How mindful should you be of what you’re sharing on Slack? The short answer is: very.
With a larger-than-usual percentage of employees working from home, Slack—the revolutionary collaboration tool that has become a ubiquitous verb in most offices—has gained even more prevalence in our work days. And, as the lines between our personal and professional lives tend to blur in the comfort of our home offices, Slack channels can end up ranging from strictly work-related, to frivolous (like a #cat_memes_only channel), to personal.
In the WFH era, we’re also seeing employers find different ways to monitor employee productivity, so it’s natural to wonder about the security of your Slack messages. Here’s what you need to know:
Does my company have the right to read my Slack messages?
On Slack, you can chat in a general channel with a wider group of teammates, through direct messages, or in private channels with smaller groups. While your boss may not be able to simply hop into a private chat between you and a coworker—nor are they likely to spend their time doing this—it doesn’t mean that they can never find your messages.
According to Vox, if an employee is part of a lawsuit, for example, or if your company launches an internal investigation, the company may have the right to acquire your so-called “private messages,” just as they would have had this right with your company email. Slack goes into detail with a few more examples on their website.
In this case, employers would need to submit a request to Slack to export a JSON version of your chat history, but there are additional obstacles:
If your company uses the Standard or Free version of Slack: They need to submit a request to Slack for a one-time export of your conversations, including from private channels. Slack will only approve this with employees’ consent, if it is required in a legal proceeding, or if it is within your employer’s rights—this is based on an agreement between you and your employer, not determined by Slack. As a Slack spokesperson told Vox, “Employers ultimately own their company’s Slack data and are responsible for complying with the laws that govern how they access that data.”
If your company uses a paid version: Even if your employer pays for Slack, they still need to submit a request in order to export conversations, but they can continue to do so once they gain initial approval. This feature is called a Corporate Export, which can only be accessed with Slack’s Plus and Enterprise Grid plans. Again, your employer needs to prove in their request that “(a) appropriate employment agreements and corporate policies have been implemented, and (b) all use of Corporate Export is permitted under applicable law.”
You can check what kind of plan your company uses, and whether any conversations have been exported, by going to yourworkplacedomain.slack.com/account/workspace-settings.
How do I know if a channel is public or private?
Any member of a Slack channel can create a public or private channel. In order to make a channel private, you must toggle on Make Private. Private channels will not show up in the directory to anyone except for those who have been invited to the channel. Private channels have a lock symbol next to their names. Direct messages between one or several members are private by default. These chats will be listed in a separate group under Direct Messages below the list of private and public channels on the left of your Slack window.
Can they see older messages?
Another factor to consider is your Slack channel’s retention settings. Chats can disappear as quickly as after 24 hours depending on your settings. You can check your workspace’s retention settings at yourworkspacedomain.slack.com/workspace-settings. Standard and Plus plans allow admins and owners to adjust retention settings. The Free version retains your messages for the lifetime of your workspace by default; however, edited and manually deleted messages are not retained.
Who else can read my Slack?
Just as an internal investigation may give your employer the right to request your Slack messages, a lawsuit or legal process may give law enforcement or the government access to your messages as well (or give you the right to request that your company make Slack messages available). Slack revealed in their Transparency Report that data collected by the company has been requested by 66 government agencies (though only a third were actually approved), and through legal processes, including court orders and search warrants.
Could Slack get hacked?
It’s not just a fun rhyme. When it comes to user platforms, it’s best to refrain from sharing any personal data, such as credit card numbers. Slack uses enterprise-grade data protection, so your secrets are mostly safe with them (but seriously, you should stop sharing secrets on Slack). While it is difficult for a bad actor to gain access to your Slack messages, it’s not impossible, as The Next Web reported in 2017. There was also a Slack security breach in 2015, which prompted the implementation of their two-factor security tool, which they recommend all users enable. In 2019, the company reset the passwords of 1% of its users who had not yet changed their passwords since their information had been compromised in 2015.
Especially considering that Slack enables third-party integration with apps like Google Drive, you should encourage your admin to set up two-factor authentication on your company’s Slack workspace, and maintain best practices by not sharing sensitive data.
So, what can my boss see?
Unless you’ve given Slack or your boss explicit permission to view your private chats, it’s unlikely that they will see your chat history (screenshots and copying and pasting notwithstanding). However, Slack launched a new analytics tool which allows greater insight into your workspace. Here, your boss can see the percentage of messages sent within private channels, though not the actual content. You can see the analytics for yourself by going to yourworkplacedomain.slack.com/analytics. Paid plans offer more insights, but only about public channels.
It’s important to remember that when you’re on Slack, you’re using a service provided by your company, not your own personal communication channel. If possible, familiarize yourself with your corporate policies regarding communication tools like Slack, and check the status of your Slack channels, the plan your company is using, and whether channels are public or private.
If you suspect Slack snooping—and even if you don’t—it’s insecure to share passwords over Slack. Dashlane offers simple, secure password management for people and businesses. Start a free trial for you or a free trial for your company today.