This is a public service announcement.

If your job uses Slack, please remember that the administrators that have been configured can view any channel and download all files and all information published, including channels that are "private" or between 2 individuals.

Your discussions are not secure and can be snooped upon, even private conversations.

In other words: there is no privacy on Slack. Period.

This is the end of this public service

(Don't ask how I know that)

@ParadeGrotesque Oh I am sorry to hear that they didn't tell you.


Well, this is something I suspected of course, but that was neither confirmed nor denied by management at $WORK.

An in-depth perusal through the web interface (no information in the desktop client of course) turned up a couple of people that were both mysteriously very well informed and admins under Slack.

@ParadeGrotesque The way I learned it was when we started digging into "What contracts can we talk about in Slack" which turned up some very interesting details, yeah.

@ParadeGrotesque I have been a Slack administrator and can confirm this is true. Also, I have been told that Slack is now phishing through your messages for advertising purposes as well.

@MrRaptor @bamfic

I am not entirely sure. I believe this is true of all Slack administrators that were defined when setting up the channels of your org.

@ParadeGrotesque more info and cited sources -

there is actually a page you can go to in slack settings (for any user) to see if exporting is enabled. the API on enterprise grid allows anytime export, but free and plus plans require approval and "good reason" for export ability

source & read more:

i also run a slack workspace for a non-profit and these kinds of concerns have been brought up by members, we're on a free non-profit plan

@ParadeGrotesque Here's an interview with the founder. He freely admits he doesn't know why anyone is using it. (from 2015 and I dunno if there's an English version).

The question how a company can even consider outsourcing their internal communication to a third party still leaves me utterly bamboozled.

It's stupid in many ways. It isn't reliable, only claims to be. Worse, most slack or googlemail use I've seen is probably illegal under GDPR.

They just don't care.

@ParadeGrotesque I've heard people claim Mattermost "didn't work well". I don't have any experience with it (anyone here does?) but from my experience with trying to introduce self-hosted free alternatives to proprietary bullshit, they probably just didn't (get a chance to) try very hard ...

This is, unfortunately, the case for many solutions that aim to replace proprietary stuff like Slack.

A lot of companies, these days, just can't be bothered to run their own infrastructure and prefer paying a company to do it for them.

@ParadeGrotesque The sad thing is that you see it in tech companies as well. Full of people who should know better.

Tech companies are the worst in that respect.

Seriously the worst. I have seen old school industrial companies (think big polluting activities) that are more security conscious, and cautious, than the average tech companies.

@quincy @ParadeGrotesque I use Mattermost, and it works quite well. Also used IRC which was OK but terrible when trying to send anything else, i.e. images, as it's not supported by the protocol.
I don't like stuff like Slack and Discourse.

True, but Mastodon is not often used in Corporate settings.

Also, while your Mastodon posting may land you in hot water with your job, the average Mastodon user will get in trouble with their instance admins long before any corporate sanction.


"Private" is extremely misleading for any online service.


... And that is exactly why a little reminder once in a while doesn't hurt!

@ParadeGrotesque Just _saying_ this with no source or what not is a potential form of FUD. Did you test this out with a sample Slack site?

I saw this with a major commercial Slack installation at $WORK.

This is not FUD. This is fact, and plenty of people have posted links to that effect.

Make of that what you will.

@ParadeGrotesque AH okay. I'm just asking something I _know_ someone else might ask (including myself!)

Also: fuck admins who limit chat history to 30 days.

Suffer slow.

@ParadeGrotesque And this is one of various reasons as to why I prefer #XMPP + #SIP instead of #Slack or many others. For other reasons see .

@lm Nope. Slack is the "commercial" version, so to speak, and Mattermost is the open source "copy" of Slack.

@ParadeGrotesque yes, I know that, but nothing is secured either on mattermost so the admin could see everything, no?

@ParadeGrotesque Public service announcement 2: same occurs for Mastodon (and maybe Pleroma)

@Darks @ParadeGrotesque And approximately all chat services… on Rocket Chat you can use OTR between two individuals, but all other conversations are stored in clear text in the MongoDB database…

@ParadeGrotesque I have to imagine Microsoft Teams is probably just as bad, maybe worse... does anybody know?

@ParadeGrotesque very this.
Also slack: no we can't tell you who made the private channel named #dj and can't free up the name for you

@ParadeGrotesque @Lapineige on Slack our local admin cannot see private channels by default. And they cannot access them or direct messages without an official request to Slack, who have to warn us about it. So yes, they can technically access, but not directly and not so easily.

@linuxine @Lapineige

Congratulations! Your organization is less evil than mine, since they assigned "all powerful" admins to our Slack channels. All of them.

@ParadeGrotesque @Lapineige ouch :/ I must say, I do not trust Slack to keep my data secret, that's why I invited my favorite colleagues to my self hosted Matrix server :D

@linuxine @Lapineige

Which is also why me & a lot of friends at work use Signal for important stuff...

@ParadeGrotesque @pertho
The people at GoodGame Studios who wanted to start a works council a few years back (and used the company slack to organize) had to learn this the hard way - they were fired under some pretence..

You are very welcome.

(This is not paranoia, by the way: a lot of people have confirmed what I wrote)

@ParadeGrotesque I recently wrote up guidance to a group that suggested as much. It may be fine if the use case is entirely professional/transparent/flat organisation but most people don't get the access a super admin has until you show them the screen shots.

@ParadeGrotesque @phessler Meanwhile #IRC has been around since 1988, solving the problem of discussion channels and provides functionality for direct peer-to-peer communication and file exchange when needed.

Afair the people affected by the snooping are informed of this by Slack. Correct me if I'm wrong. Our company transitioned to self-hosted Mattermost and decided to show images posted in private chats (nothing embarrassing, but without consent) at our Christmas party. Needless to say it caused quite the shitstorm. I'd say there's no privacy in anything not using e2e encryption.

Mastodon @ SDF