Electronic Frontier Foundation calls out Slack on retention policies – how does Teams compare?

The Electronic Frontier Foundation (EFF,) an international non-profit digital rights group, recently took their agenda to the New York Times, writing an op-ed warning the general public about Slack’s data retention policies.

In what some might consider a scathing article, the EFF detailed that Slack stores all of its users’ messages and everything else shared on the platform by default, unless admins configure optional settings under a paid plan. EFF also detailed that Slack’s data is not end-to-end encrypted, and can be intercepted or read by both hackers and authorities.

Considering that Slack is in use by millions of businesses and individuals across the world, there is a lot to worry about with these revelations. All Slack users simply don’t have fair enough control of their data.

However, we here at OnMSFT are a Microsoft-centric news website. Given the natural comparisons that come with Microsoft Teams and Slack, we also wondered how do Microsoft’s policies compare to Slack? And what happens with your data shared in Teams? We did some digging, and here’s more on what we found.

Microsoft Teams Admins can configure their own retention policies

Slack’s policies state that under all plans, paid or free, it will keep all data by default as long as a workplace exists (unless configured otherwise with a paid plan.) Microsoft’s policies part from that a bit and put admins in more control of data. According to this documentation, all Microsoft Teams conversations are persistent and can be retained forever by default. However, Teams admins do have the choice of configuring custom retention policies.

This can be achieved via the Office 365 Security and Compliance Center. When configured, and when data is deleted, it will be removed from all permanent data storage locations on Teams, with the following three conditions.

• Preservation: Keep Teams data for a specified duration and then do nothing
• Preservation and then delete: Keep Teams data for a specified duration and then delete
• Deletion: Delete Teams data after a specified duration

We created a free Microsoft Teams account using a standard @live.com Microsoft Account and email to see if we would have access to the Security and Compliance Center, but we couldn’t access it. So, it looks as though only if a Teams subscription is covered under Office 365 can admins go on and configure retention policies to delete data. That’s somewhat similar to Slack, as it retains all messages forever by default with free plans.

Microsoft, though, explains that advanced retention policies do not yet apply to Teams chat and Teams channel message locations. Retention policies also can’t go on less than 30 days. That means it would appear as though admins cannot yet set up to delete Teams data on a nightly basis (as you can on paid Slack plans.) Separate retention policies can’t be configured for Teams private chats, and channel messages.

A separate document also explains that Microsoft Teams chats are stored in a hidden folder in the Exchange mailbox of each user included in a chat, and Teams channel messages are stored in a similar hidden folder in the group mailbox. It’s also explained that teams is a Microsoft Azure-powered chat service that will store all data by default forever. Microsoft recommends that admins use Teams location to retail and delete data.

Microsoft Teams has the same encryption as Slack

While companies like WhatsApp or Telegram have come on board with end-to-end encryption, Microsoft joins Slack by using the lesser secure type of encryption policy. According to this support page, Microsoft Teams data is encrypted in transit and at rest. Files in Teams are shared through SharePoint and are backed by SharePoint encryption, and Notes are stored in OneNote and are backed by OneNote encryption.

That brings us back to the second argument from the EFF. Like Microsoft, Slack does not use end-to-end encryption, but rather only in transit and at rest. This means the data is only protected as it moves across the network, and then as it gets stored on a server. Unlike with end-to-end encryption, the data is not encrypted on a sender’s system or device, and not only the recipient is able to decrypt it. Best put by Business Insider, in transit and at rest. “keeps data safer from hackers, but also means that Slack can hand over plain text data over to law enforcement.”

While in transit and at rest is secure, Microsoft and Slack are on the same page with encryption, and could both be putting user data at risk. There have been several user voice requests for Microsoft to use end-to-end encryption in Teams, but we haven’t seen official responses from the company on forums.

Data retention is a problem for everyone, not just Microsoft and Slack

In the world where every device is coming online, and we’re becoming ever so more connected, putting users in control of their data is a big issue. The EFF has a valid point, and the retention of customer data is this is a problem not just for Microsoft or Slack, but for other companies too. A recent report from CNET indicates that Amazon keeps all Alexa transcripts and voice recordings, and will only remove it at the request of a user. Amazon also revealed it shares Alexa requests that involve a transaction. While Microsoft and Slack offer up options to delete user data, be it paid, or free, it’s time we step up for user privacy.