Anyone who works in an office has said something meant to stay between them and their colleagues. It’s not guaranteed those words won’t get out when they live on in a chatroom like Slack, which experts warn may not be as secure as people think.

Slack is a communications platform that has been quickly adopted by startup businesses and major corporations. The souped-up, chatroom-style service has quickly grown to more than four million daily active users, with 1.25 million paying for additional features and services.

The messaging tool promises secure communications for teams of all sorts, but it may not be safe to rely on Slack as much as many organizations do. Trevor Timm, executive director of the Freedom of the Press Foundation, told Fast Company that Slack has access any and all internal communication, including talk that people may not want to be made public.

There are multiple ways those logs may eventually see the light of day—none of which are particularly ideal. While Slack is compliant with just about every security protocol imaginable and utilizes encryption to protect conversations and files—although only when the data is at rest or in transit rather than complete, end-to-end encryption—there is always a risk of a hack.

Slack, for its part, combats some of those concerns with a bug bounty program that provides rewards to users who report flaws and exploits. The company also claims in a blog post that it performs regular scans, penetration tests and is partaking in “a growing set of third-party audits that help our customers see for themselves what we’re doing, and how well it’s working.”

Perhaps more concerning is the possibility the government demands the information and Slack is forced to comply. According to the company’s data request policy, "Except as expressly permitted by the Contract or in cases of emergency to avoid death or physical harm to individuals, Slack will not disclose Customer Data, unless it is compelled by law to do so or is subject to a valid and binding order of a governmental or regulatory body."

The policy also notes Slack will notify a customer before disclosing any of their data, "unless Slack is prohibited from doing so" or if the data request is related to "illegal conduct" or the risk of harm to people or property.” In those cases, Slack will act on the request without providing users a head’s up.

This has caused issues for many cloud-based companies, which are often hit with a gag order when the government requests user data. Such an order prevents the company from informing its users that their data has been handed over to a law enforcement agency. Often times those gag orders have no end date, preventing the company from ever fully informing its users.

According to a recent lawsuit filed by Microsoft over the gag order practice, the computing giant had received 2,576 gag orders over demands for data—including 1,752, or 68 percent, that had no end date.

Slack claims it had received four requests for user data—one from a government agency and three from third party groups—as of last April. The company did not respond to any of the requests.

As of now, Slack does not utilize a “warrant canary”—a regularly updated statement designed to alert users if the company has received a data request from the government. The statement is usually hosted on the company’s site, then removed when a request for data has been made. It serves as a workaround to potential gag orders.

An update to the Electronic Communications Privacy Act (ECPA) passed by Congress earlier this month would also serve to quell some concerns of government overreach by requiring agencies to get a warrant before demanding user data. Currently, all that is required is a subpoena.

Slack also presents an issue of surveillance within a business or organization. The service allows members to create private channels, but those channels still belong to the business itself, especially for paying customers of Slack.

Employers who pay for Slack’s "Plus plan" and can access message archives and export conversations from private channels if they are able to demonstrate proper legal authorization to Slack.

Slack isn’t necessarily more or less vulnerable than any other communications platform out there, and its convenience and feature-rich setup may be enough to make most people overlook security concerns. But users should be aware that what is said on Slack won’t necessarily stay there.

RELATED STORIES
Software Security