Stop your boss from reading your private Slack chats with Shhlack

Slacking off? Then hide your private chats from your boss with Shhlack.
Photo: Giorgio Minguzzi/Flickr CC

Did you know that your boss can read your private Slack chats? That’s right — whenever you switch to a direct messaging session to avoid Slack’s public chat thread, you might think you are chatting away from your boss’s prying ears, the virtual equivalent of a quick word in the stairwell.

However, that’s not the case. The boss can drop in and spy on your “private” chats at any time. Luckily, there’s a way to fix that, using a tool called Shhlack.

Shhlack

Shhlack is a message encryption service for Slack. When you use it, you and your cohorts will be able to read each other’s messages, but when your boss goes into Big Brother mode and decides to take a sneaky look at whatever you’re saying behind her back, all she’ll see is gobbledygook.

Wait, my boss can read my private Slack chats?

Yup. Well, probably. If your company pays for Slack’s Plus plan, and has enabled the option to use “compliance reports,” then administrators can download your message sessions and view them at their leisure. To check whether this is the case for your Slack, go to teamname.slack.com/account/team and take a look at the Retention and Exports tab:

On this Slack account, admins can only export public channels.
Photo: Cult of Mac

If compliance reports have been enabled, you’ll see it here. Admins will be able to download a .zip file of all your conversations, public and private.

If the Slack compliance reports have not yet been enabled, you’re safe to keep badmouthing your boss. And if these reports are enabled in the future, you should receive a message from Slackbot, according to Gizmodo’s Melanie Ehrenkranz.

Does this seem creepy? Then try it from the other angle. You’re the boss, and you pay for a messaging platform for your employees to use for work. As the paying customer, you should have access to everything that goes on in this workspace, right? After all, if employees want to chat privately amongst themselves, there are plenty of options for encrypted group messaging, like iMessage and WhatsApp.

How to encrypt your Slack chats

If you fear that your boss is listening in, and have important information to share, then you can use Shhlack to encrypt messages. It’s not an add-on for Slack. Instead, you use either a browser extension (for Google Chrome or Firefox), or a patcher that works with the Slack app on Windows, macOS and Linux.

To encrypt your messages, all parties must use a version of Shhlack. They then need to generate and share an encryption key. After everyone gets everything up and running, they can send encrypted messages. It looks like this:

Shhlack lets you send encrypted Slack messages.
Photo: Shhlack

Anyone with the key who receives the message will see this:

A decrypted Shhlack message.
Photo: Shhlack

And if your boss decides to eavesdrop, she’ll see this:

Without the key, messages are unreadable.
Photo: Shhlack

What’s the point?

From the user’s point of view, this works just like email encryption, and is just as annoying to set up. If you really have something so sensitive to talk about that it just has to be hidden from your Slack admins, why are you even using Slack to do it? After all, if you set this up right, you already had to exchange keys, which means that you must have an alternative communication method that you consider secure. That may be iMessage, or it might be that you can meet up in person. So, just do that instead.

Also, just because your messages are encrypted, you’re not off the hook. Even if she can’t read the content, your boss can see that you are using encrypted messages in the company Slack. That alone might be enough to cause trouble.
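To show how visible encrypted traffic is to anyone holding an export, here is an added example (not from Shhlack or from the original article): a Python check that flags long, high-entropy base64-looking runs in a JSON array shaped like a Slack export, without decrypting anything. The sample messages, user IDs and ciphertext blob are constructed, and treating Shhlack output as a long base64-style string is an assumption, since the article does not describe its message format.

```python
import json
import math
import re
from collections import Counter

# Constructed sample shaped like a Slack export file: a JSON array of message
# objects with "user", "ts" and "text". The third message is a made-up
# base64-style blob standing in for ciphertext (assumed format).
SAMPLE_EXPORT = json.dumps([
    {"user": "U01AAAA", "ts": "1500000001.000100",
     "text": "Lunch at noon? The usual place."},
    {"user": "U01AAAA", "ts": "1500000002.000200",
     "text": "Supercalifragilisticexpialidocious is a long word"},
    {"user": "U02BBBB", "ts": "1500000003.000300",
     "text": "q7Zx2LmPd9VtK4sWbY8nRfHc0JgUe3TaXo5NiGyMl1Dk"},
])

# A run of 32+ base64-alphabet characters with optional padding.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def shannon_entropy(s):
    """Bits per character of the string's own character distribution."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def flag_opaque_messages(export_json, min_entropy=4.5):
    """Return (ts, user, entropy) for messages that look like ciphertext.

    Nothing is decoded: the flag rests only on the shape of the text,
    which is what an admin without the key can still see.
    """
    flagged = []
    for msg in json.loads(export_json):
        for run in BASE64_RUN.findall(msg.get("text", "")):
            h = shannon_entropy(run)
            if h >= min_entropy:  # long dictionary words score well below this
                flagged.append((msg["ts"], msg["user"], round(h, 2)))
                break
    return flagged


if __name__ == "__main__":
    for ts, user, h in flag_opaque_messages(SAMPLE_EXPORT):
        print(f"{ts} {user} entropy={h} bits/char")
```

Only the blob message is flagged; the ordinary chat line and the 34-letter dictionary word fall below the entropy threshold.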

Also, if you’re going to use a tool like this, then you’d better make sure to fully vet Shhlack itself. After all, what’s the point of using encryption if you don’t trust the tools? Fortunately, Shhlack is open source, so you can dig into the code. Not that you will. But you can tell yourself that someone probably looked at it, at least.

Perhaps the real point of this how-to, then, is to make you aware that your private Slack chats might not be as private as you think they are.