In context: Slack, a collaboration and messaging platform used daily by millions of people, has a well-known security issue. The Salesforce-owned company doesn't encrypt chat content. This has emerged as a significant risk factor for activists, journalists, and communities in the US and around the world.
According to the Make Slack Safe campaign, Slack is in desperate need of an urgent security upgrade. On Wednesday, a group of more than 90 organizations staged a protest outside of Slack offices in San Francisco and Denver, showing the "Slack isn't safe" slogan on billboards and t-shirts. Meanwhile, the company says its communication platform is secure enough even without E2EE.
A letter signed by Mozilla, Fight for Future, digital activists, pro-abortion lobbyists, and security-focused businesses described the current situation with Slack ahead of the protest. Tools like Slack are essential for connecting people online, the letter says, for protecting sources of sensitive stories journalists are working on, sharing ideas and content (i.e. in game creation ventures), and everything in between.
Despite its importance, the letter continues, Slack is putting all these communities in danger by not taking steps to ensure proper user safety. Safety should be a built-in feature of all technology, so the protesters are calling on Slack to protect its users by providing the option to enable end-to-end encryption for messages, to add blocking, muting, and reporting features to help protect users from harassment.
When implemented properly, E2EE is an effective way to bring reasonable privacy protection to online communication and data sharing services. E2EE should (in theory) prevent anyone but those involved in a conversation from seeing its content, leaving the platform provider or third-party organizations out of the chat.
E2EE is an increasingly debated topic among technology companies and government organizations. Apple and Meta are busy implementing total encryption into all of their services, while the FBI (plus international law enforcement agencies) try to hinder this much awaited security upgrade.
In the US and around the world, the letter continues, governments are using data and digital communications to target human rights defenders and people exposing human rights violations. After the Supreme Court's reversal of Roe v. Wade, personal communication has become a target for criminalizing abortion seekers and providers.
Slack, however, doesn't seem interested in providing any form of E2EE on its platform. The company said data at rest and data in transit is encrypted "by default" for all its customers, while organizations can use Enterprise Key Management (EKM) features to manage their own encryption keys through the Amazon Key Management Service (KMS). Slack will not share customer data with government entities or third parties "unless we're legally obligated to do so," a company spokesperson confirmed.