If you work remotely on the web, you’re probably getting comfortable with multiple video chat tools. At Freedom of the Press Foundation, we’ve published a high-level comparison of some common video chat applications, and many others maintain detailed comparison spreadsheets to help you compare dozens of tools. We also wanted to dive deeper into what we know about a few individual tools. This “fact sheet” will detail some security, privacy, usability, and anti-abuse properties of Slack. In particular, we’re focusing on properties that are critical to high-risk users, like journalists, and developed a series of questions to help examine these properties.
In our fact sheets, we’ll be taking a closer look at several tools in common use at media organizations. We can’t possibly cover them all. In addition to Slack, we’ll examine…
Each of these platforms changes regularly, so check back to see our regular updates. And if you see anything wrong, let us know at freedom.press/contact.
Table of Contents
- Background
- Evaluating the platform’s security properties
- Evaluating the platform’s privacy properties
- Can I get the job done easily and without abuse?
Background
For a simple way to participate in scalable text chat with friends, colleagues, and internet strangers, Slack is ubiquitous. And while they do not provide end-to-end encrypted chat, ensuring the company cannot read users’ conversations, they’ve generally provided strong security assurances for users’ accounts.
We’re here to talk specifically about just one of its capabilities: Video chat. Slack offers one-on-one video calls on unpaid plans, and up to 15 users on paid plans. Their video chat only works with other users in the same “workspace” where users can message one another.
Note that Slack also supports third party apps, such as Google Meet or Zoom, but for now, we’ll just stay focused on Slack’s built-in video conferencing capabilities.
Evaluating the platform’s security properties
Does the platform support two-factor authentication? By what methods?
Slack supports two-factor authentication over traditional SMS text messages, as well as authenticator apps (e.g., Google Authenticator, Authy, FreeOTP).
Does the platform support transit encryption? How is it implemented?
Yes, Slack uses standard TLS to encrypt traffic between users and Slack’s servers.
Does the platform support end-to-end encryption? How is it implemented?
Slack does not support end-to-end encryption. Slack uses DTLS-SRTP to secure connections between users in its video chats.
Has the platform undergone an independent security audit? If so, what were the results, and how did the platform respond to any identified vulnerabilities?
Slack says they regularly contract with external firms to conduct security audits. They have published the most recent findings of an independent SOC 3 audit on their website, describing Slack’s organizational controls and system requirements. From late 2019 through late 2020, the auditing firm said, Slack has provided “reasonable assurance” that Slack’s controls and requirements have been upheld.
Has the platform been breached before? How did they respond?
In March 2015, Slack disclosed that attackers gained unauthorized access to a profile database, including usernames, email addresses, hashed passwords, and other information optionally added to their profile (e.g., Skype IDs and phone numbers). In response, the company looked for evidence that any passwords had been decrypted or misused, and reset passwords for a small number of affected users. Four years later in 2019, with additional evidence of abuse from the 2015 breach, they announced they would reset passwords for all users whose profiles were compromised in the breach — at the time, roughly 1% of Slack users.
Slack identified a bug in the December 2020 version of its Android app that inadvertently logged a subset of users' passwords to the device in plaintext. Slack promptly identified and fixed the bug. While they say they did not identify this bug being exploited in the wild, they nonetheless emailed and encouraged the affected users to change their passwords.
Evaluating the platform’s privacy properties
How does the platform handle contact discovery?
Slack offers a directory, allowing all users within an organization or workspace to search for one another. Users on paid plans can also share channels with external organizations, or search for pre-configured “user groups.” Likewise, users can search for others within an organization or workspace within their direct messages. A variety of third party services (e.g., Google Directory) can optionally also help to look up users from outside of the Slack organization or workspace.
Can I use the platform without making an account?
No.
What user metadata and content is logged by the platform?
Slack says they do not store recordings or transcriptions of Slack call content. According to their privacy policy, certain types of data are explicitly shared by the user: name, email, phone number, password, and domain. Paid customers also provide their credit card or other payment information. And of course, Slack will store “Customer data,” which they describe as “messages, files or other content submitted,” using their services.
Slack details several types of metadata collected, only some of which are specific to calls. This includes call participants, where a call was started (e.g., via direct message), when a call is entered, when it ends, performance metrics (e.g., latency, jitter). In addition, according to their privacy policy, “Slack logs the Workspaces, channels, people, features, content and links you view or interact with, the types of files shared, and what Third Party Services are used (if any).” They log IP addresses, approximate location, and dates when users access their services. They also log device information, browser type and configurations, language preferences, and cookie data.
What user data does the platform sell?
According to their privacy policy, Slack says they do not sell user data. Instead, their business relies on software subscriptions.
How long does the platform hold on to user data after the user deletes it, or shuts down their account?
According to Slack's security white paper, "Customer data is removed immediately upon deletion by the end user or upon expiration of message retention as configured by the customer administrator. Slack hard deletes all information from currently running production systems (excluding team and channel names, and search 6 terms embedded in URLs in web server access logs) and backups are destroyed within 14 days."
According to their white paper, “Slack’s hosting providers are responsible for ensuring removal of data from disks is performed in a responsible manner before they are repurposed.”
Slack uses Amazon Web Services, and according to their separate documentation, Amazon will securely wipe used server hard disks before repurposing. In other words, Slack data is unlikely to linger on Amazon’s servers following deletion.
Can the platform be self-hosted?
No.
Does the platform publish a yearly transparency report?
Slack has published transparency reports since 2015. The transparency report does not say how often data requests involve Slack video chat data specifically. What we can say is that each year on record, Slack receives and responds to a relatively small handful of U.S. law enforcement data requests. Most recently in 2020, they received 10 warrants for user content data, and produced data in these cases.
Does the platform alert users to requests for their data?
According to Slack, they will notify users of data requests, except in specific circumstances.
As they say in their data request policy, “Unless Slack is prohibited from doing so or there is a clear indication of illegal conduct or risk of harm, Slack will notify Customer of the request before disclosing any of Customer’s Customer Data so that the Customer may seek legal remedies”
Are there any publicly documented cases of law enforcement requests for user data?
We are not aware of any unsealed cases involving Slack’s video conferencing software specifically.
Can I get the job done easily and without abuse?
Does the platform offer the ability to broadcast?
No.
Can I use this platform to host closed room meetings?
Yes. However, only those in the Slack group can participate.
Can I control who can access my call if I want to?
Sort of! The primary way to control who accesses a call is to invite individuals to participate. Users can start a call by opening an invitation to an entire Slack channel, but this allows anyone in that channel to join. To ensure only the right people enter, users must only invite one person at a time, either through opening a direct message with the right person, or by inviting new users to the call while it is ongoing.
What is the maximum meeting group size?
Slack calls support up to 15 participants for paid accounts. Free accounts can only support one-on-one conversations.
Are there accessibility features? If so, what are they?
Slack provides support for keyboard navigation, and screen readers. While their mobile apps work nicely with magnification, the mobile apps do not currently support video conferencing.
Who can record meeting video? Audio? Chats?
Slack does not natively allow video recording. However, workspaces can optionally use third-party apps that do support video recording (e.g., Zoom).
Is there a way to mute participants in the call? How does it work?
No. Users can only mute themselves.
Is there a way to kick participants off the call? How does it work?
Users can’t be removed from the call. Slack’s main way to address this issue is to allow users to selectively invite participants in the first place, either by opening a video chat invitation in a channel, DM, or starting a video chat and adding individual members one-by-one.
You made it to the end!
Now that you’ve read all about the platform, you can evaluate whether it’s right for your situation. If you want to check out another platform, consider looking to our short guide for a high-level comparison, or videoconferencing.guide for many more details. And as always, contact our training team if you need more assistance.
This article was updated on May 9, 2022.