- The Electronic Frontier Foundation, one of the most powerful internet privacy watchdog groups, has written an op-ed in the New York Times to warn people about using chat app Slack.
- Specifically, the EFF takes issue with the fact that Slack is set to retain all messages forever by default.
- The EFF wants Slack to give individual users more control over their data.
- Slack only makes data control features available to people who pay to use its service. Free users have to manually delete messages to remove them from Slack’s servers.
One of the most powerful internet privacy watchdog groups, The Electronic Frontier Foundation, has written an op-ed in the New York Times to warn people about using the work chat app Slack – which recently went public, and is now valued at some $18 billion on the public market.
The EFF’s main complaint is that Slack retains all messages forever by default and does not give individual users, particularly those using its free accounts, enough options to control their own data themselves.
“It is possible for Slack to minimize that risk. Or it would be, if Slack gave all its users the ability to decide which information Slack should keep and which information it should delete,” wrote the EFF’s associate director of research Gennie Gebhart, in the Times.
“Right now, Slack stores everything you do on its platform by default – your username and password, every message you’ve sent, every lunch you’ve planned and every confidential decision you’ve made,” she writes.
Slack’s privacy page explains that with all plans, paid or free, “the default message and file retention setting is to keep everything for as long as the workspace exists.”
Slack says it keeps all that data so if someone upgrades from free to a paid account, all their messages will still be there. Only paid customers get tools for managing data retention, however.
For people using the free plan, the only option to control data is to manually delete any message you don’t want Slack to store forever. And even that is limited, since the free plan limits access to the most recent 10,000 messages. There’s no going back earlier than that, even to manually delete messages, without upgrading to a paid account.
A Slack spokesperson explains:
“We do not offer a free version of our product that allows for unlimited message access because at our core, we are an enterprise software platform and our policies, practices, and default settings are aligned to that mission. If a customer exceeds a 10,000 message limit and chooses to upgrade to a paid plan, they are able to access their full archive of messages and files as well as use custom retention settings. All Slack customers – including customers on free teams – can manually delete messages at any time.”
It’s also worth noting that it’s up to the administrator of a paid Slack account to set the policies on data retention. For instance, Business Insider uses Slack, and our administrators have set it up to delete everything after two weeks by default.
There are pluses and minuses to that. The data retention issue is solved, but if you want to refer back to a message or file shared with your team – or even a note you made to yourself – from longer than two weeks ago, it’s gone, and employees cannot do anything on their own accounts to change that.
Businesses on some plans can also gain access to everything their employees enter in Slack, even private messages, and even messages before they were edited.
Employees can find out their company’s policies on this, although the screen with that info isn’t especially easy to find. Users need to log in to their corporate Slack in a browser and then go to the URL “/account/workspace-settings.”
The EFF also isn’t happy with how Slack encrypts messages – although Slack’s policies on this are not, perhaps, as dire as the EFF alleges. The EFF wants Slack to implement end-to-end encryption, which means only the sender and intended recipient can see any messages.
Slack encrypts messages in transit, as many websites do, and while data is stored on its servers, it says. This keeps data safer from hackers, but also means that Slack can hand plain text data over to law enforcement should they come calling with appropriate legal documents, it says.
The important point to understand is that Slack is a for-profit business and one of the things it charges for is better control over data. The company also emphasizes that it’s a tool really designed to be used by businesses, not consumers. For conversations that need to be extra private, like communications between activists, community organizers, and journalists, Slack may not be private enough.
A spokesperson tells us:
“Slack is a business tool with both free and paid subscription models that allow us to meet customers where they are. We take the security and privacy of our customers’ data very seriously, and have received internationally recognized privacy and security certifications for information security management and protecting personal data in the cloud.