Slack Doesn’t Have End-to-End Encryption Because Your Boss Doesn’t Want It

A former Slack employee and the company's current chief information security officer say that Slack's paying customers aren't that interested in end-to-end encryption.

|
Oct 16 2018, 1:59pm

Image: Slack

End-to-end encryption—where keys are stored on individual devices by users, meaning only the intended recipients can read message content—is continuing to spread across messaging platforms. But work communication service Slack has decided against the idea of having end-to-end encryption due to the priorities of its paying customers (rather than those who use a free version of the service.)

Slack is not a traditional messaging program—it’s designed for businesses and workplaces that may want or need to read employee messages—but the decision still highlights why some platforms may not want to jump into end-to-end encryption. End-to-end is increasingly popular as it can protect communications against from interception and surveillance.

“It wasn’t a priority for exec [executives], because it wasn’t something paying customers cared about,” a former Slack employee told Motherboard earlier this year. Motherboard granted the source anonymity to speak about internal company deliberations.

Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

“Paying customers want enterprise key management,’” and not end-to-end encryption, the former employee said. This means that the customer is in control of their own keys as an organization, perhaps for things such as compliance, internal investigations, or securing their own keys rather than allowing Slack itself to handle them or users on a more individual basis.

Slack allows one-on-one messaging, as well as group chats and more structured rooms where users may join or be invited to chat. The service comes in a few different variations: the free version lets users search a limited number of messages. Paid versions, priced per user, provide unlimited search, group calls, and some security benefits. Finally, larger businesses, government departments, or other organizations may opt for a dedicated enterprise version, which is designed for bringing multiple Slack workspaces together.

It’s the enterprise customers that apparently aren’t too keen on end-to-end encryption.

On Saturday, Slack Chief Information Security Officer Geoff Belknap tweeted that end-to-end encryption is “not something we’ve had much demand for from customers.” He added that enterprise key management and Bring Your Own Key (BYOK) is coming this winter.

“There are several alternatives, if e2e [end-to-end encryption] is a feature someone explicitly needs,” Belknap wrote in his tweet.

The former employee said that it was free users who were asking for end-to-end encryption. There may be some exceptions: Motherboard previously published a piece laying out the benefits of end-to-end encryption in Slack for journalists. Many media organizations do pay for and use Slack daily, although perhaps other, non-editorial parts of those companies would also prefer enterprise key management over end-to-end encryption. And many workplaces across industries discuss sensitive issues and trade secrets on the service; a hack of Slack itself could potentially be devastating both professionally and personally. Many people gossip on Slack and Wired called a potential Slack hack “everyone’s worst office nightmare.” (If an organization was in control of its own keys, perhaps with enterprise key management, a hack against Slack itself would likely impact the organization less).

Despite the lack of demand from paying customers, Slack has discussed the idea internally: engineers did create a technical specification of what end-to-end encryption on the platform may look like, the former employee said. They also said that end-to-end encryption while maintaining Slack’s search functionality won’t be possible at the moment. In his tweet, Belknap said that end-to-end encryption “architecturally [...] isn’t ideal.”

In May, when Motherboard first started talking to sources about Slack’s lack of end-to-end encryption, the company declined a request for comment or to answer specific questions. On Monday, a spokesperson declined to comment once again.