Slack’s Top 5 Privacy Mistakes We Can’t Make


Everyone makes mistakes. We do too. But when it comes to privacy, we keep our guard up and most businesses who collaborate online will appreciate it.

Slack is a great product and people love it. I get it. I think it’s great fun too, but it’s just not suited for business collaboration.

There are some popular features in Slack that we couldn’t include, and will likely never add to Semaphor. I wanted to explain why we didn’t and how including them would endanger and compromise your most important and private online conversations.

1. The Browser “Playground”

Your browser is a vulnerable place. Think of it as a public playground where every website you’ve ever visited has left its germs and viruses. There are countless security vulnerabilities with deploying an application through the browser: everything from the browser itself, to your security settings, plugins, extensions, the code from every website you visit, and the cookies that track you. With one click, malware can easily get installed on your computer, so while there are things you can do to try to protect your activity online, sometimes that’s just not enough.

This is why we built Semaphor to be a full application that you download and run on your own device. Slack is a web app, which means nearly everyone who uses it, including most everyone on your team, accesses it through a browser. And therefore anyone on your team can compromise the complete privacy of your conversations. Semaphor is a full application that communicates solely and directly with our servers. No extensions, no plugins or unknown browser cookies can compromise that privacy. If you’re curious what’s going on in our application, go review the source code yourself. Ask Slack if you can review their source code.

2. Integrations

We are supporting Bots before Integrations, but the truth is we might not ever support hosted integrations like Slack does. Integrations are small applications that extend the functionality of a platform. Slack impressively boasts both a marketplace and investment fund to get more Integrations built for Slack. Most every Integration people use is hosted by Slack, meaning every bit and byte that comes through an Integration can be read by Slack. (But I guess if you’re already using Slack heavily, you’re already okay with their ability to read every bit and byte.) Our Zero Knowledge commitment simply means we will not ever build something that allows anyone but you to read your data, thus avoiding this sort of a “man-in-the-middle attack”.

Our first version of Bots will be self-hosted on your own gear, so from our server’s perspective it’s just another user sending encrypted text into the system. We already have bots running on our platform and are planning to release libraries with sample code here in the next few weeks.

3. Inline Pixie Dust

Most collaboration tools will overload posts that include URLs with metadata like images, titles, source content, and icons. This is also true of fun features like Giphy. While it might make the timeline more visually interesting, because Semaphor respects your privacy, we just can’t offer this feature.

Here’s the issue: Suppose someone in your channel includes a URL in a message. When you launch Semaphor and download that content, you may not want to automatically produce internet traffic back to that source website, along with your IP address. By implementing inline pixie dust, all of this content would get automatically downloaded to your device and you couldn’t control it. We most certainly support clickable URLs, meaning you choose when you want to visit a site. (We saved our pixie dust for making all this wonderful privacy easy to use.)

4. Email Digests

For those not familiar, lots of products use email digests as a way to summarize a day’s worth of conversations into one quick scannable list sent to your inbox at the end of each day.

The problem? When a team has a conversation, it would be a critical privacy compromise for one, some, or all of that team to then have those same messages sent over the internet in an email. Email is one of the most vulnerable methods of communication, with a 789% year-over-year spike in malware and phishing. People set weak passwords, which are easily hacked and constantly stolen (remember the 1.6 billion passwords stolen two years ago?). All you need to do is look at the news for the latest email scandal (for example, the DNC hack).

There is certainly value in having a quick way to “get back up to speed” and we plan to build a “While you were away” feature in Semaphor that gives users the same benefit without compromising the privacy of your conversations.

5. Presence

Is so-and-so online? Presence allows users to passively know if another user is on/offline. Unlike the above features, we are giving serious thought to adding this feature to Semaphor — it is quite handy. That said, it will most certainly be implemented in a privacy-minded way. Does everyone on your team want everyone else on the team to know they are online? Should this summer’s intern know the CEO of your multinational company is “In a Meeting?” This level of transparency has benefits, but it needs to be controlled by users. Defaults should be set to Hidden, and only the user should be able to opt-in to such a feature.

Don't be slack about privacy

Everyone makes mistakes. We do too. But when it comes to privacy, we have our guard up and expect most businesses who want to collaborate online will appreciate it. If you haven’t taken a look at Semaphor, you can learn more on our website. And if you’re technically curious, you can also dive a little more into its architecture with our encryption white paper.