[Governance] Slack and Privacy
noreen.whysel at owasp.org
Mon Jul 27 22:07:51 UTC 2015
I also think this would be a very interesting discussion at the chapter
leader workshops at AppSecUSA.
On Mon, Jul 27, 2015 at 6:07 PM, Noreen Whysel <noreen.whysel at owasp.org> wrote:
> I read through the policy and came up with a similar reading as Jim. Most of
> the documented functions require a certain level of data sharing with Slack
> in order for it to work as intended. This is common in most social media,
> as is saving aggregate data for research purposes and to improve future
> service. There are ways to turn off location data sharing from mobile
> devices and other settings that improve privacy for users. But at a certain
> point a product like this is not usable and as Jim mentioned, not
> open/accessible as the OWASP mission requires.
> You know from our research into dynamic KBA that third parties do exist to
> process data from certain clients that they can ensure will remain out of
> reach of the client. Slack doesn't seem to go nearly to that level of
> identity authentication. I am not fully aware of all the ways that data is
> collected or used by these kinds of services, but it doesn't seem that
> Slack is nearly at that level.
> The Slack privacy statement does say that it holds third parties to
> contracted confidentiality requirements:
> "...we may share data with a security consultant to help us get better at
> preventing unauthorized access or with an email vendor to send messages on
> our behalf. We may also share data with hosting providers, payment
> processors, marketing vendors, and other consultants who work on our behalf
> and under contractual promises of confidentiality."
> I haven't gotten through the entire policy document, but I have taken
> notes in response to some of your concerns and was planning to share it
> with you. I could post to this thread if you like as well.
> Noreen Whysel
> Community Manager
> OWASP Foundation
> On Jul 27, 2015, at 4:01 PM, Jim Manico <jim.manico at owasp.org> wrote:
> Slack is an optional communication platform for the OWASP community. I
> read the Slack policy and for a service of this nature the policy looks
> very honest and transparent. I do not think using slack for private
> communications is appropriate, I think we should think of it more as a list
> service or other public posting service.
> So after a first read of their policy, I like the detail, honesty and
> tradeoffs they are making.
> Perhaps OWASP should publish a little guide explaining what uses for Slack
> are most appropriate?
> On 7/27/15 9:55 AM, Ann Racuya-Robbins wrote:
> Thank you Fabio for the invitation to SLACK. It looks like this could
> highlight a number of concerns. Is OWASP not able to find a product with
> better Privacy protections?
> Ann Racuya-Robbins
> Governance mailing list
> Governance at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/governance
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me at AppSecUSA 2015!