Disclaimer: I can’t tell you what to do. I am not dictating a policy here, nor do I have the means to enforce one. This is a discussion of basic security concepts as they apply to Indivisible teams & data and how Slack measures up. It also includes some mitigations to take if you do decide to use Slack.
Anything I say below can be applied to any/all communication technologies and methods: social media, email, Signal, Slack, face-to-face communication. Please keep our member & leadership data safe in the Era of Trump.
There’s been a lot of talk about using Slack as a communication tool to help keep all of our fast-growing Indivisible teams coordinated and moving forward. Although it has a very shiny interface and is fun and easy to use, it leaves a lot to be desired when it comes to security. In fact, lots of companies are leaping into the space to provide secure chat.
GROAN. YES! I can hear you groaning. “Oh, it’s the security guy, he’s always the party pooper.” Well guess what, I’m here to give you a few tidbits on security.
Focus on Security Essentials
Let’s think about what is most important to our cause:
- Our member and leadership data. As in, anything that can personally identify them. Think to yourself, what happens if data about your members or leaders (names, emails, phone numbers, addresses) gets leaked or is hacked? Those people get PERSONALLY affected, is what happens. Think about that for a second. How effective will your teams be if they’re all doxxed? Or if just your leaders are doxxed? Or if people get fired because their Trump-loving boss figures out what they’re doing? Or if someone in a bright Red county loses all their business customers overnight because of a data breach? When you think about risk in this way, things come into sharp focus.
- Our plans. Think how our adversary could mess with us if they knew what we were about to do. What if you’re planning to show up to a congressperson’s office and do all that planning in an open forum, and then the Congressperson decides to avoid you? All because you talked about your plans on an open channel, and all your efforts come to naught.
- Our ability to coordinate and control effectively. Think about people with bad agendas inserting themselves into conversations. Impersonating users because they stole their passwords and assumed their identities, or stole their devices. Issuing commands to go one place across town when we were supposed to be some other place. Or cancelling an event when in fact we were supposed to be there. In an era where Russians have likely hacked our elections, do you think any of this is far fetched? ARE YOU THINKING LIKE A SECURITY PERSON YET?
If you can secure these three aspects of our information security, you can go a long way toward keeping our members and initiatives safe across all of our Indivisible chapters.
The above should form the foundation of how you evaluate security on any platform: texting, email, Signal, Slack, whatever. If you can keep the three aspects of our operations secure, you know you’re on the right track.
So, think this through:
- You want your most sensitive data (member information, leadership data, plans) in your most guarded and secret places. That would be Signal, for example.
- You want action messages and final plans to be on public spaces: blogs, social media, emails, mass texts.
- At all times you want to make sure that the person(s) you’re communicating with are actually, for real, the person(s) you intend to communicate with. And not someone who is impersonating them because they stole a password or cloned their phone number.
How Does Slack Rank Security-Wise?
Now that we have some basics down, let’s talk about Slack. It’s so SHINY and PRETTY. But you should know by now that pretty things aren’t necessarily good for you. Let’s see how it stacks up to our three criteria above.
- The encryption used on Slack is controlled by Slack. Which means no end-to-end encryption like on Signal. Which means that Slack admins can, according to their privacy rules and their own technical stack, look at your conversations. Even if they aren’t willing to do it, they can be subpoenaed to do so. So this means we can’t keep member/leadership data safe on Slack. Nor can we keep our plans safe on it.
- All conversations are kept on their servers. You don’t own those conversations. Slack has the data. In a centralized place. Where hackers can get into it. Which has happened. So, once again, our data is not safe on the platform.
- CAN I JUST ALL-CAPS REMIND YOU ALL THIS STUFF ON SLACK CAN BE SUBPOENAED? Okay, let’s see, let me give you an example. Hulk Hogan’s trial against Gawker, paid for by Peter Thiel, WHO IS ON TRUMP’S SIDE. Part of this involved Slack chat messages. Is it safe? Is it secure? NO GANDALF IT IS NOT.
Given all three things above, I’m personally never going to use Slack. There’s no end-to-end encryption, I don’t own the data (which hangs around forever and can be looked at by their admins) and it can all be subpoenaed.
You’re Totally Going to Use Slack, Aren’t You?
Here’s where the real world intrudes. As much as the security guy shouts from the rooftops about something, most people will do their own thing.
It’s okay, security people are used to being ignored until something horrible happens. At which point they can say, “I told you so!” while drinking numerous beers and catching up on favorite episodes of Firefly.
I can’t stop you from using Slack. I also can’t stop you from standing up in the middle of Main Street with a megaphone and telling anyone who cares to listen what our most secret plans are.
So you’re going to use Slack. Great! Here are some things to think about if you so choose to do this thing I’m begging you not to:
- Remember that Slack is an open channel. NEVER fully identify a member or leader on there. First names only. NEVER divulge emails or phone numbers. NEVER EVER EVER.
- Only use Slack to divulge last-minute coordination efforts, never for planning and discussion. Use Signal and face-to-face meetings for planning. Use Slack, social media, and email to alert the necessary teams of final decisions.
- Turn on 2-factor authentication in Slack (this option was made available because they were hacked, but okay, they took a right step).
- Force everyone on your team to use 2-factor authentication. This way you’ll have some assurance you’re talking to the right person. Or at least, a real person. Try googling “how to not get catfished” if you want an entertaining evening.
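As an added illustration of the last two points (this is not code from the original post), here is a small Python check that reports which active members of a workspace still lack 2-factor authentication, given a Slack `users.list` API response, and flags emails and phone numbers in a draft message before it is posted. It assumes the response shape (`ok`, `members`, and per-member `has_2fa`, `deleted`, `is_bot`); the sample response below is constructed.

```python
import json
import re

# Constructed sample shaped like a Slack `users.list` API response. Assumption:
# the real response carries `has_2fa`, `deleted` and `is_bot` on each member.
SAMPLE_USERS_LIST = json.dumps({
    "ok": True,
    "members": [
        {"id": "U001", "name": "alice", "deleted": False, "is_bot": False,
         "has_2fa": True, "two_factor_type": "app"},
        {"id": "U002", "name": "bob", "deleted": False, "is_bot": False,
         "has_2fa": False},
        {"id": "U003", "name": "carol", "deleted": True, "is_bot": False,
         "has_2fa": False},
        {"id": "U004", "name": "reminder-bot", "deleted": False, "is_bot": True},
        {"id": "USLACKBOT", "name": "slackbot", "deleted": False, "is_bot": False},
    ],
})

# Rough patterns for the two things the checklist says must never be posted.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")


def members_without_2fa(users_list_json: str) -> list[str]:
    """Names of active, human workspace members who have not enabled 2FA."""
    data = json.loads(users_list_json)
    if not data.get("ok"):
        raise ValueError(f"users.list failed: {data.get('error', 'unknown')}")
    missing = []
    for member in data["members"]:
        # Deactivated accounts, bots and Slackbot itself cannot enroll in 2FA.
        if member.get("deleted") or member.get("is_bot") or member.get("id") == "USLACKBOT":
            continue
        if not member.get("has_2fa", False):
            missing.append(member["name"])
    return sorted(missing)


def find_pii(message: str) -> dict[str, list[str]]:
    """Flag emails and phone numbers in a draft message before it is posted."""
    return {"emails": EMAIL_RE.findall(message), "phones": PHONE_RE.findall(message)}


if __name__ == "__main__":
    print("Members without 2FA:", members_without_2fa(SAMPLE_USERS_LIST))
    print(find_pii("Call Jane at 555-123-4567 or jane@example.org"))
```

Run the audit regularly rather than once; a member who resets their device can drop back to no 2FA without anyone noticing.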
Okay, that’s it. Go forth and do your thing. Remember to keep yourselves and other members of Indivisible safe!