Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Communications

Why Is Slack Retaining Everyone's Chat History? (nytimes.com) 104

The associate director of research at the Electronic Frontier Foundation published a new warning in the Opinion section of the New York Times this week, calling Slack the only unicorn going public this year "that has admitted it is at risk for nation-state attacks" and saying there's a simple way to minimize risk -- that Slack has so far refused to take:

Right now, Slack stores everything you do on its platform by default -- your username and password, every message you've sent, every lunch you've planned and every confidential decision you've made. That data is not end-to-end encrypted, which means Slack can read it, law enforcement can request it, and hackers -- including the nation-state actors highlighted in Slack's S-1 -- can break in and steal it...

Slack's paying enterprise customers do have a way to mitigate their security risk -- they can change their settings to set shorter retention periods and automatically delete old messages -- but it's not just big companies that are at risk... Free customer accounts don't allow for any changes to data retention. Instead, Slack retains all of your messages but makes only the most recent 10,000 visible to you. Everything beyond that 10,000-message limit remains on Slack's servers. So while those messages might seem out of sight and out of mind, they are all still indefinitely available to Slack, law enforcement and third-party hackers...

Slack should give everyone the same privacy protections available to its paying enterprise customers and let all of its users decide for themselves which messages they want to keep and which messages they want to delete. It's undeniably Slack's prerogative to charge for a more advanced product, but making users pay for basic privacy and security protections is the wrong call. It's time for Slack to step up, minimize the amount of sensitive data hanging around on its servers and give all its users retention controls.

The article notes that Slack's stock filings acknowledge that it faces threats from "sophisticated organized crime, nation-state, and nation-state supported actors."

The filings even specifically add that Slack's security measures "may not be sufficient to protect Slack and our internal systems and networks against certain attacks," and that completely eliminating the threat of a nation-state attack would be "virtually impossible."
This discussion has been archived. No new comments can be posted.

Why Is Slack Retaining Everyone's Chat History?

Comments Filter:
  • For the money (Score:5, Insightful)

    by nospam007 ( 722110 ) * on Saturday July 06, 2019 @09:38AM (#58881944)

    Next question?

  • by Anonymous Coward

    And will mine it to sell to advertisers. Grow up you tards. Its free, meaning you are the product. Shit even if its not free, you are the product

  • by DontBeAMoran ( 4843879 ) on Saturday July 06, 2019 @09:47AM (#58881986)

    We can only read 10 articles per month from https://www.nytimes.com/ [nytimes.com]

    • by tepples ( 727027 )

      As I understand it: Slashdot links to paywalled sites for the benefit of the fraction of Slashdot users who subscribe to those sites. In some cases, this includes The Wall Street Journal, which offers zero (0) free articles per month. The rest of users are not expected to read the featured article before commenting but are expected to read the summary in its entirety.

      • by Anonymous Coward

        Could you explain what "reading the article" and "reading the summary" means to those of us here on Slashdot?
        -Thanks!
        Long time Slashdot user; posting as AC.

      • Whoa whoa whoa, take that $#!% somewhere else. You can't just go accusing people of reading TFA. Even suggesting someone read TFS is bad enough.

        Okay, off to /b/ with you. Let the punishment fit the crime.

    • You can get around the paywall for NYT. I would tell you how, but if you can't figure it out, you probably shouldn't be here.
  • by Improv ( 2467 ) <pgunn01@gmail.com> on Saturday July 06, 2019 @09:58AM (#58882032) Homepage Journal

    When I join a new company that uses Slack, I have access to chat history for all the channels I'm on, and can find solutions to concrete problems and see discussions that led to a decision. It's very useful. That's why Slack uses limitations on search on the free version as a way to get people to upgrade - history is a feature. Short retention periods may be useful for some limited kinds of discussion, but it would be an awful default for most.

    • by tippen ( 704534 )
      ^ this
    • Comment removed based on user account deletion
    • by tlhIngan ( 30335 )

      When I join a new company that uses Slack, I have access to chat history for all the channels I'm on, and can find solutions to concrete problems and see discussions that led to a decision. It's very useful. That's why Slack uses limitations on search on the free version as a way to get people to upgrade - history is a feature. Short retention periods may be useful for some limited kinds of discussion, but it would be an awful default for most.

      That's what wiki sites are for, because the information is now n

      • by Improv ( 2467 )

        There's a place for wikis too, but they usually capture more tested information and howtos, and they usually cover less. Slack (or Flowdock, or other competitors) are a much larger, non-curated resource that you go to if the wiki doesn't cover it. Important to have both.

  • EFF does lots of good work, but Gennie Gebhart is dangerously wrong on this one.

    The entire premise of "services should be free" is what has enabled the Surveillance Society on the Internet. Trying to shame Slack into giving a token more privacy merely extends the problem, and in doing so makes it worse. They're still not e2e and of course they have incentive to mine the chat data for sale to the highest bidder. The cynic may say that they are taking this IPO opportunity to try to get some free press, but

    • The entire premise of "services should be free" is what has enabled the Surveillance Society on the Internet. Trying to shame Slack into giving a token more privacy merely extends the problem, and in doing so makes it worse.

      It's terrible karma to ignore fixing $IMMEDIATE_PROBLEM in the hope—often naive—that by doing so you can turn collective attention toward addressing a deeper root problem.

      Often the deepest root meta problem is that people don't want to solve the deepest root problem. Or they

  • because it's work, not sexting with your boyfriend

  • Because the can, and they'll probably want to monetize it someday.
  • If you want to replace email you need to do it with something that meets current legal discovery guidelines, or you'll be toast in court.
    • by anegg ( 1390659 )

      If you want to replace email you need to do it with something that meets current legal discovery guidelines, or you'll be toast in court.

      Legal discovery is a process through which an adversary gets to troll through one's records looking for clues that will bolster their suit against one. It is generally in one's best interests to have as few records available for discovery as possible, if only to avoid the expense of having to make those records available. The dynamic tension for a business lies in the need of that business to maintain some historical records for their own benefit, and to meet specific legal record-keeping requirements bas

  • That feature is for micromanaging peanut-brain managers.

    I worked for a guy who would trawl the logs looking for any little detail to ding you on. We had to report arrival, breaks, (yes potty breaks too), lunch, and departure. All communications were done on Slack first with email for cya backup.

    Didn't stay there long.

    But yes, that's what it's for. It's for incompetent impotent managers.

  • by Vandil X ( 636030 ) on Saturday July 06, 2019 @11:32AM (#58882398)
    Everything you post/text/send over a network is bound to be logged by someone or something along the way. Be mindful of what you post.
  • >Right now, Slack stores everything you do on its platform by default -- your username and password, every message you've sent //

    Ok, everything else is a given, but do they really store passwords? Nothing in the link documents suggested that they actually did? What's Slacks password set up?

  • by Anonymous Coward

    If you have any sense, you switch to Mattermost and set it up on your own server. All data and user details secured.

  • Surely apps like Keybase provide much of the capability of Slack, with full end to end encryption?

    Are there others?
  • For a sensitive topics, we have a basic app we created that uses slack's api to post messages to a special channel and use end-to-end encryption and just store pre-encrypted junk in the channel. Slack still knows what user posted the message and at what time but not the content.

If you steal from one author it's plagiarism; if you steal from many it's research. -- Wilson Mizner

Working...