Declined DiscordRep

I'd like to start by saying I'm glad to see someone is trying to fill the gap in Discord, which is for the most part fundamentally incompatible with our investigative policy. At a glance, I do believe you have your heart in the right place, so please don't take my criticisms personally. That said, there are a number of issues we need to address before considering your application.

Looking at your forums, with 18 threads in your report section, 12 threads in your staff applications section, less than 5 thread anywhere else, and less than 200 online users in your official Discord server at any of the random times I checked, I'm having a hard time believing your community has anywhere close to 1500 active members. Generally speaking, a single request taken from your access logs is not treated as an "active member". We can take that total (or other factors) into account if the number is very large, and your community is in a position that makes tracking active members fundamentally difficult, but neither of those apply in your case. Some examples of things we could conceivably take into account when deciding if a service like yours meets this threshold would include the number of servers your bot is in, how large and active they are, and how widely your API is used. But just meeting 1000 by those measures wouldn't be enough.

Additionally, your forums and parts of your site look strikingly like someone just blatantly copied and pasted the layout and wording from a bunch of places on our site, much like the name. Is this intentional? If so, we're flattered that you're inspired by us enough to create your own similar service, but that kind of rubs me the wrong way.

Discord is indeed overlooked, so it'd be great if someone filled the gap which we cannot. (One fairly large affiliated community who already does this to some extent is RLTracker.) Our use of forums in the structure you see is not because that works especially well, but rather because it's very difficult to safely migrate nearly 100,000 scam reports and 10,000 appeals from a forum created 8 years ago - which nobody expected to grow into what it is today - into a new platform safely and without data loss. I can understand having to start somewhere, and indeed that is where we ourselves started, so I can't really judge on it, but it seems like you copied everything from us, even the parts which don't always work especially well for us.

The reason we don't handle Discord reports at SteamRep is because of fundamental problems with provably verifying the scammers' identities - one of our 3 cornerstones of investigating scam reports - not because we don't feel it's our responsibility. Put simply, if we put someone in Steam (or Discord) shared ban list, they could claim they were never involved, and we'd have no way to prove or disprove it was them after all. A large part of this is that Discord conversations don't readily show any form of identification, and it's more complicated to even find the ID of who you're talking to. Not only are impersonation and mistaken identity reports widespread in Steam (nevermind Discord), but we have a demographic of users repeatedly doctoring evidence to get people banned - often scammers attempting to extort their victims - so our admins need to know what to look for in both those cases, differentiate the fake or misfiled reports from legitimate ones, and make an accurate decision without hurting an innocent victim. It's far easier to change your name and avatar to someone else's in Discord and impersonate them than it is in Steam, which is the main reason Discord is such a popular platform to scam on. We do have (undocumented) ways of spotting both when everything is kept within Steam, and ways to figure out who's lying if evidence comes into dispute, but that all goes out the window as soon as the evidence relies on Discord.

It's already an uphill battle getting users to understand checking Steam IDs, but teaching users to enable Developer Mode in Discord and find the ID of users (as opposed to messages, channels, or servers) and properly document that introduces a whole other level of complexity that I'd be surprised if very many children in CS:GO understood. Furthermore, with Discord, the ID is not readily available in any documented screenshots (only name), the linked Steam account is not always visible (user preference), the name can change very quickly, and there generally isn't an easy way to follow a scammer once they leave a server whereas you can always find a scammer's Steam profile after a trade is completed. Put simply, there is too much plausible deniability for both the Steam and Discord user with any report we would receive. How do you expect to prove the identity of potential impersonation or libel victims, in the face of misinformed or malicious reporters? What avenue is there for an innocent victim of such fake reporting to appeal a judgement?

Another issue I noticed is that your bot requires full administrator permissions on any server where it's invited. Is there some way it can work without that level of access, on principle of least privilege? Most of the time, you can simply grant a bot with a few select permissions, such as kick/ban, manage messages/channels, or manage roles, depending on what it's intended to do. But granting it the level you ask for is quite dangerous, and would make me reconsider running your bot anywhere myself.

I can see you already put some thought into this, so please don't take my concerns too harshly or personally, but I'd still like to see how you address these problems.

How do you ensure that?

So you would require users appealing a judgement to run your extension no matter what?

Does that mean a report made using your extension cannot be contested? Or can't be contested unless the appellant also uses your extension?

To rephrase my question: Does this mean evidence collected from your extension cannot be contested?

How do you prevent someone from tampering with the extension, reverse engineering, or otherwise uploading bogus data to the same upload destinations your extension would use in order to frame someone?

At SteamRep, we never require users to run any arbitrary software, or even provide it, and discourage affiliated communities from doing so themselves, as this creates a pretext for account hijackers to coerce users into clicking malware links. Quite a bit of malware today - at least most that we run into - is in the form of browser extensions, often with fake review bombs to appear legitimate. Are you concerned about malicious clones of your extension being used to steal accounts and personal information from people who think they're dealing with you?

Suppose someone comes to appeal your judgement, from a report made using your extension. They claim they're innocent, and never spoke with this reporter but that a different user was trying to extort them with the threat of framing them and getting them banned as a scammer in multiple places. They've never heard of your site before, and don't feel comfortable running your code, but offer to provide screenshots, or other information or evidence you might need to clear their name, on demand (e.g. Twitch stream). Do you require them to run your software? Do you allow them to appeal at all?

What technology or technique are you going to use to ensure evidence from your extension cannot be fabricated or "inspect elemented"? Specifically what level of accuracy are you claiming this extension is going to have?