Exploring a Loophole in Slack’s Team Privacy

A colleague recently left a job, and I suggested that, as part of her purge of personal data associated with her work accounts, she delete her Slack account in order to destroy personal messages sent through direct messages (what Slack often refers to as “conversations”) or in private channels. My understanding was that her public messages would persist, thus not violating any employment agreement or making older public conversations incomprehensible, while no one would ever have access to her non-public communications.

I was wrong. Slack doesn’t let users delete their accounts. Instead, the company deactivates them, which isn’t the same thing. That would be fine if the member were the only person who could reactivate the account. But there is a gap through which access can slip. While I don’t believe this design is intentional, it undermines some of Slack’s statements about user privacy, which otherwise offer strong protections, even between the members of a team and the team’s owner.

The hole in this case relies on a combination of how Slack uses email addresses and its lack of a true bulk delete option for member messages. Other services in which messages, files, or other interactions are hosted may have a similar way around the privacy expectations of many users, even business users.

Slack Private Message Policies -- According to Slack, all posts in direct messages and private channels can be seen only by recipients and participants in those channels. This claim isn’t explicitly noted on Slack’s site, but I confirmed it with the company in several different ways while writing “Take Control of Slack Basics” and “Take Control of Slack Admin” earlier this year.

Paid team owners can configure message retention policies, which can either enhance retention by creating a log of every edit and deletion, or limit retention by deleting messages (public, private, and direct) and files after a certain number of days. (Some companies routinely age out messages to limit their ability to provide old information in lawsuits or prosecutions.) Free teams can see only the last 10,000 messages, but older messages are retained and can’t be deleted; they become available if a free team upgrades to paid.

However, setting a message retention policy doesn’t give admins access to direct messages and private channels. Conceivably, Slack could be compelled by law enforcement to provide such messages that remain in the system, but that’s a far cry from any team admin being able to snoop on private messages.

There is another way that private messages can cease to be private. An owner of a Plus tier paid team can request compliance exports, which can be required for certain kinds of businesses. Compliance exports include all private and direct messages. Slack says it evaluates each request, and an organization has to prove to Slack that such an export is needed. Team members are notified if compliance exports are turned on when they join a team, or if they’re enabled afterward. However, no direct messages or private channel messages from before compliance exports are approved by Slack will be included in the export.

In other words, unless you’re in a team with a retention policy that retains edited and deleted messages, you can delete all your messages from conversations, private channels, and public channels at any time — one by one — and they disappear forever.

However, all these protections assume you maintain control of your email account and that an admin can’t change your Slack account’s associated email address.

Email Is the Weak Link -- What I didn’t previously anticipate, and what Slack technical support has now confirmed, is that a team member who wants to delete their account is disabling the account, not removing messages. As noted, Slack describes this action as account deactivation, not deletion, and the company is up front about how deactivating an account does not remove messages or files you’ve posted.

This fact puts privacy pressure on the email address associated with your Slack account. If your employer controls that address, as is common, any admin with sufficient privileges could reset your email password, request a password reset for your Slack account, and access the new Slack password link. That would make all of your private messages in the team available, subject to either the 10,000-message limit of a free team or the retention policy of a paid team.

And if you’re on a paid team, a team admin could simply change the email address associated with your Slack account. Changing it to an address that the admin can access is all that’s necessary to receive a Slack password reset request and get into your private message traffic.

The solution, which Slack mentions, is that you can go through your private messages and delete them manually before deactivating your account. However, there’s no “nuke DMs” button, so you would have to go through and delete messages one at a time. Possible, but tedious at best.
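There is no bulk-delete button, but the one-at-a-time deletion can be scripted against Slack’s Web API. The following is an added example, not code from the article or from Slack; it assumes the current `auth.test`, `conversations.list`, `conversations.history` and `chat.delete` methods (the API has changed since 2016), a user token with `im:read`, `im:history` and `chat:write` scopes, and an injectable transport so the logic can be checked offline against a constructed fake (`fake_api`).

```python
import json
import urllib.parse
import urllib.request

def http_api(token):
    """Real transport (assumed endpoint layout): POST form args to https://slack.com/api/<method>."""
    def call(method, args):
        req = urllib.request.Request(f"https://slack.com/api/{method}",
                                     data=urllib.parse.urlencode(args).encode(),
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return call

def paged(api, method, key, **args):
    """Collect `key` across Slack cursor pagination (response_metadata.next_cursor)."""
    items, cursor = [], ""
    while True:
        resp = api(method, {**args, "limit": "200", **({"cursor": cursor} if cursor else {})})
        if not resp.get("ok"):
            raise RuntimeError(f"{method} failed: {resp.get('error')}")
        items.extend(resp.get(key, []))
        cursor = resp.get("response_metadata", {}).get("next_cursor", "")
        if not cursor:
            return items

def purge_own_dms(api, dry_run=True):
    """Return (channel, ts) of every message *you* posted in any DM; delete them unless dry_run.
    chat.delete only accepts your own messages, so the other participant's lines are untouched."""
    me = api("auth.test", {})["user_id"]
    hits = []
    for im in paged(api, "conversations.list", "channels", types="im"):
        for msg in paged(api, "conversations.history", "messages", channel=im["id"]):
            if msg.get("user") != me or msg.get("subtype"):  # skip joins, bot posts, etc.
                continue
            if not dry_run and not api("chat.delete", {"channel": im["id"], "ts": msg["ts"]}).get("ok"):
                raise RuntimeError(f"could not delete {im['id']}/{msg['ts']}")
            hits.append((im["id"], msg["ts"]))
    return hits

def fake_api(dms):
    """Constructed offline stand-in for the four methods above; `dms` is sample data, not Slack's."""
    def call(method, args):
        if method == "chat.delete":
            dms[args["channel"]] = [m for m in dms[args["channel"]] if m["ts"] != args["ts"]]
        return {"ok": True, "user_id": "U_ME", "channels": [{"id": c} for c in dms],
                "messages": list(dms.get(args.get("channel"), []))}
    return call
```

Run `purge_own_dms(http_api(token))` first to see what would go, then with `dry_run=False`; each `chat.delete` is still a single call, so a long history takes a while under Slack’s rate limits, and a paid team’s retention policy may keep an edit/delete log regardless.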

Slack isn’t doing anything wrong here — there are good reasons why even private message traffic can be accessed with some effort. In America, firms typically have legal access to all communications on company-owned equipment or using corporate servers and services, and they own all the data — even supposedly private data — transmitted. There’s no default expectation of privacy, though companies may offer privacy guarantees through employment policies or under union contracts. (Promising nothing should impose no burden, but I am not offering legal advice here.)

When you leave a job, you probably shouldn’t be able to delete all your associated correspondence, whether public or private. In the wrong circumstances, deleting files (including email) when you’re leaving to set up a new business or going to work for a competing company could lead to a lawsuit under a federal law designed to help businesses protect trade secrets!

Plus, private messages sometimes turn out to hide illegal behavior, discrimination, and other problems, as we’ve seen in lawsuits and criminal trials since companies began to use email. Companies want to protect themselves against rogue employees (or have a scapegoat handy), and retaining private messages helps.

Disclosure is always the key. If a company promises you as an employee that your non-public company communications are yours to delete, great; if you sign a contract that says the company might inspect any message and that you can’t delete data, you should avoid corporate services for anything truly private.

How Can Slack Clarify and Fix This? -- Given the intention towards privacy that Slack consistently expresses, the company could offer better explanations and clarify expectations with a few minor changes. Slack could:

  • Explain better just how private messages really are when someone joins a team. While Slack mentions compliance exports, the company should also note: “Direct messages and those posted in private channels remain private unless a team owner or admin controls your email address, in which case they may be able to read messages at some point in the future. Post accordingly.” For paid teams, the warning should also include, “Your account’s associated email address can be changed by a team owner or admin, who could then reset your Slack password and access past private messages.”

  • Disclose privacy expectations at the start of every new conversation. Right now, the message Slack shows reads, “Direct messages are private between the two of you” for a two-person conversation. That should be modified to include the provisos about resetting a password via email or changing an account’s email address, depending on the team type.

  • Offer a “nuke DMs” option for users leaving a team, but give team admins the capability to override it. For the admin, the setting could be described as, “You can let team members who deactivate their accounts delete their side of all conversations.” And in the team member’s deactivation process, explanatory messages could include: “Your team lets you delete all your direct messages,” “You can only delete direct messages one at a time,” or “You cannot delete any direct messages.” (I’d argue private channels aren’t intended to have the same level of eternal privacy.)

Should you use a company-owned service to discuss things you don’t want your employer to find out about ever? No. Setting up a separate free Slack team to have bitch sessions with fellow employees might be a safer course of action, though it could have its own legal problems, depending on the confidentiality of the topics discussed.

People are better served when they know more about a situation. Slack’s intent is transparent disclosure of message privacy, and the company could do a better job in this hazy area. More generally, if you work for or contract with any organization, it’s best to assume that you have no expectation of privacy for communications on work-owned devices or services. If you’re concerned about that, bring your own device and keep work and personal communications completely separate.


Comments about Exploring a Loophole in Slack’s Team Privacy

Lewis Butler (TidBITS Benefactor) 2016-08-31 09:48
Some Slack teams that one would think are free tier teams are not, so you may be in a Slack where admins have complete control over your posts, DMs, history, and email link and not even know it.

For example, I am on a large team for admins which I would expect is a free team, but I know for a fact that someone at Slack has elevated this team to behave as if it was one with top-tier payment options, so I have to be aware that anything I say on that team, even in DM, is not private. I bet a lot of the people on this team have no idea about this, however. As far as I know, there is no way for a USER to know what sort of team they are on.
Glenn Fleishman (TidBITS Staffer) 2016-08-31 12:50
That’s fascinating. And it is an issue. Not to assume anyone is malicious, but any system in which you can’t completely control who has access to your account — which here is a Slack admin in a paid team being able to change the email address of your member account — means that you can’t truly know who could read your messages.