Journalists, Activists: Slack Doesn’t Strip Image Metadata

Slack has become the centre of many journalistic organizations: reporters and editors use it to talk about stories, swap files, and generally run their day-to-day operations.

But using Slack or similar services for delicate work is not always a great idea; lawyers working for Hulk Hogan managed to get hold of Gawker staff's Campfire logs, in part, because the messages are not end-to-end encrypted.

There’s another, albeit slightly niche issue that journalists and activists may need to consider when using Slack: the service does not appear to strip uploaded images of metadata. Depending on the situation and the image itself, this could potentially expose where a photo was taken, or give clues as to who took it; not great if you’re working with a source.

Security analyst Jerry Gamblin recently highlighted the issue in a tweet, and Motherboard verified that Slack preserves image metadata when using the service’s web client. (In a second test, Motherboard was unable to replicate Gamblin’s results, and in a third, metadata was retained, including geolocation information.)

Gamblin said he did his tests using Slack’s desktop client, and security consultant Ryan O’Horo said he tested the issue with the Android version. O’Horo has even written a script to quickly scrape photo metadata from Slack channels.

Slack would not talk on the record about the practice.

As for why this might be a problem, let’s say you’re a journalist working with a source who took photos from inside a government facility. You exchange the photos with your editor in Slack. Before publishing your article, you strip the metadata from the images, and then put a copy in your piece.

But, there is still a version with the metadata intact, sat in your Slack channel, which the government may obtain through legal orders. Details on the camera your source used, or when exactly the photo was taken, are now in the hands of people who want to find this leaker.

A similar sort of thing might happen for a human rights activist who manages to obtain photos of crimes and writes a report about them. The geo-location data in the source’s photos have now revealed exactly where they were.

These are just made-up examples for the sake of argument, and photo metadata from a Slack image leading to a prosecution may seem far-fetched in some cases. Also, if a government goes to the length of obtaining your Slack records, presumably they may just get hold of your laptop and the original copy of the photo anyway.

But, depending on your own circumstances, there is the potential for a security issue there, and it’s something to bear in mind while working in Slack. Or, maybe, don’t put sensitive photos in Slack in the first place.
