Douglas Crawford

Douglas Crawford

January 15, 2018

What is Slack?

Slack is a cloud-based team collaboration tool used by some six million people on a daily basis. It is primarily an Instant Messaging platform similar to Skype. It allows you to talk in private to other team members, or to create and join more open group “Channels” with other team members. File sharing, screen sharing, and voice/video call features are built-in.

So are my Slack conversations private?

This is a complicated question; Note that almost all of the information below is gleaned simply from what Slack has chosen to share.

Data is encrypted in transit and when stored, and Slack now supports the HIPAA and FINRA data protection standards required by the health and financial services industries respectively.

Slack was also not, however, built with end-to-end encryption or zero-knowledge cryptography in mind. Data is encrypted when stored, but Slack hold the encryption keys, and can therefore access it. Slack is also a proprietary clouded source product, so there is no way to independently audit what the software is actually doing.

All of that means we just have to take Slack’s word for what it does with our data.

Can my boss read my messages?

This is probably most employees’ most pressing question! And the answer is… maybe. For a start, all admins can download a “standard export” of all conversation on public channels. This is probably to be expected, but what about private Direct Message (DM) conversations with other team members?

Well, it all depends on what settings your boss has put into place. To find out:

  1. In Slack, go to your Profile -> Profile and Account -> Account Settings -> Workspace Settings.

Slack

Or just visit teamname.slack.com/account/team in your browser.

  1. Scroll down to Compliance Exports.

Luckily for me, my boss can’t read my private messages. Phew!

If Compliance Exports are enabled, then the Primary Owner of your slack account (your boss) can download a zip file containing all your private conversations. Note that this option is not enabled by default, and is only available to bosses who sign up to the Slack Plus plan.

Even then, they must submit an application which must be approved by Slack. No information is available, however, on what criteria must be met for this approval to be granted.

Good news is that if Compliance Exports are not already enabled, your boss cannot sneakily enable them without you knowing.* If the Compliance Exports feature is turned on when it was previously turned off, you will get a Slackbot notification. Your boss will not be able to access messages sent prior to Compliance Exports being enabled.

*Update March 2018: a change in policy means that under limited circumstances your boss might be able to access private DMs, even when using the free or Standard plans. For mo5e information please see here.

Can Slack staff read my messages?

Despite having lengthy Privacy Policy and Security Practices pages, exactly what data Slack staff members can see, and who can see it, remains clear as mud. Slack told Gizmodo pretty much what I would expect: Employees can access your messages, and will do so in an emergency or for other “valid, justifiable reason[s].”

No employee, however, has “standing access” (unrestricted access) to users’ data. Slack security chief Geoff Belknap also assured Gizmodo that:

It’s a very small number and a very controlled number of people that have what I would phrase as the ability to follow a process that puts them in a place they potentially have access to data.”

What about unauthorized access?

Slack insists that it has a set of protocols in place that would result in alarms being triggered should an unauthorized attempt be made to access users’ data. Belknap also stated that there is “no intentional tooling built” that would allow employees to access specific conversations. He did admit, however, that such a tool could be built if required.

As Nate Cardozo, Senior Staff Attorney at the Electronic Frontier Foundation (EFF) notes:

Slack could have built this system in a way that no one within the company had access into user data. What it comes down to is, ‘trust us.’ That’s the same thing that Uber said and then they were caught with their pants down with God mode. If you wouldn’t put it in email don’t put in Slack.

Can the police read my messages?

Slack is a US company, and must therefore comply with valid requests for information by US law enforcement bodies. Slack says compliance with such requests “requires a search warrant issued by a court of competent jurisdiction.”

According to its own transparency report, which covers all such requests received from 1 May through to 31 October 2017, only one request resulted in “content data” being disclosed. Content data includes user-generated data such as public and private messages, posts, files, and DMs.

The report says that Slack received no National security letters (NSLs) during this period, but it should be noted that NSLs are typically accompanied with gag orders. This would prevent Slack from disclosing the fact that it had received an NSL.

If Slack does hand over your data to the police, it will usually notify you of the situation. This does not apply, of course, if it is legally prohibited from doing so. More worryingly, Slack will not inform people who are engaging in illegal conduct, or where there is deemed to be “risk of harm to people or property.”

Until a case has been brought to court, however, who is to say whether a customer has engaged in illegal conduct?

Can hackers read my messages?

In theory, no. As noted earlier, messages are encrypted both in transit and when at rest. In practice, Slack has not yet suffered a major data breach. However:

  • In 2014, security researcher Tanay Sai discovered a bug in the Slack software. This allowed anyone to see a company’s internal Slack teams just by entering a fake email address for that company.
  • In 2015, Slack suffered a four-day security breach in which users’ account details and passwords were accessible to hackers. Fortunately, this data had been hashed using the bcrypt password hashing function. This makes it is very unlikely (to the point of being impossible) that hackers could mass-convert the hashed passwords into plain text ones. It might still be possible, however, to crack individual password hashes. Following this incident, Slack began to offer (optional) two factor-authentication (2FA) for accounts.
  • In 2017, Slack disclosed the discovery of a security vulnerability that could allow a hacker to log in to Slack as if they were a legitimate user. They would then have full access to a group’s chat history, channels, and shared files. It is believed the vulnerability was patched before being discovered and exploited by malicious attackers.

Can advertisers read my messages?

Good news here – no. Slack has a subscription-based business model and makes no money from advertising. Not only has Slack stated that it has no plans for this situation to change in the future, but it also makes little business sense.

People might be willing to put up with ads and other privacy invasions in exchange for a free service during their leisure time (looking at you, Facebook and Google!). They are unlikely to accept this when working, however, as it would have a negative impact on productivity.

Conclusion

Slack was not designed for strong privacy. If Compliance Exports have not been enabled then your DM chats are safe from your boss, but all bets are otherwise off. In general, it is probably best to think of Slack as you would email – if something is not safe to say in public, then don’t say it on Slack.

My thanks to Melanie Ehrenkranz from Gizmodo, whose article I acknowledge a great debt to.

Image Credit: Giorgio Minguzzi /flickr.com/Some rights reserved.