Slack retains messages forever and is at risk from state hackers, experts warn

Workplace messaging app admits risk from 'sophisticated organised crime, nation-state, and nation-state supported actors'

Anthony Cuthbertson
Wednesday 03 July 2019 13:47 BST
Comments
The Slack messaging app was down across Windows, Mac, iOS and Android platforms on Wednesday 27 June
The Slack messaging app was down across Windows, Mac, iOS and Android platforms on Wednesday 27 June (REUTERS)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

An online privacy watchdog has issued a stark warning about the risks of using the popular workplace chat app Slack.

Gennie Gebhart, who serves as the associate director of research at the Electronic Frontier Foundation, outlined the threat of nation-state attacks using the troves of personal data that Slack stores.

In an op-ed in the New York Times, Ms Gebhart cited Slack’s recent filing with the Securities and Exchange Commission, which highlighted threats from “sophisticated organised crime, nation-state, and nation-state supported actors”.

In the filing Slack claimed it is “virtually impossible” to eliminate this risk, though Ms Gebhart claimed any such attack could be averted by simply readjusting Slack’s user policy.

“Right now, Slack stores everything you do on its platform by default – your username and password, every message you’ve sent, every lunch you’ve planned and every confidential decision you’ve made,” she wrote.

“That data is not end-to-end encrypted, which means Slack can read it, law enforcement can request it, and hackers – including the nation-state actors highlighted in Slack’s [SEC filing] – can break in and steal it.”

Ms Gebhart warned that it is not just big companies that are at risk, but also political organisations, journalists, activists and other users of the messaging app.

Slack’s policy states that for both its premium and free service, “the default message and file retention settings is to keep everything for as long as the workspace exists”.

Those using the free version, however, will not be able to see the messages after a certain time limit or message count is reached – despite them remaining on Slack’s servers.

Slack explained this policy in a statement sent to media, claiming the data is stored in case a user chooses to upgrade.

“We take the security and privacy of our customers’ data very seriously, and have received internationally recognised privacy and security certifications for information security management and protecting personal data in the cloud,” a Slack spokesperson said.

“All Slack customers — including customers on free teams — can manually delete messages at any time.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in