Accountable Disclosure of Sensitive Data in Team Chat: The SealedChat System

Authors

  • Sudheer Avula, Independent Researcher, Provo, Utah, USA

DOI:

https://doi.org/10.63282/3050-9246.IJETCSIT-V7I2P118

Keywords:

Accountable Disclosure, Team Chat Security, Sensitive Data Sharing, Auditability, Break-Glass Access, Usable Security, Collaboration Platforms

Abstract

Collaboration platforms such as Slack, Microsoft Teams, and Discord are widely used for operational coordination, where sharing sensitive data such as credentials, tokens, personally identifiable information (PII), and protected health information (PHI) is sometimes unavoidable. In public channels, such data becomes persistently and passively exposed through message history, search, notification previews, and screen sharing. Existing approaches, including data loss prevention (DLP) systems, focus on blocking, detecting, or removing content, but do not provide a mechanism for controlled, accountable disclosure when sharing is operationally necessary. We introduce Accountable Disclosure, a security model that replaces ambient visibility with intentional, auditable access to sensitive data in team chat. In this model, sensitive content is sealed from the channel and revealed only through explicit user action that requires justification and produces a visible accountability event. Disclosure is constrained by time-bounded viewing, shifting the security objective from strict prevention to reduction of passive exposure and deterrence through auditability. We present SealedChat, a system design that realizes this model across heterogeneous collaboration platforms. SealedChat stores sensitive payloads outside platform message histories and enforces disclosure through a secure view mechanism with strict temporal bounds. We analyze how accountable-disclosure semantics can be realized across Slack, Microsoft Teams, and Discord despite differences in platform messaging, interaction, and visibility primitives. Finally, we outline an evaluation methodology for measuring passive exposure reduction, usability costs, and accountability effects in realistic operational workflows, while identifying the platform-specific constraints that affect faithful realization of the model. 
Our approach demonstrates how accountability-driven disclosure can complement existing preventive controls in collaborative systems.
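
The reveal flow described in the abstract, as an added Python sketch (not SealedChat's code and not from the paper). The class and method names, the 30-second viewing window, the minimum justification length, and the in-memory audit list standing in for the visible channel event are all assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class SealedStore:
    view_ttl: float = 30.0            # assumed viewing window, in seconds
    min_justification: int = 10       # assumed minimum justification length
    clock: callable = time.time       # injectable so expiry can be tested
    audit_log: list = field(default_factory=list)
    _payloads: dict = field(default_factory=dict)
    _views: dict = field(default_factory=dict)

    def _audit(self, event, seal_id, user, why=""):
        # Stand-in for the visible accountability event posted to the channel.
        self.audit_log.append({"event": event, "seal": seal_id, "user": user,
                               "why": why, "at": self.clock()})

    def seal(self, author, secret):
        """Keep the payload out of chat history; return the id for the placeholder."""
        seal_id = secrets.token_urlsafe(8)
        self._payloads[seal_id] = secret
        self._audit("sealed", seal_id, author)
        return seal_id

    def reveal(self, seal_id, user, justification):
        """Explicit reveal: needs a justification, always leaves an audit event."""
        if seal_id not in self._payloads:
            raise PermissionError("unknown seal")
        why = justification.strip()
        if len(why) < self.min_justification:
            self._audit("reveal_denied", seal_id, user, why)
            raise PermissionError("justification required")
        token = secrets.token_urlsafe(16)
        self._views[token] = (seal_id, user, self.clock() + self.view_ttl)
        self._audit("revealed", seal_id, user, why)
        return token

    def view(self, token, user):
        """Return the payload only to the revealing user, only inside the window."""
        entry = self._views.get(token)
        if entry is None or entry[1] != user:
            raise PermissionError("no such view for this user")
        if self.clock() >= entry[2]:
            del self._views[token]
            raise PermissionError("view window expired")
        return self._payloads[entry[0]]
```

The channel only ever carries the value returned by seal(); the payload is reachable solely through a view token that is bound to one user and expires with the window.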

Published

2026-04-20

Section

Articles

How to Cite

1. Avula S. Accountable Disclosure of Sensitive Data in Team Chat: The SealedChat System. IJETCSIT [Internet]. 2026 Apr. 20 [cited 2026 Apr. 23];7(2):134-43. Available from: https://www.ijetcsit.org/index.php/ijetcsit/article/view/694
