Slack Says Letting Anyone Message Anyone With Few Limits Was ‘a Mistake’

On Wednesday, Slack launched a new feature that allows users to message anyone else via direct messages, even if the receiver is outside of the sender's organization. In other words, the feature allows anyone to connect with you privately on Slack. Critically, even if the feature is turned off on your Slack, you'll still get an email notification and message from anyone trying to connect with you—including people who don't work with you and can use this feature to sneak harassment into your inbox.  

After experts in content moderation, and several other people, complained about this risk, Slack is already backtracking and limiting the feature, admitting it "made a mistake." 

Before Slack changed it, I tested the feature, called Slack Connect, with a friend at another news organization, whose Slack I am not part of. My friend got a notification within Slack, and an email that contained the message I sent them.

My friend wasn't able to respond to me via Slack, as his company has the Slack Connect feature turned off. But he still got a notification. And, most importantly, he still saw my message in his emails. 

After Motherboard reached out to Slack asking about how the company planned to mitigate the risk of people getting harassed with this new feature, the company backtracked on it. 

"After rolling out Slack Connect DMs this morning, we received valuable feedback from our users about how email invitations to use the feature could potentially be used to send abusive or harassing messages. We are taking immediate steps to prevent this kind of abuse, beginning today with the removal of the ability to customize a message when a user invites someone to Slack Connect DMs," Jonathan Prince, Slack's vice president of communications and policy told Motherboard in an emailed statement. "We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage."

Before this change, a target of harassment would have seen the harassing message in their emails, even if they couldn't respond within Slack. 

When Slack introduced the feature today, it hadn't implemented any features that can help someone who gets harassed. There is no block button or built in mechanism to report the message to Slack or your company's Slack administrator. 

Caroline Sinders, the founder of Convocation Design + Research and an expert in content moderation, criticized Slack's new feature.

"It's irresponsible to build this global feature without having there be any guardrails for safety. By guardrails, I mean basic [User Interface] tooling we see in other social networks and platforms like blocking, like harassment reporting, like keyword muting and blocking," Sinders told Motherboard in an online chat. "All of those tools and features help make people safer. So I think it’s very strange to have rolled out this Connect feature without having created any harassment mitigations around it."

Before Slack changed course, hiding the content of the messages sent via Slack Connect, the company was telling people complaining about the risks that the solution was for administrators to disable the feature.

For Sinders, this was not an adequate solution.

"When you create new forms of messaging, you need better ways for people to mitigate harm, without having to opt in or out COMPLETELY of a feature," she said. "It shouldn't be so binary, is what I'm saying. Because those facing harm will have to turn it completely off."

In an email to Motherboard, a Slack spokesperson declined to say whether the company is planning to add a block feature. The spokesperson also said that the company has ad a Trust & Safety team has been in place since 2016. But, once again, Slack is deflecting the responsibility to moderate its platform, passing it on on the companies that use it.

“Slack is an enterprise software platform for business communication and, similar to other technologies used in the workplace, employers are generally in the best position to support their employees. That being said, if harassment is occurring on our platform and your employer is unable to intervene, we encourage you to contact us via Slack’s Help Center to report your concerns and we will investigate and take appropriate action. For more information on how Slack safeguards the privacy and security of our customers, please visit our Trust Center.”

This story has been updated to add comments from Slack’s spokesperson.

Subscribe to our cybersecurity podcast CYBER, here.