Slack – with your data

Slack is a billion-dollar San Francisco newbie that gives itself excessive license to play free and easy with stuff that doesn’t belong to it.

Slack is a product that enables teams to collaborate through ‘channels’. Individuals can, for example, work together on a customer’s files that they’ve uploaded to Slack, search them and so on.

We’re evaluating Slack and as part of that, we reviewed its privacy policy – which changed on 1st January 2015.

Here’s the intro…

Slack is the custodian of data on behalf of the teams that use Slack. We don’t own team communication data. Teams own their data. They like it that way and so do we.

So far, so cuddly.

Slack’s Privacy Policy refers to and identifies the information they ‘collect’ and ‘receive’.

Note that Slack receives and collects.  Slack doesn’t receive and ‘store’ for its customers.  Slack ‘collects’.  It hoards.

From a long list, this is a key item it ‘collects’:

Communication content that you send and receive within Slack. This includes: The message content itself. This content can include messages, pictures, files and video among other types of files. When messages or files were sent and by whom, when or if they were seen by you, and where you received them (in a channel, private group, or direct message, for example).

And that’s no surprise. Slack can’t exercise its core functionality without this information.

What might Slack do with the information that it ‘collects’?  It can ‘share’ it.  With whom might it share its customers’ information?  Recalling that ‘information’ includes everything that Slack’s customers upload to Slack together with all surrounding metadata, Slack may share it with:

 ..hosting providers, payment processors, marketing vendors, and other consultants who work on our behalf

In summary, Slack’s privacy policy tells its customers (ever so nicely) that it collects, without exception, everything about its customers and similarly without exception everything that those customers upload to its service.  And it will potentially share all of that information with just about any person or organisation that it, in its sole discretion, chooses to share it with.

Slack may reply that it might share all of its customer data

“under contractual promises of confidentiality”

But Slack does not undertake to sue or otherwise enforce such a contract in the event of a breach which damages its customers.  Slack doesn’t even empower its customers to take action on its behalf.  A Slack customer would therefore be most unwise to rely on any ‘promise’ when considering whether to entrust its privacy to Slack.

Slack also has a security policy

Slack’s security policy refers to its own privacy policy. It says that

“there are limited circumstances when we ever share customer content without first obtaining permission.”

But it seems to me that those circumstances are not limited; they are in fact effectively unlimited and Slack need never ask permission to share anything at all.

Indeed, the word ‘permission’ simply does not appear in Slack’s privacy policy in relation to data sharing over which it has control.

Our tentative conclusion?

Gavurin handles highly sensitive data for its customers.  My own view is that even if we undertook not to upload anything about our customers to Slack, if it emerged that we used Slack, our reputation for data governance could take a damaging hit.

In summary, if you care about your information or that of your customers, you should think carefully before entrusting any of it to Slack.
