Even slacker with your data

Even slacker with your data

This time last year, I wrote about Slack’s privacy policy. I explained why our company wouldn’t be using Slack for fear that our data and that of our customers would be at risk.

Now, we see that Slack is very actively going to be exploiting its users’ data.  Slack has established a team focused on “mining the chat corpus.”

So what might this mean and since last January has Slack changed its Privacy Policy?

I won’t recap our concerns from last year, you can read those here.  But in essence, we were concerned that Slack’s privacy policy gave it almost unfettered license to pass data to third parties – for example, the policy referenced marketing consultants amongst others.

There’s a lot of data that Slack identifies which it might pass to third parties but the most fundamental is all that information which its own users collect and receive. That is:

  • The message content itself. This content can include messages, pictures,
    files and video among other types of files.
  • When messages or files were sent and by whom, when or if they were seen
    by you, and where you received them (in a channel or direct message, for example)

What makes this challenging is the very nature of the service that Slack provides. Even if Slack is scrupulous about anonymising its users when passing data to third parties, that is no protection whatsoever for those other people and organisations identified in “the message content itself”.

Thinking about privacy in a Law Firm

Let’s imagine a law firm advising on a merger or takeover. The name of the law firm is of no consequence at all but the likelihood of Slack chats mentioning the parties is very high indeed. Of course, that is highly price sensitive; disclosure would be profoundly damaging to the parties involved and their advisors.  For any one of the many parties to whom Slack might disclose message content, the temptation to exploit the knowledge gained would be almost irresistible and furthemore, relatively low risk.

Which brings me to an interesting change to Slack’s Privacy Policy. It’s noteworthy that Slack changes its privacy policy with considerable regularity. We’re on the fourth iteration since January 2015.  So keeping up is itself a challenge and frankly not something that customers should find themselves having to do with this kind of frequency.

I haven’t compared these four forenscially. However, there’s one stand out change. This is what the current Slack Privacy Policy says

We may also share data with hosting providers, payment processors, marketing vendors, and other consultants who work on our behalf.

A year ago, this is what it said:

We may also share data with hosting providers, payment processors, marketing vendors, and other consultants who work on our behalf and under contractual promises of confidentiality.

Is there anyone out there who, like me, thinks this is serious?

And we did ask Slack for their comments on this before we published. They replied that “as a general rule, we don’t comment on blog posts so won’t be commenting on this”.

Submit a Comment

Your email address will not be published. Required fields are marked *