More than six million people use Slack daily, spending on average more than two hours each day inside the chat app. For many employees, work life is contingent on Slack, and surely plenty of us use it for more than just, say, work talk. You probably have a #CATS and a women-only channel, and you’ve probably said something privately that you wouldn’t want shared with your boss. But that’s not really up to you.
When you want to have an intimate or contentious chat, you might send a direct message. Or perhaps you and a few others have started a private channel, ensuring that whatever you say is only seen by a handful of people. This may feel like a closed circuit between you and another person—or small group of people—but that space and the little lock symbol aren’t actually emblematic of complete privacy.
Do Slack employees have access to your chats? The short answer is: sort of. The long answer is... below. Can your company peek at your private DMs? It’s entirely possible. Slack’s FAQ pages help elucidate some of these concerns, but at times the answers are frustratingly vague and difficult to navigate. So we dug into it for you. Read more to find out what Slack—and your company—is actually doing with your data.
Before you slide into your colleague’s DMs to drag your employer or disclose some sensitive information, check the settings your company has in place. Go to your profile and click Account Settings and then Workspace Settings (Or visit: teamname.slack.com/account/team). Here, you’ll find a full list of admins as well as the settings for public channels, private channels, direct messages, and files.
So, who can see what? There are two types of privileged Slack users: admins and “workspace owners.” Both of these special users can download a “standard export” of anything posted to public channels, but only workspace owners can see your DMs, through what’s called a “compliance export.” Not all workplaces have compliance exports enabled.
You can see whether compliance exports have been turned on for your team at the bottom of your Team Settings page. Slack added the compliance exports feature in 2014 for some of its paid customers and the feature is only available on the Plus plan. If your workspace owner has the feature turned on, they will have access to a .zip file with your message history, both from private channels and direct messages. But if your company has such exports currently turned off, you will get a Slackbot notification if any change happens, and your message history prior to the feature being enabled will not be available to view.
An allegedly small number of people at Slack have access to the systems that store and process your data, but it’s unclear exactly how many Slack employees do, and who, exactly, those people are.
When I asked Slack if employees have access to user data, including messages, the spokesperson said “yes,” because the operation of the chat app “requires that some employees have access to the systems which store and process Customer Data.” However, when I asked what percentage of the company’s employees have access to customer data, the Slack spokesperson replied, “No employees have standing access to the systems which store and process customer data.”
So what is “standing access?” In an interview with Gizmodo, Slack security chief Geoff Belknap described standing access as the ability for an engineer to simply open up a window and rifle through data. Belknap said Slack gives its employees the ability to exercise some commands in the event of an emergency, or for a “valid, justifiable reason,” which could potentially expose them to customer data. However, Belknap said the process triggers alerts and is reviewed by the employee’s manager or superior. Slack declined to share additional details about this alert and reviews process.
This scenario typically occurs, Belknap said, if there is a major outage, if Slack is performing maintenance on a database, which might hold customer data or content, and if “something is really wrong with the platform.”
When I asked Belknap which Slack employees have access to the systems that store and access customer data, he declined to name the exact number of people. “It’s a very small number and a very controlled number of people that have what I would phrase as the ability to follow a process that puts them in a place they potentially have access to data.”
When I asked a spokesperson if, theoretically, a Slack employee could break a policy and open a company’s Slack—if they technically have that capability, they said, “there are technical, audit and policy controls in place to both prevent and detect employees from viewing customer data without authorization.”
According to Belknap, there is “no intentional tooling built” to allow an employee to do that. He said there is no administrative tool that would let him, even if he had been granted permission, “to say, I would like to see a message between Jane and Sam on September 1st at this date on this team.” However, he acknowledged that because Slack built the platform, the company has the capability to build that type of tooling, “if that was something we felt like we needed to do to operate the platform,” but said that “it’s just not what Slack is.”
In a call with Gizmodo, EFF Senior Staff Attorney Nate Cardozo characterized this policy as typical, but nevertheless criticized it.
“Slack could have built this system in a way that no one within the company had access into user data,” said Cardozo, referencing zero-knowledge encryption, an end-to-end encryption method. “What it comes down to is, ‘trust us,’” Cardozo said. “That’s the same thing that Uber said and then they were caught with their pants down with God mode,” a widely available internal tool that allowed Uber staffers to spy on both drivers and passengers. “If you wouldn’t put it in email don’t put in Slack,” said Cardozo.
While there are Slack employees who can do so-called “maintenance,” reply to legal data requests “from US law enforcement and governmental entities,” and extract data under certain circumstances, Belknap said “nobody can specifically go in and say, I want to go see what these two people said to each other.” Belknap added that it wouldn’t be possible to attempt to do so “without all kinds of logging alarm bells and diligence happening as a result of that.”
When I asked a Slack spokesperson if there had been incidents in the past where alarm bells have gone off, they declined to share specific information. “Any system that is set up well will regularly have alerts to investigate,” the spokesperson said. “Alerts are a sign of well-functioning controls, and zero alerts is a sign of a broken security program.”
Slack’s data request policy states that if a third party wants someone’s customer data, they should contact the customer. But like Apple, Snap, Facebook, Twitter, Google, and other tech platforms, Slack submits to law enforcement requests. The company says it “requires a search warrant issued by a court of competent jurisdiction.”
Slack’s most recent transparency report includes legal requests for data received from May 1st, 2017 through October 31st, 2017. In that period of time, Slack says it received four subpoenas—two resulted in “no information disclosed,” while the other two resulted in disclosing “basic account information” and “other non-content metadata.” Slack was also served one search warrant in that time period, which resulted in the disclosure of “basic account information,” “other non-content metadata,” and more notably, “user generated data.” This includes “public and private messages, posts, files and DMs,” according to Slack. The report says Slack had received zero national security letters—US government orders that compel companies to hand over data in secret.
Belknap described Slack’s relationship with law enforcement as “professional,” and said “they are not here having coffee on Fridays or anything like that.”
In response to law enforcement requests, a Slack spokesperson said the company “will notify Customers before disclosing any of Customer’s Customer Data so that the Customer may seek protection from such disclosure, unless Slack is prohibited from doing so or there is a clear indication of illegal conduct or risk of harm to people or property associated with the use of such Customer Data.”
The EFF has an internal policy that prohibits teams from using Slack, because of what Cardozo calls Slack’s “incredibly weak customer notice policy.” Cardozo said in an email that Google, for example, will notify users of requests for their data unless they are legally prohibited or if there is risk of death or injury to a human. Google also won’t notify users if it is counterproductive to do so, such as if the account has been compromised and the notice would be sent to a hacker, not the user. Apple’s caveats are the same as Google, except that it also won’t notify users in the event of an emergency.
Slack’s policy enables it to choose not to inform users for the same reasons, with two additional caveats: if the user is engaging in illegal conduct or if there is a “risk of harm to people or property.” Cardozo challenged the former caveat by questioning whose laws Slack judges conduct by, pointing out that homosexuality is illegal in dozens of countries, and that copyright infringement is illegal. “Does this mean that Slack will withhold notice in every single copyright case?” Cardozo said. “What about in defamation cases?” In regards to the risk of harm to property exception, Cardozo questioned whose property Slack is referring to. “Legally, harm to reputation is included within harm to property,” he said. “Does that mean that Slack is reserving the right to withhold notice to a user if giving notice would damage Slack’s reputation?”
Slack declined to expand on any of the specific questions posed by Cardozo.
Slack does not sell consumer data or make money off of advertising, Belknap said. That is in contrast to many of the other online platforms you use, like Facebook, Twitter, and Google, to name a few.
Belknap said that monetizing customer data is something Slack has no plans to do in the future. “I mean, who would want to use a platform where you’re having a work conversation and an ad pops up in the midst of the conversation,” said Belknap. “And I think, quite frankly, if we were going to do that, we would have done that from the outset.” Beyond not selling user data for targeted ads, a spokesperson said the company does not sell user data for any other purpose.
“Not to demonize them,” Belknap said, referring to online platforms like Google and Facebook, whose customers are ultimately marketers and advertisers and not the individual end users, “but our customer really is you, the person using the product. So our topline objective here is to make sure that you’re comfortable and feel like we are trustworthy of your work.”
Whether your data is deleted, and when, is determined by the owner of your Slack team. In most cases, this is your employer. They’re able to configure when and what data is deleted. If they set channels to automatically delete every 30 days, then “all deleted data is deleted,” a spokesperson said of the process, which runs on a nightly basis. The spokesperson added that when an owner initiates the deletion of data, Slack “hard deletes all information from currently-running production systems (excluding team and channel names, and search terms embedded in URLs in web server access logs)” within 24 hours. “Services backups are destroyed within 14 days,” the spokesperson said. If a channel is set to auto-delete every 24 hours, then generally a warrant for that information can only yield the past 24 hours of data, however a spokesperson said that “some data may remain in backups for 14 days,” as is noted in Slack’s security policy. The spokesperson would not further explain why data can “remain in backups for 14 days.”
Like any company, Slack is not immune to a breach or an oversight. In 2014, a programmer spotted a vulnerability in the chat app that let anyone view a company’s internal Slack teams. And in February 2015, the company suffered a data breach. In a March 2015 blog post, Slack described the news as a “security incident” and announced the rollout of two-factor authentication. However, Slack has yet to make headlines for leaked chatlogs or passwords and hopefully never will.
A lot of this boils down to trust. You’ll have to trust that Slack will choose to give you notice if it is forced to hand over your data. You have to trust that no staffers are abusing their access. And you have to trust, even if all of the best intentions are there, that systems are in place to protect your data from outside offenders.
Do you have a question or information about how Slack handles user data? Email me: firstname.lastname@example.org.
Correction 2:10 PM: Slack’s security chief Geoff Belknap’s name was misspelled. We regret the error.