Dear Slack, Please Add OTR

Slack, the messaging app for teams used by NASA, newsrooms around the world, a slew of advocacy groups, and more, should give users an option to use end-to-end Off The Record (OTR) encryption.

We live in a world full of surveillance programs that indiscriminately sweep up our data. Every messaging service should give users an option to send messages that only the recipient and the sender can read.

This is especially true for Slack because of its widespread adoption by organizations like advocacy groups and newsrooms, groups that are especially prone to government surveillance or potential malicious actors.

OTR is widely considered the most robust form of encrypted one-to-one instant messaging. It's loaded with features that make it easy to connect with someone without having to find out their cryptographic key, a process that tends to bog down other encrypted messaging options such as PGP. It's also easy to authenticate who you're talking by using a secret question that you and your contact have decided on before hand, avoiding a situation where the person you're talking to isn't who they say they are. To top it off, OTR uses forward secrecy, which means that if the key for your previous OTR sessions are compromised, it won't affect your later sessions as a new key is generated each time.

OTR is used by journalists like Glenn Greenwald and Laura Poitras, who reported the disclosures of National Security Administration whistleblower Edward Snowden, to protect their sources. Hackers I've interviewed who have taken down the services of Microsoft and Sony, hijacked Tesla's website and Twitter account, and infiltrated the databases of Planned Parenthood all told me they used OTR to coordinate and plan their attacks. Even the NSA reportedly hasn't cracked it.

It's important to keep in mind that theoretically, no encryption is uncrackable. Encryption, at its core, is a mathematical algorithm. As computing power continues to advance at exponential rates, supercomputers may be able to crack advanced encryption protocols. However, OTR is widely considered to be as good as it gets, and is recommended by privacy and cybersecurity advocates including the Calyx Institute.

Slack is primarily a group chatting app, and cryptographers haven't yet figured out a way to seamlessly implement encrypted group chatting using the OTR protocol. However, Slack could theoretically add the feature for two-party chat. (It's also worth mentioning that the web-based messaging app Cryptocat has managed to get end-to-end encrypted group conversations using other protocols.)

"OTR would be a terrific idea," Matthew Green, a professor of cryptography at Johns Hopkins University told Motherboard. It would also be pretty easy to implement, Green said. "They could just add it over their existing channels. It wouldn't be crazy to do it. It would be relatively easy."

Green doesn't have the intimate knowledge of Slack's backend setup that would be essential in knowing how easy it would be to implement this feature, and the company didn't respond to a request for comment. But with a $2.8 billion valuation, one could safely assume the company has the resources to implement OTR if it so chose.

Slack's FAQ also acknowledges that some Slack employees can read your messages.

"While the operation of the Slack service would not be possible unless there were some technical employees with sufficient system permissions to enable them to access and control software that stores and indexes the content you add to your Slack team, this team is kept purposefully small and are prohibited from using these permissions to view customer data unless it is necessary to do so."

Not only does that mean a rogue Slack employee may be able to access your data—remember that creepy Google engineer?—it also implies that a successful hack against Slack itself could result in your messages becoming public.

Finally, Slack is not one of the companies that notifies users about government data demands. Unlike Apple or Facebook, if the FBI or any other government agency comes knocking on the door of Slack headquarters asking for your data, it won't let you know it ever happened.

It shouldn't be this way. Working as a journalist who sometimes covers sensitive material, I've oftentimes wished that I could have an OTR encrypted conversation with a colleague without opening up a separate client. Not all of my colleagues and editors frequently use OTR, so the ability for everyone on Slack to have an OTR conversation which each other would be a godsend. Slack is teeming with sensitive information belonging to the companies that use it. It's being labeled as the platform that could replace email, so everything that might have been in the emails of companies employees has now moved to Slack. Business plans, confidential memos, reports and the like are all sent through Slack.

The Grugq, a widely known security researcher who sometimes gives talks about operational security, said lack of OTR support is what keeps his security-conscious company from using Slack.

Using OTR wouldn't come without tradeoffs. One of the most appealing Slack features is the ability to quickly search through all of your old messages and find that one message you had forgotten to keep a note of. Since only you and the recipient can read the message, Slack would have a tough time indexing your conversations, thus making search more difficult.

Slack says it uses "256-bit AES, supports TLS 1.2 for all [user] messages, and uses the ECDHE_RSA Key Exchange Algorithm." These encryption algorithms and protocols are the industry standard for safely transmitting your data, keeping it protected as it travels over the internet. This is a great start, but it doesn't protect your correspondence from a malicious Slack system administrator, a government agency that could force Slack to hand over your data, or a really good hacker.

In early September Slack's official Twitter account said OTR support is not "on the roadmap currently" but "it's something we could consider for the future." Slack is a massive platform with over a million users, and adding easy-to-use encryption would raise awareness about how simple it can be to protect your communications. More importantly, the sheer number of communications that are end-to-end encrypted would explode—and the more people using encryption, the more effective it is for everyone.