Why Slack Isn’t Such a Good Idea

Disclaimer: I can’t tell you what to do. I am not dictating a policy here, nor do I have the means to enforce one. This is a discussion of basic security concepts as they apply to Indivisible teams & data and how Slack measures up. It also includes some mitigations to take if you do decide to use Slack.

Anything I say below applies to any and all communication technologies and methods: social media, email, Signal, Slack, face-to-face conversation. Please keep our member and leadership data safe in the Era of Trump.

There’s been a lot of talk about using Slack as a communication tool to help keep all of our fast-growing Indivisible teams coordinated and moving forward. Although it has a very shiny interface and is fun and easy to use, it leaves a lot to be desired when it comes to security. In fact, lots of companies are leaping into the space to provide secure chat.

GROAN. YES! I can hear you groaning. “Oh, it’s the security guy, he’s always the party pooper.” Well guess what, I’m here to give you a few tidbits on security.

Focus on Security Essentials

Let’s think about what is most important to our cause:

  • Our member and leadership data. As in, anything that can personally identify them. Think to yourself: what happens if data about your members or leaders (names, emails, phone numbers, addresses) gets leaked or hacked? Those people get PERSONALLY affected, is what happens. Think about that for a second. How effective will your teams be if they’re all doxxed? Or if just your leaders are doxxed? Or if people get fired because their Trump-loving boss figures out what they’re doing? Or if someone in a bright red county loses all their business customers overnight because of a data breach? When you think about risk in this way, things come into sharp focus.
  • Our plans. Think how our adversary could mess with us if they knew what we were about to do. What if you plan to show up at a congressperson’s office, do all of that planning in an open forum, and then the congressperson decides to avoid you? All your effort comes to naught because you talked about your plans on an open channel.
  • Our ability to coordinate and control effectively. Think about people with bad agendas inserting themselves into conversations. Impersonating users after stealing their passwords or their devices. Issuing instructions to go to one place across town when we were supposed to be somewhere else. Or cancelling an event when in fact we were supposed to be there. In an era where Russians have likely hacked our elections, do you think any of this is far fetched? ARE YOU THINKING LIKE A SECURITY PERSON YET?

If you can secure these three aspects of our information security, you can go a long way toward keeping our members and initiatives safe across all of our Indivisible chapters.

The above should form the foundation of how you evaluate security on any platform: texting, email, Signal, Slack, whatever. If you can keep the three aspects of our operations secure, you know you’re on the right track.

So, think this through:

  1. You want your most sensitive data (member information, leadership data, plans) in your most guarded and secret places. That would be Signal or a face-to-face meeting, for example.
  2. You want action messages and final plans to be on public spaces: blogs, social media, emails, mass texts.
  3. At all times you want to make sure that the person(s) you’re communicating with are actually, for real, the person(s) you intend to communicate with. And not someone who is impersonating them because they stole a password or cloned their phone number.

How Does Slack Rank Security-Wise?

Now that we have some basics down, let’s talk about Slack. It’s so SHINY and PRETTY. But you should know by now that pretty things aren’t necessarily good for you. Let’s see how it stacks up to our three criteria above.

  1. The encryption used on Slack is controlled by Slack: Slack holds the keys, so there is no end-to-end encryption as there is on Signal. That means Slack staff can, within the limits of their privacy policy and their technical stack, read your conversations. Even if they aren’t willing to, they can be compelled to by subpoena. So we can’t keep member/leadership data safe on Slack, nor can we keep our plans safe on it.
  2. All conversations are kept on Slack’s servers. You don’t own those conversations; Slack has the data, in one centralized place, where hackers can get into it. Which has happened. So, once again, our data is not safe on the platform.
  3. CAN I JUST ALL-CAPS REMIND YOU THAT ALL THIS STUFF ON SLACK CAN BE SUBPOENAED? Okay, let me give you an example: Hulk Hogan’s trial against Gawker, paid for by Peter Thiel, WHO IS ON TRUMP’S SIDE. Part of that case involved Slack chat messages. Is it safe? Is it secure? NO GANDALF IT IS NOT.

Given all three things above, I’m personally never going to use Slack. There’s no end-to-end encryption, I don’t own the data (which hangs around forever and can be looked at by their admins) and it can all be subpoenaed.

I’m out.

You’re Totally Going to Use Slack, Aren’t You?

Here’s where the real world intrudes. As much as the security guy shouts from the rooftops about something, most people will do their own thing.

It’s okay, security people are used to being ignored until something horrible happens. At which point they can say, “I told you so!” while drinking numerous beers and catching up on favorite episodes of Firefly.

I can’t stop you from using Slack. I also can’t stop you from standing up in the middle of Main Street with a megaphone and telling anyone who cares to listen what our most secret plans are.

So you’re going to use Slack. Great! Here are some things to think about if you so choose to do this thing I’m begging you not to:

  1. Treat Slack as an open channel. NEVER fully identify a member or leader on there. First names only. NEVER divulge emails or phone numbers. NEVER EVER EVER.
  2. Only use Slack for last-minute coordination, never for planning and discussion. Use Signal and face-to-face meetings for planning. Use Slack, social media, and email to alert the necessary teams of final decisions.
  3. Turn on two-factor authentication in Slack (the option appeared after they were hacked, but okay, they took a right step). A second factor stops someone who has only stolen a password; it does nothing for a stolen, unlocked phone with Slack still signed in, so if a device goes missing, deactivate that account or force it to sign out right away.
  4. Make everyone on your team use two-factor authentication. Whether you can enforce it for the whole workspace depends on your Slack plan and on being a workspace owner, so if you can’t enforce it, check with each person that it’s turned on. This way you’ll have some assurance you’re talking to the right person. Or at least, a real person. Try googling “how to not get catfished” if you want an entertaining evening.

Okay, that’s it. Go forth and do your thing. Remember to keep yourselves and other members of Indivisible safe!

Join the Conversation

5 Comments

  1. Thank you, Chaunticleer, for all the great info for us security newbs. What are your tips for groups who want to start thinking more about security of their member data? How secure are various email list managers, e.g. mailchimp?

    1. Great question! Most of the services like MailChimp do not offer encrypted data at rest (most offer encryption for data in transit, i.e., TLS/SSL). A lot of WordPress plugins for contact forms don’t do it either.

      If you can find a decent developer, it’s fairly easy to create a WP plugin that will encrypt the data you do store on your own sites (there are some steps you need to take for key management).

      You can also take advantage of data at rest encryption services for some of the cloud services – Amazon Web Services and Google Cloud do have options, although I’ve not used either – so your mileage will vary!

      1. Thanks for the response. I have yet to find a developer to make our site, let alone one with security chops, but I want to take security very seriously so I’m trying to learn as much as a layperson can keeping in mind triage of organizational tasks. It’s good to know what questions I should be asking of potential developers and what issue to bring up and be sure they cover. You have been a valuable resource!

        1. Prioritize data that is most at risk. That’s member/leadership PII. If any of that gets into the wrong hands, members of your team could be put at risk of disclosure, harassment, and other consequences.

          Other stuff to prioritize: logins and passwords. Anyone who steals a password will be able to unlock the keys to the kingdom. That’s what happened with John Podesta – he clicked on a phishing link that told him to reset his google password. He put in his old password (on the hacker’s site) and presto, they had access to all his stuff, and therefore, all of the Hillary Campaign’s stuff.

          Personal safety is also a must with me, but that’s a different discussion. I just want everyone to be safe and secure. We are about to enter a new period of American history, methinks, and I don’t want any one of us at risk.

  2. Thank you for the articles. As a “start up” Indivisible group, it’s not clear to me how to practically implement some of these recommendations:
    1) You recommend mandatory 2FA in Slack. This is only available in the paid version. Are groups or their members really shelling out $8/month per person to use paid Slack? I suspect many groups only have the option to use free Slack, in which you CAN enable 2FA but can’t enforce it for members.
    2) How *should* we store member/leadership contact data? At one point you suggested only storing this in Signal. It’s not clear to me how that’s possible, unless you mean creating contacts for everyone in Signal. There’s no way to store/exchange documents in Signal, correct?
    3) I’ve tried Semaphor as a Slack alternative but had issues getting it to run on Win8.1 (w/o some work that non-tech members couldn’t easily do). It seems difficult to recommend to a larger group w/ client-side install issues.
    4) Do you have any recommendations for securely collaborating/sharing documents? If we’re using Google Drive/Dropbox it’s not clear how we can encrypt AND securely share/collaborate between a dozen+ people.

    Thanks!
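The approach raised in the comment thread above, storing member PII on your own site encrypted at rest with the key kept somewhere other than the database, as an added example in Go. This is not code from the original post or from any commenter; the member record layout, the column names, the record ID and the sample member are assumptions made for illustration, and the key is generated in place where a real site would load it from an environment variable, a secrets file outside the web root, or a key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// MemberRow is what actually lands in the database (layout assumed for this
// example): ID and a non-sensitive role stay in the clear so rows can be
// indexed; the PII columns hold base64(nonce || AES-256-GCM ciphertext).
type MemberRow struct {
	ID    string
	Role  string
	Name  string
	Email string
	Phone string
}

// Sealer holds the data-encryption key. The key is the one thing that must
// NOT live in the database, so a dumped DB on its own is useless.
type Sealer struct{ aead cipher.AEAD }

func NewSealer(key []byte) (*Sealer, error) {
	if len(key) != 32 {
		return nil, errors.New("need a 32-byte key for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead}, nil
}

// sealField encrypts one column under a fresh random nonce. The record ID and
// column name are bound in as associated data, so a ciphertext copied into a
// different row or column fails authentication instead of quietly decrypting.
func (s *Sealer) sealField(recordID, column, plaintext string) (string, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	aad := []byte(recordID + "|" + column)
	ct := s.aead.Seal(nil, nonce, []byte(plaintext), aad)
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// openField reverses sealField and fails closed on any mismatch.
func (s *Sealer) openField(recordID, column, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := s.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	aad := []byte(recordID + "|" + column)
	pt, err := s.aead.Open(nil, raw[:ns], raw[ns:], aad)
	if err != nil {
		return "", errors.New("decryption failed: wrong key, moved row, or tampered data")
	}
	return string(pt), nil
}

// EncryptMember builds the row that gets written to storage.
func (s *Sealer) EncryptMember(id, role, name, email, phone string) (MemberRow, error) {
	row := MemberRow{ID: id, Role: role}
	var err error
	if row.Name, err = s.sealField(id, "name", name); err != nil {
		return MemberRow{}, err
	}
	if row.Email, err = s.sealField(id, "email", email); err != nil {
		return MemberRow{}, err
	}
	if row.Phone, err = s.sealField(id, "phone", phone); err != nil {
		return MemberRow{}, err
	}
	return row, nil
}

// DecryptMember recovers the PII for a row read back from storage.
func (s *Sealer) DecryptMember(row MemberRow) (name, email, phone string, err error) {
	if name, err = s.openField(row.ID, "name", row.Name); err != nil {
		return "", "", "", err
	}
	if email, err = s.openField(row.ID, "email", row.Email); err != nil {
		return "", "", "", err
	}
	if phone, err = s.openField(row.ID, "phone", row.Phone); err != nil {
		return "", "", "", err
	}
	return name, email, phone, nil
}

func main() {
	key := make([]byte, 32) // demo key; load from outside the DB in real use
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s, err := NewSealer(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample member, not a real person.
	row, err := s.EncryptMember("m-0017", "volunteer", "Jane Example", "jane@example.org", "+1 555 0100")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", row)
	name, email, phone, err := s.DecryptMember(row)
	fmt.Println("decrypted:", name, email, phone, err)
	moved := row // same ciphertext filed under a different member ID
	moved.ID = "m-0018"
	_, _, _, err = s.DecryptMember(moved)
	fmt.Println("moved row:", err)
}
```

Two design points matter more than the cipher choice. First, the key lives in the process environment and never in the same store as the ciphertext; that is the key-management step the commenter alludes to, and it is what turns a database dump into noise. Second, binding the record ID and column name into the AEAD means an attacker with write access to the database cannot shuffle one member’s contact details onto another record. The trade-off is that you can no longer search by email directly; if you need that, keep a separate keyed hash (HMAC) of the email as a blind index rather than storing the email in the clear. PHP’s OpenSSL and libsodium bindings offer the same authenticated-encryption primitives, so the same scheme fits a WordPress plugin.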
