Is Slack safe? Why abortion advocates are calling on the chat platform to up privacy protections

Mikhail Nilov from Pexels

In the wake of the overturning of Roe v. Wade, many employees are seeking discreet access to reproductive care, often turning to employers for help. But if those conversations take place on workplace chat platforms, they could end up being used against employees in a court of law. 

Earlier this year, as an increasing number of states cut access to reproductive care or even criminalized it, nonprofit advocacy group Fight for the Future published an open letter to Slack, calling on the workplace communication platform to implement end-to-end encryption. End-to-end encryption is a private communication system in which only users participating in the conversation can access its contents; the hope is that this would better protect abortion seekers who may be communicating with each other, colleagues or employers about company-provided resources and support.

The letter to Slack is part of the nonprofit's larger effort called Make DMs Safe, which is calling on Google, Apple, Twitter, Meta, Discord and Slack to make end-to-end encrypted messaging the tech industry the default.  

Read more: The fight for abortion rights

"We've seen so many of these big tech companies make statements supporting abortion access while taking minor, symbolic action," says Leila Nashashibi, a campaigner at Fight for the Future. "But when it comes down to the actions that would really make a difference — like protecting people's data and protecting people's privacy — they are failing."

Currently, Slack — which is used by more than 200,000 organizations, according to Statista — only uses symmetric or single encryption, which uses a backend "public key" to encrypt and decrypt data across the organization. While it offers a basic level of security, it doesn't do much to protect the individual users within an employer's digital community. 

End-to-end encryption, however, creates a single personalized key between both participants of a unique conversation, rendering the communication inaccessible to any other party, including the platform hosting the conversation, like Slack, a manager or employer, or even law enforcement.

"What's really important about end-to-end encryption is it brings us back to the protections of the warrant requirement, which limits indiscriminate searches and mass surveillance," says Jake Wiener, a lawyer at the Electronic Privacy Information Center (EPIC), which  specializes in state and local policing as well as immigration surveillance. (EPIC has worked with Fight for the Future on past projects, but is not actively involved in its Make DMs Safe project.) "It basically keeps the police doing the things that they're supposed to be doing more than the subpoena process, which has no legal protections functionally."

When a police officer issues a warrant, they have to first appeal to a judge — either by phone, email or fax — and present probable cause as to why they think a crime has been committed, which includes putting forward substantial evidence upfront. Warrants also have to be particularized, according to Weiner, which means it has to be about a specific person or a specific investigation. Subpoenas, in comparison, can be issued for most types of data without the need for specification. In theory, law enforcement could subpoena Slack for all of their messages about abortion and it would be up to the platform to challenge it or not.

Read more: Republicans are testing abortion restrictions to see what sticks

All of Slack's available employer plans offer customizable retention settings, where customers can automatically delete messages and files after set periods of time as well as enterprise key management, a security add-on that allows organizations to manage their own encryption keys. In addition, Slack's policy is to not share customer data with any third-party or government entity unless legally required to do so — including subpoenas. According to a spokesperson from Slack, the platform has committed to challenge any subpoena, unclear request or any ask deemed inappropriate. 

But that kind of promise doesn't hold any legal weight, according to Sarah Geoghan, a lawyer with EPIC specialized in abortion surveillance, and still puts users in a vulnerable position. 

"We cannot trust a large company's pinky-promise to protect abortion," she says. "For example, Google said that they would stop collecting location data, which could reveal whether someone was attending an abortion clinic, and that was not true. They're still collecting and retaining that information for longer than they had promised. So the reality is, abortion surveillance is happening and as of right now, companies have a lot of discretion on just how much they could comply with law enforcement requests for information." 

Geoghan referenced the recent case of a 19-year-old Nebraska woman and her mother, who were accused of performing an illegal pregnancy termination after obtaining abortion pills when the daughter was 17. (Nebraska prohibits abortions after 20 weeks and the teenager was around 28 weeks pregnant when her pregnancy ended.) Authorities accessed Facebook messages between the mother and daughter through a subpoena to establish that the two discussed obtaining abortion pills. In July, the 19-year-old was sentenced to 90 days in jail and two years of probation. 

"They looked through her Facebook messages, which are not end-to-end encrypted," Geoghan says. "Once they had those messages they were able to subpoena her full communications on Facebook Messenger and had access to all of it. If those messages had been end-to-end encrypted in the first place, they wouldn't have had a subpoena. And if those communications hadn't been subpoenaed, they wouldn't have been able to access what was encrypted."

Read more: 4 questions employers have about abortion care and coverage

End-to-end encryption would not make the information completely unattainable. If law enforcement were to present a suspect with a viable warrant, the employer would be forced to disclose the conversation regardless of whether it was single or end-to-end encrypted. 

What can, however, prevent law enforcement from accessing messages is if they're deleted entirely, making Slack's auto-deletion settings effective in that way. Once a message is deleted from a server, it is impossible for any third party regardless of warrants or subpoenas to access that information because it is unrecoverable.

"I would never recommend anyone discuss abortion activity on a workplace app — not even over text message," Geoghan says. "That being said, a person's privacy and autonomy should not depend on their employer and it shouldn't be up to the employer to decide what their policy is about abortion so that someone has protections. They should do the bare minimum to protect communications." 

Read more: Hundreds of drugmakers condemn Texas judge's abortion pill order

If employers want to actively share resources on abortion or offer their support, Geoghan suggests they use apps like Signal, an end-to-end encrypted messaging service for instant messaging, voice and video calls.

And while end-to-end encryption may not be a foolproof privacy protection, Nashashibi argues that adding any additional obstacle to platforms like Slack is still critical, and can give employees the time and space to make whatever arrangements they need to access the care they are seeking.

"It extends far beyond abortion seekers and providers in terms of safety — we have to think about people all over the world working under different political contexts and how the lack of encryption affects their safety," she says. "We know that there's a history of law enforcement, gathering and acquiring online communications from companies and as long as these companies own the communications, they're putting people at risk."

For reprint and licensing requests for this article, click here.
Technology Politics and policy Health and wellness
MORE FROM EMPLOYEE BENEFIT NEWS