Journalists, how private are your Slack messages really?


It's time to rethink your privacy on Slack. Photo by Adam Levine. CC BY 2.0

As the COVID-19 pandemic hit, workplaces were forced to rapidly switch from in-person settings to fully remote. Slack, which was already a key tool in many newsrooms, has reached new levels of usage. In late March 2020, Slack announced it had significant user growth, nearly doubling the number of new customers.

When Slack went public in 2019 with a valuation at $23 billion, Nieman Lab suggested that there might be more newsrooms that run Slack than use Microsoft Word—it’s everywhere. Yes, even here at Freedom of the Press Foundation, we use Slack for coordination across multiple teams.

So this is a good time to remind everyone that, while Slack can make communication and team coordination easier, your Slack messages are not as private as you may think.

In a 2019 op-ed in the New York Times, the Electronic Frontier Foundation’s Gennie Gebhart summed up the problems with using Slack:

"Right now, Slack stores everything you do on its platform by default — your username and password, every message you’ve sent, every lunch you’ve planned and every confidential decision you’ve made. That data is not end-to-end encrypted, which means Slack can read it, law enforcement can request it, and hackers — including the nation-state actors highlighted in Slack’s S-1 — can break in and steal it."

The security and privacy properties of Slack are vastly different from those of the face-to-face conversations it’s replacing. You can’t look around to see if someone might be trying to eavesdrop, because Slack always is.

To make informed decisions about how to use Slack safely, especially for journalists working on sensitive stories with at-risk sources, it’s important to know who exactly can read your messages.

As a U.S. company, Slack will hand over its records upon request from government agencies like the FBI or even your local police department, following a warrant, subpoena, or other court order. And while Slack will attempt to notify users before handing over user data, the company’s broad exceptions to this user notification rule did not garner credit in the EFF’s 2017 “Who has your back?” report.

Your Slack messages might contain discussions about confidential sources, future story ideas, or seemingly unimportant office gossip.

No one knows the consequences of this more than the former employees of Gawker. During the Hulk Hogan lawsuit against Gawker (details about the case), chat transcripts from Gawker’s internal work chat (hosted on Campfire, a similar tool to Slack), were read in the courtroom as evidence.

Former Gawker editor-in-chief Max Read felt so strongly about his internal office jokes becoming a matter of public record that he wrote a piece for New York Magazine titled “Hulk Hogan Taught Me Never to Make a Bad Joke on Slack Again.”

In the United States, there are different policies about what kinds of data Slack is legally required to hand over. In civil discovery, “non-content” metadata records such as user identity and location are fair game without the presentation of a warrant or other court order. Our friends at the EFF have some more details about the differences.

One way to mitigate the impact of this is to control how long your messages are available in Slack channels and private message logs. This can be seen under “Retention & Exports” on your workspace settings page. All Slack data is held for the entire lifespan of the workspace unless otherwise restricted, and non-paid users must switch to a paid plan before they can add fine-grained deletion rules. In addition to these limits, Slack says they will delete all backups from their servers within 14 days.

Slack admins can set custom data retention rules in your workspace's settings.

Consider asking your Slack workspace administrators to lower the retention period of messages so it becomes more ephemeral. We recommend setting it to a maximum of 30 days for all messages and files. After setting a responsible retention period, administrators can prohibit workspace users from extending the timeframe by disabling the “Let workspace members override these settings” checkbox.

Limit your data retention period to a responsible length. We recommend 30 days maximum.

If your workspace administrator chooses not to lower retention settings but you have the ability to override them, take advantage of it. In a DM or private group chat, click the settings gear and select “Edit message retention…” to use a lower, custom retention setting for your messages.

If your Slack admin doesn't enforce a responsible retention period, you may be able to set custom retention lengths on channels and direct messages.

Your email provider

By default, Slack enables email notifications that include the text of messages. If someone mentions you by saying your @username while you’re away, the text of those messages will end up in your inbox. This potentially defeats the advantage in having low retention settings in Slack since that same content might be saved in your email.

If you receive Slack notifications on your mobile device and don't need them in your inbox, disable them in your preferences under “Notifications.”

Uncheck the box that grants Slack permission to send email notifications for missed messages.

If you choose to keep email notifications enabled, be aware of how long your email provider retains them, even if you regularly delete them.

Slack employees

According to their own security practices, Slack employees do have access to look at user data when “it is necessary to do so.” The same is true for any communication service, whether it’s Gmail, Facebook or others, when the service is not end-to-end encrypted.

Slack says that any such access is logged, and told Gizmodo that accessing user data would trigger alerts and reviews from superiors. Despite these controls, users have little choice but to trust that Slack will use their access responsibly. Unfortunately, there’s clear precedent for abuse among large tech companies. For example, Uber employees abused similar access in their “God view” mode, spying on celebrities, politicians, and exes. If you’re a reporter covering Slack the company, consider staying off the platform entirely while doing your story.

Users on Slack’s Enterprise plan do have an extra way to protect themselves from this kind of attack. The Enterprise Key Management feature allows organizations to manage and store their own encryption keys using AWS’s Key Management Service. Those keys encrypt all content in the workspace, but Slack doesn’t have access to them, and therefore can’t read your messages.

Your boss

In 2017, administrators of CNN’s Slack instance notified reporters that they enabled a “feature” that would give them unfettered access to read any messages, including private DMs, from then onwards. Later communication from their Slack administrators announced, “The company has certain legal preservation obligations which required this feature to be active.”

The message that CNN reporters received from their Slack administrators. (Source: splinternews.com)

Newsrooms may need to retain reporters’ Slack conversations for compliance reasons, but you don’t see companies placing audio recorders at physical water coolers.

Some journalists end up covering the parent company that owns their news organization. Be extra careful in that situation if you are worried executives may attempt to peek at your communications.

This feature is available to workspaces on the “Plus” or “Enterprise” plans, and Slack has made it straightforward for any user to figure out what policy your instance has: just visit https://<your-instance-name>.slack.com/account/workspace-settings and click “Retention & Exports.”

Check to see what export privileges your workspace's admins and owners have in your settings.

If the export setting shown above had included “private information,” workspace administrators would have been able to export DMs and private chats.

Administrators on Enterprise workspaces also have access to Slack’s Audit Logs API, a toolkit designed to help administrators and developers organize data about activity in their workplace. While the API doesn’t appear to provide access to message contents, it does track various sensitive user actions including uploading and downloading of files.
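To make concrete what an Enterprise administrator can compile from the Audit Logs API even without message contents, here is an added example (not code from the original post or from Slack) that summarises file uploads and downloads per user. It assumes the response shape of the Audit Logs API (`entries` with `action`, `actor.user`, `entity.file`); the sample entries are constructed, and the user and file names are made up.

```python
"""Summarise per-user file activity from Slack Audit Logs API output.

Added example, not from the original post. The entry shape (action,
actor.user, entity.file) is assumed from the Audit Logs API; the data
below is constructed for illustration.
"""
import json
from collections import defaultdict

# Constructed sample response; IDs, names and timestamps are made up.
SAMPLE_AUDIT_LOG = json.dumps({"entries": [
    {"id": "a1", "date_create": 1588000000, "action": "file_uploaded",
     "actor": {"type": "user", "user": {"id": "U1", "name": "reporter_a"}},
     "entity": {"type": "file", "file": {"id": "F1", "name": "source_notes.pdf"}}},
    {"id": "a2", "date_create": 1588000300, "action": "file_downloaded",
     "actor": {"type": "user", "user": {"id": "U2", "name": "editor_b"}},
     "entity": {"type": "file", "file": {"id": "F1", "name": "source_notes.pdf"}}},
    {"id": "a3", "date_create": 1588000600, "action": "file_downloaded",
     "actor": {"type": "user", "user": {"id": "U2", "name": "editor_b"}},
     "entity": {"type": "file", "file": {"id": "F2", "name": "draft.docx"}}},
    {"id": "a4", "date_create": 1588000900, "action": "user_login",
     "actor": {"type": "user", "user": {"id": "U1", "name": "reporter_a"}},
     "entity": {"type": "user", "user": {"id": "U1", "name": "reporter_a"}}},
]})

FILE_ACTIONS = ("file_uploaded", "file_downloaded")


def summarize_file_activity(raw_json):
    """Return {username: {"file_uploaded": n, "file_downloaded": n, "files": [...]}}.

    Only file actions are counted; other audit actions (e.g. logins) are
    skipped, and entries missing an actor user or a file entity are ignored.
    """
    summary = defaultdict(lambda: {"file_uploaded": 0, "file_downloaded": 0, "files": []})
    for entry in json.loads(raw_json).get("entries", []):
        action = entry.get("action")
        if action not in FILE_ACTIONS:
            continue
        user = entry.get("actor", {}).get("user", {}).get("name")
        file_name = entry.get("entity", {}).get("file", {}).get("name")
        if not user or not file_name:
            continue
        summary[user][action] += 1
        if file_name not in summary[user]["files"]:
            summary[user]["files"].append(file_name)
    return dict(summary)


if __name__ == "__main__":
    for user, stats in summarize_file_activity(SAMPLE_AUDIT_LOG).items():
        print(f"{user}: {stats['file_uploaded']} uploads, "
              f"{stats['file_downloaded']} downloads, files={stats['files']}")
```

Even this small summary shows who touched which file and when, which is why the metadata alone can be sensitive for a reporter handling source documents.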

Even if you’re on the lower “Free” or “Standard” plans, you’re not necessarily in the clear. Another route that workspace administrators could use to access your messages is through third-party apps.

Some third party apps grant sweeping permissions to your Slack data.

In the example above, the app could read DMs and private messages, potentially logging them. You can see which apps your workspace has installed by going to https://<your-instance-name>.slack.com/apps/manage and filtering based on permission, such as “Access type: Can access messages”.

What should you do?

Slack is still an incredibly useful tool for newsrooms. For resource-strapped newsrooms, Slack can be easy to set up, and it just works. But it’s important to be mindful of the limitations that Slack as a platform provides. For some types of conversations, moving to a different platform will help ensure your messages stay private.

If you’re discussing confidential sources, documents, or stories, consider using an end-to-end encrypted messenger (e.g., Signal).

If you feel like privately talking to a coworker to discuss a gripe with management, instead of Slack, consider instead speaking in person or over an end-to-end encrypted channel. If you’re already using Signal for messaging or calls, it can fill this need as well.

Longer-term, it may be worth entirely moving your Slack workspace to end-to-end encrypted alternatives like Matrix and Wire. And while not end-to-end encrypted, Mattermost is another Slack alternative that can be self-hosted, preventing a third party service provider from seeing any messages.
