Please stop sending sensitive messages via Slack

No matter how much you may want to snarkily rip into a co-worker over Slack, you may want to think twice before hitting Send. While Slack channels might look and feel private, they’re just as exposed to monitoring as most email. And it’s not just Slack: Many messaging apps are about as secure as a postcard.

Passwords, direct messages, and so-called private channels aren’t necessarily enough to actually keep our data—and opinions—private. How each service sends and stores your data is confusingly inconsistent.

Because apps with varying levels of encryption, including Slack, may retain messages on their servers for a period of time, they could expose message data to snooping or sanctioned monitoring.

Some “secure messaging” apps, including Signal and WhatsApp, have default end-to-end encryption that protects your communications, as long as both the sender and recipient are using the platform.

Others have opt-in encryption: Facebook Messenger’s Secret Conversations feature, through which you can set a timer for a message to be deleted from your device, requires users to opt in for each conversation. Apple’s iMessage is encrypted end to end, if chats are sent between Mac OS or iOS devices. (If a recipient is not using an Apple device, the conversation turns into unencrypted text messages. Encrypted messages appear in blue bubbles, while those that are unencrypted turn green.)

And yet other popular platforms, including those of Google Hangouts and Slack, simply rely on encryption protocols like HTTPS to protect the communications between your device and the site or service. Unlike messages protected with end-to-end encryption, which can be decrypted only by the sender or recipient, messages protected with HTTPS (or SSL or TLS) can be intercepted at the server. Slack and Google both offer encryption at rest on their servers, but data can still be accessed by those who have the correct decryption key.

“It just shows how much education users need to do when they switch around between half a dozen apps, trying to figure out how each one works,” says Riana Pfefferkorn, a cryptography fellow at the Stanford Center for Internet and Society. “It would be great if we had a default encryption that any service would use so you wouldn’t have to be such a detective on your own behalf.”

The way Slack portrays its security and privacy measures may be adding to consumers’ detective work. While its “approach to security” outline states that it offers “data encryption in transit and at rest,” experts say this doesn’t mean that your messages are encrypted end-to-end and completely unreadable by anyone other than the sender and recipient.

“Encryption in transit” simply means that the information is scrambled on the link between the sender and the Slack server, as well as on the link between the Slack server and the recipient, explains Erica Portnoy, a security technologist at the Electronic Frontier Foundation. Slack employees could still access decrypted messages on the server, and employers could even regularly download them through Slack’s Corporate Export feature.

Slack messages that are encrypted “at rest” are decrypted again when customers actively use the data, she adds. The encryption might garble data when it’s stored on a server or device, and not in use, but it doesn’t necessarily prevent a user or administrator from accessing the messages via the app or exporting them elsewhere.

Even using an app touting true end-to-end and at-rest encryption, of course, won’t ensure that no one will ever be able to obtain your messages. As Pfefferkorn explains, if you haven’t set your messages to disappear, anyone who gains access to your device and its apps—if you leave them unlocked, or if they get hacked—could view your conversations. And if you’ve backed up your messages to the cloud or exported your chat history, the data may not be fully protected with at-rest encryption.

“It’s not an absolute,” Pfefferkorn says.

Some encrypted services may also keep metadata that shows when you last connected and what other accounts you communicated with—even if your actual messages aren’t readable.

Encrypting and deleting also doesn’t necessarily ensure that your messages fully vanish. If a person you communicate with doesn’t delete the chat on his end—or if he took a screenshot or photo of the conversation, or copied and pasted it into another window—your messages will live on and potentially be read by others.

“Just because it’s not showing up on your screen anymore doesn’t mean that it’s going away,” Pfefferkorn says.

Slack users can add an extra layer of protection to their conversations by using an extension called Shhlack that encrypts messages end-to-end using keys users pre-exchange with each other.

Stefano Di Paola, chief technology officer and co-founder of Shhlack developer Minded Security, says the tool is meant to protect messages from being logged by Slack and exported to employers in plaintext. Shhlack’s end-to-end encryption prevents what users send via direct message from being read by people with administrator accounts, access to the Slack database, or the ability to exploit security flaws. However, Di Paola is careful to call the extension an “experiment,” not a security solution.
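
To make the distinction drawn above concrete, here is an added toy model (not code from The Parallax, Slack or Minded Security) of one message relayed Alice -> server -> Bob under transport-only encryption with an at-rest store, and then with a Shhlack-style pre-exchanged key layered on top. The cipher is a constructed stand-in and every name and key is hypothetical; what it shows is what the relay retains and whether an administrator export of that store is readable in each model.

```python
"""Toy relay model: transport-only encryption vs an end-to-end layer on top.
Constructed for illustration: the cipher is a SHA-256 keystream XOR with a
random nonce (a stand-in, not a real AEAD), and every name and key is
hypothetical. It shows what the relay retains and what an admin export of
that at-rest store yields in each model."""
import hashlib
import secrets


def _stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || nonce || counter) blocks; symmetric."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh per message, sent in the clear
    return nonce + _stream(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _stream(key, blob[:16], blob[16:])


def relay(msg: bytes, end_to_end: bool) -> dict:
    """Alice -> server -> Bob. Returns what Bob reads and whether an export
    of the server's store, decrypted with the server's own key, is readable."""
    sess_alice, sess_bob = secrets.token_bytes(32), secrets.token_bytes(32)
    store_key = secrets.token_bytes(32)  # 'at rest' key, held by the server
    shared = secrets.token_bytes(32)     # pre-exchanged by Alice and Bob only
    retained = []

    # The inner layer exists only in the end-to-end model (Shhlack-style).
    payload = encrypt(shared, msg) if end_to_end else msg
    # Hop 1: 'encryption in transit' under Alice's session key. The server
    # terminates that session, so it now holds whatever Alice put inside.
    at_server = decrypt(sess_alice, encrypt(sess_alice, payload))
    # 'Encryption at rest': stored under a key the server itself controls.
    retained.append(encrypt(store_key, at_server))
    # Hop 2: re-encrypted for Bob's session; Bob strips the transit layer.
    received = decrypt(sess_bob, encrypt(sess_bob, at_server))
    bob_reads = decrypt(shared, received) if end_to_end else received

    export = [decrypt(store_key, r) for r in retained]  # admin export path
    return {"bob_reads": bob_reads, "export_readable": export == [msg]}
```

Bob reads the same text either way; only the end-to-end run leaves the server's export holding ciphertext it has no key for.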

“Slack with Shhlack cannot compare to actual encrypted services,” he told The Parallax in an email. “It is absolutely not to be used as a comparable alternative to services like those. We are aware that encryption is serious stuff.”

Experts agree that third-party add-ons that attempt to secure online services with encryption aren’t as well protected as services with strong built-in encryption. That’s because if third-party developers don’t keep up with changes to the original app or product, the plug-in or extension could easily break and leave users’ data exposed.

“The Internet is littered with formerly supported projects that people liked but just got abandoned, or didn’t keep up with the underlying software that they were built to interact with,” Pfefferkorn says.

Secure-messaging use cases vary widely. Some people may simply be worried about their employers reading their shit-talk or casual (but private) conversations, while others may be more concerned about law enforcement gaining access to chat transcripts in the event their company is involved in litigation. Still others may fear that hackers will intercept their sensitive messages and steal personal information, or that they’ll be identified as a whistleblower.

“When a user is considering their privacy, they have to ask themselves, ‘What is the information I’m trying to hide, and who am I trying to hide it from?’” the EFF’s Portnoy says. “There are levels of security that apps provide, and it is possible to send messages that are secure enough for a particular use case, given a lot of care.”

If you’re questioning whether the contents of a message you’re about to send will remain private, proceed with extreme caution. Portnoy notes that it can be difficult for the average user to parse the specific security features offered by the apps we regularly use. So before you hit Send, read third-party or user reviews of the messaging service, paying close attention to what they say about security and privacy.

“If you’re worried about what you’re putting in writing enough that you’re off reading a privacy policy,” Portnoy adds, “that’s not the place that I would be putting that information.”
