Are Slack messages really private? Here’s what you need to know

CACTUS creative studio/Stocksy
Originally Published: 

Slack has become the de facto water cooler for thousands of companies, especially in the startup world. One part chat app, one part "email killer" and business organization tool, the communication platform is an invaluable tool that lets you easily keep in touch with every member of your team. But any platform that you do your work on is going to be tasked with handling some sensitive information. That might mean work files that contain proprietary information, or it might mean office gossip that gets spread through direct messages. Either way, you're absolutely going to want the peace of mind knowing that those bits of private information in your Slack messages are going to remain private. So, just how secure are the conversations that you're having on Slack?

Are my Slack messages encrypted?

Encryption is an important feature for any messaging app to ensure that your conversations can't be intercepted by any third parties. When conversations are encrypted, it means that only person sending the message and the person meant to read it can actually discern what the text says. This works by essentially giving each person's device a digital key that can be used to read the message. If a malicious actor were to somehow snag the message while in transit, they wouldn't be able to read it because they don't have a key. It would appear as a random string of essentially meaningless letters and numbers.

The good news: Slack does encrypt your messages. According to the company's security page, it secures your messages both when they are in transit between parties (i.e., when you send them) and when they are at rest. This wasn't always the case. Previously, Slack only encrypted messages at rest, or when they are simply sitting on the Slack server and not moving between parties, which put them at risk of being intercepted. That could occur if, for instance, an attacker was on the same network and snagged the data containing the messages or was able to get their hands on the messages while they were being moved between either the sender or recipient and the Slack server. But that is no longer a concern.

The bad news: Slack isn't end-to-end encrypted, and it gives a lot of control to companies over how they want to protect their data. Earlier this year, the company announced that it was introducing an Enterprise Key Management (EKM) feature that would allow companies that operate in heavily regulated industries like financial services, healthcare, and government to choose how they want to encrypt messages, files, and other information shared on the platform. When the company announced the feature, it also made clear that it currently has no plans to make end-to-end encryption available by default because of the limitations it puts on the platform, particularly when it comes to using the search feature and third-party integrations. So, while your messages are encrypted in a limited capacity and are unlikely to be intercepted by attackers, they are still accessible in some contexts, unless your work has enabled a stricter set of rules using EKM.


Can my boss read my Slack messages?

While encryption is the way that you secure your messages from potential outside sources, there's a different concern when it comes to your work conversations: what if your boss or supervisor is capable of reading your messages? When you're actually working in a physical office, there is always the potential of eavesdroppers catching bits of your private conversations, but it's unlikely that anyone would have a full transcript of each and every thing you've said to your coworkers. That is exactly what they would get if they saw your Slack messages, since everything is contained right there in the app.

So, can your boss see all of your messages? Well, probably.

Slack has always given office administrators the ability to download and access conversations that take place on the platform. Previously, that just meant messages sent in public channels. But an update made to the platform in 2018 expanded the ability to access direct messages and conversations had in private channels.

Some things to note, here: the ability to read your messages requires the workplace owner to export and download all of the content of your Slack. It's not like they can read what you're saying in real-time. There doesn't seem to be any sort of "god's eye" tool for Slack that would work in that way. And, let's be frank, most of what we say during the day isn't that interesting or worth monitoring. The ability to download all conversations, including private ones, is also only available to companies that have purchased Slack's "Plus" plan, a paid membership subscription that is based on how many active user accounts the workplace has. According to Slack, Plus users can download "all data from their workspace" including "content from public and private channels and direct messages."

For the most part, you won't have to worry about this if your workplace has a free or standard plan, but there are some exceptions to this. Those types of free and standard plan workspaces can access private information if they go through a legal process and get the consent of their employees who are in the Slack. In that case, you can choose not to permit the company the ability to access your messages and private conversations.

That said, in the case of the Plus plans, you won't have any idea if the company decides it wants to take a look at your direct messages. Slack used to warn employees when an employer decides to export data from the workspace, but that is no longer the case. Instead, the company will decide on its own if it wants to inform employees that their messages are being exported and could potentially be read by people other than the intended recipients.

If you want to see if your company has the ability to export your information without your explicit knowledge, you can take a quick look at the Workplace Settings and find out for sure. Here's how:

Open the Slack app and tap on the arrow next to your workspace's name. From here, click the Customize Slack menu, which will open a new tab in your browser containing some of the more customizable aspects of Slack. Click Menu, then About This Workspace. Here, you'll get a three-part menu that will tell you what kind of plan your company has and what the data retention and export policy is. If your company has a Plus plan, they have the ability to export your direct messages and conversations in private channels. You can confirm if the company has that setting enabled in the Retention and Exports tab.

Can anyone at Slack view my conversations?

Slack is a platform, and like any platform there are more people with access to information than you might imagine. Conversations you have with your coworkers don't just live on your devices, they are on Slack's servers. Without the proper protections in place, it is possible that a Slack employee could potentially take a look at your conversations. Does Slack actually have the necessary protections needed to keep you safe? Not really, per a 2018 report from Gizmodo. The publication found that Slack claims it hasn't built any tools that would enable its employees to look at conversations taking place on the platform. However, such a tool is possible. In choosing not to implement end-to-end encryption, Slack has left open the possibility that it could potentially access user information at some point. Does it exist now? Probably not. Is that enough for you to feel safe in sending sensitive material on the platform? It probably shouldn't be.