adoption, so it’s weird that transit encryption was left as an afterthought.
(There has always been an option to just not include message content in mobile notifications).
Cryptography is not something you can do sloppily, and requires coordination between the mobile and server teams. Zulip 11.x included the protocol, but while doing the mobile implementation, we decided to make several more changes which have delayed it to the upcoming Zulip 12.0.
Some important context is that we retired the old React Native mobile app this summer in favor of the new Flutter apps (https://blog.zulip.com/2025/06/17/flutter-mobile-app-launche...), which has been an enormous improvement in the quality of the app and developer experience.
But as you can imagine, the cutover and relentlessly addressing feedback after it took a lot of time for the mobile team. We've also experienced an AI slop bombardment in the last few months that has consumed a lot of time. I'll save that story for another time.
What is Zulip's position on speech they/(you?) disagree with -- if someone is paying for non-selfhosted Zulip, are you going to delete/shutdown/dox users/operators that you politically disagree with?
If say the hyprland people were using a Zulip instance and someone astroturfed/brigaded/massreported a campaign to shut them down because they didn't agree to some external code of conduct and external enforcement of such, what would Zulip's response, as a company, be?
Moderation of self-hosted servers is entirely the responsibility of the server's owners (and perhaps hosting providers, if it's extreme enough). We have no way to know what's happening on self-hosted servers, and it's none of our business.
Regardless, there is no technical mechanism through which we could block access to a self-hosted Zulip server via the web application (which is hosted by the self-hosted server itself and designed to work on both desktop and mobile devices).
For Zulip Cloud, you can read https://zulip.com/policies/rules. One of the nice things about Zulip's model is that communities that we do not want to host can just migrate to self-hosting.
Doesn’t exist in Zulip, there's a “camera” button that generates a Jitsi link, I tried (and failed) to make it a Google Meet link, but it works surprisingly well, though it is a context switch.
Thanks for your work. Moved my company from Slack to self-hosted Zulip after Salesforce unilaterally decided to transfer our account to Alibaba Cloud and the transition has been very smooth. We especially appreciate proper markdown support!
I'm really hoping for Zulip to succeed, which is why I'm even commenting. But it really needs people with UI/UX expertise. E.g. good user onboarding does not mean showing them a 2 minute video, as another comment on here mentioned.
This is great to hear and ironically we (Pidgin) just decided that Zulip was going to be the next protocol we were going to add support for just barely 24 hours ago before all this Discord nonsense!
Awesome, feel free to start a thread in #integrations in chat.zulip.org! We'd be happy to chat about some of the things that will make your life easier to do carefully when writing a new client.
The main thing regards our double-entry API changelog system. Basically, the API documentation for individual endpoints, say https://zulip.com/api/get-user, natively covers for each endpoint all the changes relevant for that endpoint from https://zulip.com/api/changelog... and how to write nice code using feature level checks to support all server versions.
Happy to hear Pidgin is still at it after all these decades. I still fondly remember using it when it was still called Gaim and only spoke OSCAR, back when Rob was involved before he started Asterisk. I lurked on IRC back then and even made a simple TUI when libpurple first came out.
My understanding is that Campfire hasn't been actively developed for ~10 years (https://once.com/campfire/changelog shows some minor fixes after the OSS launch; their GitHub has no 2026 commits). There are no mobile apps. It is not an actively maintained Discord alternative.
https://www.rocket.chat/ and https://mattermost.com/ are open-core military contractors these days. You'll see what I mean if you visit their websites. But like Zulip, they are full-featured team chat systems, and if the parts of their system that are OSS work for your organization, they're certainly valid options.
Finally there is Matrix/Element. They have an inspiring vision and similar values to mine, and I'd recommend checking it out. Element/Matrix is built on an ambitious distributed consensus protocol with an E2EE option, which provides capabilities Zulip doesn't have but also adds complexity. Zulip is focused on just doing team chat really well, and does not support more than ~100K users in an instance. Hopefully will have a lot more resources now, thanks to Current Events. I wish the Element team the very best of luck!
----------------------------------------
Overall, Zulip's focus has always been on making a delightful chat experience, especially when you have multiple conversations happening at the same time. We aren't trying to build a clone, but instead the best possible experience for having lots of possibly complex conversations. So there will be some differences from what you're used to.
But critically, we spend a very large amount of our time relentlessly fixing micro-interactions that annoy us or are reported to us. If you read #design, #issues, and #feedback in https://zulip.com/development-community/, you'll get an idea of how we work.
So while there's some features we don't have that are present in other products, and we don't have dozens of designers on staff to do cool end-of-year animated reports like Discord does, you can expect few bugs and a lot of interaction design polish.
-----------------------------------------
The one mistake that I think a lot of folks make in evaluating options is focusing on buzzwords like E2EE without thinking through their threat model. E2EE doesn't add much practical security over self-hosting for many threat models, and it comes with significant usability trade-offs. And some current E2EE systems don't actually protect against a malicious server, say because they only protect message content, not metadata like who has access to what... just against raiding the server's disk.
(For example, WhatsApp has E2EE for message content, but I expect Meta's databases know everyone who's had a conversation with me on WhatsApp and the precise timestamps and approximate lengths of every message I've sent or received on the platform. And apparently some keyboard apps send what you're typing to remote servers!).
I'd say so, especially if you start on desktop and have them watch the 2-minute onboarding video. We are satisfied with what we see with our internal usability studies with nontechnical users.
Among customers, one reference that I can quickly cite is this one:
> Agents at GUT contact use Zulip every day to communicate with their team leads. “Most of our agents are in their 60s or 70s, so the software must be as simple as possible. That’s why we love Zulip,” says Erik Dittert, who’s been leading GUT contact’s IT team for the past 20 years.
I would recommend doing a little training/handholding call/video when moving over a community -- but this is true for any new app.
My mom needed training to do basic things in Squarespace, and I had a friend who worked at Slack whose manager started every chat message with "Hi <name>" and ended it with a signature, like you would an email. :)
Man, I want to support something like Zulip, I would even want to work on a product like this but one thing I'd say is you have to go back and study why Slack beat Hipchat and others. It's so simple in hindsight but it was the marketing and the UI/UX of Slack that made it so much easier to use. If you'd like, I have a ton of ideas and experience building UIs and would love to give you some of my input. Too much typing for a comment at the moment.
You should stop by #feedback in chat.zulip.org and share your ideas!
Regarding the history: Slack had very effective marketing, powered by a lot of venture capital. And HipChat was a weak product that had an embarrassing total hack, which did not leave customers with confidence that their data was safe there.
Zulip is not venture-funded, so we're reliant on people sharing it with others to get the word out.
As a side note, I don't think Slack could have succeeded if it launched today. Microsoft Teams has far far more users than Slack, and it's slopware. You can thank the end of anti-trust enforcement for that.
Based on some (admittedly very surface level) research, one spot where Zulip will still struggle to replace Discord is Voice/Video chats and Screensharing - the little I could find about voice chatting in Zulip is that it has to be configured to use an external service (Jitsi, Zoom, etc)
> Zulip is much better than Discord or Slack for managing the firehose of busy communities. Or at least, a lot of people tell us that they prefer the user experience to everything else they've tried, after a few weeks of getting used to it. :)
Slack has basically one main hierarchy level (messages are grouped into channels) while Zulip has two, streams and topics. So you can create a stream for each project (say) and create a different topic for any given point that needs discussion about that project.
Kind of like if each Slack thread discussion had a title and was discoverable from the left sidebar and didn’t get in the way of the other threads.
Check out https://zulip.com/for/communities/ and some of the linked case studies; they explain it better than I'll be able to in a quick comment.
But the main reason is that the topics-based organization and ability for moderators to move/split conversations means one can read and participate in a community much more fully given a fixed amount of time.
As a former user of Zulip at a previous company, thank you for this software, I enjoyed using it. Maybe I'll set up a private instance for friends and family so I can enjoy it once again.
Hi Tim. For pricing, it would seem that large, public-facing, Discord-style organizations would have to go with the free plan to avoid the pricing being prohibitive. Think something like the new Limewire community on Discord which has 2 million members. Or am I missing something about what a 'user' is considered in terms of being billable or not?
On a related note, I'm gonna check out Zulip for PortableApps.com. Any interest in having the Windows desktop app be portable? (We'd love to do that if we wind up using it)
The advertised pricing is for workplace use where the users are on payroll; if you read the plans page carefully you'll see we have free or highly discounted pricing for other use cases, both in Cloud and self-hosted.
Zulip is not designed to support 2M user accounts in a single organization. But if you enable the public access option (https://zulip.com/help/public-access-option), such that no account is required just to read content, you can end up with 1-2 orders of magnitude fewer "total accounts" that just wanted to see something once and don't actually use the server.
Just dropping in on a completely unrelated note to thank you for developing PortableApps - as a kid with no UAC access almost two decades ago now it helped me immensely to develop my interest in IT :-)
I'm curious whether you feel you're actually in control to actually make policy decisions about data protection or whether you feel you could be hit any day by the "$5 wrench" by the government any time they feel it necessary. I'm starting to feel that in this environment, nothing is safe, even if encrypted and on FOSS platforms.
Personally, I advocate for self-hosting communications software, ideally on physical hardware that someone in your community has control over. Zulip runs great on old laptops, if you can solve the IP address problem for hosting it in your house.
And if you want to be extra careful, put your chat system behind a VPN/firewall, so it's difficult to identify what software is being used externally.
And if you're not going to do that, because it sounds like too much work, the next best thing is to at least pick a Cloud service where you can migrate your group to paranoid self-hosting overnight if you decide the work is now worth it.
Self-hosting this way doesn't protect against all threat models. I am human and have children who I love dearly, so it's hard to rule out the possibility of my being compelled to make a malicious release.
But at least the Zulip source code is entirely open and highly readable; so users would at least have a chance to notice and not upgrade. With a centralized architecture like Discord, you're entirely reliant on whistleblowers.
It's kind of weird that e2ee is kind of an afterthought everywhere. If I was making a chat system I obviously wouldn't want to keep anything that the users talk about on my servers unencrypted or decryptable. Why would you? If something is supposed to be public then keep it. If not, don't.
The weird "we pinky promise to try to keep it non-public for some time" is a weird idea.
Most consumers don't know the difference between "encryption" and "end-to-end encryption".
Zulip uses standard TLS encryption, where the messages are encrypted in transit, but the server has access to the messages.
The server having access to the messages is extremely useful for many key features. Access control policies. Search. Markdown rendering that can make guarantees to clients about its behavior. Mobile notifications for mentions. And many more. There's options for all of these problems, but it's /hard/ and you end up having a lot of risk of nasty bugs where "all the message history become unreadable" and a lot of performance issues.
This is why end-to-end encrypted messenger apps like Signal are extremely minimal with basically no chat features, and can take a while to load long conversations ... there's a lot of expensive cryptography happening in the background. AFAIK it's not realistic to use the Signal protocol with the volume of messages people do in high-traffic Discord or Zulip communities.
Some other E2EE chat systems have more features but fail to actually provide end-to-end security. (For example, the server provides the source code for the web app and can freely modify that code to steal all the messages the user can still read, or the server is still in charge of metadata like channel membership ... so a malicious server could just add a fake user to every channel).
You get almost all of the security benefits of these "E2EE" chat systems by having a trusted person self-host the server, and setting a message retention policy if you want messages in certain channels to be automatically deleted after a period of time.
Our vision for Zulip is not billions of people on our Cloud service. People should own their own communities, not corporations. And in that world, usually the person who runs the community can be trusted to host it.
Also your website (https://zulip.com) is so fast and snappy, I was surprised to see everything load instantly when clicking around. I have not tried the app yet, but seeing a static website like this is quite refreshing.
Do you know if migrating from Mattermost to Zulip is remotely possible?
I had been using Mattermost because it's also (mostly) FOSS. However, they've recently been changing their released OSS edition to restrict capabilities... Unfortunately the org I maintain it for is having some issues with it now and I have metaphorical egg on my face.
Hi tabbott. Thanks kindly for offering to answer questions. :)
I signed up on your site just a bit ago, but I'm a bit concerned with the paid upgrade. Unlike Discord, I need to pay per user, which I find onerous and would get out of control fast for the group I run with around 100 members. Are there any plans for a flat fee model? I'm even happy to pay twice what I pay for Discord Nitro, but yeah, $8/mo per user is too expensive.
If it helps at all, it's for a retro computing community group, and not for profit.
First time hearing about this project and it feels mature. However, the landing page example of the app on web is…messy and noisy to the point i am totally lost.
This is not the case for slack or discord. I think having an awesome clean first impression would do wonders to sell what you are doing.
I don’t have any questions as of yet, but reading your site; it speaks to me and those values align with mine. Just wanted to say that I think the world could use a bit more of this.
Hi @tabbott I've been meaning to pass this feedback on for 5 months, and I hope it comes across in the spirit it's meant.
I tried Zulip (cloud offering) with some techie/designery friends, so we should have been right at home but... the desktop app on macOS and the web app was visually unappealing and clunky, and we ended up going back to a paid Slack plan.
I looked for docs on how to theme Zulip (so I could contribute), or for existing theme packs that would soften the transition but found neither.
tl;dr: The functionality was good (Love the threading!) but the UI feels like the 2000s came calling. Some UI polish would go a long way.
How well does Zulip protect users' privacy against snooping admins? I.e., does it have E2EE DMs? Unfortunately, this is a legitimate threat to be concerned about
very good take. IMO "current events" goes back to The Patriot Act if not further. Aggressive digital surveillance by 3-letter-agencies has been active for 20-60 years
The built-in Jitsi integration lets you create a voice chat call via a single button click. You can also put those call links in a channel description if you like.
We do have plans to make the integration offer some additional ways to jump into a call, and have been talking about adding video chat. But our focus has been on building the best text chat possible, given there are multiple actively developed FOSS video call systems that we can integrate with.
It has modern features. It stores message history. It has a fairly unique feature of letting you create ad-hoc "topics" (that go under a "Channel") that make it easier to manage the flood of conversation.
so instead of discord, google, meta having access to private convos... we should all switch to Zulip and have Zulip being the one with access to those convos? Or join someones self hosted instance and let them have access to those convos?
I spent 7 hours or so yesterday installing Zulip. It was a huge pain; for one, it wants to own an entire server and the only supported installation method is this mega-script that clobbers everything, so I had to try to use the Docker container. Documentation on installation is scarce; other than telling you to use the script, and the fact that a docker container exists (though the GitHub repo it linked me to was no longer accurate, and I had to find the updated image name elsewhere), there's practically no information on how it works or how to use it, or what it depends on or how to configure it.
- Had to use ChatGPT to help generate me a docker-compose.yml, except it forgot about memcached, set the wrong environment variables and just generally did a sloppy job.
- Once it was running it was a huge pain to set up reverse proxying properly, because Zulip apparently doesn't even pay attention to proxy headers if you're talking to it on port 80, even if X-Forwarded-Proto says https. It would get stuck in an endless redirect loop trying to redirect https to https. I could only properly debug this with tcpdump. The only solution I could find was to expose port 443 of the container and then have the reverse proxy talk to that, but Zulip still won't respect X-Forwarded-For, and login emails still show the Docker network address for whatever reason. No idea how to fix this as I couldn't find documentation on how to do it for Docker; the doc for reverse proxying without Docker says to edit zulip.conf, which is impossible (or I don't know how, as again, I couldn't find documentation on any way to do it for Docker.)
- Even once I could access Zulip it was a huge pain to get it to access the databases it needs, because again, I couldn't find documentation on how to do this for Docker. This was after it was a pain to figure out how to generate an org creation link because I don't think I could find documentation for that either, I had to find the script and read the source to figure it out.
- Even once it could access the databases it needs, and I could get it to use the right passwords (which was annoying as it generated SOME of its own secrets, but not others, and started ignoring the corresponding settings, like the email host password), I tried to set up push notifications but that required a setting I didn't know how to set because I couldn't find documentation on how to do that for Docker; I eventually figured it out but it was annoying.
It was so awful and took up practically my entire day. Once I could finally get it to work, it works pretty well, but it's not an experience I would recommend until the docs start supporting this use case.
I'm sure it would've been easier if I read the entire documentation, the entire source code, the entire build script of the Docker container, etc. but I just wanted something to work...
I typed "Zulip docker compose" into DuckDuckGo, the first result was https://github.com/zulip/docker-zulip which has commits from today, so doesn't seem out-of-date.
> Had to use ChatGPT to help generate me a docker-compose.yml, except it forgot about memcached, set the wrong environment variables and just generally did a sloppy job.
It has a docker-compose file in it, has memcached in it.
That's very understandably annoying. If you can confirm that that is what happens, a bug report either with Zulip or ReadTheDocs (not sure which) might be in order.
I mostly got hate on HN every time I posted about it LOL. I think something about "decentralized" gets some people really riled up (maybe it's the association with crypto / blockchain?) but frankly, it's the ONLY solution to extreme centralization.
Someone's got to build a platform with all the features of Discord, but make it decentralized and open source.
I've spent over $1M and 10 years on it. I have to package it so that it's easy to install. But I'm working on something to take care of that, in the next few months, that will also include actually safe AI agents inside.
I'm happy to welcome anyone aboard who takes the time to learn the platform, but I won't lie, it's huge. As you would expect an open source decentralized clone of Facebook / Discord to be. I just hope it's architected well enough for developers to pick it up quickly. At the very least, I think it's a lot less spaghetti than Wordpress and Joomla :)
PS: In 2018 I launched something that HN hates even more... a Web3 company that released open source smart contracts at https://github.com/Intercoin . Why you ask? Because once a lot of value is at stake (whether it takes the form of money, votes, or even just community roles), it's better to have thousands of computers secure it than "just trust" the central site.
When founders of famous centralized messengers criticized decentralization, I had to write this:
Don't forget, it's not just Discord. As of Jan 1, Texas is now requiring digital ID to download any app at all or visit many internet sites, and forcing Apple/Google to build it in "to protect the children" of course. And Utah is following suit soon too. The Supreme Court last year said that digital ID can be required by states.
You need someone to rework that ecosystem.pdf file if you're serious. You spent a million dollars on this but your ecosystem pdf looks like it was created by a 12-year old trying out slides for the first time.
>>Given current events in the USA, I can't emphasize enough how worried one should be
I've been putting my pants on every morning for the last several years, had breakfast, gone to work, and come home without worrying about any current events in the USA and my life seems no different than 50 years ago except I have modern gadgets.
Social media is not the world. In fact, it's 10% of what the real world is like and how the real world thinks. It's why I ignore social media except for HN and one other but I only scan the headlines and rarely pop into comments like this.
And I'm happy.
EDIT: And the comments below are proof why you, too, should ignore all social media and why you, too, will be happier.
Thousands of people have put their pants on, had breakfast, gone to work, and then been intercepted by militarized federal agents, thrown to the ground, locked up in prison camps, then deported overseas.
If your eyes are closed, then things look the same whether you're in the middle of a calm meadow or on a highway about to be run over by a truck.
If you prefer not to look, maybe because you're convinced there's no truck, or you don't think it would help avoid the truck if there is one, fair enough. But the fact that your personal experience is unchanged is meaningless.
That is not a good analysis because it insinuates that everything stays the same. This is clearly not the case. Besides - no matter whether in a democracy or in a dictatorship, almost everyone puts on pants.
It is also incorrect to confine this "merely" to social media. This is clearly government overreach. They want data from The People.
I hope Discord understands the risks they pose to their audience when they open source their IDs again.
Discord is used by a bunch of closeted users having pseudos, who wouldn't do the same activities on it if everyone had their names.
A part of the Discord users is from countries from which Discord isn't even officially accessible (e.g. China) or where involvement in LGBT discussions could result in death row (Afghanis are still on Discord)
For me, a company that open sourced 70,000 IDs and ask for moooooore just weeks later is just a joke about the sharing economy
The problem isn't even for new users. Some users have over a decade of private hobbies and will now need to associate their government ID to their profile. Discord pinky swears they ask but don't keep this time, which isn't enough.
Companies shouldn't be allowed to change such fundamental ToS after an account is created.
> Discord is used by a bunch of closeted users having pseudos, who wouldn't do the same activities on it if everyone had their names.
Exactly. I am sure they won't share their face or ID and will move somewhere else. Big opportunity for other platforms to stand up and grow their user base.
Discord also calculates a whole lot of (inferred) demographic information. Estimated age, gender, and surely much more. They also feed all the messages into a ML model, which guesses what people are talking about, and pushes a notification to other users. This is probably the culmination of all that, this is why they refuse to be e2e like every other reasonable messaging app...
Discord is focused on large groups. E2EE doesn't work in this case. Group management overhead traffic is too high and too unreliable, and a bad actor could just join the group under a pseudonym to log messages. Discord isn't E2EE for the same reason Hacker News isn't.
I REALLY doubt anyone XYZ while XYZ is illegal/pursued/banned in their country hasn't already extensively thought about their own threat model, and that disclosing this kind of information on a public platform is not safe.
To protect my privacy, I have a photoshopped drivers license with a photo of my dog that I've successfully used for verification (e.g. AirBnB) in the past.
Though, with AI being used I suspect it wouldn't pass any longer.
Huh. Can you do that? I wonder what is legal status of this. I used to make all sorts of fake IDs (pretty good ones!) when I was a teen (you know, for purposes such as going to clubs, buying alcohol), but of course this is literally a crime, and not even a "minor" one. Apparently, back then it didn't bother me much, but with age I became more cowardly, I must admit. So now I use my passport data more often than not, even though I am not really a fan of the idea of giving a scan of your documents to some random guy on AirBnB (although, with some obvious caption photoshopped on top, to make the scan less re-usable). I mean, it's just a matter of fact that everyone requires them, and it also has that weird status of "semi-secret thing" that you somehow aren't supposed to give to anyone, and I still have close to zero understanding of how that works.
So, I suppose you shouldn't give your fake id (digital or physical) to government officials. It also seems "obvious" that it's similarly unwise to give it to a bank. But you can do that to a random guy on AirBnB? A hotel? To a delivery service (Uber/Wolt/whatever)? Discord? Where is the line between a bank (a private commercial corporation) and Discord (a private commercial corporation)?
Youtube flagged one of my accounts as a teenager because I watched a few pop videos (lol) and I was not able to trick it with fake IDs, though I didn't try all that hard.
I tried to do this when LinkedIn forced me to upload an ID. It didn't work unfortunately. I see the good in this but I know it will be abused. I want to run away but I don't foresee any way that the powers-that-be will let the common person use the Internet without an approved ID in the future.
I have discord for gaming communities, but also for political communities. Pod Save America has a discord with thousands of users talking political things. While I don't mask my identity there, I sure don't want Discord preemptively linking my state ID to my person. Screw that.
If you're worried about government retaliation they can already figure out who you are from what discord has, especially with a justice department that doesn't really even care about looking like they're following the law
Nope, I want the social media companies to be shut down, I want smart phones to go away permanently, and I don't want kids to be handed laptops or ipads in school.
1 - Piles of parents too stupid or lazy to, well, parent the children they made;
2 - A very reasonable societal expectation that it shouldn't be easy for young kids to access, or even be exposed, to the worst dregs of the internet;
3 - Very different use cases (gaming, kids stuff, free/affordable slack for communities) all on the same platform;
4 - A pile of morons in legislatures who insist there's a magic highly private way to do all this, but (see Australia) refuse to lay out the actual method. It's a government-wide game of underwear gnomes.
> A pile of morons in legislatures who insist there's a magic highly private way to do all this, but (see Australia) refuse to lay out the actual method.
This is a case where there's plenty of evidence that it's actual malice, not just incompetence. Leaving aside that this shouldn't be done at all, there is no desire to do this in a privacy-preserving way, because destroying anonymity and controlling online discourse is the point for governments, not the "unintentional" side effect to be avoided. "Think of the children" is just the excuse to get people to unknowingly buy in, just as it has been for generations.
How reasonable is this expectation? All you do by instituting these draconian 'won't someone please think of the children' ID laws is make it marginally more difficult to access mainstream services where there's not much crazy bad stuff anyway. The rest of the internet is the wild west, and good luck controlling that.
The whole thing is security theater designed to conceal the fact that child security is not the objective, it's the justification.
All social media websites should require id tbh. This is the new public town square - everyone should have a voice, but nobody should escape the consequences of using that voice to peddle bullshit.
Except that is clearly not how it works. Spend 5 minutes on facebook, and you will quickly realize that people have absolutely no problem spewing the most disgusting racist, xenophobic shit you have ever seen in your life, while their full names and pictures of them hugging their grandchildren are there for everyone to see.
I believe what you said is correct and this headline is incredibly misleading. Most people should not need to upload any ID. If you are so addicted to NSFW content on Discord, then it is a different story.
I’m giving it exactly 2 weeks after implementation for most people to just suck it up and upload their IDs. I can’t think of a single “this new thing will break the service, people will mass quit!” thing ever working out. Sure, some users left. But super majority, who has already built communities and are dependent on it just keep churning.
Privacy and all that jazz aren’t that important to an average person. Everyone’s IDs are already circulating in a mix of Tinder, AirBnB, Twitter, <any random other app that just requires it>.
I deleted my Facebook account in 2011. After finding out how much critical neighborhood information I have been missing, I finally registered a new Facebook account fifteen years later to follow my neighborhood groups.
A month later, the account was suspended for supposedly breaking guidelines. I never posted a single message, never reacted to any posts.
They then required me to upload a video scan of my face to prove I was a person.
We aren’t quite at the end of the internet, but man I can really see the end of this journey coming sometime soon.
I helped an elderly woman create her first FB account. She'd just lost her husband and wanted to notify his friends about his upcoming memorial service. She knew their names but didn't have contact information.
We created the account from an Apple device, registering from her home cable modem IP, giving FB her cellphone number and ISP issued email address — all strong signals of consumer authenticity. But after she added five of her relatives within half an hour, her account was locked for suspicious activity.
There was an appeal button; she was asked to take a picture of her face from many angles and upload ID. She gave them everything they asked for, but when Facebook reviewed the appeal, they closed her account permanently.
> There was an appeal button; she was asked to take a picture of her face from many angles and upload ID. She gave them everything they asked for, but when Facebook reviewed the appeal, they closed her account permanently.
I can't speak for every company, but I know with Facebook and Paypal, these requests generally are from automated systems and the chances of successfully reopening the account is well under 1%. The info you submit is not viewed by a human and the systems are mostly treated as a way to lighten the load on human support staff. They don't care if your account is reopened, they just want you to feel like you had a chance, did all you could, and then just give up.
I discovered this about 20 years ago dealing with Paypal. I happened to know someone who worked in Paypal engineering at the time. I had a well established account, a Paypal debit card, linked accounts, etc., everything you could need to feel good about an account.
Out of the blue it was suspended and I was sent into this system to send in verification documents. I gave everything it wanted. First it was ID, then a "utility bill" so I sent over my phone bill. That wasn't acceptable because it didn't prove I lived at my address for some reason, so I sent a natural gas bill. Even though that did have to be tied to a physical address (you can't deliver gas wirelessly!) I was asked for an electric bill. Then the lease. Then a bank statement. Every time I gave it pretty quickly. Then I was asked for a passport. I didn't have one. Suddenly that was the only thing that could unlock my account and as soon as they had the passport my account would be reopened. Nothing further would be done without a passport, not even communication.
I asked my friend to look into it. She said, "that's on purpose, that's the NoBot. It gets people out of support's hair." Turns out if you let unhappy customers complain to humans on the phone they will, so some exec decided to improve call center metrics by forcing customers into a system designed to keep them occupied until they gave up. You funneled people into it, and it would continue to reject their submissions with new reasons infinitely. It just went through a list of things to ask for, and when it found one you couldn't provide, suddenly that was the key and without it you were screwed.
Many consumer banking apps have begun integrating similar identity verification third-party providers. They are very inaccurate.
Sometimes it works with the front camera on one smartphone but doesn’t with another (iPhone 17’s distortion), sometimes it recognizes your face on one day, but desperately fails to recognize you on another. I had to repeatedly record videos for it only to fail over and over again. Anything their system flags as suspicious, anything, will trigger the same video identification flow again, which effectively blocks your money in the account.
I’m closing my accounts with a couple of banks with these video id flows. Simply because it’s way too easy to lose access to my money in the account with them. If their QA is not good enough for this vital requirement, I don’t want to know how they treat other requirements. They simply outsourced the id verification to some third parties that are way too unreliable.
It sure beats the Reddit system where you think you are interacting with people, only to find out a couple of days later that your fresh account is shadow-banned and nobody is seeing your comments and that none of your likes went through.
Not to defend, but to understand. Last year our old "High School class of 19NN" group received about a dozen join requests per week from bogus accounts for a couple of years. At first they were trivial to discriminate because they were folks located on the opposite side of the Earth. But over time they became filled with pictures and names of (randomly generated?) Americans.
I could still tell because their profiles were sterile and had few normal comments or likes etc. Also a high school class has a very narrow age range. We recently landed a fatal blow by disallowing joins by "pages" and adding a few questions. A trickle continued but stopped recently.
The hamfisted false positive response you described is probably a result of the above.
Last year I finally caved and tried to sign up for instagram. It's tragic but it's almost like a second internet. So many small business and bands only have instagram. So many lil communities post their events only on instagram. I always have to ask friends with instagram to tell me when a brewery is open, when a show starts, etc.
So I tried to sign up (and I already HAVE an active facebook account from high school, with hundreds of friends) and it wanted me to scan my face. I did it, which I regret, only to be told five days later that I am too suspicious. So here I am, still locked out of all this information lmao
My sister died a few years ago. A couple of months later, someone created an account with her name and profile pic and started inviting family members. Quite frankly, I would have been ready to brawl with this person if I were in a room with them.
I feel very badly for your friend. Unfortunately, those completely benign actions look identical to a common identity theft pattern.
It's as if all the other problems Facebook has done in the past never mattered. Nobody stops to think about how Facebook's _repeated and exhaustive history of abuse_ might actually impact them. If only there was some evidence of what might happen...
Mark Zuckerberg, folks. It matters when his default philosophy is "They trust me dumb fucks". Copying Snapchat 9 times is more of a priority than account security. He wasn't "making a good point". He's a malicious asshole who deserved jail years ago
Ironically, this may be one of the many straws that breaks the proverbial internet camel’s back. We all wax and wane about the old internet, the pre-homogenized, non-corporate, Wild West internet.
Perhaps these constant restrictions will finally spur us to create our own spaces again. Our own little groups that exist independent of the corpo-sphere.
The only reason ‘the way things used to be’ went away was because the new thing was convenient. Well, now it isn’t anymore. So let’s just go back to the old thing.
I yearn for the days of yore when a few of us would co-lo some boxes at a small local ISP we were friendly with, where we'd get to take advantage of their always-on and (at the time) blazing-fast T1 connectivity. It was low-cost for everyone, and we'd host our own services for whatever was useful to us and our friend groups.
On the other hand: It was kind of awful when even my dialup access would get screwed up because someone's IRC server got DDoS'd -- again -- and clogged up the pipes.
---
These days, the local ISPs are mostly gone. But the pipes are bigger -- it's easy for many of us to get gigabit+ connections at home. Unfortunately, the botnets are also bigger.
> Perhaps these constant restrictions will finally spur us to create our own spaces again. Our own little groups that exist independent of the corpo-sphere.
The normies already did this. They just did it on centralized platforms like Discord. Until their backs get broken we're not getting anywhere. (Although I may be being a little too cynical.)
> Perhaps these constant restrictions will finally spur us to create our own spaces again
We had forums using forum software but moderating the spam got too hard. If you create your own space using any common software platform then you'll be pwned (a la PHP-Nuke et al). I presume even pure custom web pages would end in tears these days (DoS complaints seem to be a more recent reason; also Bot form submission is pretty good at being bad).
I have my small little groups. I've walked away from big sites constantly and this won't be an exception. Definitely going to cancel my Nitro today until/unless they revert this.
But leaving is never free. There's a lot of gaming communities (especially niche subcommunities like emulation, speedrunning, modding, etc) that are mostly on Discord and not anywhere else. Many probably won't move. A lot of tribal knowledge will be lost as it's locked in these communities.
Heck, even some FOSS communities communicate mostly on Discord. I have more faith they will move. But not all.
The interests of the people who own/control technology, and have the most influence over standards, will make sure you are forced to participate.
And they have always organized society to make sure this is the case. It's not a wacky conspiracy theory. These are just the interests of the people who create and have most influence over tech, and these interests are shared in common amongst most elements of that class. So, this class, the capitalist class, will just plan (conspire) to make it necessary for you to participate.
Viewing tech in this way makes one see that the historic development of tech is not happenstance occurrence, just tech skipping along, unconsciously, into authoritarianism, but as tech being influenced by the interests of the people who have the most influence on its development: those who own it, who are often the same people who determine standards.
The internet was never a free form idea upon which everybody could sway, it's a technology owned, controlled and influenced by those who produce it.
They WILL absolutely try to place social/state/labor functions behind this wall of authoritarianism. As they already have, and are currently doing with the growing ban on VPN usage, anti phone rooting measures, anti-"side loading", etc.
It should not be absurd to suggest that the people in power have used, are using, and will use power in their favor.
I have a similar story. I quit in like 2016 or so and 9ish years later I wanted to shop for a used car for my oldest kid. I know already, of course, that Facebook now holds a monopoly on peer to peer sales of goods like that so I tried to make a new Facebook account. I was denied at the creation and told I had to try again with a video of my face (which I begrudgingly did) at which point I was denied AGAIN and told there was no appeals process.
> a monopoly on peer to peer sales of goods like that
I don't know ... around these parts (Santa Fe/ABQ) while Marketplace is very popular, Craigslist continues to be widely used for this, especially since an ever growing number of younger people are not on Facebook (either at all, or not regularly).
FB/Discord/etc were never the internet. They were walled gardens you could enter via the internet. This could be a revitalization of the internet - pushing people back to decentralized ways of communications.
Perhaps you may have not read about how Iran is moving to a whitelisted internet. Or perhaps you believe this will not happen in your country.
However, “think of the children” will always result in more restriction in western countries, not less. We are watching countries prove that it works to isolate from each other. Europe is not isolating from America in exactly the same way, but is isolating business processes from American services.
We are not on the cusp of the end of the internet, but the cliff sure seems in view to me.
My friend has a restaurant and showed me the ad he wanted to promote on Instagram about a pizza coupon was suspended for breaking the guidelines, they mentioned gambling or something. I was quite impressed. When you see that one of the "magnificent 7" is dysfunctional to that level, it's hard not to think we're living the last decades of American economic hegemony, by now propelled mostly by inertial monopolies than anything else.
The big ad networks want a cut from business users and will actively suppress posts from business accounts that haven't paid up.
But instead of paying Instagram for reach, consider taking the same budget and spending it delivering samples and coupons to other local businesses mid/late morning. Bonus points if you make the coupons unique for each delivery so you can track which local businesses are your biggest fans. Office managers are generally receptive to this kind of cold call and you can leave a catering menu. Catering gigs can keep your kitchen busy during the off hours.
Had a similar experience after rejoining a few years ago. My account wasn't suspended for breaking guidelines AFAIK, but rather flagged as a suspicious account that required an upload of my face and driver's license. I think the account still exists in this limbo state because I'd rather not upload all of that to Facebook, and yet still not able to login to request for the account to be deleted.
Twitter (before Musk) and Facebook did the same thing to me... and that was a long time ago.
Discord tried to do it to me a few months ago but I refused, contacted support instead. Eventually they made it work but it took forever. Lucky for me I hate Discord so tried to avoid it anyway.
Instagram did a similar thing for me back in 2016-ish.
A family member had been sharing some photos they were taking, but only on Instagram.
So I signed up an account, verified via email and phone number. I wasn't initially able to find the family member's account. A week later after I got the spelling of their username right, Instagram popped up "Your account has been suspended". They then sent me an email saying I needed to take a photo of myself holding government ID, and a piece of paper with a hand-written code they supplied, plus a close-up photo of said government ID. No way was I supplying all that just to be able to browse some photos.
I had the same experience when I deleted my FB then years later reregistered one using the same email. I think that's kind of a good thing in some ways, specifically in the FB case because I wouldn't want someone to go online saying they are me when they are not.
I’m actually excited for it. We have a lot of infrastructure already in place so I’m looking forward to the internet being a deanonymized space where people watch what they say and there’s accountability.
Oh yay, the company that told me to "just use your wife's phone" when I couldn't verify my own phone number, instead of even trying to fix the problem, now wants a copy of my face?
Pardon me if I don't have a lot of trust in their ability to keep it safe.
One thing most of those lack is an easy way to share screen.
Now if anyone wants to differentiate their Discord alternative, they want to have most of discord functionalities and add the possibility to be in multiple voice chats (maybe with rights and a channel hierarchy + different push-to-talk binds). It's a missed feature when doing huge operations in games and using the Canary client is not always enough.
I use MiroTalk for it. Within Element you can set up widgets (basically PWAs) and so you can call via Element’s built in Jitsi widget (or a more reliable dedicated Jitsi link) and then use MiroTalk to share screens. It is a LOT better, especially for streaming video.
In terms of ease of use, it’s like three clicks. Technically more than Discord, but it’s p2p streaming so it’s far nicer quality.
Hard to say, I don't really use discord so I think of it as voice chat as a service, and for pure voice chat it is hard to do better than mumble. However from the way people talk about discord, it is also a text chat screen sharing file server, and it is hard to find one product that does all that well.
For video, both video chat and screen sharing I have had a lot of success with Galene, it offers text chat and file sharing, but they are sort of anemic and bare bones, which could be good or bad based on the needs of your users. https://galene.org/
What I usually do is start with a fossil server, this is trivial and gives you files, a wiki and a forum (none of them super good but like I said trivial to set up) then if I want voice, mumble is my normal route, but galene is growing on me more and more, the web interface makes buy in from the end users trivial and despite it being nice you almost never need the cool room stuff you can do with mumble.
But I am a sys-admin, I like running servers, hell, I find I enjoy running the servers more than I like playing the games. Plus, statistically, I have zero-friends, it is fine to say a server is great when only one other person has used it. That is to say, my results may not be typical.
I think Matrix is the closest equivalent that's reasonably popular, at least for text messaging. There are both web and mobile clients and they interoperate seamlessly. It's also at the point where it somewhat reasonably works for the average user, rather than being the usual UX nightmare that teaches people that anything open source or anything pushed by their nerdy friend should be avoided.
Honestly, this is HN and founders should pay attention to this. People don't want to host their own shit, they want a one-click easy switch. All of these alternatives have baggage.
This is your chance to start Bluesky for discord. A competently built, VC backed competitor to exploit a misstep only caused by government overreach due to their colossal market share. 26 million daily active users is a nice guaranteed market to start whittling away at, with an effective marketing campaign to drive a wedge between "little gamers, and big corporate enshittification."
Nevertheless, I don't like the new name either, oh well...
I like this comment though:
Imagine you make a free software project and it runs into trademark issues because people have more money than you to register in more classes than your project.
And then even though your project existed first, they still come after you anyway.
And from that an even more expensive rebranding from this as well.
Argh. If there's no stoat emoji, petition the Unicode Consortium for one, don't just use a beaver. It's not even the right family; the badger emoji would be closer.
Does matrix have decent 1:N client desktop broadcasting with low latency (and high fps) yet? I use discord for "watch parties", video and tabletop gaming...
I wonder how Stoat will fare, and how it is currently maintained, in terms of "making money"; my fear is that it would steer into the direction of Discord itself.
Currently financed on user donations. The future plan is to introduce further features which are costly to provide behind a paywall to remain sustainable.
For me, the closest alternative to Discord is Stoat. Matrix with Element (or other clients) would be great, but it feels so slow on both desktop and mobile.
IRC does not support group voice & video calls, which is one of the primary features of Discord (and previously Skype, from which everyone migrated to Discord in the first place)
For most Discord users IRC simply does not have the feature set that people need. Basics like simple drag and drop media sharing, threaded conversations, emoji reactions and voice comms, up to more complicated stuff like screen sharing and video calling.
The real sin is that if they went with electron, they probably could have gone with a web app, and while web apps have downsides, they make fellow user buy in trivial, instead of "download this client" it's "go to this web page"
I am especially bitter because electron advertises as being "cross platform" by which they mean that it also runs on linux and as an OpenBSD driver I get to go "cross platform my ass" and then weep because of how close I am, if it were a web app it would probably be trivial for me to run. What I really want is a method to unelectronify electron apps.
I keep wondering why Zulip is so often left out of reviews and tooling comparisons. For me it ticks a lot of important boxes, yet it barely gets mentioned. Is there a downside I'm missing, or is it just under the radar?
The concept that every message belongs to a topic and the async communication focus makes so much sense to me. I read conversations, not timelines.
Last I checked Signal was not fully open source, which is iffy, believe their encryption protocol is still closed. That said it's the best of a bad bunch for E2EE messaging. If you're on Android I'd recommend doing what I do, which is installing from the APK on the site, manually verifying the sig locally (you can use Termux for this), and then lagging ever so slightly behind on updates to avoid potential supply chain or hostile takeover attacks. This is probably overcautious for most threat profiles, but better safe than sorry imo. Also their server side stuff is closed source, technically this isn't an issue though as long as the E2EE holds up to scrutiny.
Edit: My information may be out of date, I cannot find any sources saying any part of the app is closed source these days, do your own research ofc but comfortable saying it's the most accessible secure platform.
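The local check described in the comment above (verify the APK's signing certificate before installing), as an added example that is not part of the thread or any project's own code. It assumes `apksigner` from the Android SDK build-tools is on `PATH`; the function names, the fingerprint and the sample output are constructed placeholders, and the real fingerprint must come from the vendor's download page.

```shell
#!/bin/sh
# Added example: pin an APK's signing certificate to a published SHA-256
# fingerprint. Usage: ./check_apk.sh app.apk "AA:BB:...:FF"

# Normalise a fingerprint: drop colons and whitespace, lowercase the hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# Read `apksigner verify --print-certs` output on stdin and print one
# SHA-256 certificate digest per signer. Assumes the usual
# "Signer #N certificate SHA-256 digest: <hex>" line; any other layout
# yields no match, so the check below fails closed.
extract_sha256() {
    sed -n 's/^Signer #[0-9][0-9]* certificate SHA-256 digest: *\([0-9A-Fa-f]*\).*$/\1/p'
}

# check_certs PINNED_FP < apksigner-output
# Returns 0 only if exactly one signer is listed and its digest equals
# the pin. Returns 2 for a malformed pin, 1 for any other failure.
check_certs() {
    expected=$(normalize_fp "$1")
    case "$expected" in
        ''|*[!0-9a-f]*) echo "bad pinned fingerprint" >&2; return 2 ;;
    esac
    # A SHA-256 digest is exactly 64 hex characters.
    [ "${#expected}" -eq 64 ] || { echo "bad pinned fingerprint" >&2; return 2; }

    digests=$(extract_sha256)
    count=$(printf '%s\n' "$digests" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        # Conservative policy: an unexpected extra signer is treated as a failure.
        echo "expected exactly one signer, found $count" >&2
        return 1
    fi

    actual=$(normalize_fp "$digests")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got $actual" >&2
        return 1
    fi
    return 0
}

# verify_apk APK PINNED_FP
# Two separate questions: is the signature valid at all (apksigner's exit
# status), and was it made by the key we expect (the pin comparison)?
verify_apk() {
    command -v apksigner >/dev/null 2>&1 || { echo "apksigner not found" >&2; return 3; }
    out=$(apksigner verify --print-certs "$1") || { echo "signature does not verify" >&2; return 1; }
    printf '%s\n' "$out" | check_certs "$2"
}

# Constructed sample of apksigner output, so the parser can be exercised
# without an APK. The digest is a placeholder, not a real certificate.
sample_output() {
    cat <<'EOF'
Signer #1 certificate DN: CN=Example Signer, O=Example
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
EOF
}

# Run the real check only when called with an APK path and a fingerprint.
if [ "$#" -eq 2 ]; then
    verify_apk "$1" "$2"
    exit $?
fi
```

A valid signature alone only shows the file was not modified after signing; the pin comparison is what ties it to the expected publisher.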
https://www.bbc.com/news/articles/c8jmzd972leo
> Discord, a messaging platform popular with gamers, says official ID photos of around 70,000 users have potentially been leaked after a cyber-attack.
However, their senior director states in this Verge article:
> The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information.
Why didn't they do that the first time?
This is also contradicted by what Discord actually says:
> Quick deletion: Identity documents submitted to our vendor partners are deleted quickly— in most cases, immediately after age confirmation.
What are the non-most cases?
Yeah, say goodbye to the privacy and safety of those documents.
Everyone says this, including the TSA. But they never say they don't keep a hash, or an eigenvector of your biometric. Which is equally as important.
But they might be sending a copy to the NSA, similarly to how Alphabet, Yahoo, Apple, Meta etc. have been doing (PRISM program, part of the Snowden revelation [1]). The US has the legal mechanisms of requiring this to happen, secretly, such as NSLs [2].
[1] : https://en.wikipedia.org/wiki/PRISM
[2] : https://en.wikipedia.org/wiki/National_security_letter
I call it bollocks. Likely they have to keep it for audit and other purposes.
Expect any claims that things are being deleted to be a bold faced lie.
The company they hired to do the support tickets archived them, including attachments, rather than deleting them.
The purpose of things is what they do. They're an adtech user data collection company, they're not a user information securing company.
TL;DR: The IDs were used in age-related appeals. If someone's account was banned for being too young they have to submit an ID as part of the appeal. Appeals take time to process and review.
Discord has 200,000,000 users and age verification happens a lot due to the number of young users and different countries.
> We do not keep any information around
... "around"
*CANCEL YOUR NITRO SUBSCRIPTION NOW IF YOU'RE PAYING FOR ONE* (for whatever reason)
This was just announced today and a flood of canceled payments within the next 24 hours are the easiest way to send a message. And also tell people on the servers you're on to do the same. It's not like they give you anything of real value for that money.
`For most adults, age verification won’t be required, as Discord’s age inference model uses account information such as account tenure, device and activity data, and aggregated, high-level patterns across Discord communities. Discord does not use private messages or any message content in this process`
I don't expect the masses to change their incomprehensible habits just because of this.
Telegram, Slack, Facebook, Team Speak, Reddit, GroupMe, nothing really offers the same feature set and ease of setup that Discord does.
It isn't surprising to me they are going scorched earth now bending to the will of the fascist government.
Now that I think of it, I bet I could host a decent instance of some open-source alternative in a public cloud for around the same cost as what I paid for Nitro ($100 a year)...
I bought and canceled nitro in a single day because it's a bad product.
They promise HD screen-sharing, but it's only for _my_ screen. When I hopped into a call, the other user's screen share is illegible. Higher quality is still locked behind a "Buy Nitro" message.
If I'm paying for an improved experience, I should be able to get it.
The cancel login flow didn't inform me that it found my login suspicious but the subscribe one did
I suppose the silver lining is that they are putting the responsibility for age verification on adults. Which imo is better than requiring everyone; kids get a free pass to the kids stuff...
In my experience, you run the risk of getting your server shut down in small servers if someone reports it. Or risk losing your community server status in larger public servers until you come back into compliance.
Also in my experience what teenagers are going to do when they hit an age gate is use a fake picture/video. Sometimes they'll get banned for that and then they'll make a new account and do it again.
The default experience will be the "teen" experience - they list what that entails - stuff that's flagged as adult/NSFW/etc. is blurred out until your age is verified, which for most(?) people will require ID or face scan. DMs/friend requests from people you don't know take some extra clicks to view. Fine.
It depends on how broad the definition of adult content ends up being I guess, but I'm simply not convinced that requiring ID to view "adult" content is the end of the world. If that means porn, I'm 100% OK with it, put porn behind gates. It has become far too easy to access. It's 2026 and we now have a generation of gooning addicts out there who never have actual sex and it's basically a guarantee that they won't find partners or start families any time soon, exacerbating an already problematic decline in the birth rate. This is not a version of society or anyone's "rights" that I care to defend. You want to goon, show ID. That's how it was before the Internet anyway.
On the other hand if it means any speech that the platform deems to be "controversial" will be blurred out then my response will not be to submit ID, I'll simply limit how I use the platform. Anonymous speech continues to matter and needs protection. But Discord was never the entity that was going to provide that protection.
I mean Discord is a gaming chat room. Expectations should be set by that fact. I don't need a gaming chat room to be NSFW, or even host i.e. political speech really. I get that people have used it for more than gaming, but it was always pretty clear what it was. If people don't like that this gaming chat room no longer supports other uses, they should switch to an alternative.
You do it for the children now, you poo-poo concerns because "who uses discord for non gaming anyway" and you're just letting the foxes in the henhouse.
Twelve months from now and they'll want it for every chat.
And the community I'm interacting with is looking into self-hosted options.
Given current events in the USA, I can't emphasize enough how worried one should be about the fact that a few companies like Discord, Google (Gmail), and Meta have databases with access to the private conversations of hundreds of millions of people with their closest friends and family members, linked up with their identity.
Some of the big strengths of running a self-hosted Zulip server for your community are:
- Zulip servers are operationally simple, highly stable and easy to upgrade.
- Zulip is much better than Discord or Slack for managing the firehose of busy communities. Or at least, a lot of people tell us that they prefer the user experience to everything else they've tried, after a few weeks of getting used to it. :)
- Your community leaders get to make the policy decisions about data protection, identity, etc.
- It's 100% FOSS software, with an extremely readable and maintainable codebase that ~1500 people have successfully contributed code to. I don't think you'll find modern alternatives with a comparable featureset to Discord that are more resilient to the sponsoring company being acquired or going out of business.
- We are a values-focused organization (https://zulip.com/values/) where providing a public service is important to us all.
- Each server is completely self-contained and independent, with the only centralized services needed from us being desktop/mobile app publication and mobile push notifications delivery (which is free for community use and soon to be E2EE).
I'm happy to answer any questions.
Thank you!
Admittedly, it did take a day (less than), but once I got used to the interface Zulip provides, it's better than what I would have asked for! It's phenomenal software! The whole experience is better than anything else that exists. And everyone charging for the same features should feel embarrassed given how much better Zulip is!
Genuinely, it's impressive what y'all have created. So thank you!
But it's easily worth it, as you can actually come back and read through old discussions and understand things and it isn't a mess. It's like if you could force Slack/Discord to only do threads, and the entire UI is optimizing for that specific UX. Overall pleasant experience once you get over the initial bump :)
I see that you have a "community" tier that's free and doesn't restrict notifications, but it's not clear to me exactly what's involved in proving that we should qualify.
Matrix works analogously; if you use the Element app from the App Store or Play Store, then you're using Element's push notification server, even if your Matrix homeserver is self-hosted. It's possible that Element allows their server to be used gratis in situations where Zulip charges a fee, I don't know their policies or anything, but in principle Matrix still leaves you exactly as dependent on a third party's goodwill unless you make your friends install a privately distributed mobile app.
Zulip IIUC does not restrict self-hosting of any feature that's technically possible to self-host.
For the community tier, you don't have to do anything up to 10 users.
If your server has more than 10 users, you fill out a brief form (https://github.com/zulip/zulip/blob/main/templates/corporate...). We work hard to consistently process these requests within a couple business days, and the vast majority of communities are approved for full sponsorship without further interaction.
(Large communities managed by a business are quoted nonzero but extremely discounted pricing for self-hosted notifications).
I really like Zulip, and I'd like to migrate my friend-group onto it, but it probably won't happen. I think Zulip is just a bit too heavy-duty for a friend group chatting, and also lacks the visual polish that a lot of people want.
For now, my friends and I mostly just use Signal for group chats, which leaves a lot to be desired, but IMO is still just a better experience for our purposes than Zulip or Matrix.
That said, if you have friends who are keen to try things out, I would definitely recommend at least trying Zulip and see what you like and what you don't. It has a lot of really nice features and things to love.
Having interacted a fair amount with the Zulip devs over the years, and being an open-source product, I believe that they have no plans or intention of trying to fleece or milk self-hosted users or small communities.
- We eschewed VC funding. A big part of my motivation was that I felt that VC funding usually requires eventual enshittification. https://zulip.com/values/ talks more about this.
- Zulip has been 100% FOSS software for more than a decade.
- At the very beginning, we built a complete data import/export system that allows migrating between our Cloud hosting and self-hosting; we put a lot of care into maintaining it well.
I can't promise that we'll never have something to sell for self-hosting communities. For example, I could imagine offering a paid add-on for encrypted backups.
That said, I'd like to push back on the idea that charging businesses for a tool that's an important part of their daily work "breaks the seal". Organizations with a software budget should be happier to pay a fair price for ethical, user-first software from a friendly vendor than for a closed-source product from a megacorp. And Zulip's full-time development team should be able to make a living building ethical FOSS software.
What is confusing to you about the community tier? It is basically describing any type of community of people who are not a for-profit business. Groups of friends, non-profits, volunteer groups, etc.
Zulip isn’t charging you anything unless you’re a business with more than 10 users and need push notifications, and that is still only $3.50/month/user if you don’t need more enterprisey things like SSO and compliance stuff.
The Bluesky team talks about "credible exit", and Zulip has that in spades - which makes me not want to exit.
Thank you for the work you do. Hanging out in CZO watching the Zulip team work in public is inspiring!
My experience is the exact opposite.
I used it at my previous employer and after a month of hangringing from people- many did not desire to go back to what we had before. (though some people did say they wanted Slack for the emojis and “prettiness”).
Now I started in a new position and I’ve positioned Zulip (on prem) as the only viable solution since we’re shirking SaaS as a strategic move.
The people who followed me to the new place are quite glad of this, or at least that's what I am told.
So, thank you, sincerely.
I’m sorry to be that guy but it’s “handwringing” - twisting your hand like you wring your clothes until you agree
- Your server admin can see DMs (or at least metadata, not sure if Zulip does E2E for DMs). The same is true for centralized services in theory, but unless you're a terrorist or a person of interest to a major government, it's extremely unlikely that a Discord employee will have an incentive to spy on your messages specifically. Your admin is likely part of your community and may know you personally, so the temptation is much, much higher.
- If the admin dies and nobody else has the keys to the kingdom, the server can go down at any point, and there's no way for users to reconstitute the network semi-automatically. Discord servers don't just go away unless somebody actively makes them to.
- It's much less secure in practice, it relies on your admin to always be on guard and constantly update their server to prevent vulnerabilities, either in Zulip or in the myriad of other self-hosted services running on it. One guy in his basement that goes on vacation once a year and has family responsibilities is far more likely to make mistakes than a team of trained cybersecurity professionals.
- Many Discord users are in 20+ servers. Anything that doesn't provide a one-click server joining experience (for users who already have an account on a different server) is nowhere near a Discord replacement.
- People want bots (for things like high-fidelity Youtube music streaming on voice channels), and those are mostly Discord-only.
- Anything open source will be worse at phishing and fraud / abuse prevention by definition, as many fraud-prevention approaches rely on the fraudster blindly guessing at what the code and ML models (do you even have ML models for this) are doing.
No, but history shows some unscrupulous staff members will always snoop, whether it's just pure interest or something more nefarious like intent to sell on the black market. This makes the risk of your private data being leaked > 0, which should always be treated as a valid risk.
So basically Discord is a warez service?
This is how infrastructure works, and supposed to work, besides the point that servers "die by themselves" which of course isn't true in reality. You decrease the bus factor if this is a problem for you.
> Discord servers don't just go away unless somebody actively makes them to
If all the sysadmins at Discord died and nobody else has the keys, exactly the same problem happens. Discord though surely have multiple backups of the keys and so on, something you too can do when you have your own infrastructure, so overall that argument feels almost dishonest, since you don't compare the two accurately.
> Anything open source will be worse at phishing and fraud / abuse prevention by definition
What? Completely orthogonal concerns, and if your main "fraud-prevention approaches" depend on security by obscurity, I'm not sure you should even attempt to be involved in those efforts, because that's not what the rest of the industry is going by a long mile.
> People want bots (for things like high-fidelity Youtube music streaming on voice channels), and those are mostly Discord-only.
Actually, the further I get in your comment, the more it seems like you don't actually understand what Zulip offers nor what the parent comment is about. Music streaming on voice channels? Completely outside the scope of Zulip...
----------
I think you have to understand the comment you're replying to a bit better, before attempting to lift Discord above Zulip. They're specifically talking about Zulip as an alternative "for managing the firehose of busy communities", not as a general replacement for every single Discord "server" out there. Yet you've responded to the comment as that's what they've been doing.
Our main reason for using Zulip is that we work in a highly regulated space (healthcare) and would like to be able to safely talk about things. I suspect this sort of situation is a major motivator for Zulip adoption, so it’s weird that transit encryption was left as an afterthought.
Cryptography is not something you can do sloppily, and requires coordination between the mobile and server teams. Zulip 11.x included the protocol, but while doing the mobile implementation, we decided to make several more changes which have delayed it to the upcoming Zulip 12.0.
Some important context is that we retired the old React Native mobile app this summer in favor of the new Flutter apps (https://blog.zulip.com/2025/06/17/flutter-mobile-app-launche...), which has been an enormous improvement in the quality of the app and developer experience.
But as you can imagine, the cutover and relentlessly addressing feedback after it took a lot of time for the mobile team. We've also experienced an AI slop bombardment in the last few months that has consumed a lot of time. I'll save that story for another time.
If say the hyprland people were using a Zulip instance and someone astroturfed/brigaded/massreported a campaign to shut them down because they didn't agree to some external code of conduct and external enforcement of such, what would Zulip's response, as a company, be?
Regardless, there is no technical mechanism through which we could block access to a self-hosted Zulip server via the web application (which is hosted by the self-hosted server itself and designed to work on both desktop and mobile devices).
For Zulip Cloud, you can read https://zulip.com/policies/rules. One of the nice things about Zulip's model is that communities that we do not want to host can just migrate to self-hosting.
https://discourse.imfreedom.org/t/protocols-to-support/234/1...
The main thing regards our double-entry API changelog system. Basically, the API documentation for individual endpoints, say https://zulip.com/api/get-user, natively covers for each endpoint all the changes relevant for that endpoint from https://zulip.com/api/changelog... and how to write nice code using feature level checks to support all server versions.
My understanding is that Campfire hasn't been actively developed for ~10 years (https://once.com/campfire/changelog shows some minor fixes after the OSS launch; their GitHub has no 2026 commits). There are no mobile apps. It is not an actively maintained Discord alternative.
Stoat is early in development. For example, https://github.com/stoatchat/stoatchat has 1421 commits, compared with 68K for https://github.com/zulip/zulip/. I wish them luck! It's really important that we have multiple independent efforts.
https://www.rocket.chat/ and https://mattermost.com/ are open-core military contractors these days. You'll see what I mean if you visit their websites. But like Zulip, they are full-featured team chat systems, and if the parts of their system that are OSS work for your organization, they're certainly valid options.
Finally there is Matrix/Element. They have an inspiring vision and similar values to mine, and I'd recommend checking it out. Element/Matrix is built on an ambitious distributed consensus protocol with an E2EE option, which provides capabilities Zulip doesn't have but also adds complexity. Zulip is focused on just doing team chat really well, and does not support more than ~100K users in an instance. Hopefully will have a lot more resources now, thanks to Current Events. I wish the Element team the very best of luck!
----------------------------------------
Overall, Zulip's focus has always been on making a delightful chat experience, especially when you have multiple conversations happening at the same time. We aren't trying to build a clone, but instead the best possible experience for having lots of possibly complex conversations. So there will be some differences from what you're used to.
But critically, we spend a very large amount of our time relentlessly fixing micro-interactions that annoy us or are reported to us. If you read #design, #issues, and #feedback in https://zulip.com/development-community/, you'll get an idea of how we work.
So while there's some features we don't have that are present in other products, and we don't have dozens of designers on staff to do cool end-of-year animated reports like Discord does, you can expect few bugs and a lot of interaction design polish.
-----------------------------------------
The one mistake that I think a lot of folks make in evaluating options is focusing on buzzwords like E2EE without thinking through their threat model. E2EE doesn't add much practical security over self-hosting for many threat models, and it comes with significant usability trade-offs. And some current E2EE systems don't actually protect against a malicious server, say because they only protect message content, not metadata like who has access to what... just against raiding the server's disk.
(For example, WhatsApp has E2EE for message content, but I expect Meta's databases know everyone who's had a conversation with me on WhatsApp and the precise timestamps and approximate lengths of every message I've sent or received on the platform. And apparently some keyboard apps send what you're typing to remote servers!).
Among customers, one reference that I can quickly cite is this one:
https://zulip.com/case-studies/gut-contact/
> Agents at GUT contact use Zulip every day to communicate with their team leads. “Most of our agents are in their 60s or 70s, so the software must be as simple as possible. That’s why we love Zulip,” says Erik Dittert, who’s been leading GUT contact’s IT team for the past 20 years.
I would recommend doing a little training/handholding call/video when moving over a community -- but this is true for any new app.
My mom needed training to do basic things in Squarespace, and I had a friend who worked at Slack whose manager started every chat message with "Hi <name>" and ended it with a signature, like you would an email. :)
I would also like to note that Slack did not pass the grandma test in our case. I highly doubt that Discord would given how hyperactive the UI is.
Regarding the history: Slack had very effective marketing, powered by a lot of venture capital. And HipChat was a weak product that had an embarrassing total hack, which did not leave customers with confidence that their data was safe there.
Zulip is not venture-funded, so we're reliant on people sharing it with others to get the word out.
As a side note, I don't think Slack could have succeeded if it launched today. Microsoft Teams has far far more users than Slack, and it's slopware. You can thank the end of anti-trust enforcement for that.
Could you expand on this?
Kind of like if each slack thread discussion had a title and was discoverable from the left sidebar and didn’t get in the way of the other threads.
But the main reason is that the topics-based organization and ability for moderators to move/split conversations means one can read and participate in a community much more fully given a fixed amount of time.
On a related note, I'm gonna check out Zulip for PortableApps.com. Any interest in having the Windows desktop app be portable? (We'd love to do that if we wind up using it)
Zulip is not designed to support 2M user accounts in a single organization. But if you enable the public access option (https://zulip.com/help/public-access-option), such that no account is required just to read content, you can end up with 1-2 orders of magnitude fewer "total accounts" that just wanted to see something once and don't actually use the server.
I'm curious whether you feel you're actually in control to actually make policy decisions about data protection or whether you feel you could be hit any day by the "$5 wrench" by the government any time they feel it necessary. I'm starting to feel that in this environment, nothing is safe, even if encrypted and on FOSS platforms.
Personally, I advocate for self-hosting communications software, ideally on physical hardware that someone in your community has control over. Zulip runs great on old laptops, if you can solve the IP address problem for hosting it in your house.
And if you want to be extra careful, put your chat system behind a VPN/firewall, so it's difficult to identify what software is being used externally.
And if you're not going to do that, because it sounds like too much work, the next best thing is to at least pick a Cloud service where you can migrate your group to paranoid self-hosting overnight if you decide the work is now worth it.
Self-hosting this way doesn't protect against all threat models. I am human and have children who I love dearly, so it's hard to rule out the possibility of my being compelled to make a malicious release.
But at least the Zulip source code is entirely open and highly readable; so users would at least have a chance to notice and not upgrade. With a centralized architecture like Discord, you're entirely reliant on whistleblowers.
The weird "we pinky promise to try to keep it non-public for some time" is a weird idea.
Zulip uses standard TLS encryption, where the messages are encrypted in transit, but the server has access to the messages.
The server having access to the messages is extremely useful for many key features. Access control policies. Search. Markdown rendering that can make guarantees to clients about its behavior. Mobile notifications for mentions. And many more. There's options for all of these problems, but it's /hard/ and you end up having a lot of risk of nasty bugs where "all the message history become unreadable" and a lot of performance issues.
This is why end-to-end encrypted messenger apps like Signal are extremely minimal with basically no chat features, and can take a while to load long conversations ... there's a lot of expensive cryptography happening in the background. AFAIK it's not realistic to use the Signal protocol with the volume of messages people do in high-traffic Discord or Zulip communities.
Some other E2EE chat systems have more features but fail to actually provide end-to-end security. (For example, the server provides the source code for the web app and can freely modify that code to steal all the messages the user can still read, or the server is still in charge of metadata like channel membership ... so a malicious server could just add a fake user to every channel).
You get almost all of the security benefits of these "E2EE" chat systems by having a trusted person self-host the server, and setting a message retention policy if you want messages in certain channels to be automatically deleted after a period of time.
Our vision for Zulip is not billions of people on our Cloud service. People should own their own communities, not corporations. And in that world, usually the person who runs the community can be trusted to host it.
I had been using Mattermost because it's also (mostly) FOSS. However, they've recently been changing their released OSS edition to restrict capabilities... Unfortunately the org I maintain it for is having some issues with it now and I have metaphorical egg on my face.
I signed up on your site just a bit ago, but I'm a bit concerned with the paid upgrade. Unlike Discord, I need to pay per user, which I find onerous and would get out of control fast for the group I run with around 100 members. Are there any plans for a flat fee model? I'm even happy to pay twice what I pay for Discord Nitro, but yeah, $8/mo per user is too expensive.
If it helps at all, it's for a retro computing community group, and not for profit.
Sounds like you could be eligible for free or for a significant discount. Also:
"If there are any circumstances that make regular pricing unaffordable for your organization, contact sales@zulip.com to discuss your situation."
This is not the case for Slack or Discord. I think having an awesome clean first impression would do wonders to sell what you are doing.
Aren't you as a Zulip instance owner going to have to implement all the same stuff as Discord?
If you create an invite-only Zulip chat for your pub trivia league or school parent association that’s all adults, probably not.
I tried Zulip (cloud offering) with some techie/designery friends, so we should have been right at home but... the desktop app on macOS and the web app was visually unappealing and clunky, and we ended up going back to a paid Slack plan.
I looked for docs on how to theme Zulip (so I could contribute), or for existing theme packs that would soften the transition but found neither.
tl;dr: The functionality was good (Love the threading!) but the UI feels like the 2000s came calling. Some UI polish would go a long way.
Every word of this page appears as its own line on mobile.
Don't worry - they're repealing section 230 of the Communications Decency Act.
The one that says platforms aren't liable for what their users post.
This means there will be no platforms at all very soon.
I'm not worried. We'll use Zulip which has values and thus takes responsibility for everything its users post, right?
While I personally strongly favor federated solutions those are of significantly more concern in this regard.
We do have plans to make the integration offer some additional ways to jump into a call, and have been talking about adding video chat. But our focus has been on building the best text chat possible, given there are multiple actively developed FOSS video call systems that we can integrate with.
(Thanks for making Zulip, I love it)
But we don't have a dedicated accessibility tester on staff, so we're reliant on people reporting issues that bother them in actual use.
I should also mention there's a nice TUI app: https://github.com/zulip/zulip-terminal, which can be helpful for some people.
I'm told (https://chat.zulip.org/#narrow/channel/127-integrations/topi...) that upvoting that discussion might help it get prioritized.
I am confused.
- Had to use ChatGPT to help generate me a docker-compose.yml, except it forgot about memcached, set the wrong environment variables and just generally did a sloppy job.
- Once it was running it was a huge pain to set up reverse proxying properly, because Zulip apparently doesn't even pay attention to proxy headers if you're talking to it on port 80, even if X-Forwarded-Proto says https. It would get stuck in an endless redirect loop trying to redirect https to https. I could only properly debug this with tcpdump. The only solution I could find was to expose port 443 of the container and then have the reverse proxy talk to that, but Zulip still won't respect X-Forwarded-For, and login emails still show the Docker network address for whatever reason. No idea how to fix this as I couldn't find documentation on how to do it for Docker; the doc for reverse proxying without Docker says to edit zulip.conf, which is impossible (or I don't know how, as again, I couldn't find documentation on any way to do it for Docker.)
- Even once I could access Zulip it was a huge pain to get it to access the databases it needs, because again, I couldn't find documentation on how to do this for Docker. This was after it was a pain to figure out how to generate an org creation link because I don't think I could find documentation for that either, I had to find the script and read the source to figure it out.
- Even once it could access the databases it needs, and I could get it to use the right passwords (which was annoying as it generated SOME of its own secrets, but not others, and started ignoring the corresponding settings, like the email host password), I tried to set up push notifications but that required a setting I didn't know how to set because I couldn't find documentation on how to do that for Docker; I eventually figured it out but it was annoying.
It was so awful and took up practically my entire day. Once I could finally get it to work, it works pretty well, but it's not an experience I would recommend until the docs start supporting this use case.
I'm sure it would've been easier if I read the entire documentation, the entire source code, the entire build script of the Docker container, etc. but I just wanted something to work...
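The two symptoms in the comment above (an endless HTTPS redirect, and the Docker network address appearing as the client) are the usual result when a backend does not treat the reverse proxy in front of it as trusted. A generic model of that decision follows, as an added example that is not Zulip's code and not from the thread; the addresses, the network range and the function names are constructed for illustration.

```python
import ipaddress

# Constructed values: a Docker bridge network and documentation-range client IPs.
DOCKER_NET = [ipaddress.ip_network("172.18.0.0/16")]


def is_trusted(ip, trusted_nets):
    """True if ip belongs to one of the networks we accept proxy headers from."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def resolve_request(peer_ip, headers, trusted_nets, listener_scheme="http"):
    """Return the (scheme, client_ip) the backend should believe.

    Forwarded headers are honoured only when the TCP peer is a trusted proxy;
    otherwise any client could claim to be on HTTPS or to be another address.
    """
    if not is_trusted(peer_ip, trusted_nets):
        return listener_scheme, peer_ip

    scheme = headers.get("X-Forwarded-Proto", listener_scheme).strip().lower()
    if scheme not in ("http", "https"):
        scheme = listener_scheme

    # Walk X-Forwarded-For from the right: the rightmost entries were appended
    # by our own proxies, anything to the left of the first untrusted hop is
    # client-supplied and must not be believed.
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    client_ip = peer_ip
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop and keep what we have
        client_ip = hop
        if not is_trusted(hop, trusted_nets):
            break
    return scheme, client_ip


def handle(peer_ip, headers, trusted_nets):
    """Model of a backend that forces HTTPS: returns (status, logged_client_ip)."""
    scheme, client_ip = resolve_request(peer_ip, headers, trusted_nets)
    if scheme != "https":
        return 301, client_ip  # redirect to https://...
    return 200, client_ip


# Request as it arrives from the reverse proxy container (constructed sample).
PROXIED = {"X-Forwarded-Proto": "https", "X-Forwarded-For": "203.0.113.7"}

if __name__ == "__main__":
    # Proxy not declared as trusted: headers ignored, so every request is
    # redirected again and the proxy's Docker address is logged as the client.
    print(handle("172.18.0.5", PROXIED, trusted_nets=[]))
    # Proxy declared as trusted: the request is served and the real client is logged.
    print(handle("172.18.0.5", PROXIED, trusted_nets=DOCKER_NET))
    # A direct client sending the same headers gains nothing.
    print(handle("198.51.100.9", PROXIED, trusted_nets=DOCKER_NET))
```

The trust list should hold only the proxy's own address or network; listing a wider range lets any host in it choose the scheme and client address the backend records.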
> Had to use ChatGPT to help generate me a docker-compose.yml, except it forgot about memcached, set the wrong environment variables and just generally did a sloppy job.
It has a docker-compose file in it, has memcached in it.
> [...] X-Forwarded-Proto [...]
Does https://zulip.readthedocs.io/projects/docker/en/latest/how-t... help?
> access the databases it needs
The official docker compose has databases set up already, I guess you were missing those from your ChatGPT created compose file.
____
It kind of seems like you were linked to the wrong place for documentation about Zulip with docker in the beginning and then went from that.
A quick click-through seems to suggest you landed on https://zulip.readthedocs.io/en/stable/production/install.ht... and then clicked on the prominent "Docker image" link on top which leads to a random location on the page. (at least on Firefox)
That's very understandably annoying. If you can confirm that that is what happens, a bug report either with Zulip or ReadTheDocs (not sure which) might be in order.
I don't think it's cool even now.
I mostly got hate on HN every time I posted about it LOL. I think something about "decentralized" gets some people really riled up (maybe it's the association with crypto / blockchain?) but frankly, it's the ONLY solution to extreme centralization.
Someone's got to build a platform with all the features of Discord, but make it decentralized and open source.
I've spent over $1M and 10 years on it. I have to package it so that it's easy to install. But I'm working on something to take care of that, in the next few months, that will also include actually safe AI agents inside.
It will look sort of like this: https://engageusers.ai/ecosystem.pdf
I'm happy to welcome anyone aboard who takes the time to learn the platform, but I won't lie, it's huge. As you would expect an open source decentralized clone of Facebook / Discord to be. I just hope it's architected well enough for developers to pick it up quickly. At the very least, I think it's a lot less spaghetti than Wordpress and Joomla :)
PS: In 2018 I launched something that HN hates even more... a Web3 company that released open source smart contracts at https://github.com/Intercoin . Why you ask? Because once a lot of value is at stake (whether it takes the form of money, votes, or even just community roles), it's better to have thousands of computers secure it than "just trust" the central site.
When founders of famous centralized messengers criticized decentralization, I had to write this:
https://community.intercoin.app/t/web3-moxie-signal-telegram...
And history has proven me right... their only move is "withdrawing" from a country like Sweden. Well I guess the DSA would make them withdraw from all of Europe: https://www.reddit.com/r/privacy/comments/1ixrv14/signals_ce...
Don't forget, it's not just Discord. As of Jan 1, Texas is now requiring digital ID to download any app at all or visit many internet sites, and forcing Apple/Google to build it in "to protect the children" of course. And Utah is following suit soon too. The Supreme Court last year said that digital ID can be required by states.
You lost me there. I need to have all my contacts on Zulip. Nothing else matters to me
This part absolutely isn't necessary because it's a wrong idea no matter who is in charge.
I've been putting my pants on every morning for the last several years, had breakfast, gone to work, and come home without worrying about any current events in the USA and my life seems no different than 50 years ago except I have modern gadgets.
Social media is not the world. In fact, it's 10% of what the real world is like and how the real world thinks. It's why I ignore social media except for HN and one other but I only scan the headlines and rarely pop into comments like this.
And I'm happy.
EDIT: And the comments below are proof why you, too, should ignore all social media and why you, too, will be happier.
Glad things are comfy for you though.
Have you scanned any headlines about ICE lately? Maybe do a quick search for news about Minnesota?
(I'm pretty sure that if you'd been putting your pants on in Minnesota, you would not have written this comment.)
If you prefer not to look, maybe because you're convinced there's no truck, or you don't think it would help avoid the truck if there is one, fair enough. But the fact that your personal experience is unchanged is meaningless.
It is also incorrect to confine this "merely" to social media. This is clearly government overreach. They want data from The People.
Discord is used by a bunch of closeted users having pseudos, who wouldn't do the same activities on it if everyone had their names.
A part of the Discord users is from countries from which Discord isn't even officially accessible (eg China) or where involvement in LGBT discussions could result in death row (Afghanis are still on Discord).
For me, a company that open sourced 70,000 IDs and asks for moooooore just weeks later is just a joke about the sharing economy
The problem isn't even for new users. Some users have over a decade of private hobbies and will now need to associate their government ID to their profile. Discord pinky swears they ask but don't keep this time, which isn't enough.
Companies shouldn't be allowed to change such fundamental ToS after an account is created.
Exactly. I am sure they won't share their face or ID and will move somewhere else. Big opportunity for other platforms to stand up and grow their user base.
It's a push out.
That's fine. We'll take our attention elsewhere.
Though, with AI being used I suspect it wouldn't pass any longer.
So, I suppose you shouldn't give your fake id (digital or physical) to government officials. It also seems "obvious" that it's similarly unwise to give it to a bank. But you can do that to a random guy on AirBnB? A hotel? To a delivery service (Uber/Wolt/whatever)? Discord? Where is the line between a bank (a private commercial corporation) and Discord (a private commercial corporation)?
But not even worth that effort for this. Not a subscriber, but probably won't ever use it again, either.
Cesspit of AI-driven "validated" accounts for pushing propaganda.
It's the worst of both worlds.
It's not really about protecting them; people that claim this is the case are generally doing so to launder that hatred.
1 - Piles of parents too stupid or lazy to, well, parent the children they made;
2 - A very reasonable societal expectation that it shouldn't be easy for young kids to access, or even be exposed, to the worst dregs of the internet;
3 - Very different use cases (gaming, kids stuff, free/affordable slack for communities) all on the same platform;
4 - A pile of morons in legislatures who insist there's a magic highly private way to do all this, but (see Australia) refuse to lay out the actual method. It's a government-wide game of underwear gnomes.
This is a case where there's plenty of evidence that it's actual malice, not just incompetence. Leaving aside that this shouldn't be done at all, there is no desire to do this in a privacy-preserving way, because destroying anonymity and controlling online discourse is the point for governments, not the "unintentional" side effect to be avoided. "Think of the children" is just the excuse to get people to unknowingly buy in, just as it has been for generations.
https://bsky.app/profile/tupped.bsky.social/post/3lwgcmswmy2...
The whole thing is security theater designed to conceal the fact that child security is not the objective, it's the justification.
The problem isn't the platform, it's getting a critical mass of users. Until everyone is using it, nobody is.
>> nobody should escape the consequences
There are no consequences whatsoever for this.
>nobody should escape the consequences of using that voice to peddle bullshit.
We can already do that without needing ID stored on servers. Blame lazy enforcement with an incentive to retain even bad customers.
Privacy and all that jazz aren’t that important to an average person. Everyone’s IDs are already circulating in a mix of Tinder, AirBnB, Twitter, <any random other app that just requires it>.
I don't think most people will even notice, as they are not in age restricted servers or channels.
A month later, the account was suspended for supposedly breaking guidelines. I never posted a single message, never reacted to any posts.
They then required me to upload a video scan of my face to prove I was a person.
We aren’t quite at the end of the internet, but man I can really see the end of this journey coming sometime soon.
We created the account from an Apple device, registering from her home cable modem IP, giving FB her cellphone number and ISP issued email address — all strong signals of consumer authenticity. But after she added five of her relatives within half an hour, her account was locked for suspicious activity.
There was an appeal button; she was asked to take a picture of her face from many angles and upload ID. She gave them everything they asked for, but when Facebook reviewed the appeal, they closed her account permanently.
I can't speak for every company, but I know with Facebook and Paypal, these requests generally are from automated systems and the chances of successfully reopening the account are well under 1%. The info you submit is not viewed by a human and the systems are mostly treated as a way to lighten the load on human support staff. They don't care if your account is reopened, they just want you to feel like you had a chance, did all you could, and then just give up.
I discovered this about 20 years ago dealing with Paypal. I happened to know someone who worked in Paypal engineering at the time. I had a well established account, a Paypal debit card, linked accounts, etc., everything you could need to feel good about an account.
Out of the blue it was suspended and I was sent into this system to send in verification documents. I gave everything it wanted. First it was ID, then a "utility bill" so I sent over my phone bill. That wasn't acceptable because it didn't prove I lived at my address for some reason, so I sent a natural gas bill. Even though that did have to be tied to a physical address (you can't deliver gas wirelessly!) I was asked for an electric bill. Then the lease. Then a bank statement. Every time I gave it pretty quickly. Then I was asked for a passport. I didn't have one. Suddenly that was the only thing that could unlock my account and as soon as they had the passport my account would be reopened. Nothing further would be done without a passport, not even communication.
I asked my friend to look into it. She said, "that's on purpose, that's the NoBot. It gets people out of support's hair." Turns out if you let unhappy customers complain to humans on the phone they will, so some exec decided to improve call center metrics by forcing customers into a system designed to keep them occupied until they gave up. You funneled people into it, and it would continue to reject their submissions with new reasons infinitely. It just went through a list of things to ask for, and when it found one you couldn't provide, suddenly that was the key and without it you were screwed.
Companies still do this today.
Sometimes it works with the front camera on one smartphone but doesn’t with another (iPhone 17’s distortion), sometimes it recognizes your face on one day, but desperately fails to recognize you on another. I had to repeatedly record videos for it only to fail over and over again. Anything their system flags as suspicious, anything, will trigger the same video identification flow again, which effectively blocks your money in the account.
I’m closing my accounts with a couple of banks with these video id flows. Simply because it’s way too easy to lose access to my money in the account with them. If their QA is not good enough for this vital requirement, I don’t want to know how they treat other requirements. They simply outsourced the id verification to some third parties that are way too unreliable.
At least Facebook tells you that you are banned.
I could still tell because their profiles were sterile and had few normal comments or likes etc. Also a high school class has a very narrow age range. We recently landed a fatal blow by disallowing joins by "pages" and adding a few questions. A trickle continued but stopped recently.
The hamfisted false positive response you described is probably a result of the above.
So I tried to sign up (and I already HAVE an active facebook account from high school, with hundreds of friends) and it wanted me to scan my face. I did it, which I regret, only to be told five days later that I am too suspicious. So here I am, still locked out of all this information lmao
I feel very badly for your friend. Unfortunately, those completely benign actions look identical to a common identity theft pattern.
Perhaps these constant restrictions will finally spur us to create our own spaces again. Our own little groups that exist independent of the corpo-sphere.
The only reason ‘the way things used to be’ went away was because the new thing was convenient. Well, now it isn’t anymore. So let’s just go back to the old thing.
On the other hand: It was kind of awful when even my dialup access would get screwed up because someone's IRC server got DDoS'd -- again -- and clogged up the pipes.
---
These days, the local ISPs are mostly gone. But the pipes are bigger -- it's easy for many of us to get gigabit+ connections at home. Unfortunately, the botnets are also bigger.
How do we get back to what we had?
The normies already did this. They just did it on centralized platforms like Discord. Until their backs get broken we're not getting anywhere. (Although I may be being a little too cynical.)
We had forums using forum software but moderating the spam got too hard. If you create your own space using any common software platform then you'll be pwned (a la PHP-Nuke et al). I presume even pure custom web pages would end in tears these days (DoS complaints seem to be a more recent reason; also Bot form submission is pretty good at being bad).
But leaving is never free. There's a lot of gaming communities (especially niche subcommunities like emulation, speedrunning, modding, etc) that are mostly on Discord and not anywhere else. Many probably won't move. A lot of tribal knowledge will be lost as it's locked in these communities.
Heck, even some FOSS communities communicate mostly on Discord. I have more faith they will move. But not all.
And they have always organized society to make sure this is the case. It's not a wacky conspiracy theory. These are just the interests of the people who create and have most influence over tech, and these interests are shared in common amongst most elements of that class. So, this class, the capitalist class, will just plan (conspire) to make it necessary for you to participate.
Viewing tech in this way makes one see that the historic development of tech is not happenstance occurrence, just tech skipping along, unconsciously, into authoritarianism, but as tech being influenced by the interests of the people who have the most influence on its development: those who own it, who are often the same people who determine standards.
The internet was never a free form idea upon which everybody could sway, it's a technology owned, controlled and influenced by those who produce it.
They WILL absolutely try to place social/state/labor functions behind this wall of authoritarianism. As they already have, and are currently doing with the growing ban on VPN usage, anti phone rooting measures, anti-"side loading", etc.
It should not be absurd to suggest that the people in power have used, are using, and will use power in their favor.
I don't know ... around these parts (Santa Fe/ABQ) while Marketplace is very popular, Craigslist continues to be widely used for this, especially since an ever growing number of younger people are not on Facebook (either at all, or not regularly).
However, “think of the children” will always result in more restriction in western countries, not less. We are watching countries prove that it works to isolate from each other. Europe is not isolating from America in exactly the same way, but is isolating business processes from American services.
We are not on the cusp of the end of the internet, but the cliff sure seems in view to me.
But instead of paying Instagram for reach, consider taking the same budget and spending it delivering samples and coupons to other local businesses mid/late morning. Bonus points if you make the coupons unique for each delivery so you can track which local businesses are your biggest fans. Office managers are generally receptive to this kind of cold call and you can leave a catering menu. Catering gigs can keep your kitchen busy during the off hours.
Bit of a stretch to correlate this with Instagram suspending some guy
Discord tried to do it to me a few months ago but I refused, contacted support instead. Eventually they made it work but it took forever. Lucky for me I hate Discord so tried to avoid it anyway.
A family member had been sharing some photos they were taking, but only on Instagram.
So I signed up an account, verified via email and phone number. I wasn't initially able to find the family member's account. A week later after I got the spelling of their username right, Instagram popped up "Your account has been suspended". They then sent me an email saying I needed to take a photo of myself holding government ID, and a piece of paper with a hand-written code they supplied, plus a close-up photo of said government ID. No way was I supplying all that just to be able to browse some photos.
I don't see it as the journey's end. But it's gonna be a much quieter road if most people don't walk away from this stuff. Maybe that's for the best.
I’ve had friends coordinate for me in the past for a couple things but honestly eBay is still my go to.
[1] https://en.wikipedia.org/wiki/World_(blockchain)
Pardon me if I don't have a lot of trust in their ability to keep it safe.
- Matrix
- Stoat, previously revolt (https://stoat.chat/)
- IRC + Mumble
- Signal
I wrote the summaries with my own two hands, no LLMs involved.
Now if anyone wants to differentiate their Discord alternative, they want to have most of discord functionalities and add the possibility to be in multiple voice chats (maybe with rights and a channel hierarchy + different push-to-talk binds). It's a missed feature when doing huge operations in games and using the Canary client is not always enough.
For now, I think they do it through their Jitsi integration. I don't know how easy it is, as I haven't tried it.
https://docs.element.io/latest/element-cloud-documentation/i...
In terms of ease of use, it’s like three clicks. Technically more than Discord, but it’s p2p streaming so it’s far nicer quality.
For video, both video chat and screen sharing I have had a lot of success with Galene, it offers text chat and file sharing, but they are sort of anemic and bare bones, which could be good or bad based on the needs of your users. https://galene.org/
What I usually do is start with a Fossil server, this is trivial and gives you files, a wiki and a forum (none of them super good but like I said trivial to set up) then if I want voice, Mumble is my normal route, but Galene is growing on me more and more, the web interface makes buy-in from the end users trivial and despite it being nice you almost never need the cool room stuff you can do with Mumble.
But I am a sys-admin, I like running servers, hell, I find I enjoy running the servers more than I like playing the games. Plus, statistically, I have zero-friends, it is fine to say a server is great when only one other person has used it. That is to say, my results may not be typical.
https://taggart-tech.com/discord-alternatives/
(Not affiliated)
This is your chance to start Bluesky for Discord. A competently built, VC backed competitor to exploit a misstep only caused by government overreach due to their colossal market share. 26 million daily active users is a nice guaranteed market to start whittling away at, with an effective marketing campaign to drive a wedge between "little gamers, and big corporate enshittification."
Nevertheless, I don't like the new name either, oh well...
I like this comment though:
Imagine you make a free software project and it runs into trademark issues because people have more money than you to register in more classes than your project.
And then even though your project existed first, they still come after you anyway.
And from that an even more expensive rebranding from this as well.
From: https://news.ycombinator.com/item?id=45626225, not sure how accurate it is, but it makes me want to revolt.
Argh. If there's no stoat emoji, petition the Unicode Consortium for one, don't just use a beaver. It's not even the right family; the badger emoji would be closer.
That would be my answer.
If you don't NEED the open-source, Pumble and Steam group chats work great too.
I personally would advocate the combination of Zulip for text chat plus Jitsi for calls and screen sharing.
I've never heard of Stoat. Looks like IRC but it's Electron. Total waste of time.
I am especially bitter because Electron advertises as being "cross platform" by which they mean that it also runs on Linux and as an OpenBSD driver I get to go "cross platform my ass" and then weep because of how close I am, if it were a web app it would probably be trivial for me to run. What I really want is a method to unelectronify Electron apps.
The concept that every message belongs to a topic and the async communication focus makes so much sense to me. I read conversations, not timelines.
Edit: My information may be out of date, I cannot find any sources saying any part of the app is closed source these days, do your own research ofc but comfortable saying it's the most accessible secure platform.