A senior privacy researcher has warned that Slack conversations could be leaked, as well as passwords and usernames, in an opinion article for the New York Times.
Published on Monday, Gennie Gebhart, associate director of research at the Electronic Frontier Foundation, wrote that the business chat app does not have end-to-end encryption even though it “stores everything [a user] does on its platform by default.”
In her op-ed for the New York Times, she wrote: “...which means Slack can read it, law enforcement can request it, and hackers — including the nation-state actors highlighted in Slack’s S-1 — can break in and steal it." According to Slack’s S-1 form, the company has confirmed that it faces threats from “sophisticated organized crime, nation-state, and nation-state supported actors.”
Slack is a business tool which allows people to engage with one another whether they are in the office or not. Using channels to separate conversations and private messaging to enable people to directly communicate with one another, it has been received positively within the workplace in general.
However, Gebhart wrote that while Slack’s paying enterprise customers “do have a way to mitigate their security risk” it's not just them who might be vulnerable to cyber-attacks. She added: “Slack’s users include community organizers, political organizations, journalists and unions. At the Electronic Frontier Foundation, where I work, we collaborate with activists, reporters and others on their digital privacy and security, and we’ve noticed these users increasingly gravitating toward Slack’s free product.”
Slack's free product allows users to have up to 10,000 searchable messages, with any more being stored away on their servers. It also enables one-to-one voice and video calls and file sharing. On its website, Slack stated this about its security: “Slack takes privacy and data protection seriously. As a cloud-based company entrusted with some of our customers’ most valuable data, we’ve set high standards for security.
“We’ve received internationally recognized security certifications for ISO 27001 (information security management system) and ISO 27018 (for protecting personal data in the cloud).”
However, Gebhart was concerned that privacy could be breached with the collaboration tool. She said: “Free customer accounts don’t allow for any changes to data retention. Instead, Slack retains all of your messages but makes only the most recent 10,000 visible to you. Everything beyond that 10,000-message limit remains on Slack’s servers. So while those messages might seem out of sight and out of mind, they are all still indefinitely available to Slack, law enforcement and third-party hackers.
“Slack’s business case for keeping your old messages is to have them ready for you just in case you decide to upgrade to the paid product, which has no limit on the number of messages available for you to search and view. But many users — including those most likely to be in the cross-hairs of a law enforcement request or headline-grabbing nation-state hack — are unlikely to ever make that switch.”
Jake Moore, a cybersecurity specialist at ESET, said that while Slack is a “fantastic application” to help people break away from the downsides of email, it might now come with downsides of its own: “Admittedly, many people don’t think or even care about encryption or place it on a priority list when it comes to data or messaging but in a world where privacy is increasingly becoming more popular, companies need to be thinking about enforcing encryption and privacy for all of their customers by default with no option to bypass it.
“Similarly, companies who don’t use two-factor-authentication by default also put their customers data at risk of having their confidential data viewed by anyone with the right know-how and tools,” he added.
Ending her opinion article, Gebhart gave her recommendations for what the company should do for its customers: “Slack should give everyone the same privacy protections available to its paying enterprise customers and let all of its users decide for themselves which messages they want to keep and which messages they want to delete.”