[Governance] Slack and Privacy

Noreen Whysel noreen.whysel at owasp.org
Mon Jul 27 22:07:00 UTC 2015

I read through the policy and came up with a similar reading as Jim. Most of
the documented functions require a certain level of data sharing with Slack
in order for it to work as intended. This is common in most social media,
as is saving aggregate data for research purposes and to improve future
service. There are ways to turn off location data sharing from mobile
devices and other settings that improve privacy for users. But at a certain
point a product like this is not usable and, as Jim mentioned, not
open/accessible as the OWASP mission requires.

You know from our research into dynamic KBA that third parties do exist to
process data from certain clients that they can ensure will remain out of
reach of the client. Slack doesn't seem to go nearly to that level of
identity authentication. I am not fully aware of all the ways that data is
collected or used by these kinds of services, but it doesn't seem that
Slack is nearly at that level.

The Slack privacy statement does say that it holds third parties to
contracted confidentiality requirements:

"...we may share data with a security consultant to help us get better at
preventing unauthorized access or with an email vendor to send messages on
our behalf. We may also share data with hosting providers, payment
processors, marketing vendors, and other consultants who work on our behalf
and under contractual promises of confidentiality."

I haven't gotten through the entire policy document, but I have taken notes
in response to some of your concerns and was planning to share it with you.
I could post to this thread if you like as well.

Noreen Whysel
Community Manager
OWASP Foundation

On Jul 27, 2015, at 4:01 PM, Jim Manico <jim.manico at owasp.org> wrote:


Slack is an optional communication platform for the OWASP community. I read
the Slack policy and for a service of this nature the policy looks very
honest and transparent. I do not think using Slack for private
communications is appropriate; I think we should think of it more as a list
service or other public posting service.

So after a first read of their policy, I like the detail, honesty and
tradeoffs they are making.

Perhaps OWASP should publish a little guide explaining what uses for Slack
are most appropriate?


On 7/27/15 9:55 AM, Ann Racuya-Robbins wrote:

Thank you Fabio for the invitation to SLACK. It looks like this could be
very useful. I have attached the SLACK Privacy Policy where I have
highlighted a number of concerns. Is OWASP not able to find a product with
better Privacy protections?


Ann Racuya-Robbins

Governance mailing list
Governance at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/governance

Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!