Slack, the messaging service of choice for tens of thousands of organisations, has given employers a considerable amount of access to the data and communications of employees. A new tool called Shhlack finally gives employees the power to shield their private conversations with end-to-end encryption.
Developed by information security consulting firm Minded Security, Shhlack allows users chatting via direct messages to trade encryption keys and protect their messages from prying eyes. Anyone who attempts to view the conversation without a key, be it a boss or a malicious actor, will just see a string of jumbled text rather than the contents of the communication.
Tools like Shhlack are an unfortunate necessity for users communicating over Slack because the popular platform doesn’t offer any sort of native support that protects conversations. In fact, Slack gives administrators a considerable amount of access to data, including conversations that take place in private channels and direct messages.
Things have only gotten worse over time for privacy-minded employees on Slack. An update implemented earlier this year discontinued the practice of “Compliance Exports” that provided team members with a notification when workspace owners and administrators flip a switch that allows them to export messages and files shared by team members. As of April 20, employers can request access to and utilise a “self-service export tool” that can export all communications that have taken place in a Slack workplace in a matter of just a few clicks.
While some may be quick to suggest that employees should have no expectation of privacy while chatting in their organisation's Slack, there are plenty of legitimate purposes for private conversations with fellow employers that Slack effectively stomps out in favour of giving employer’s more access. Conversations about everything from unionisation to sexual misconduct and other workplace-related concerns are best had outside of Slack if proper protections aren’t in place.
Shhlack reinstates some of the privacy that users expect, though it’s not the most intuitive solution. The tool is available as a browser extension on Google Chrome and an addon for Firefox. A patcher is also available to provide encrypted communications through the standalone Slack app for Windows, Mac, and Linux. It should go without saying, but Shhlack will only protect your messages on the platform you’ve installed it on. If you just install the Chrome extension, your conversations sent through Chrome will be secure but those sent through the standalone app won’t be.
Once installed, Shhlack will put a lock icon next to the message box. Click it, or hit Alt+S to open the Shhlack panel to send an encrypted message.
While communications services like Signal manage encryption keys for you, Shhlack works by using Pre-Shared Keys (PSK). Both parties wishing to use Shhlack’s protection will have to install the tool and exchange a key in the form of a passphrase in order to send and receive encrypted messages. You’re best not to share that PSK over Slack, as it could be retrieved from the archives and used to decrypt the communications. Instead, share the code over a secure communications service or in person.
Only parties with the passphrase will be able to see the decrypted messages. In group chats with multiple people, those who don’t have the key will just see a scrambled mess of characters.
Shhlack isn’t a perfect solution to the shortcomings of Slack, especially since there isn’t a mobile version yet—though Minded Security suggested one may be available in the future if there is enough interest. But for the time being, it can provide some much-needed privacy for the more than nine million weekly active Slack users. [Motherboard]