Slack is going to start letting its users direct-message people outside of their company with the new Slack Connect DMs feature.
The service was originally announced back in October, but it’s only just started rolling out. The goal is to ensure companies working with partners or clients can communicate, though there are so many more possibilities than that.
However, it could also be regarded as a bad move, much like how publishing your personal email address on 4chan could be considered a very bad idea.
Connect DMs functions through Slack’s Connect feature, which launched last year and was built to help businesses collaborate through shared channels. Adding DMs into the mix is the latest part of that.
The good news is that it’s not like email or text messaging, where anyone can send you a message provided they have the right address.
Connect DMs work by sending a special link and force both sides to start the shared conversation. Depending on how a business has set up their Slack channel, it may require admin approval as well.
Connect DMs could have security and privacy issues
A lot of the outrage against this feature on Twitter has focussed on the risk of abuse and spam that stems from letting outsiders send messages to private Slack channels. Those concerns are because Slack has no options to block or report other users.
If this makes you uncomfortable, remember that Slack doesn’t encrypt your messages, can store them indefinitely even if you don’t have access to them, and that in many cases your employer can read and search for everything you’ve posted, even DMs.https://t.co/xojPTurlF8March 24, 2021
But there are, rightfully, concerns about security and privacy, such as the fact that Slack doesn’t encrypt your messages, and stores them indefinitely. That includes direct messages, which can be accessed archived and exported if your employer has a Slack Plus plan.
That will likely include direct messages sent between companies, and presumably those conversations would be available to admins on both sides.
But personal privacy isn’t the only issue, because it could expose company’s sensitive information.
Remember the big Twitter hack from last year? The one that had celebrities tweeting out an almost-identical Bitcoin scam?
According to a New York Times investigation, it all happened because a hacker managed to get into Twitter’s private Slack channel. Once there “Kirk”, as he was known, was able to access a service that gave him access to Twitter servers. Access that was then reportedly used to launch the crypto scam.
The story hasn’t been confirmed by Twitter, which declined to comment at the time. But it does go to show how something could go wrong if you give private Slack access to someone with nefarious intentions.
Last week, an 18-year-old Florida man was sentenced to three years in prison for the hack, which took place while he was a juvenile. Florida authorities said he convinced a Twitter employee that he also was a Twitter employee and deserved access to Twitter’s internal systems.
Connect DMs won’t give outsiders unfettered access to a private Slack channel, but it does mean there’s another potential hole in security. Slack may not be the most obvious target for hackers, but we’ve already seen what can happen if they manage to access the wrong conversations. So Slack admins take note.
Slack Connect DMs is rolling out to paid users today, and will eventually come to free users “soon”.