Are we Pomelo yet?

Terms of Service & Privacy Policy

"Are we Pomelo yet?" was a crowdsourcing project that collected anonymized data about Discord's Pomelo rollout.

NOTE: This project had no affiliation with Discord or its employees.

Users had two ways to engage with this service: adding the bot to a server or using the OAuth2 button on the landing page to contribute to the dataset.

By engaging with this service, users agreed to the following terms of service. If these terms were not agreeable, the service should not have been used.

1. Data Collection

The following anonymized data was gathered (refer to source code):

  • Discord user ID hash (SHA-256)
  • Discord registration date (YYYY-MM)
  • Possibly Nitro (yes/no)
  • Early Supporter (yes/no)
  • Added through OAuth2 (yes/no)
  • Creation time of the record

To collect this data, several Discord Gateway events were monitored (refer to source code):

  • Guild Create*
  • Guild Member Add*
  • Guild Member Update
  • User Update
  • Guild Member Remove*
  • Guild Delete*

* These events also helped synchronize the total guilds and members counters on the landing page.

There were no logs that contained uniquely identifiable information, nor was any other information stored outside of the data model described earlier. This claim could be verified by examining the source code.

2. Data Usage

The gathered data was used to display anonymized statistics on the website through crowdsourcing. The data was strictly used for this purpose.

The bot developer didn't access the data unless it was needed for debugging purposes and didn't share the data with anyone else. The hash database was permanently deleted when the Pomelo rollout was considered concluded on June 27, 2023.

The only information that approached personal data was the SHA-256 hash of the Discord user ID, which served to prevent duplicate records from being added to the database. This hash was not used for any other purpose, and the dataset is no longer available.

3. Data Storage

Services were hosted using Fly.io in the State of California in the United States of America. Details regarding database endpoint security, anti-spoofing controls, hardened hosting, secrets management, and more can be provided upon request.

  • Database Endpoint Security: Databases on Fly.io talked to app servers over 6PN and WireGuard, and never to the public Internet.
  • Anti-Spoofing Controls: Attackers that booted up harmful Fly.io apps couldn't spoof packets to other Fly.io instances.
  • Hardened Hosting: Apps running on Fly.io ran inside Firecracker, a Rust-based, memory-safe KVM hypervisor designed at Amazon as the engine for Fargate.
  • Secrets Management: A "write-only" secrets management scheme was employed that kept app secrets encrypted, exposing them only to running instances of the app.
  • WireGuard Everywhere: Every component communicated with every other component over WireGuard. WireGuard is a next-generation in-kernel (and userland) VPN designed by vulnerability researchers for simplicity, auditability, and modern cryptography.
  • Encryption in Transit: WireGuard operated 256-bit ChaCha20-Poly1305 with an authenticated Curve25519 key exchange.
  • TLS Everywhere: Fly.io terminated TLS at its edge. A fleet of memory-safe, Rust-based proxies that used the Hyper and Rustls libraries to implement HTTPS was in operation.
  • 6PN Private Networking: eBPF in the Linux kernel was utilized to ensure that private networks couldn't talk to each other; they were completely private, without any extra configuration.
  • Encryption at Rest (Fly Postgres was used): Fly.io Volumes functioned like a drive plugged in and mounted in an app instance, and those drives were block-level encrypted with AES-XTS.

4. Data Deletion

Since the database was anonymized, it wasn't possible to identify a record without running the user ID(s) through the SHA-256 algorithm. SHA-256 is a one-way hash function, so the user ID cannot be recovered from the stored hash; a record can only be matched by recomputing the hash from a user ID that is already known.

As previously mentioned, the Postgres database was encrypted at rest using AES-XTS. This meant that even if someone managed to access the database volume, they would not be able to read the data without the encryption key. The Fly.io account was protected with hardware security keys.

Moreover, after the Pomelo rollout was considered mostly finished on June 27, 2023, the hash database was permanently deleted and real-time data collection was stopped. The anonymized statistics were then exported to a flat JSON file hosted on GitHub.

Those who wanted to delete their anonymized data before the end of the Pomelo rollout were advised to send an email to [email protected], after which the corresponding record(s) were removed from the database. It was noted that this would affect the accuracy of the anonymized statistics.
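As an added illustration (not the project's own code, which is on GitHub), here is a minimal Python model of the data flow this policy describes: the raw user ID exists only long enough to be hashed, the hash is the deduplication key, and a deletion request is served by recomputing the hash from the ID the user supplies. The class and field names, the UTF-8 decimal-string hashing convention, and the sample IDs are assumptions constructed for this example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Record:
    """One row of the data model from section 1 (field names assumed)."""
    user_id_hash: str      # SHA-256 hex digest of the Discord user ID
    registered: str        # registration date, YYYY-MM
    possibly_nitro: bool
    early_supporter: bool
    via_oauth2: bool


def hash_user_id(user_id: str) -> str:
    """The only identifier ever stored. Assumption: the ID is hashed as its
    decimal string encoded in UTF-8. The digest cannot be turned back into
    the ID; it can only be recomputed by someone who already knows the ID."""
    return hashlib.sha256(user_id.encode("utf-8")).hexdigest()


class HashDatabase:
    """In-memory stand-in for the Postgres 'hash database'."""

    def __init__(self) -> None:
        self._records = {}  # user_id_hash -> Record

    def add(self, user_id: str, registered: str, possibly_nitro: bool,
            early_supporter: bool, via_oauth2: bool) -> bool:
        """Insert a record. The hash doubles as the dedup key, so a second
        submission for the same user is rejected rather than stored twice."""
        h = hash_user_id(user_id)
        if h in self._records:
            return False
        self._records[h] = Record(h, registered, possibly_nitro,
                                  early_supporter, via_oauth2)
        return True

    def delete_for(self, user_id: str) -> bool:
        """Deletion request (section 4): the user supplies their ID, the
        hash is recomputed and the matching row dropped. Without the ID
        there is no way to locate a specific person's record."""
        return self._records.pop(hash_user_id(user_id), None) is not None

    def stats(self) -> dict:
        """The anonymized aggregate the landing page showed: counts only."""
        by_month = {}
        for r in self._records.values():
            by_month[r.registered] = by_month.get(r.registered, 0) + 1
        return {"total": len(self._records),
                "by_month": dict(sorted(by_month.items()))}
```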

Contact

Hampus Kraft acted as the data controller, while Fly.io was the data processor. The data was stored in the United States of America and was encrypted at rest using AES-XTS.

For any questions or concerns regarding the terms of service or privacy policy, users were advised to send an email to [email protected].

For general inquiries, emails could be sent to [email protected]. Vulnerability disclosure was encouraged and could be sent to [email protected].

The source code is publicly auditable on GitHub.