It's a "Searchable Log of All Conversation and Knowledge," and we're just living in it.
Slack knows all your secrets. Your trash talking DMs, your business plans made with the boss, numerous untold corporate musings — they all fill the San Francisco-based company's servers, waiting to be viewed by a nosey CEO, a skilled hacker, or the entire world.
The communications platform that many have come to rely on for both work and staying in touch with friends is, like most things online, a potential privacy disaster waiting to happen. And while you may not have a choice in whether you use the tool, you do have the option to lock its privacy settings down to mitigate any fallout before it's too late.
1. Bosses reading your DMs
If you're using Slack for work, chances are it's a paid plan. This differs from the free version — which, say, your D&D crew might utilize to coordinate campaigns and meetups — in several important ways.
One is that with the paid version, your boss might be able to read your direct messages. Determining if this setting is enabled is the first step in keeping your DMs secret. Thankfully, there's a way to do this.
While signed into Slack in a web browser, head to slack.com/account/team and then click on "Retention & Exports." Scroll down to "What data can my admins access," and you'll have your answer.
If the page only says that public data can be exported, your DMs are safe from your boss. However, if it says that "Workspace Owners can also export messages and files from private channels and direct messages," then your corporate overlords have the ability to pull your direct messages.
2. Retention settings
OK, so you now know that your boss has the ability to read your direct messages. That sucks, but not all is lost. There are still several ways to protect yourself, or at least reduce the harm that will inevitably come from this.
For starters, you should tweak the so-called retention settings on all of your direct messages. Slack gives workspace owners (i.e. the person managing your company's Slack account) the ability to determine how long messages — both in public channels and direct messages — are saved. That could be for 90 days, for example, or forever. However, said workspace owners can give users the ability to change the retention settings in conversations they're a part of.
You can, and should, adjust this setting in your own direct messages if you've been given this power. Think of it this way: When your boss pulls a record of employee DMs, would it be better if said boss got years of your direct messages or only the past 24 hours' worth? Yeah, exactly.
While in a direct message conversation, click on the gear icon in the upper-right corner, then select "edit message retention." Next, select "Use custom retention settings for this conversation," choose one day (the shortest period of time you can do), and then select save.
Your messages will now automatically delete after 24 hours. Notably, this doesn't necessarily mean they are off Slack's servers once they're a day old (they are likely not), but the messages should no longer be within reach of the aforementioned workspace owner once a day has passed.
Unfortunately, you have to do this for every single direct message conversation, but it's a quick change and definitely worth it.
3. Encrypt it
Slack does not offer end-to-end encryption for your messages.
There's a way around that, however, in the form of a free browser extension called Shhlack. The extension, available for Chrome, lets you and your coworkers encrypt any and all of your messages. It's pretty simple to use, and means your private convos won't be viewable in cleartext when your boss — or hackers — takes a peek.
Importantly though, as the GitHub page warns, "This is an experimental and ongoing project" that you should use "with a grain of salt." In other words, if anything serious like your job or corporate secrets depend on keeping your messages 100 percent private, then you'll want to take more extreme privacy measures.
4. A change of venue
This one is less of a setting than a straight-up piece of advice, but it might just save you, so listen up: Any message that, if made public, could get you in trouble should not be sent via Slack at all.
Instead, try creating a private Slack channel (with a short retention setting!), getting the phone numbers of the people you want to chat with, and then messaging them on the encrypted messaging app Signal. You can place encrypted phone calls over the free app, have huge group threads, send files, conduct video chats, and set messages to automatically delete after a predetermined amount of time.
There's even a desktop app if you don't like typing with your thumbs.
5. You can't edit away your problem comments
Editing Slack messages after the fact may seem like a surefire way to remove any potentially problematic content. But guess what? Some Slack accounts track edits and maintain records of the messages before they were edited.
Knowing if this setting is enabled will help you avoid making the mistake of thinking you're in the clear when, in fact, the only thing you've succeeded at is making it obvious you're trying to cover your tracks.
While logged into your Slack account, go to https://my.slack.com/account/workspace-settings and click "Retention & Exports." If there are any answers to be had, you'll find them here.
But regardless of Slack's settings, it's always best to think twice before sending a message that might come back to bite you.
6. 2FA
Keeping your account private means keeping it secure. Protecting your account with two-factor authentication is a great way to keep hackers and snoopers out.
To set it up, when signed in, head to my.slack.com/account/settings. If you're able to enable the feature, you'll see a "Two-Factor Authentication" option. Click "expand," and follow the necessary prompts. You'll need to have an authenticator app downloaded on your smartphone to make this work, but there are a ton of safe choices that work with Slack.
Trust me: You really want this security feature enabled.
7. A clean slate
Let's say you want to leave Slack, or you're leaving a company and will no longer be using that Slack account. You might assume that deleting your account takes care of any residual personal data of yours, but that is definitely not the case.
Instead, you actually have to ask the workspace "primary owner" to ask Slack to delete your profile info.
"When members leave a workspace or org, they may have the right to request their profile information be deleted by the primary owner," explains the company. "As the data controller, the primary owner is responsible for determining whether profile information requires deletion."
That primary owner must then email Slack at [email protected] with a specific deletion request, noting "the member’s email address and your workspace URL."
Once you've taken that step, you're finally free to enjoy your privacy.
UPDATE: Jan. 22, 2024, 5:55 p.m. AEDT This article was originally published in July 2019, and has since been updated in Jan. 2024.