
This is a public service announcement.

If your job uses Slack, please remember that the administrators that have been configured can view any channel and download all files and all information published, including channels that are "private" or between 2 individuals.

Your discussions are not secure and can be snooped upon, even private conversations.

In other words: there is no privacy on Slack. Period.

This is the end of this public service announcement.

(Don't ask how I know that)

@ParadeGrotesque Oh I am sorry to hear that they didn't tell you.

Jerks.

@sng
Well, this is something I suspected of course, but that was neither confirmed nor denied by management at $WORK.

An in-depth perusal through the web interface (no information in the desktop client, of course) turned up a couple of people that were both mysteriously very well informed and admins under Slack.

@ParadeGrotesque The way I learned it was when we started digging into "What contracts can we talk about in Slack" which turned up some very interesting details, yeah.

@ParadeGrotesque I have been a Slack administrator and can confirm this is true. Also, I have been told that Slack is now fishing through your messages for advertising purposes as well.

@MrRaptor @bamfic

I am not entirely sure. I believe this is true of all Slack administrators that were defined when setting up the channels of your org.

@ParadeGrotesque more info and cited sources -

There is actually a page you can go to in Slack settings (for any user) to see if exporting is enabled. The API on Enterprise Grid allows anytime export, but Free and Plus plans require approval and a "good reason" for export ability.

source & read more: mashable.com/2018/03/21/slack-

get.slack.help/hc/en-us/articl

I also run a Slack workspace for a non-profit, and these kinds of concerns have been brought up by members; we're on a free non-profit plan.

@ParadeGrotesque Here's an interview with the founder. He freely admits he doesn't know why anyone is using it.

t3n.de/news/stewart-butterfiel (from 2015 and I dunno if there's an English version).

The question of how a company can even consider outsourcing their internal communication to a third party still leaves me utterly bamboozled.

It's stupid in many ways. It isn't reliable, it only claims to be. Worse, most Slack or Googlemail use I've seen is probably illegal under GDPR.

They just don't care.

@ParadeGrotesque I've heard people claim Mattermost "didn't work well". I don't have any experience with it (anyone here does?) but from my experience with trying to introduce self-hosted free alternatives to proprietary bullshit, they probably just didn't (get a chance to) try very hard ...

@quincy
This is, unfortunately, the case for many solutions that aim to replace proprietary stuff like Slack.

A lot of companies, these days, just can't be bothered to run their own infrastructure and prefer paying a company to do it for them.

@ParadeGrotesque The sad thing is that you see it in tech companies as well. Full of people who should know better.

@quincy
Tech companies are the worst in that respect.

Seriously the worst. I have seen old-school industrial companies (think big polluting activities) that are more security conscious, and cautious, than the average tech company.

@quincy @ParadeGrotesque I use Mattermost, and it works quite well. Also used IRC, which was OK but terrible when trying to send anything else, i.e. images, as it's not supported by the protocol.
I don't like stuff like Slack and Discourse.

@quincy @ParadeGrotesque Mattermost works rather well. Integrates with GitLab as well.

@ParadeGrotesque To extend this PSA: Unless a communications system uses end-to-end encryption, the administrators can see your traffic if they need to or want to. In general, you'll know if the system you're on uses end-to-end encryption, because it's generally either non-trivial to set up, or uses a niche product, or likely both.

So basically, unless you are already aware of everything in this thread, assume the admins of whatever services you're using can see your messages.

@arjen
True, but Mastodon is not often used in Corporate settings.

Also, while your Mastodon posting may land you in hot water with your job, the average Mastodon user will get in trouble with their instance admins long before any corporate sanction.

@ParadeGrotesque

"Private" is extremely misleading for any online service.

@mortal

... And that is exactly why a little reminder every once in a while doesn't hurt!

@ParadeGrotesque Yep, if you need privacy you should be using an out-of-band communication method.

@ParadeGrotesque Just _saying_ this with no source or what not is a potential form of FUD. Did you test this out with a sample Slack site?

@jalcine
I saw this with a major commercial Slack installation at $WORK.

This is not FUD. This is fact, and plenty of people have posted links to that effect.

Make of that what you will.

@ParadeGrotesque AH okay. I'm just asking something I _know_ someone else might ask (including myself!)

@ParadeGrotesque

I imagine that's the case. Same with #email, #XMPP, #Mastodon, #IRC, #SMS and in principle anything that doesn't use end to end encryption, and even then you still have the #metadata.

At the end of the day it comes down to the difference between:
* A professional admin and an idiot.
* A well-run organisation and one that is not.
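The two points above, that an administrator can read anything a system does not end-to-end encrypt, and that even with end-to-end encryption the metadata stays visible, can be made concrete. The following Python is an added example and not code from this thread, from Slack or from any of the products mentioned: the `ChatServer` class is a hypothetical Slack-like store, the HMAC-based cipher is a deliberately simple toy standing in for a real AEAD, the message text is made up, and the shared key is assumed to have been agreed between the two users out of band so the server never holds it.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field

# --- toy end-to-end layer -------------------------------------------------
# Illustrative construction only: HMAC-SHA256 used as a counter-mode keystream,
# plus a separate HMAC tag for integrity. Real software should use a vetted
# AEAD; the point demonstrated here is only that the server never sees the key.

def _subkey(root: bytes, label: bytes) -> bytes:
    return hmac.new(root, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def e2e_encrypt(root_key: bytes, plaintext: bytes) -> dict:
    nonce = os.urandom(16)
    ks = _keystream(_subkey(root_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(root_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"v": 1, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def e2e_decrypt(root_key: bytes, envelope: dict) -> bytes:
    nonce = bytes.fromhex(envelope["nonce"])
    ct = bytes.fromhex(envelope["ct"])
    tag = bytes.fromhex(envelope["tag"])
    expected = hmac.new(_subkey(root_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("message was modified in transit or at rest")
    ks = _keystream(_subkey(root_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

# --- the hosted service (hypothetical) -------------------------------------

@dataclass
class ChatServer:
    """Stores every message exactly as the client sent it, DMs included."""
    store: list = field(default_factory=list)

    def send(self, sender: str, recipient: str, body: str) -> None:
        self.store.append({"seq": len(self.store), "from": sender, "to": recipient, "body": body})

    def admin_export(self) -> list:
        # A workspace export is simply a copy of every stored record.
        return [dict(m) for m in self.store]

def admin_view(export: list) -> list:
    """What an administrator learns from each exported record."""
    view = []
    for m in export:
        rec = {"from": m["from"], "to": m["to"], "bytes": len(m["body"])}
        try:
            env = json.loads(m["body"])
            is_envelope = isinstance(env, dict) and {"nonce", "ct", "tag"}.issubset(env)
        except ValueError:
            is_envelope = False
        rec["content"] = None if is_envelope else m["body"]   # metadata always survives
        view.append(rec)
    return view

SECRET = "the contract with Acme is signed"   # constructed sample message

def plaintext_dm() -> dict:
    srv = ChatServer()
    srv.send("alice", "bob", SECRET)
    return admin_view(srv.admin_export())[0]          # admin reads the DM verbatim

def e2e_dm() -> tuple:
    srv = ChatServer()
    shared = os.urandom(32)   # assumed agreed out of band; never sent to srv
    srv.send("alice", "bob", json.dumps(e2e_encrypt(shared, SECRET.encode())))
    export = srv.admin_export()
    admin_sees = admin_view(export)[0]                # from/to/size only
    bob_reads = e2e_decrypt(shared, json.loads(export[0]["body"])).decode()
    return admin_sees, bob_reads

def tampered_dm_detected() -> bool:
    shared = os.urandom(32)
    env = e2e_encrypt(shared, SECRET.encode())
    ct = bytearray(bytes.fromhex(env["ct"]))
    ct[0] ^= 0x01                                      # admin edits one stored byte
    env["ct"] = ct.hex()
    try:
        e2e_decrypt(shared, env)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("plaintext service, admin sees:", plaintext_dm())
    sees, reads = e2e_dm()
    print("e2e service, admin sees:", sees)
    print("e2e service, bob reads:", reads)
    print("tampering detected:", tampered_dm_detected())
```

Running it shows the asymmetry the thread is about: the export of the plaintext service contains the DM word for word, while the export of the end-to-end variant still lists who talked to whom and how much, but the body is opaque to the administrator and any edit to the stored ciphertext is rejected on decryption.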

@61

Agreed. Let's just say that the company I belong to is not very well run. And I'll leave it at that.

@ParadeGrotesque
Also: fuck admins who limit chat history to 30 days.

Suffer slow.

@ParadeGrotesque And this is one of various reasons as to why I prefer #XMPP + #SIP instead of #Slack or many others. For other reasons see libreplanet.org/wiki/XMPP .

@ParadeGrotesque
How is this any different from Skype for Business? Also, what moron assumes that their employer-provided communications channel is private and not auditable?

@lm Nope. Slack is the "commercial" version, so to speak, and Mattermost is the open source "copy" of Slack.

@ParadeGrotesque Yes, I know that, but nothing is secured on Mattermost either, so the admin could see everything, no?

@ParadeGrotesque Public service announcement 2: same occurs for Mastodon (and maybe Pleroma)

@Darks @ParadeGrotesque And approximately all chat services… on Rocket Chat you can use OTR between two individuals, but all other conversations are stored in clear text in the MongoDB database…

@ParadeGrotesque I have to imagine Microsoft Teams is probably just as bad, maybe worse... does anybody know?

@ParadeGrotesque very this.
Also Slack: no, we can't tell you who made the private channel named #dj and can't free up the name for you.

@ParadeGrotesque
What worries me is why would anyone assume a service like Slack offers any kind of privacy to begin with.

@strider

Well, there are rules and regulations on privacy at your workplace.

For example: in my country, a folder named "Personal" in your email client is supposed to be off-limits for your employer.

Yes, it's stupid / ridiculous / impossible to enforce, but still.

There are, as far as I can tell, no privacy guarantees in Slack *at all*. None.

And that bears repeating.

@ParadeGrotesque @Lapineige On Slack our local admin cannot see private channels by default. And they cannot access them or direct messages without an official request to Slack, which has to warn us about it. So yes, they can technically access them, but not directly and not so easily.

@linuxine @Lapineige

Congratulations! Your organization is less evil than mine, since they assigned "all powerful" admins to our Slack channels. All of them.

@ParadeGrotesque @Lapineige ouch :/ I must say, I do not trust Slack to keep my data secret, that's why I invited my favorite colleagues to my self hosted Matrix server :D

@linuxine @Lapineige

Which is also why me & a lot of friends at work use Signal for important stuff...

@ParadeGrotesque @pertho
The people at GoodGame Studios who wanted to start a works council a few years back (and used the company Slack to organize) had to learn this the hard way - they were fired under some pretence...

@Doomed_Daniel @ParadeGrotesque Oof. That is horrible. Yeah, never use Slack if you want privacy.

@spamilton
You are very welcome.

(This is not paranoia, by the way: a lot of people have confirmed what I wrote)

@ParadeGrotesque I recently wrote up guidance to a group that suggested as much. It may be fine if the use case is entirely professional/transparent/flat organisation, but most people don't get the access a super admin has until you show them the screenshots.

Mastodon @ SDF