What we know about video conferencing with Slack
Dr. Martin Shelton
May 22, 2024
If you work remotely on the web, you’re probably getting comfortable with multiple video chat tools. At Freedom of the Press Foundation, we’ve published a high-level comparison of some common video chat applications, and many others maintain detailed comparison spreadsheets to help you compare dozens of tools. We also wanted to dive deeper into what we know about a few individual tools. This “fact sheet” will detail some security, privacy, usability, and anti-abuse properties of Slack. In particular, we’re focusing on properties that are critical to high-risk users, like journalists, and developed a series of questions to help examine these properties.
In our fact sheets, we’ll be taking a closer look at several tools in common use at media organizations. We can’t possibly cover them all. In addition to Slack, we’ll examine…
Each of these platforms changes regularly, so check back to see our regular updates. And if you see anything wrong, let us know at freedom.press/contact.
For a simple way to participate in scalable text chat with friends, colleagues, and internet strangers, Slack is ubiquitous. And while they do not provide end-to-end encrypted chat, which would ensure the company cannot read users’ conversations, they’ve generally provided strong security assurances for users’ accounts.
We’re here to talk specifically about just one of its capabilities: video chat. Slack offers one-on-one video calls on unpaid plans, and up to 15 users on paid plans. Their video chat only works with other users in the same “workspace” where users can message one another.
Note that Slack also supports third-party apps, such as Google Meet or Zoom, but for now, we’ll just stay focused on Slack’s built-in video conferencing capabilities.
Slack supports two-factor authentication over traditional SMS text messages, as well as authenticator apps (e.g., Google Authenticator, Authy, FreeOTP).
Yes, Slack uses standard TLS to encrypt traffic between users and Slack’s servers.
Slack does not support end-to-end encryption. Slack uses DTLS-SRTP to secure connections between users in its video chats.
Slack says they regularly contract with external firms to conduct security audits. They have published the most recent findings of an independent SOC 3 audit on their website, describing Slack’s organizational controls and system requirements. From late 2019 through late 2020, the auditing firm said, Slack has provided “reasonable assurance” that Slack’s controls and requirements have been upheld.
In March 2015, Slack disclosed that attackers gained unauthorized access to a profile database, including usernames, email addresses, hashed passwords, and other information optionally added to their profile (e.g., Skype IDs and phone numbers). In response, the company looked for evidence that any passwords had been decrypted or misused, and reset passwords for a small number of affected users. Four years later in 2019, with additional evidence of abuse from the 2015 breach, they announced they would reset passwords for all users whose profiles were compromised in the breach — at the time, roughly 1% of Slack users.
Slack identified a bug in the December 2020 version of its Android app that inadvertently logged a subset of users' passwords to the device in plaintext. Slack promptly identified and fixed the bug. While they say they did not identify this bug being exploited in the wild, they nonetheless emailed and encouraged the affected users to change their passwords.
Slack offers a directory, allowing all users within an organization or workspace to search for one another. Users on paid plans can also share channels with external organizations, or search for pre-configured “user groups.” Likewise, users can search for others within an organization or workspace within their direct messages. A variety of third-party services (e.g., Google Directory) can optionally also help to look up users from outside of the Slack organization or workspace.
No.
Slack says they do not store recordings or transcriptions of Slack call content. According to their privacy policy, certain types of data are explicitly shared by the user: name, email, phone number, password, and domain. Paid customers also provide their credit card or other payment information. And of course, Slack will store “Customer data,” which they describe as “messages, files or other content submitted,” using their services.
Slack details several types of metadata collected, only some of which are specific to calls. This includes call participants, where a call was started (e.g., via direct message), when a call is entered, when it ends, and performance metrics (e.g., latency, jitter). In addition, according to their privacy policy, “Slack logs the Workspaces, channels, people, features, content and links you view or interact with, the types of files shared, and what Third Party Services are used (if any).” They log IP addresses, approximate location, and dates when users access their services. They also log device information, browser type and configurations, language preferences, and cookie data.
According to their privacy policy, Slack says they do not sell user data. Instead, their business relies on software subscriptions.
According to Slack's security white paper, "Customer data is removed immediately upon deletion by the end user or upon expiration of message retention as configured by the customer administrator. Slack hard deletes all information from currently running production systems (excluding team and channel names, and search terms embedded in URLs in web server access logs) and backups are destroyed within 14 days."
According to their white paper, “Slack’s hosting providers are responsible for ensuring removal of data from disks is performed in a responsible manner before they are repurposed.”
Slack uses Amazon Web Services, and according to their separate documentation, Amazon will securely wipe used server hard disks before repurposing. In other words, Slack data is unlikely to linger on Amazon’s servers following deletion.
No.
Slack has published transparency reports since 2015. The transparency report does not say how often data requests involve Slack video chat data specifically. What we can say is that each year on record, Slack receives and responds to a relatively small handful of U.S. law enforcement data requests. Most recently in 2020, they received 10 warrants for user content data, and produced data in these cases.
According to Slack, they will notify users of data requests, except in specific circumstances.
As they say in their data request policy, “Unless Slack is prohibited from doing so or there is a clear indication of illegal conduct or risk of harm, Slack will notify Customer of the request before disclosing any of Customer’s Customer Data so that the Customer may seek legal remedies.”
We are not aware of any unsealed cases involving Slack’s video conferencing software specifically.
No.
Yes. However, only those in the Slack group can participate.
Sort of! The primary way to control who accesses a call is to invite individuals to participate. Users can start a call by opening an invitation to an entire Slack channel, but this allows anyone in that channel to join. To ensure only the right people enter, users must invite only one person at a time, either by opening a direct message with the right person, or by inviting new users to the call while it is ongoing.
Slack calls support up to 15 participants for paid accounts. Free accounts can only support one-on-one conversations.
Slack provides support for keyboard navigation and screen readers. While their mobile apps work nicely with magnification, the mobile apps do not currently support video conferencing.
Slack does not natively allow video recording. However, workspaces can optionally use third-party apps that do support video recording (e.g., Zoom).
No. Users can only mute themselves.
Users can’t be removed from the call. Slack’s main way to address this issue is to allow users to selectively invite participants in the first place, either by opening a video chat invitation in a channel or DM, or by starting a video chat and adding individual members one by one.
Now that you’ve read all about the platform, you can evaluate whether it’s right for your situation. If you want to check out another platform, consider looking to our short guide for a high-level comparison, or videoconferencing.guide for many more details. And as always, contact our training team if you need more assistance.
This article was updated on May 9, 2022.