This is a public service announcement.
If your job uses Slack, please remember that the administrators that have been configured can view any channel and download all files and all information published, including channels that are "private" or between 2 individuals.
Your discussions are not secure and can be snooped upon, even private conversations.
In other words: there is no privacy on Slack. Period.
This is the end of this public service
(Don't ask how I know that)
@ParadeGrotesque This is also true of most other "enterprise" software.
@ParadeGrotesque Oh I am sorry to hear that they didn't tell you.
Well, this is something I suspected of course, but that was neither confirmed nor denied by management at $WORK.
An in-depth perusal through the web interface (no information in the desktop client of course) turned up a couple of people that were both mysteriously very well-informed and admins under Slack.
@ParadeGrotesque The way I learned it was when we started digging into "What contracts can we talk about in Slack" which turned up some very interesting details, yeah.
@ParadeGrotesque org-level admins or slack-hq admins?
@ParadeGrotesque more info and cited sources -
there is actually a page you can go to in slack settings (for any user) to see if exporting is enabled. the API on enterprise grid allows anytime export, but free and plus plans require approval and "good reason" for export ability
i also run a slack workspace for a non-profit and these kinds of concerns have been brought up by members, we're on a free non-profit plan
@ParadeGrotesque Here's an interview with the founder. He freely admits he doesn't know why anyone is using it.
https://t3n.de/news/stewart-butterfield-slack-interview-591325/ (from 2015 and I dunno if there's an English version).
The question how a company can even consider outsourcing their internal communication to a third party still leaves me utterly bamboozled.
It's stupid in many ways. It isn't reliable, only claims to be. Worse, most slack or googlemail use I've seen is probably illegal under GDPR.
They just don't care.
@ParadeGrotesque I've heard people claim Mattermost "didn't work well". I don't have any experience with it (anyone here does?) but from my experience with trying to introduce self-hosted free alternatives to proprietary bullshit, they probably just didn't (get a chance to) try very hard ...
This is, unfortunately, the case for many solutions that aim to replace proprietary stuff like Slack.
A lot of companies, these days, just can't be bothered to run their own infrastructure and prefer paying a company to do it for them.
@ParadeGrotesque The sad thing is that you see it in tech companies as well. Full of people who should know better.
Tech companies are the worst in that respect.
Seriously the worst. I have seen old school industrial companies (think big polluting activities) that are more security conscious, and cautious, than the average tech companies.
@ParadeGrotesque To extend this PSA: Unless a communications system uses end-to-end encryption, the administrators can see your traffic if they need to or want to. In general, you'll know if the system you're on uses end-to-end encryption, because it's generally either non-trivial to set up, or uses a niche product, or likely both.
So basically, unless you are already aware of everything in this thread, assume the admins of whatever services you're using can see your messages.
@ParadeGrotesque you mean it is just like Mastodon
True, but Mastodon is not often used in Corporate settings.
Also, while your Mastodon posting may land you in hot water with your job, the average Mastodon user will get in trouble with their instance admins long before any corporate sanction.
"Private" is extremely misleading for any online service.
... And that is exactly why a little reminder once in a while doesn't hurt!
@ParadeGrotesque Just _saying_ this with no source or what not is a potential form of FUD. Did you test this out with a sample Slack site?
@jalcine @ParadeGrotesque This did the rounds a year ago. https://mashable.com/2018/03/21/slack-direct-message-privacy-change/?europe=true#mjLeNqrTtaqM
I saw this with a major commercial Slack installation at $WORK.
This is not FUD. This is fact, and plenty of people have posted links to that effect.
Make of that what you will.
@ParadeGrotesque AH okay. I'm just asking something I _know_ someone else might ask (including myself!)
At the end of the day it comes down to the difference between:
* A professional admin and an idiot.
* A well-run organisation and one that is not.
Agreed. Let's just say that the company I belong to is not very well run. And I'll leave it at that.
You do have my sympathy. 👍
Also: fuck admins who limit chat history to 30 days.
@ParadeGrotesque hoi! *wingwaves*
How is this any different than Skype for Business? Also what moron assumes that their employer-provided communications channel is private and not auditable?
@ParadeGrotesque hi, is that the same with mattermost?
@lm Nope. Slack is the "commercial" version, so to speak, and Mattermost is the open source "copy" of Slack.
@ParadeGrotesque yes, I know that, but nothing is secured either on mattermost so the admin could see everything, no?
@ParadeGrotesque Public service announcement 2: same occurs for Mastodon (and maybe Pleroma)
What worries me is why would anyone assume a service like Slack offers any kind of privacy to begin with.
Well, there are rules and regulations on privacy at your workplace.
For example: in my country, a folder named "Personal" in your email client is supposed to be off-limits for your employer.
Yes, it's stupid / ridiculous / impossible to enforce, but still.
There are, as far as I can tell, no privacy guarantees in Slack *at all*. None.
And that bears repeating.
@ParadeGrotesque Thank you for affirming my paranoia
You are very welcome.
(This is not paranoia, by the way: a lot of people have confirmed what I wrote)
@ParadeGrotesque I recently wrote up guidance to a group that suggested as much. It may be fine if the use case is entirely professional/transparent/flat organisation but most people don't get the access a super admin has until you show them the screenshots.