This is a summary of the Q&A regarding the new API ToS that took place in the #api channel on the Discord API server, starting around midnight UTC on Thursday, August 17, 2017.
All answers are from b1nzy unless marked otherwise. This is just a summary of my (meew0) own interpretation of the Q&A; obviously this shouldn't be interpreted as anything legally binding. If in doubt, ask the devs yourself or consult a lawyer. I'm not responsible if you get banned or sued because of this document. All subsequent usages of first-person pronouns refer to the people asking/answering the questions, respectively.
Q. How do we detect users deleting their accounts, if we have to delete their data within 7 days?
A. You will get an email by Discord if that happens. Make sure the account that registered the bot application has an email attached to it that you actually get messages with. This may change in the future but if it will, there will be plenty of time before the new mechanism goes into effect.
Q. Do we need to detect e. g. cached data in libraries?
A. No, that mostly applies to content data you store. So if you store messages somewhere, they need to be encrypted.
Q. Does the "You are not permitted to disclose [tokens]" part mean you're not allowed to share tokens with co-developers?
A. Not necessarily, it's OK to share them with others working on the project but at the end of the day they're your responsibility: if it gets leaked and causes damage it's your liability.
Q. What specifically is meant by "Chat logs"?
A. Content data related to messages, i. e. message content, message embed contents, etc. User IDs are non-content information and don't need to be encrypted. The purpose of the encryption clause is mostly to keep you from getting in trouble for having personally identifiable information or other data, and to protect us by ensuring users don't break the law around that.
Q. Does the section on developer account data mean we need to give Discord data other than our email address?
A. When talking about the API, that clause is only related to your email.
Q. Is non encrypted data in encrypted storage considered encrypted? (NOTE from meew0: This was clarified later on in the Q&A, see below)
A. Encryption is vague in this sense.
Q. What method do we need to use for encryption?
A. We're not going to discuss the semantics or method you use to implement that. The end of the clause makes the intent clear, take reasonable steps to secure End User Data.
Q. Do audit log channels such as mod-log count as encrypted?
A. (Talon) A #mod-log channel (or any data stored on Discord) is fine — you'd need to encrypt if you stored the data elsewhere (e.g. a SQL server on your desktop).
Q. How do we know that Discord encrypts our data then?
A. All of our data is encrypted at rest.
Q. Is it fine to aggregate mod log data from several Discord servers onto one?
A. (Talon) That's fine.
Q. Do encrypted drives count as encryption?
A. Yes.
Q. Do we have to encrypt old data currently logged?
A. Yes.
Q. What is the best way to get permission from users to store their data?
A. You only need to get permission in case you want to store data after they delete their account.
Q. Can we have a personal account and a developer account?
A. Yes, but you shouldn't have applications on more than one account.
Q. Will there be any system to transfer applications from one account to another, and will there be any request system to request space for additional applications?
A. For right now, no, but we'll consider these options moving forward.
Q. So are we not allowed to log anything?
A. You're allowed to store any data that's related to the user and function of your app/bot. If you have a bot that logs message deletes or provides message stats, it's OK to store all messages; if you're not explicit about it or don't need that information it's not OK (e. g. a music bot that stores all messages would be a violation of these terms).
Q. How explicit do we need to be about the fact that our bot logs stuff?
A. It's explicit enough if people know when they add it, e. g. in the description of the bot, or where they get the invite link from. You don't have to notify every user; adding your bot is consent.
Q. If we have logs to debug stuff, do we need to get consent by users?
A. If you need the contents to debug stuff, then it's probably OK. It shouldn't be bulk collection though, e. g. if you log the message that triggers a command, that's OK.
Q. So if a bot is added to a server, that counts as consent for everyone on the server?
A. In regards to storing data, yes.
Q. Who would be defined as the "End User" in relation to content that is not explicitly created by a single user? For example wikis, community-created content, anything that multiple people can edit. Who would be able to request that it be taken down?
A. Not sure how that would apply here — End Users are Discord users, Content is content sent or distributed via Discord.
Q. What constitutes the "other materials" we need to provide Discord with? Also, what protects my "Application and/or other materials" from things such as confidentiality, for example?
A. This clause is a vague clause intended to protect us, but my reading of it is, libraries/data/etc. you used in your application.
Q. What if there's other confidential material in my application that I don't want you guys to be able to see during an audit?
A. Then you would have to terminate your application. I have a feeling if we ever used that clause we would take steps to ensure the user is comfortable with it. But it's very much there to protect us.
Q. If we have our code under non-disclosure, and Discord staff wants to take a look, can we safely assume Discord staff will follow that without it spreading elsewhere?
A. That's a good assumption to make, yes.
Q. Are user IDs/message IDs/other snowflakes considered End User Data?
A. Snowflakes are not End User Data ever, because they're generated by us.
Q. Are images considered End User Data?
A. Images are End User Data.
Q. Are usernames considered End User Data?
A. (Talon) Generally yes; while it's not data associated with the content of the message, it's associated with the metadata. It may also be personally identifiable information, whereas for example IDs aren't.
Q. Are avatar hashes considered End User Data?
A. No.
Q. Are CDN links considered End User Data?
A. Probably, because they contain the filename.
Q. Are custom emoji considered End User Data?
A. Yes, both the name and the image.
Q. Is <some other data point> considered End User Data?
A. If you have to ask, encrypt them.
Q. How does this make sense if you have e. g. thousands of people with the username "Danny"?
A. (Talon) It's not the number of people that make something EUD or not EUD. You have thousands of people typing 'kek' as a message but that's still content.
Q. How about my own username in my code somewhere?
A. That's fine.
Q. Are tags (i. e. ?tag create hello world) considered End User Data?
A. (Talon) ?tag create hello world could conceivably be EUD, but it's EUD that you would be allowed to retain anyway pursuant to 2.5(c). The KVP is 'your' data and thus wouldn't fall under 2.5(f). (https://gist.githubusercontent.com/Rapptz/c3391f58a3cbd3e463834000a72d4d42/raw/32ab86b76b90e68a88af7d3459c207521495fc08/tags_legal.txt)
Q. What about personalised settings, i. e. booleans in a setting tree? Do those have to be encrypted?
A. I think it's OK actually, if a user gives you the information through a command and it's clear that the command would save/store the data, e. g. a setting, I do not believe that would count as EUD.
Q. If a user explicitly runs a command to, for example, send an email containing the message, would that be allowed? The message would be stored by the reciever of the email.
A. If it's clear what will happen when you execute the command I believe that is OK.
Q. If I have a command that posts data onto a public website, do we need explicit permission to store the data?
A. (Talon) No, running the command is an express opt-in.
Q. Do bridge bots break the new ToS? (NOTE from meew0: This question was asked in the context of a bridge to a service that doesn't persistently store messages. If the messages are eventually stored somewhere the ToS applies as normal.)
A. No, because the messages wouldn't be persistent.
Q. If I use voice data to train a neural network and then discard the data, is there anything else I should do other than letting the guild owner know?
A. You would need to be explicit. I'm guessing the neural net is kind of EUD at that point. I think it's a grey area though.
Q. If I have data that pertains to multiple users, e. g. markov data or a collage of avatars, how does this pertain to the deletion clause?
A. You would need to delete the user's data in question. If that means nuking it all, you would have to do that.
Q. Can we use selfbots?
A. You cannot use selfbots.
Q. Why are selfbots restricted?
A. Because they aren't part of the API. You are automating a normal user account which isn't allowed, it still falls under our previous "use at your own risk".
Q. But they're so useful, like for quoting!
A. It's not allowed, and you will be banned if someone reports a self-bot that is acting maliciously.
Q. Is it still allowed to make a service that mocks the API?
A. Yes.
Q. Can the deadline (August 20) be extended? (NOTE from meew0: The deadline was not extended and the ToS went into effect on August 20)
A. At most we'd extend it to sometime mid next week (around August 23-25), which I don't think is gonna happen based on the input I've gotten from people
Thanks meew <3