By Gennie Gebhart
Slack is one of many Silicon Valley unicorns going public this year, but it’s the only one that has admitted it is at risk for nation-state attacks. In the S-1 forms filed with the Securities and Exchange Commission, Uber, Lyft, Pinterest and Snapchat addressed threats that could lower the price of their stock — including malware, phishing, disgruntled employees and denial-of-service attacks — but only Slack explicitly highlighted “nation-states” as a potential threat.
According to Slack’s S-1 form, the company faces threats from “sophisticated organized crime, nation-state, and nation-state supported actors.” The company acknowledges that its security measures “may not be sufficient to protect Slack and our internal systems and networks against certain attacks,” and correctly assesses that it is “virtually impossible” for the company to completely eliminate the risk of a nation-state attack.
But it is possible for Slack to minimize that risk. Or it would be, if Slack gave all its users the ability to decide which information Slack should keep and which information it should delete.
Right now, Slack stores everything you do on its platform by default — your username and password, every message you’ve sent, every lunch you’ve planned and every confidential decision you’ve made. That data is not end-to-end encrypted, which means Slack can read it, law enforcement can request it, and hackers — including the nation-state actors highlighted in Slack’s S-1 — can break in and steal it.
Slack is widely marketed for and used in business settings, so the company’s servers hold a treasure trove of valuable, proprietary information. Slack’s paying enterprise customers do have a way to mitigate their security risk — they can change their settings to set shorter retention periods and automatically delete old messages — but it’s not just big companies that are at risk.
Slack’s users include community organizers, political organizations, journalists and unions. At the Electronic Frontier Foundation, where I work, we collaborate with activists, reporters and others on their digital privacy and security, and we’ve noticed these users increasingly gravitating toward Slack’s free product.
And that’s what makes the company’s warning to investors particularly alarming: Free customer accounts don’t allow for any changes to data retention. Instead, Slack retains all of your messages but makes only the most recent 10,000 visible to you. Everything beyond that 10,000-message limit remains on Slack’s servers. So while those messages might seem out of sight and out of mind, they are all still indefinitely available to Slack, law enforcement and third-party hackers.
Slack’s business case for keeping your old messages is to have them ready for you just in case you decide to upgrade to the paid product, which has no limit on the number of messages available for you to search and view. But many users — including those most likely to be in the cross-hairs of a law enforcement request or headline-grabbing nation-state hack — are unlikely to ever make that switch.
Some might argue that Slack is the wrong tool for high-risk activists, who would benefit from strong encryption and the ability to host on their own servers — features that Slack doesn’t provide. But for many people, especially small and under-resourced organizations, self-hosting is not a viable option, and using strong encryption is prohibitively difficult. Slack is convenient, easy to use without extensive technical expertise and already familiar to most.
As its website cheerily reminds us, Slack is a “collaboration hub for work, no matter what work you do.” Slack is responsible for protecting the privacy and security of all its users, even the ones whose work brings risks that the company didn’t originally anticipate.
Slack should give everyone the same privacy protections available to its paying enterprise customers and let all of its users decide for themselves which messages they want to keep and which messages they want to delete. It’s undeniably Slack’s prerogative to charge for a more advanced product, but making users pay for basic privacy and security protections is the wrong call. It’s time for Slack to step up, minimize the amount of sensitive data hanging around on its servers and give all its users retention controls.