Guide to Slack import and export tools (slack.help)
635 points by larrik on March 21, 2018 | 508 comments


As head of IT for a company using Slack: FINALLY.

Don't get me wrong--it's not like I want to read your messages and very likely won't. But there are times when I have no choice. A few years back, a group of interns started privately harassing other interns via Slack. The only way to see it was to boot an offending intern from his work station and go into his Slack to see what was happening. We had to make all intern accounts into multi-channel guests after that. Compare that to our email, where I can go into anyone's messages immediately if need be. This is all very standard corporate IT stuff that you need for HR and legal reasons.

Edit: I'll say this is still not an ideal solution. I don't go into private communications unless I have to, and I'd rather have the option to review specific DMs / private channels than dump everything. I really don't want everything; that's more than I care to see. Also, to clarify, I'm in the US and our employees are well aware that communications on company-operated platforms should not be considered private. I want them to be careful how they communicate in writing, not because they should be worried about me, but because they should be worried about Slack getting hacked/leaked. With the recent Facebook news, I should have thought that sort of concern was obvious.


If two people want to have a private conversation, they'll just find another means by which to do it. In the long run, abusing your privileged access to conversations intended to be private (however justified you may consider it to be) will just breed mistrust among employees. I would quit a job that treated me as a child which must be supervised in such a manner.


I hate to tell you this but if you would quit a job for this reason you probably can't work in the US. The US has laws about corporate compliance, and it has requirements for things like dealing with sexual harassment. There is no such thing as a "private conversation" that takes place over a corporate network.

For example, in the US sexual harassment is taken seriously. If a company gets a complaint of sexual harassment on Slack they are legally obligated to look into it, and if they refuse to, the individual managers could personally be held liable for it. This includes situations where the person being harassed isn't directly in the conversation: the above example of harassment over Slack could have evidence of coordination in a different private channel than the ones the harassment target is in.


> There is no such thing as a "private conversation" that takes place over a corporate network.

It's a tech issue, a cultural issue, and a legal issue, but it's harmful that we seem to be forgetting the wisdom of discretion as life becomes more digitized. If the law or culture says "no expectation of discretion", they're just wrong and likely hypocritical.

It's healthy, normal, and appropriate to tell specific things to specific people. If we're worried about abuse, there are other solutions to those problems, like letting the harassed share the conversation later, which they can already do, with screenshots if nothing else.


Discretion still has its place, but that's different from privacy and compliance.

Most admins aren't going to spend all day reading other people's conversations, and good companies have explicit policies as to when they will do so. The thing we're discussing here isn't whether companies should spy on everything their employees do; it's about what happens when an issue does occur where they do need to look into things.

I would not work for a company where I thought my managers were looking over my shoulder at every single thing I was doing, but at the same time I would not refuse to work for a company just because they could look into my conversations if I was accused of wrongdoing.

People are also ignoring another aspect of this: if a company does get sued by an outside party they have to make internal data available through discovery. These laws about corporate compliance also exist to make it so corporations can be held accountable.


> Discretion still has its place, but that's different from privacy and compliance.

It should be, but often digital tools obliterate discretion in the service of compliance or even just monitoring employee work habits.

> I would not refuse to work for a company just because they could look into my conversations if I was accused of wrongdoing.

A healthy workplace needs to solve the underlying issue, here. But there are simple ways (i.e., asking or ordering the employee to send you conversation transcripts) to get the information needed. Managers and compliance officers are reluctant to let the investigated employees know they're being investigated, which I understand, but I don't think throwing out discretion-oriented communication is worth the benefits there.


> But there are simple ways (i.e., asking or ordering the employee to send you conversation transcripts) to get the information needed.

Are you serious? So, someone accuses an employee of abuse and you casually stroll by and ask them to send relevant conversations your way? And you expect them to comply without cheating? Why don't we try this approach with other misdeeds, for example, when someone complains about theft, we just ask thieves to come by the police station with the stuff they stole. Do you think that would work?


Does Sarbanes-Oxley require an audit trail whenever an admin views private communications?


Before tech, witness testimony was the same thing.

Old boys club keeps it "verbal only", but someone blows the whistle and testifies regarding the conversation.

Technology didn't change anything. You can't have a private conversation at work. Period, end of story. If you manage to conceal your communications, not only could you be violating laws (depending on your industry and relevant regulations) but you're likely violating corporate policy and in need of corrective actions.

It's a liability problem for a company if employees are circumventing documentation and potentially covering up crimes.

The way I see it, you have three options:

* Be rich enough to not work

* Get paid by someone who accepts the liability of your work and has the legal right to all of your business communications

* Be the guy paying other people who accepts liability for their work and has the legal right to their business communications

Spoiler: even if you're the last guy, chances are there are lawyers doing the same thing to you.


> You can't have a private conversation at work.

I was talking about discretion, not privacy. Those are two different things. Discretion is controlled sharing of thoughts, ideas, and information. Marking documents "trade secret" is an example of discretion. Trade secrets are not private information.

I'm not arguing that information should be unavailable when a warrant or subpoena requires disclosure. I'm arguing that doing the digital equivalent of bugging every conference room in the building is a toxic thing to do, culturally. If the law compels the bugged rooms, we have bad laws on the books.

Two employees need to be able to have a healthy, discreet conversation about working with the boss without having to worry about a transcript of the conversation popping up in a performance evaluation later in the year.


> Two employees need to be able to have a healthy, discreet conversation about working with the boss without having to worry about a transcript of the conversation popping up in a performance evaluation later in the year.

If you are worried about this, the issue isn't Slack. I don't worry about my boss reading my Slack DMs - I'm well aware of what process would be involved there (my boss would be fired immediately, and wouldn't even have access without Legal involved). If you're worried about your company 'snooping' on you, that's an underlying, unrelated problem.


> Trade secrets are not private information.

Trade secrets are a form of intellectual property. They have legal protections, and disclosing them without permission can have legal consequences.


Note that there's also a difference between work-mandated communication channels (for which there is no "opt-in"--there is a directory with your email address, you're on the list of Slack users, etc) and channels outside of work that you can opt into and out of (you can not give your personal number when the company is big enough for that to be an option, block people when they abuse it, not reciprocate Keybase follows or leave Signal chat groups, etc). A channel that is mandated to be kept open loses some discretion for its users, and the loss of power has to be compensated in some way.

(This is the more charitable way of looking at it, obviously. There are plenty of other reasons things are the way they are, and they aren't all good for us; there is just also this.)


> A channel that is mandated to be kept open loses some discretion for its users, and the loss of power has to be compensated in some way.

Yeah, I was hinting at that a bit. I think tools like Snapchat and encrypted chat clients are reaching for discreet and healthy digital relationships. A lot of the conversation about these tools is about privacy, which is really something else. How someone looks naked is often private. How that biopsy turned out should be shared with people, just discreetly.


That line of reasoning makes no sense. If that were true, then states like California couldn't make it illegal for companies to eavesdrop on their employees (e.g. recording audio, bugging offices). But allowing companies to read direct messages is very, very similar.

Also, what's preventing a victim of harassment from handing over the offending messages? I don't see how this helps anyone.


Recording audio and bugging offices is a completely different matter than reading through already preserved text that exists on company infrastructure (email or Slack conversations). The records already exist in the case we're talking about.

Presumably the victim would share the harassing messages, but by being able to review the records directly the supervisors can gain more information, such as whether the harasser was also harassing others, whether there was coordination between multiple people, or even if the original shared messages were missing some context which would vindicate the accused harasser. There are a lot of reasons why a real investigation will bring up more information than a simple one-sided copy/paste would.


I'd argue that it isn't. I'm not a legal expert, but it seems that it could be argued that direct messages are implied private conversations, and that laws around recording audio imply that private spoken conversations can occur in offices. The fact that direct messages leave a history is merely a side effect that does not suggest that they are any less private than a spoken conversation behind closed doors.

However, I would need to know the actual intent of such laws, which I don't. Let's say that the intent is to allow for private conversations; then that premise also suggests that messages between two individuals (as opposed to ones in a channel) are only intended to be read by those two participants, hence a conversation that is private. Nobody sends direct messages with the intent that they be read by people besides the recipient.

Why would you need a crude one-sided copy and paste? A password, a cookie, or even an API token, can already provide as much information to authorities as would be provided by that of Slack team admins. There is no need for anyone besides the messaging participants and authorities to see someone's DM history, either technically or philosophically.


Well, as you said, you aren't an expert on this and apparently haven't ever been briefed by your company's legal team, and presumably have never been in charge of compliance. So your arguments about how the law works are in this situation pretty useless.

Jumping away from that angle though, there are still a lot of issues with what you are presenting. For one thing you keep referring to "authorities" without defining who those authorities are. If you're referring to the company IT, HR, and Compliance officers then it seems like you agree with us that the information should be available to those people. However, since that would be a bit odd with the rest of the context you're speaking about, I'm going to assume you mean authorities in some sort of government or law enforcement sense.

The thing is that authorities rarely get involved in most of the cases where this information is needed. Sexual harassment is not a criminal offense, it's a civil one: people don't go to jail for it, they lose money from it. Outside of taking reports, these types of things are rarely investigated by authorities in that sense, and there are remarkably different burdens of proof for each of those. Most companies (and individuals, I would imagine) also don't want to make a legal issue out of work ones if they can help it, which means it is often in everyone's best interest to handle certain types of problems in house.

Now, as for the philosophy aspect of things, as long as companies are responsible for managing their own trade secrets, sexual harassment complaints, and security in general, then all company property (which includes conversations on company servers and services) is open to that company. This is why I do not sign up for company phone plans (except when I want a separate company phone and phone number), and why my work computer does not have my personal accounts on it.


You are correct in all of that.

I simply would have hoped that Slack wouldn't give too much control to employers when there are already viable ways of providing message history without resorting to copy-paste. It makes for a lousier product, and it would have prevented me from having candid conversations that involved no company secrets or harassment of any kind.


You might argue that, but you'd lose in a US court (and afaik most other western countries).


The case is that the culture needs to change. Where it is now isn't healthy.


I won't deny that. ;)


> The records already exist in the case we're talking about.

Perhaps it is then illegal to save these messages?


> For example, in the US sexual harassment is taken seriously.

Yeah, we've seen that over the past couple months.


Wouldn't it show up in the receiver's Slack? If the receiver has issues, he/she can show his/her Slack to get the investigation started.


And what if the issue is two employees are using Slack to discuss using a competitor's proprietary information on a contract proposal? Or two employees are discussing how to arrange the books so that they don't receive margin calls while trying to hide large trading losses?

You can't depend on everyone being on the up and up.


Replace "are using Slack" with "discussing at the bar across the street from the office" and what changes about the situation? If the company has an obligation to look into something, they have to look into it. They don't necessarily (and in my opinion shouldn't ever) have the need to, say, record audio of everything you ever do. What does the gray-er area of conversation in the break room at the office look like? What about the darker, gray-er area of conversation in the parking lot before you drive home at the end of the day?

My personal opinion, having avoided the MS IM client at work, is that you never say anything in writing that you wouldn't walk into the CEOs office and say to him in person. Chat of any kind, Slack included, is "in writing" and will have the same full force legal effect as email, so who's honestly surprised by this news?


> Replace "are using Slack" with "discussing at the bar across the street from the office" and what changes about the situation?

That the conversation is no longer happening over a company-sanctioned and controlled communications system? Seems like a pretty clear difference.


This idea that, because you can't perfectly stop something, you shouldn't try to do it at all is madness. Yes, they could get around it. But in this situation, they're not.


Hopefully they would choose their own phones to arrange a corporate takeover.


Yes, well "hopefully" the opposing legal team won't sue you back to the stone age, but hey, it's best to take precautions.


Do you think you will go over every single DM to see if your employees are doing this? That's an insane amount of time wasted. How do you think you will capture all of that? AI? Good luck. We had a system in my previous job that highlighted conversations which had keywords and we just abused it by mentioning those keywords constantly in "relevant" contexts. And if you really wanted to get the password (one of the monitored keywords) you'd just say: "Can you give me the details for ..."


You're missing the point. You don't actively monitor it, you record it so that later you can go back and review those conversations in the event you are required to by law. I don't know where you've worked, but this is standard in any sizable company, or any involved in particular industries, and is not that difficult to arrange. There are specific legal requirements to keep records of certain types around for 2, 5, 10+ years, whether it's email, chat, file servers, etc. And yes, that includes Slack.

Why do you think Slack is any different than the systems that we have in place already? What makes Slack any different from email? Answer: nothing.

And if Slack didn't do this, they'd eventually find themselves filtered out of nearly every corporate network due to the inherent legal risk.


We may have already hit peak Slack, but for folks that don't already know, most folks use something like Signal for anything you want to keep private.


Doesn't the same logic also apply to internal phone calls?

Or is the main point here about giving access to data that has been collected already and not requiring the business to collect this data? If, for example, the instant messaging solution used didn't keep any log files, what problems would arise for the business? If any arise, why would phones be exempt? Or do businesses in the US really record all internal phone calls?


> If two people want to have a private conversation

Your response is based on a false fact: that anything you use official company communication channels for should be considered private.

HR functions can and will access such communication to investigate complaints about behaviour and similar. Compliance and legal functions can and will access such communication to investigate complaints relevant to them. They can, will, and often must provide access to such communication to relevant external bodies (legal authorities, regulators) under some circumstances too. Heck, in some regulated environments compliance functions are required not just to view your communications for specific reasons but to actively monitor them for certain activity (if they fail to do so they could be liable for punishments for a due diligence failing). For instance our email is monitored to block distribution of client data, accidental or otherwise.

If you want a private conversation, use a truly private channel, not an employer provided/related one.

> they'll just find another means by which to do it

The fact that people will find a way around rules, restrictions, and monitoring is not a good reason for not implementing such rules, restrictions, and monitoring in the first place.

If the private conversation is in no way a problem then, well, there isn't a problem.

If it is something that would cause the participants trouble if performed over an official channel then when/if the matter does come to light it shows malice aforethought and planning (i.e. that the participants knew they were in the wrong and took specific action to hide their behaviour rather than correct it).

> I would quit a job

In many (most?) industries you would not even get a job without explicitly agreeing to the fact that your communications using employer provided/related services can be accessed by some functions of the organisation and distributed to external authorities, so you would not be in a position to need to quit.


That is only according to some law systems though. It does not work like that at all in many European countries. For instance in France the employer cannot read any private conversation (mail/message) of the employee, even when using work email. And no internal rule can change that (it is a criminal offense). If the employer suspects a leak of information by the employee, they can read the message in presence of the employee and a union member, and only in those circumstances.


> If the employer suspects a leak of information by the employee

or if they suspect any other illegal activity.

Even in EU countries where arbitrary inspection/monitoring is not permitted wholesale, there are exceptions where regulatory or other legal requirements trump privacy. Though often there needs to be sufficient suspicion of something worth looking for, I still wouldn't count that as a truly private channel (nor would I expect my employer to provide me with one).


But as I said even in those cases the employee needs to be present when the employer accesses private messages, in addition to a union member. So as an employer you cannot just sneak in and check what has been said, it has to be public. Which I think greatly mitigates the risk. It is not a secret conversation like you would have between lawyer and client but it is rather private.


> I would quit a job that treated me as a child which must be supervised in such a manner.

Are you replying to the right comment? From the example given, it seems no action was taken until the parties involved proved such supervision was necessary.


No one is watching you or treating you like a child. This is important for security and legal reasons.

Insider threat is a serious, real world problem - consider employee harassment, exfiltrating data, sharing secret information, a compromised slack account DM'ing people malware, etc.

No one wants to read your messages, and it's probably a small set of people that even can.


You had better work for yourself then. eDiscovery is a thing, and employee preference will never trump a judge's order.


So what would your solution to the OP's problem be? If harassment is happening, I expect the company has some legal requirement to act. I also expect that you support the company making a safe workplace. How does the company do that if it cannot verify that something is actually going on? Just blindly believe the accuser without confirming if it's true? Just disbelieve the accuser? Tell them to work it out themselves?


Ask the harassed person to show their slack to start with.


And if the harassment itself wasn't over Slack, but just the discussions of it between 2 harassers, then what?


> abusing your privileged access to conversations intended to be private (however justified you may consider it to be) will just breed mistrust among employees

Abusing your privileged access?!? You do realize some of us are required to access those communications for a variety of reasons especially because a threat is happening? Also, I don't get a choice when the lawyer shows up and says we need to look at X's account.

> I would quit a job that treated me as a child which must be supervised in such a manner.

Well, that might save me a bit of trouble, but at the point I am asked to look at your account, I get the feeling you are on your way out anyway or will shortly have a lawyer or the police contacting you.

The communication systems you use as an employee are not yours.


While I sympathize with that concern, I do really believe that actively preventing employees from employing natural means of 'private' conversation is squarely in the 'panopticon' sphere of employment. I find it difficult enough that people can be 'owned' for full work weeks as far as their physical presence, but I suppose I'm pragmatic enough to accept that this is the status quo. But the thought that they are actively monitored during this time, preventing them from even private venting and communicating in a way that is not monitored, is much harder to accept.

We're talking about people here. While I personally have never understood how anyone can accept being under the thumb of an employer for such long periods of time out of their productive years, I've learned to see that this is bearable within the relative freedom that this usually entails (complaining about x colleague, grumbling about the boss with the support staff, after-work beers with a manager who grumbles about his manager). I truly cannot understand how one can have a dignified life as an individual when all your forms of communication are being watched by your overlords.


Yeah, we are talking about people here.

You think I like any of this? Do you really think I get my jollies from looking in someone's e-mail to find a picture they e-mailed another employee that is so far into NSFW that it is sickening? Or the fun of finding out how some employee is plotting with others to make life miserable for someone else? I would prefer people keep their crap off the servers intended to do business.

We have folks here who have argued that a remark at a conference should get someone fired from work. We are talking about something owned and operated by a company that they will be legally liable for unless they are vigilant. Something that hits the press and people will be saying "why didn't the company know?" and "how could they not stop it?". Yeah, we are talking about people here. Companies get sued and people lose their jobs.

Never mind the professions that absolutely have every communication logged and monitored.

If you want something the company cannot look at then use something outside the company. It's really that simple[1]. It's really simple: if you don't pay for it then it is not yours. If it's not your computer then don't expect privacy.

I still cannot understand the folks who want to use stuff from work systems even when they are not work related. Have your own life, interests, and stuff. You are trading your time and work for money. Don't give companies something beyond what they pay for.

> I truly cannot understand how one can have a dignified life as an individual when all your forms of communication are being watched by your overlords.

If your place of employment owns all your forms of communication then you have a lot more problems beyond this.

1) well, unless you get into something really nasty and the court discovery orders start flying.


I can't seem to edit my comment, so I'll comment on my comment instead:

To put this in a broader perspective, because I'm tired of the comment-sniping that doesn't seem to lead anywhere:

I find myself already a bit uneasy with the whole idea that an individual can write away their freedom to spend their daylight hours tethered to an employer to the point where their every (productive, sunlit) hour needs to be accounted for.

At the same time I can understand that this is how things are, and we are trying to be human within that sphere, and perhaps for many this is not so bad as long as they can live in a microcosm of society within this world. That includes gossip, complaining, semi-secret conversation, and even romance (while that's often not smart).

I'd really prefer to engage with those who employ and get to dictate the behavior of said employees, instead of comment-sniping where we never bridge that 'gap' between me, a self-employed individual (because I reject all that), and someone who actively is 'in charge' of people who submit to it.

I do realize that my wording in itself is not neutral, but I hope acknowledging that helps bridge that gap a bit at least. And I have counted those 'in charge' as friends in the past, plus I know I'm not a typical 'person', so I'm open to learning to understand this whole thing.


Threats are hardly a good reason for mass surveillance.


It's not mass surveillance. It's compliance with the rules governing preservation of records for legal discovery.


These are preserved by the participants of the conversation. A third party shouldn't have any hold on it.


> because a threat is happening

because an "alleged" threat is happening. Still, cause for gathering evidence, sure.

> I don't get a choice when the lawyer shows up and says we need to look at X's account

And now with this, they'll use a different communication method that you don't have access to and now you're back to square one. The best you can hope for is that they're ignorant of these changes so you can catch them.

> ... at the point I am asked to look at your account, I get the feeling you are on your way out anyway or will shortly have a lawyer or the police contacting you.

ah, guilty until proven innocent

> The communication systems you use as an employee are not yours.

This is true, and I don't think Slack is necessarily wrong in providing this access - but you shouldn't assume that communications that the user doesn't want the company to be privy to are necessarily malicious or illegal.

If you are having legitimate complaints about your job and you want to vent or validate your concerns before proceeding, you might want to have a private conversation with a coworker - and you might legitimately be afraid that your unfiltered, undiplomatic private conversation might be taken out of context or retaliated against.


You made many good points, but I'll take issue with this one:

> If you are having legitimate complaints about your job and you want to vent or validate your concerns before proceeding, you might want to have a private conversation with a coworker - and you might legitimately be afraid that your unfiltered, undiplomatic private conversation might be taken out of context or retaliated against.

If you were retaliated against for your legitimate complaints in private Slack conversations (via firing, harassment, etc) then the records could be subpoenaed for you to prove WHY you were being targeted.

It works both ways.


The company isn't a court; "alleged" is plenty enough for the company to look at the communication system it pays for to figure out what is going on. It has a communication system to communicate about business.

> And now with this, they'll use a different communication method that you don't have access to and now you're back to square one. The best you can hope for is that they're ignorant of these changes so you can catch them.

Good, then it's security and HR's problem. We tell everyone we own the communications systems (it's even in the employee handbook).

> ah, guilty until proven innocent

Yep. Welcome to the corporate environment in the US. Frankly, if they think you used the company e-mail / Slack to do your activity then I don't think we are dealing with Moriarty here.

> but you shouldn't assume that communications that the user doesn't want the company to be privy to are necessarily malicious or illegal.

Then use your own non-company communication system (e.g. text, home e-mail) or go to lunch - how hard is that?


It would make a lot more sense to take your unfiltered and undiplomatic private conversation to a nearby private establishment. If you are remote and cannot do this, I would simply use a phone not supplied by work. This is for your protection and whoever you bring along to vent. There have been at least two occurrences in my career which have forced my hand on employee communication and in both cases, a blanket refusal was not an option. If you don't want to say something publicly, don't assume anything your company pays for is private until our society changes its views on where the expectation of privacy exists.


> The communication systems you use as an employee are not yours.

Yes they are. I work as a contractor, remotely, using my own personal equipment, my own personal email account, and either my home internet connection or that of whatever coffee shop or co-working space I happen to be in on any given day. My clients are all located in other cities and countries and lack a physical presence where I live. I've never had any complaints about these arrangements (yes, I do realise I'm very fortunate to be able to work in this manner).

I also work for multiple clients. Allowing one of them access to all my work-related communications would involve violating the confidentiality agreements I've signed with the others. Should I be required to divulge the trade secrets or intellectual property of one client to another to satisfy a corporate IT policy? And if I have a personal conversation with someone, which client(s) should I share that with?


> Should I be required to divulge the trade secrets or intellectual property of one client to another to satisfy a corporate IT policy? And if I have a personal conversation with someone, which client(s) should I share that with?

Contractors are always in an odd position, but it's pretty logical and a lot easier these days. If I was a contractor again, I would probably put my communications and project files on a VM of their own[1]. You should have a procedure to clearly separate your time, communications, and work product for each client. If you are using your company e-mail then separation is well understood by lawyers. I would make sure to have separate Slack accounts per client.

1) This assumes I am not assigned a PC and accounts by the employer because it's a staffing position instead of a work product arrangement.


Hope this doesn't sound too harsh but your reply comes off as extremely self-centered. What about looking—at the very least—at it from a legal perspective? It's not like lawsuits and aspects related to discovery haven't been in the tech news lately.


It’s sad how many bullshit decisions were bulldozed by the “because legal” excuse. By that logic everything should be recorded everywhere — including bathrooms.


Sure, but then the communication doesn’t happen in the space where your boss is partially responsible for what's happening there.

It’s very simple: use your employer's tools and networks only for business stuff, do personal stuff unrelated to work in your own networks and software...

Besides that, just in case you didn’t notice, the original poster did not say he's reading employee private messages for fun, but only to act as law prescribes.


Nobody can or should stop you from finding private spaces to talk to fellow employees -- but you have to provide the space yourself. Slack is part of the work environment being set up for you by your employer, so they're responsible for being able to make sure that it's free of harassment and illegal activity.


> would quit a job that treated me as a child which must be supervised in such a manner.

Then you should be prepared to be permanently out of work.

You are NOT entitled to private communications on company-sanctioned channels. Full Stop. End of story. This isn't an issue of "trust" or having faith in your employees, but this is how business is done.


The company should not provide funding for a channel used to harass people.

You're being a shit if you trivialize harassment in the workplace, but you are being an idiot if you are paying for the tools used to hide it.


Hey, don't let the door hit yourself on the way out. There are very valid legal reasons for a business to need at least the option for discovery, e.g., legal suits, fraud, violation of trade secret or export controls, serious employee harassment, etc. This goes for chat just as much as email or anything else electronic. If you think this is "treating you like a child", well, perhaps you are the child.


> If *two* people want to have a private conversation,

Emphasis is mine. If one person can have a private conversation with an unwilling participant, that is entirely different. I have worked in places with heavy logging requirements, and for sure we created ways to have private conversations. The point is that everyone in these private chats was a willing participant, and could leave if they wanted.


>I would quit a job that treated me as a child which must be supervised in such a manner.

Did you miss the part where the interns were acting like children?

>A few years back, a group of interns started privately harassing other interns via Slack.

We're all proud of you for making this top comment thread about your own ethical stand, let's give peterkelly a big round of applause!!


> I would quit a job that treated me as a child which must be supervised in such a manner.

Agreed this can lead to abuse. But investigating employee behavior while using employer provided communication platforms doesn't immediately fall under abuse. No more than police subpoenaing phone records during a criminal investigation would.


I think one of the side-effects of this is that there are other slack teams created to help keep communications among colleagues private-ish. This leads to cliques and tends to isolate new employees who may not yet be in those "teams".


Well, that's only if the person actually knows that the conversation isn't private.

I would also like to point out that the person you were responding to was talking about interns, so they were arguably 'actually' children.


If you're required to be on Slack to do your job, then your employer is obligated to make sure going on Slack is safe and free from harassment. You can't just sign off or block other employees.


Where are you getting abuse of access from the prior comment?


I mean, if you're using that capability to harass other employees, as the interns in the story were, then yeah, you deserve to be treated as a child, because you basically are.


> Only way to see it was to boot an offending intern from his work station and go into his Slack to see what was happening.

Why couldn't you just ask the recipient to look on his station?

> We had to make all intern accounts into multi-channel guests after that

Are 2 interns ever allowed to be alone together? I mean it's essentially the same, you are saying they can't be trusted so either you always need them in groups of 3, or you should put cameras everywhere with microphones...

I am glad that you are serious about tackling abuse, but more monitoring and rules about congregation are not the right solution imo.


You are assuming that harassment was direct, sending messages to the accusers. My impression is that this was a group chatting privately about the accusers either making fun of them or coordinating actions.

While this can be done through other channels (in person or private cellphone) allowing it on corporate infrastructure without monitoring is not acceptable.


If harassers, as you have mentioned, can simply switch to another channel, then what problem exactly is this measure trying to solve? I'm honestly confused.


Ass-covering. It should've been obvious as soon as HR was mentioned that this isn't about helping employees, harassed or not.


Before this change, would the company have been liable for harassing DMs on Slack, an unaffiliated service where they previously were not able to read peoples DMs?


> an unaffiliated service

Unaffiliated? The company is a customer that is paying Slack for a messaging service, that certainly isn't 'unaffiliated'.


Friction. Yes they could use PGP messages. But most people are idiots and use the systems that are available and simple. If somebody needs to think "I've got to go through these extra steps to be an asshole" then they might think twice in the first place.


No need for PGP. Using any other messenger that won't give private information out for no reason would be enough.


It increases the friction of harassment


No it doesn't. It literally just removes liability from the corporation.

If you've ever dealt with toxic work relationships, you know that stopping harassment isn't going to come down to how you are allowed to pass notes.


Because you could just forbid employees from using such other form of communication at work.


Now the harassers are doing more and more to harass and leaving more evidence behind. And you have a more compelling case, "they were on Slack, they were on email, they were texting, they set up their own ICQ server..."


What's stopping the harassers from setting up a secondary Slack install for coordination of such nefarious ends?

The only use I can see for this would be evidence after the fact. Surveillance is almost never the proper way to enforce acceptable standards of behavior.


> What's stopping the harassers from setting up a secondary Slack install for coordination of such nefarious ends?

Company policy for one could be applicable.

You’re missing the point though, what you do with non-company provided tools is held to a different standard from officially blessed and sanctioned ones.


In that case, that would be absolutely none of your business. You're making assumptions and jumping to conclusion about what went on.


>> Only way to see it was to boot an offending intern from his work station and go into his Slack to see what was happening.

> Why couldn't you just ask the recipient to look on his station?

This is probably exactly what happened? I'm guessing they didn't physically pry the unwilling intern from his seat like he was a passenger on United.


Not to be contrarian here, but could you offer a solution given that you've thought about this?


Did you miss his first (the second) paragraph?


I don't know about parent, but I did notice that! I saw it clearly written there. I read it and understood it. I understand that the person who wrote it believes it is sufficient to cover all relevant needs.

I would posit that this person may not be familiar with the importance of collecting evidence against possible future needs. An IT manager's testimony from memory, no matter how perfect, is not as useful as evidence collected in a technological manner at the time of offense.

With that in mind, walking over and looking at the intern's screen might be considered by some to be less than a full replacement.


No need to recite from memory when the log is trivially viewed or copied at a later date.


You're right! The log can be easily viewed or accessed later. This of course occasionally requires an annoying amount of screwing around with reactivating old accounts, resetting passwords, and so on. Irritating, but of course a price well worth paying for employee privacy.

With that said, is it perhaps possible that direct access is preferable for reasons other than sheer laziness? Chain of custody and provenance both come to mind as items that some enterprise users of Slack might find worthy of consideration in some circumstances. This is obviously not nearly as important as employee privacy, but still...


Reactivating accounts would only need to happen if the accuser had left immediately, which doesn't seem likely.

I think it is just that big companies have a way of doing things, are paying the bills, and employee privacy is close to last on their priority list—far behind CYA. They don't care that there is another potential solution.


A person leaving a company after filing a harassment complaint strikes me as very likely. I personally know people who have done very precisely that. It's a very common scenario in large companies.

Having personally dealt with some of those companies and situations, I can tell you quite simply that people are definitely aware that there are other potential solutions. Such approaches are seen as not adequate for purpose. The reasons for this judgment are not merely arbitrary or capricious. They are broadly quite sound and reasonable, and I touched on them above in an effort to give you an opportunity to grow in your understanding of those you disagree with.

And yes, as you say, companies are far more interested in limiting liability than they are in employee privacy on company-controlled systems. It's not, as some might suggest, that employee privacy is not valued. It's a question of priorities, and companies tend to place being able to defend themselves and control their risks adequately over an employee's right to leverage their privacy and incur liability for the company.

Though I understand why some might prefer to dismiss the above and think of it as just another example of big, stupid, corporate laziness and refusing to consider alternatives.


Here's where you made a detour, agreeing and disagreeing with a side order of condescension.

A significant portion of folks stick around for a long time in a poor situation as it isn't so easy to leave a job at a moment's notice. For those that don't there is the simple matter of not deleting everything. Nothing is actually deleted any more anyway. Brave new world.

Big, stupid, and corporate are synonyms, government too. It goes with the territory of any large group of humans. As they grow they get dumber and further out of touch until they are overturned by a smaller, nimbler version where the process is repeated in Innovator's Dilemma fashion.


You have to ask why they wouldn't want to talk to an individual suspected of wrongdoing? Why look at security footage, when you can "just ask" the suspect?


You misunderstood. The accused may not be willing to cooperate, but the accuser probably will.


The recipient isn't suspected of wrongdoing, they're on the receiving end of the abuse.


I wish a compromise between willy-nilly dumps of private DMs and their Compliance Exports could have been found. As a user who is not the head of IT this is frustrating. Now frank discussions have to go back to out-of-band channels.

If anyone thinks this won't get abused, think again. I've worked with IT folks of all shapes and sizes over many years and a tiny percentage do abuse the privilege. Including heads of IT. And those are just the ones I know about.


I mean, how do you think your email is handled? Your internet traffic? This stuff has been monitored and recorded by companies for decades, why would Slack be any different?


I'll agree that a whole dump of data is not the ideal solution to the problem here.


Unfortunately the US is a surveillance state.


> "Compare that to our email, where I can go into anyone's messages immediately if need-be. This is all very standard corporate IT stuff that you need for HR and legal reasons."

Wow, THAT is highly illegal in Europe.


I was under the impression it WAS legal in Europe as well after being litigated to the Court of Human Rights[1]. The requirement is simply that they inform you ahead of time that they can (and will) monitor your email.

In the US there is usually a form you sign at your hiring that says you understand the company may monitor your email. It is couched in terms like "to ensure compliance with laws and company policy" but the actionable part is that they assert the right to monitor it and you agree to that (or you don't work for them).

[1] https://www.nytimes.com/2017/09/05/business/european-court-e...


Note that the ECHR has jurisdiction over the European Convention on Human Rights, which is attached to the Council of Europe, which is a pan-European organization that provides the "lower end" of protection in Europe. Even Russia is a member of the COE.

The EU, on top of requiring COE/ECHR membership provides additional protections under the EU Charter of Fundamental Rights. The highest court for EU law is the European Court of Justice, not the ECHR.

Then on top of that, a number of EU/EEA countries have much stricter rules, some are outlined in the article.

So it's technically right in that it is legal in signatories to the ECHR provided they are not covered by other, stricter rules via one of the other routes, and many are.


We're US based, and it's very explicit that we can and will do this if necessary. We state clearly to all employees that the computers and accounts we give them are not theirs and are subject to monitoring. Thankfully, it's almost never necessary.


Certainly illegal in Norway. Hell, I've heard stories of corporate networks up here that MITM all their computers for security monitoring, and where the admins routinely see evidence of searches for sketchy pornography, but can't legally do anything because this kind of surveillance of your employees is illegal.


This isn't exactly true. Employees do have a higher right of privacy even when using company resources than they do in the US, but monitoring is allowed within certain parameters, and that can include searching email or other "private" storage spaces.

Companies must still be able to comply with eDiscovery and data preservation requests from various police agencies (such as Økokrim), and these may be performed without informing individuals that it is happening.


>Compare that to our email, where I can go into anyone's messages immediately if need-be

The only opening for reading employees' communications that I can find by some quick googling, are (1) if there is good reason to believe that information contained there is required to keep the concern going or (2) if there is suspicion of serious dereliction of duties. And even then, there is a significant checklist required in order to do it legally. (Obviously, legal police requests can be fulfilled without necessarily alerting the owner).

My point being, this is a far cry from legally being able to go into anyone's communications immediately if need-be.

Are you aware of further openings than this, apart from the obvious in the case of a court-ordered request? I am basing this on the statement from Datatilsynet at https://www.datatilsynet.no/rettigheter-og-plikter/personver.... General monitoring would seem like a big no-no.


Datatilsynet's statement actually does give quite a bit of leeway, but I do agree that you can't just monitor without reasonable suspicion that the employee is acting improperly.


No. Different EU countries have different laws and many different gray areas.

Intercepting messages on a medium that is clearly meant to be private is usually illegal.


In France the current legal viewpoint is your company can open your emails/files except if the subject/body explicitly say it's private.


In the UK they're allowed to monitor work email[0]. I'm not sure how that compares to the rest of Europe.

In financial services they monitor all kind of chat rooms, especially after the LIBOR scandal. Every chat I open gives me a disclaimer saying that chats will be monitored.

[0] https://www.citizensadvice.org.uk/work/rights-at-work/basic-...


Really? I like to consider myself much more privacy-minded than most, but I would expect an email assigned to an employee to be used for official business purposes should definitely have a paper trail that higher-ups can audit if necessary.


I don't think so. The employer has all the rights to look at company emails, there is no right to privacy when using the company's email addresses. There are quite recent verdicts in Germany IIRC, considering if it was unlawful termination if your employer uses information gathered from your emails as reason for the firing. Looking at the emails in the first place was totally lawful, IIRC.


Please state the relevant law that it'd be breaking, I'm genuinely curious. Compliance tools are built into most cloud and enterprise offerings that allow this. Do you not have experience of enterprise/cloud email offerings?


At least in Switzerland and Germany, I thought they can record, and, in case of legal case, also read your emails provided that it is expected to give strong supporting material for the case.


Well...most work contracts I've signed said something like "working here is not mandatory and we may need access to the mailbox (which we're providing to you for your work duties), such access cases are logged and externally audited. Sign here to agree, take that door to disagree." As long as this is agreed beforehand, I'm not aware of a European state banning it - this is somewhat different from "let's go digging around the computers out of curiosity". (I am in GMT+1, for the reference)

I've seen a situation where this was invoked - employee was fired for an unrelated issue, only kept some documentation in their inbox for whatever reason. Without such a provision, our options would have been a) legally questionable, b) up shit creek sans paddle.


In most of Europe what the employment contract says must be compared to local law - it varies greatly how many rights you are able to contract away in an employment contract.

E.g. while employment contracts in the UK are often fairly long, employment contracts in Norway can be as short as a couple of paragraphs, as almost all the terms are regulated and are costly and/or difficult to deviate from for most roles and most additional terms you might add will be null and void.


True. I have misread "this is illegal in Europe" as "anywhere in Europe" rather than "in Europe there exist such jurisdictions".


Europe consists of plenty of countries, all of them different. It seems like statements on HN about how it is "in Europe" are usually Americans writing fan fiction about some never-never land.


Usually people mean the EU, and there is lots of EU level law.

They even do it in the UK, which is weird "Here in Britain, we drive on the left, and in Europe they drive on the right"


> Europe consists of plenty of countries, all of them different. It seems like statements on HN about how it is "in Europe" is usually Americans writing fan fiction about some never-never land.

Yes, this is a common trope on HN (and the Internet in general). People have selective memories, and it's easy for people - unintentionally - to remember the most favorable laws from individual countries, stitch them together in their minds, and then form perceptions on the composite image. It's generally not conscious, but it happens pretty frequently.

And in some cases - such as this one - people are just flat-out misinformed about the situation in Europe. (As pointed out in other comments, this is legal in the EU, subject to comparable restrictions as it is subject to in the US). It's not surprising that a feature Slack is marketing specifically to business users is, in fact, legal for businesses to use in one of their largest markets.


Hadn't thought they were actually Americans, since it's usually critical of the US. That explains why they never mention which country they're from.


> Wow, THAT is highly illegal in Europe

No, it isn't. https://www.nytimes.com/2017/09/05/business/european-court-e...

To wit: “Today’s ruling is fairly clear in how it outlines the parameters of monitoring employees,” said Stephen Ravenscroft, a London-based partner specializing in employment law at White & Case, a law firm. “It won’t be sufficient for employers to have a general policy permitting monitoring — the policy will need to be much more detailed, outlining why, how and where employees may be monitored and explaining how any information gathered through monitoring may be used.”


From that article:

> In an 11 to 6 ruling, [the ECHR] found that Mr. Barbulescu’s privacy rights had been violated [after he had been fired for sending personal messages using his corporate account].

and

> Furthermore, the chamber found, Romanian courts did not sufficiently examine the company’s need to read the entirety of Mr. Barbulescu’s messages, or the seriousness of the consequences of the monitoring, which resulted in dismissal.

and

> The chamber ruled that countries should ensure that companies’ efforts to monitor employees’ communications are “accompanied by adequate and sufficient safeguards against abuse.”

So at least it's a more nuanced view than "I can go into anyone's messages immediately if need-be".


Given his username he may well be from Europe.


One might argue that this is exactly the reason why Slack should not have made this decision.

Inevitably, some communications channels are audit-able and some are not. Modern employees (being modern people) use a lot of channels. They call each other, SMS, Whatsapp, Slack, email ...sometimes people even talk. Companies have only partial control.

Anyway, harassment or other misbehavior can happen on any of these. In some cases (like your intern case) companies have to audit, if they can.

Can Audit = Must Audit

If Slack gives employers the option to read messages, they've given employers the responsibility to do it.

It's not cut and dry. You could argue that companies won't/can't use Slack unless they can read messages. This is doubtless true in some cases and I imagine Slack has its eye on these cases right now. But, I think it's hard-ish to argue the magnitude is all that big today.

Companies did use Slack before this feature existed, including yours.


> "This is all very standard corporate IT stuff that you need for HR and legal reasons."

there's the problem right there.

(1) need =/= want. you want those things to cover your butt. you're not entitled to them. do you really want to live in a surveillance/nanny state?

(2) the legal system can't save every person from negative consequences, nor can it truly compensate for negative consequences without other negative actions. stuff happens. let's be adults and sort them out ourselves rather than hoping some (imperfect) higher power can do it for us.


Instant messaging is used to express instant thoughts. Instant thoughts can be used against you if accessible by the employer. So why use instant messages over email if you need to think through your instant messages in Slack anyway, like you do with emails? Let's use emails then.

I think most people will only learn the importance of privacy after having been affected personally.


> Only way to see it was to boot an offending intern from his work station and go into his Slack to see what was happening.

Couldn’t the complainant show their history or screenshots? Going through peoples messages is a bit yuck, even if they are horrible individuals.


You are exactly why we should all be extremely careful with what we communicate on the work network.

By "you" I don't mean you personally of course, what I mean is IT in general.

You might be ethical enough to not abuse your new found privilege but who is to say that the next guy won't?

I believe all employees should refrain from posting personal and private things on a company network or any related device for that matter.

You never know how this data can be misused.


Why can't the recipient save a copy of logs?


Provenance. I can doctor my local logs just about as quickly as I can type. True, it's a bit harder than some people estimate to keep the whole thing coherent, but that just means that you hear about the people who get caught, but not the ones who do it successfully. If I am capable of doctoring Slack's copy of the logs with sufficient effort, it is certainly orders of magnitude harder and much legally riskier (as I would be committing many felonies in the process).


That's easy to disprove, though. Make them log into their Slack on a new computer, and they'll have no opportunity to doctor them.


It's got enterprise auth, they could just as easily login to the Slack account themselves. ¯\_(ツ)_/¯


The parent I was replying to said they ought to keep the Slack logs themselves. If they're logging into Slack to get them, then it is Slack doing the keeping and we're back to Slack doing the storage.


What is the material difference between having employees save DM logs in an auditable, authenticated way and being able to view employee DMs?

If any employee can ostensibly be compelled to provide their logs when asked by their employer, you are getting just as much information as if IT can view them directly. The only way IT doesn't get as much information is if the system doesn't work, for example because employees can alter their logs or simply refuse to provide them. In that scenario having employees saving their own logs gives you more privacy, but doesn't solve the essential problem.

The tradeoff here is convenience of access versus friction. When you are reviewing an auditable log of information related to an employee, you don't necessarily want to have to ask the employee for that information, nor do you necessarily want them to know you're reviewing it.


> What is the material difference between having employees save DM logs in an auditable, authenticated way and being able to view employee DMs?

> When you are reviewing an auditable log of information related to an employee, you don't necessarily want to have to ask the employee for that information, nor do you necessarily want them to know you're reviewing it.

You just answered your own question.

You might not want them to know you're reviewing it but they most certainly do want to know that you are.


> You might not want them to know you're reviewing it but they most certainly do want to know that you are.

Of course they want to know. Everyone wants to know. But if they committed a crime, or at least are complicit in a lawsuit the company is facing, their desire for privacy on an information channel they don't own is irrelevant.

I don't understand why this is controversial. When the SEC, FBI, local police, opposing legal team, etc. want you to hand over information about an employee, having to ask the employee directly or even let them know is problematic.


Then Slack should (and indeed, does) have special processes for handing over private conversations when served with a warrant, subpoena, court order, etc. "The FBI should be able to do it with probable cause" and "your employer should be able to do it whenever they feel like" are radically different.

And I don't disagree that the company owns it and should have the right to do whatever they want with the things they own. But the employees should also have the right to think that's shitty, and companies should have the ability to demonstrate their lack of shittiness to their employees by configuring their environment in such a way that a higher barrier exists to snooping. This change doesn't actually make a new thing possible; Slack had a "compliance mode" before that companies could opt into, but it wasn't the default, and users were notified if it was enabled. This change just limits companies' abilities not to have snoop mode turned on.


Maybe I missed some context but since when are we talking about committing crimes and the SEC or FBI getting involved? If it's that serious I assume they'd just get a warrant and get the logs directly from Slack.

To me that scenario is completely unrelated to the ability of an employer to silently read DMs of their employees for any reason they see fit.


Don't you think some companies need the ability to investigate things their employees are doing for the specific purpose of bringing it to the attention of government agencies PRIOR to warrants being issued and PRIOR to pissing off the entire federal government?


No? I'm being serious when I say this idea is absurd to me. If you have a serious level of concern about your employees doing something illegal then why are they your employee in the first place?

If you are going to use "We need to be checking for illegal activity" as a justification, why stop at DMs? Why not ask your employees to always be carrying around a recording device that is constantly sending their verbal conversations somewhere where they can be electronically filtered for suspicious keywords? Obviously that's crazy and I'm not saying anyone is suggesting that or would support that, but what exactly makes that scenario over the line that doesn't apply to DMs?

I'm assuming the answer is "expectation of privacy" or the lack-thereof for DMs, and I guess my response would be that we should go back to an expectation of privacy for DMs also.


> If you have a serious level of concern about your employees doing something illegal then why are they your employee in the first place?

Because “we don’t hire criminals” is not sustainable, just like “we only hire the best engineers” is not realistic. Strive for the best scenario and prepare for the worst.

> I'm assuming the answer is "expectation of privacy" or the lack-thereof for DMs, and I guess my response would be that we should go back to an expectation of privacy for DMs also.

But why? Why do you feel you’re entitled to privacy for your activity if it’s conducted over a communications medium in a workplace, owned by your employer and intended for work-related use? Your rights are guaranteed in the context of government transgression, not in the context of arbitrary corporate policy. For example, “freedom of speech” is not a meaningful right in a workplace setting either.

Your personal rights are not globally applicable in any context. You have avenues available to you for private communication if you’d like, but companies (rightfully) do not want to be responsible for that communication. They want to be responsible for workplace communication. So if you want a private chat, have a private chat outside of Slack. It’s very simple and straightforward.

Workplace communication channels are not intended to be, nor advertised as, safe harbors for digital privacy. You can have those, but companies have every right not to support them for you. It’s not as though companies want you to have private conversations with people and then peek into them for juicy details. They want you to use their infrastructure for its intended purpose.


You pick the law of one of the weakest privacy jurisdictions and argue that Slack should standardize privacy on the most invasive level this country's law allows.

What is this declaration of rights for corporate eavesdropping?


Why do you feel the need to defend Slack? It was their decision to do this to ensure they wouldn’t be forced out of the corporate market ($$$$$) and, I hate to break it to you, US and EU law are very similar in this regard. Corporations in the EU can listen to your business correspondence just as easily as US ones, and in neither do you have any real expectation of privacy at work.


You are wrong about the EU - the national legislation on the right to privacy is stricter in many (most?) countries. The EU only sets minimum levels of protection. And even EU law protects more than you imply (1).

I'm defending employee rights and generally the human right to privacy against arbitrary surveillance, not Slack.

(1) https://www.helpnetsecurity.com/2017/09/06/workplace-surveil...


From the court case,

In particular, the national courts had failed to determine whether the applicant had received prior notice from his employer of the possibility that his communications might be monitored; nor had they had regard either to the fact that he had not been informed of the nature or the extent of the monitoring, or the degree of intrusion into his private life and correspondence. In addition, the national courts had failed to determine, firstly, the specific reasons justifying the introduction of the monitoring measures; secondly, whether the employer could have used measures entailing less intrusion into the applicant’s private life and correspondence; and thirdly, whether the communications might have been accessed without his knowledge.

There is nothing in that case that prohibits EU companies from monitoring the communications of their employees. Half of that case revolves around legal procedural problems in the original case, and the other half is about whether the company could have fired him over his personal correspondence _without proper notice_. That case, if anything, only upholds corporate EU rights to monitor their employees, so long as they provide some trivial legal notice.

Yes, EU law does protect private correspondence more than US law, but almost none of that applies to business correspondence, and the EU is just as liberal in that regard as the US.


Workplace communication between coworkers eg on Slack is not automatically business correspondence in this sense.

In any case, you repeat the oft debunked myth of corporate right to surveillance. It does not exist. There is just partial lack of EU level protections. The national laws can and do say otherwise in many cases. As can/do binding collective bargaining agreements.


We are not talking about some small made-with-love startup here that no one cares about. We are talking about military contractors, financial companies, law firms, consulting firms, public stock corporations, etc., places with hundreds or thousands of employees and millions if not billions in revenue. You are woefully naive if you think you can run a major company in any of these areas without eventually having employees who are going to do illegal things. People do a lot of crazy things, some for personal reasons, some to get promoted, some because they think they were sanctioned by their boss, some perhaps thought it was best for the company, and so on.

I understand what you’re saying here, and sure, maybe in some small private companies or organizations this is a tragic loss of privacy, but everywhere else it is simply the cost of doing business.


up until now I was acting under the belief that my Slack logs were as private as my WhatsApp logs


You need non-repudiation of changes to log contents.


Because they typically can be easily falsified.


You could have the logs signed with Slack's PGP key so they cannot be altered without the signature causing a mismatch.


Arguably, but what if the company wants to find proof of, say, two employees colluding to exfiltrate sensitive data or something like that? Would they have to convince them to turn in the PGP signed logs?

More generally like the parent I don't see why a company couldn't have full control over their corporate tools.


> two employees colluding to exfiltrate sensitive data or something like that

In that case spying on Slack usage is simply not enough: the employer would need to spy on every single move every employee makes inside and outside the company, which of course is not possible (well, except if the company is located in a fascist state).


Not everybody is going to send one-time-pad private key encrypted messages using a 1000 character password.

It turns out that having access to slack alone would probably catch 95% of situations.


What if those two employees collude to do something like that via their own private phones? Should employers have access to those too?

It doesn't seem to me like any of this really does anything, since there are (and should be) plenty of ways that employees can communicate without their employer having access.


There are security issues here that you may not be aware of. For one example, if technically knowledgeable people want to falsify signed logs without having the signing key, they can simply keep a separate set of logs with actual innocuous conversations. Slack would sign those in your scenario without a problem. This is the canonical problem of keeping "double books".


While I agree with auditable access to employee DMs, there is a middle ground solution that trivially solves the problem you've presented. Instead of providing the employer with access to the employee's messages directly, logs can be signed at both the blob and message level. Then if an employee selectively turns over only some of their logs, the mismatch will be readily apparent.


Of course it can be solved! I was pointing out that the prior comment was incorrect.

If an employee is in possession of chat logs that if divulged will get them fired, they can simply delete the logs. "Sorry, the drive crashed. IT is working to fix it right now." Stepwise refinement to insecurely re-create security solutions is one of the reasons for many security vulnerabilities.

Logs are well understood, and logging of sensitive information is not just a small technical issue but a security issue. The same way that people shouldn't design their own crypto, when people design logging mechanisms for sensitive data, which is seemingly simple, they will almost always introduce these security errors, as in your post.

Unfortunately, there are also a number of legal issues (and possibly compliance issues) that need to be accounted for from redaction to anonymity and from GDPR to encryption.


Not sure what you mean by blobs? If Slack implemented a scheme like this, they should sign a message which includes metadata like the org name, channel name and timestamps in addition to text.


By blob I mean an archive dump of every message and the metadata you're describing. If that dump is hashed, selectively presenting messages in the dump is obvious.
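An added example of the two-level scheme described above (signing each message and separately signing the whole dump), written for this thread and not code from Slack or from any commenter. It uses an HMAC-SHA256 key as a constructed stand-in for the platform's PGP signing key, and constructed sample messages, and shows that a selectively turned-over subset passes the per-message check but fails the blob check.

```python
"""Added example: message-level plus blob-level signing of chat logs so that a
selectively disclosed subset of an archive is detectable. Not Slack's code."""
import hashlib
import hmac
import json

# Constructed stand-in for the platform's signing key. The thread talks about a
# PGP key; HMAC-SHA256 is used here so the example runs with only the standard
# library. In a real design the platform signs with a private key and auditors
# verify with the public key, so they cannot forge signatures themselves.
SIGNING_KEY = b"constructed-platform-signing-key"


def _sign(data: bytes) -> str:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def _canonical(obj) -> bytes:
    # Deterministic serialisation: signer and verifier must hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_message(msg: dict) -> dict:
    """Message-level signature covering the text and its metadata
    (org, channel, timestamp, author), as suggested in the thread."""
    signed = dict(msg)
    signed["sig"] = _sign(_canonical(msg))
    return signed


def verify_message(signed: dict) -> bool:
    body = {k: v for k, v in signed.items() if k != "sig"}
    return hmac.compare_digest(_sign(_canonical(body)), signed.get("sig", ""))


def sign_dump(signed_msgs: list) -> str:
    """Blob-level signature: covers the ordered list of every message signature
    and the message count, so omitting or reordering messages changes it."""
    manifest = {"count": len(signed_msgs), "sigs": [m["sig"] for m in signed_msgs]}
    return _sign(_canonical(manifest))


def audit(presented: list, dump_sig: str) -> dict:
    """Check a turned-over set of messages against the blob signature issued
    for the complete archive. Returns which checks passed."""
    messages_ok = all(verify_message(m) for m in presented)
    # Recompute the manifest from what was presented; any gap shows up here.
    dump_ok = messages_ok and hmac.compare_digest(sign_dump(presented), dump_sig)
    return {"messages_ok": messages_ok, "dump_ok": dump_ok}


# Constructed sample archive: three DMs in one org/channel.
RAW_MESSAGES = [
    {"org": "example-org", "channel": "dm-alice-bob", "ts": "1521590400.000100",
     "author": "alice", "text": "can you send me the Q1 figures?"},
    {"org": "example-org", "channel": "dm-alice-bob", "ts": "1521590460.000200",
     "author": "bob", "text": "sure, attaching now"},
    {"org": "example-org", "channel": "dm-alice-bob", "ts": "1521590520.000300",
     "author": "alice", "text": "thanks!"},
]
SIGNED_DUMP = [sign_message(m) for m in RAW_MESSAGES]
DUMP_SIG = sign_dump(SIGNED_DUMP)


def full_dump_result() -> dict:
    return audit(SIGNED_DUMP, DUMP_SIG)


def selective_disclosure_result() -> dict:
    # An employee hands over only the first and last message.
    return audit([SIGNED_DUMP[0], SIGNED_DUMP[2]], DUMP_SIG)


def tampered_result() -> dict:
    # Text altered after signing; the message-level signature no longer matches.
    altered = dict(SIGNED_DUMP[1])
    altered["text"] = "I never said that"
    return audit([SIGNED_DUMP[0], altered, SIGNED_DUMP[2]], DUMP_SIG)


if __name__ == "__main__":
    print("complete archive   ", full_dump_result())
    print("subset turned over ", selective_disclosure_result())
    print("altered message    ", tampered_result())
```

This only detects omissions from an archive the platform actually signed; messages that never reached the platform (the "double books" case above) leave no signature to compare against.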


If they harassed them in the toilet, would you install cameras there? =P

Sorry, but that's the same kind of argument for invading someone's privacy and justifying surveillance.

I doubt that anyone would agree even if you said you'll watch the videos only when necessary.


This is ridiculous. If one is harassed in private they have all the evidence they need to expose the harassment to whomever they want.

So now they are not private messages and shouldn't be called as such.


As I do not know which country you are from I really hope you checked before if what you did complies with the legislation as for example in many european countries this would be very illegal.


Totally agree. If harassment is a problem they'll find other ways, but that doesn't mean an employer has to provide an outlet for them to harass on.


With the recent Facebook news, I should have thought that sort of concern was obvious.

It's always going to be Eternal September somewhere on the internet.


I reluctantly agree with you. Employees are smart, especially the ones that harass others and they need to be exposed.


Maybe you should start at the root of the issue and vet your interns before bringing them on.


You didn't have compliance exports turned on already?


So employees can read your private Slack, right? If it’s really just about creating a safe space, I don’t see why management is exempt.


Typically management is not exempt. If management == admin, then there'll be a user mode in which management uses the app normally, and an admin mode where you do admin-y stuff.




Every big enterprise on the planet has your email to whip-out and read if legal issues arise, whether that's for internal reasons or for something like SOX compliance or running into problems with the SEC. It's a total necessity for big public companies.


Guess that's what's wrong with such entities...


So long as they can go through your chat history it seems very reasonable and is not simply a further entrenchment of the structure of power.

Information is power: https://news.ycombinator.com/threads?id=tvanantwerp


Uh, ok? Never really posted on HN under the illusion it was private, so not sure what you're going for here...


I apologize if this seemed personal. I just think that information asymmetry is a type of power differential. HN does not have such an asymmetry when it comes to chat history.


LOL. I was about to write a post with this exact first line. Thank you for beating me to it.


It's called "private" for a reason. If someone harasses me on Slack, I have proof of that, because they wrote me a message. If people have private conversations about anything, it should be of no one's concern. Same goes for Signal or WhatsApp, it's a private conversation. It's like putting microphones everywhere and then firing people who have a bad day and say something stupid once in a while; would you like that? This is not a world I wanna live in and it's a serious move against privacy and freedom of speech.


Yeah, and there's a reason some places have laws against bugging offices. One key thing is that everyone should be clear on what's recorded and what's not, and "if it's written down" at least has the virtue of relative simplicity. Probably if it's not supposed to be fair game for later investigation it shouldn't be logged at all.

I think part of the trouble is that we spend too much time at work for most people to actually be productive the whole time -- if you buy the notion that it's reasonable for people to be at work to work, and they shouldn't be socializing or what have you, then logging everything seems more reasonable than if you recognize that no one can actually be a drone 40 hours a week; then the surveillance starts to look like de facto surveillance of stuff other than the job, which is more worrying.

I am in the privileged position of doing freelance work, on my own machine, mostly remote. As such, if I'm using a client's communication systems it is essentially guaranteed to be work related, so having it logged doesn't bother me; if I'm not working I'm using something else. But being monitored for half your waking hours five days a week feels much more onerous.

I suspect some of this is tension with reasonable expectations of levels of monitoring from when less of our communication was via the network.


> This is all very standard corporate IT stuff that you need for HR and legal reasons.

I doubt that, but it is country dependent. In some of the countries I have worked in it is quite the opposite. You get drilled for legal purposes that you are not to look at people's personal emails and if possible DMs. Mostly as it is potentially illegal. I have not worked in the US though.

I was however unaware that in Norway they can access your email in exceptional circumstances: https://www.datatilsynet.no/en/privacy-and-society/personver... It seems in case of gross breach of duty, the employee has to be notified, then they can access their work email.


There's an infinite space of solutions to your particular problem, but your chosen solution is totalitarian surveillance in the workplace because an intern got offended?

I avoid workplaces which force shit like this. So do all the good developers I know, because they're people who can afford to be choosy.

Bullies are pretty adept at functioning in these environments. Instead of harassing on monitored DMs, they'll make verbal comments with double meanings, use their leverage to put their targets in unpleasant situations, undercut their targets at meetings etc. Totalitarian surveillance doesn't stop bullies. It just makes your workplace a soul-destroying shithole for the employees who are forced to work in it.


> but your chosen solution is totalitarian surveillance in the workplace because an intern got offended?

Sigh

Totalitarianism is a socio-political paradigm, not a stand-in word to describe things you think constitute surveillance in the context of a business. Companies require the capability to maintain auditable records of employee activity on the information channels they own and manage. Your company is not recording your activity in the privacy of your home or on the street, it's protecting itself and other employees from potentially problematic abuse scenarios. These requirements are also directly imposed by a variety of regulations in various countries.

When you twist the meaning of loaded words like this to describe things you don't like, you make it very difficult for people to get past the hyperbole and take you seriously. You're conflating assaults on personal rights with the routine and mundane business practice of keeping auditable logs.

> I avoid workplaces which force shit like this. So do all the good developers I know, because they're people who can afford to be choosy.

I'm not sure what you're getting at here, because almost all the good developers I know work in environments like this. So where does trading these anecdotes leave us? Do you really believe most competent software engineers don't work in companies that do this? In most cases, that means the company is actively breaking the law, or at best making adherence with the law very difficult and error-prone.


I think the bigger problem that the OP pointed at is that whatever adjectives you attach to this, surveillance is almost always the wrong way to change behavior, unless your desired outcome is to make everyone suspicious of everyone else.

What's stopping these folks from creating an out-of-company channel to do the bullying and attacking in coordination via that means, or tricking the victim into joining them in the new side channel?

The answer to bullying or shitty office behavior is not monitoring. That's cover-your-ass, because the real answer is hard. Improve your company culture. Fire people who are detrimental to the team. KNOW YOUR TEAM! So often I hear about these things and what you find is a shitty manager who has no idea how to be a manager and says "well they get their work done."


You realize this has to do with far more than workplace harassment, right? Have you never heard of employees using a competitor's proprietary information? Or arranging fraudulent financial transactions to cover losses? Or discussing how to mislead investors or watchdog agencies? What do you expect this company to do when they are involved in a legal dispute like this, and have to explain to the court why they have company sanctioned, un-auditable computer systems/applications that helped their employees break serious state and national laws?


I suppose my experience in large corporations is limited. But I'm going to hazard a guess that for all but the biggest corps "company sanctioned" is not an official term, and that most have given little-to-no thought about all the various ways they need to keep track of the way their employees communicate.

Keeping in context with the OP, Slack allowing admin access to all conversations is a cover-your-ass corporate move, not a solid new tool to combat workplace cultural issues. Perhaps once in a blue moon employee surveillance and bad culture might intersect and prove useful. But that should in no way be used to justify corporate surveillance.

As an elected government official, I understand the importance of paper trails and record-keeping. But the mere fact that so many companies USED SLACK WITHOUT THIS FEATURE means most had no qualms about side channels being un-auditable before. And now this is just sweet sweet honey to corporate overlords.


It doesn't make sense to refuse solutions that solve part of the problem, or that make the problem more manageable. Perfect is the enemy of good.


> because almost all the good developers I know work in environments

But they aren't True Good Developers... /s


> socio-political paradigm

Sigh.

And workplaces are socio-political contexts... I didn't find it very difficult to get past his hyperbole, and I frankly find it hard to believe that you did. It isn't hard to argue that monitoring channels that even just imply privacy, regardless of whether they take place in the workplace (or in academia, or at home) is a violation of personal rights - regardless of the fact that you arbitrarily draw the line at "recording your activity in the privacy of your home or on the street."


> And workplaces are socio-political contexts

They're not governments, they're companies.

> monitoring channels that even just imply privacy, regardless of whether they take place in the workplace (or in academia, or at home) is a violation of personal rights

It isn't, unless your definition of "personal rights" includes "things I personally want which are neither codified in, nor protected by, laws."


>They're not governments, they're companies.

You're right, it's important to note they are more powerful and exercise more control over the lives of their employees than many governments, though employees often have the same opportunity to leave their company as they do their government (none).

>It isn't, unless your definition of "personal rights" includes "things I personally want which are neither codified in, nor protected by, laws."

Yes that's literally exactly what personal rights always means. Legal rights are legal rights, personal rights are a conception of what the person who uses the term wants or believes rights to be.


> You're right, it's important to note they are more powerful and exercise more control over the lives of their employees than many governments, though employees often have the same opportunity to leave their company as they do their government (none).

Especially when they're also dependent on their corporation for healthcare and retirement...

This is exactly my point, it's effortless to compare corporations to government, especially in this context. For the other comment to base his argument around the word "totalitarian" seems nothing if not disingenuous, given that the meaning behind the word is clear.


In what way are companies not trivially compared to states (governments) in this context (surveillance)? You're being intellectually disingenuous.

I mean, you completely (amusingly) misquoted that sentence. I said "it isn't hard to argue that [...]". I did not make an absolute statement that it is (a violation)... Come on now.


> You're being intellectually disingenuous.

Okay...let me see if I understand you correctly. You're defending the other commenter's description of corporate logs as totalitarian surveillance, but you're saying that I'm being intellectually disingenuous because I'm pointing out that companies are not governments?


No, I'm calling you intellectually disingenuous for reading a comment about internal corporate surveillance, and choosing to pontificate on word choice when the meaning is trivial to understand. Blatantly misquoting me also doesn't help.


> imply privacy

Workplace provided communication mechanisms do not in any way imply privacy. Best practices are that staff sign an acknowledgement of such, so that there is no such confusion.


So, if an acknowledgement is needed... It's needed because there might be an implication of privacy, right?


Generally speaking it’s easy to argue that employees have no expectation of privacy on the work network for the following reasons:

1. Regulation in most countries requires it to be this way, well, most countries any of us is likely to work in. Which is to say: The Law Hath Spoken, which is to say: The People Hath Decided.

2. The employer should have spelled this out to you at time of hire, and had you sign a document to verify you understand.

The problem here isn’t that the direct messages take place in the workplace, it’s that they take place on infrastructure owned by the workplace.


I didn't actually argue that there was an expectation...

I only said that the comment I replied to relied on a purely arbitrary definition for what an invasion of personal privacy was... He argued that because "your company is not recording your activity in the privacy of your home or on the street" it wasn't unreasonable (or totalitarian), because the company was "protecting itself and other employees from potentially problematic abuse scenarios." Even though it's amusingly easy to imagine that a totalitarian regime would make the same argument for its own surveillance practices....


Totalitarian surveillance? While you’re at removing that from the workplace, don’t forget to instigate democratic revolution in your company as well.


Well yes, this is a good idea; democratization of the workplace and worker co-ops generally promote better quality of life for employees and the surrounding community, less exploitation, less corruption, more justice and similar or better efficiency compared to the normal dictatorial corporate model.


Well, if you work at Google anyway.


Infinite space of solutions? I think not. If the harassment was in any way sexual, the company had a legal responsibility to investigate. It may have been a timely matter and the best and/or only solution was to read the messages at the offending intern's workstation.


If you've worked anywhere with more than 50 employees, your emails are available for an admin to look at. This is required for legal discovery whenever a company is sued. For companies in regulated industries (healthcare, finance, etc) they may actually be required to keep all your communications for a period of time so that they can track if you leaked sensitive data (PHI, PII, trade secrets, etc)


> totalitarian surveillance

> got offended

> Bullies

> soul-destroying shithole

It's funny how these sort of comments always come from recently created throwaway accounts.


People can only candidly speak their minds on touchy subjects through anonymity. What a shock, if only we came up with a name for this effect a long time ago? If only that very effect wasn't so ironically relevant to the subject at hand?


Why do you think that is?

How would you describe the tenor of the comment?


> I avoid workplaces which force shit like this. So do all the good developers I know, because they're people who can afford to be choosy.

So you and your choosy developer friends work at a place where IT can't access your corporate email?


In Germany (and probably the whole EU) it's illegal for an employer to read an employee's mails without approval of the workers' council for each individual case.


"probably the whole EU" [citation-needed]. German privacy law is very strict. This might be a good thing, don't get me wrong - but extrapolating this to all the other 27 member states is pure nonsense.


Requiring approval of the worker's council is how an employer's demand to read an employee's mail is usually handled in Germany. I did not mean to imply that it is handled the same way in the whole EU, just that unsubstantiated monitoring is likely illegal in the whole EU.


The European Court of Human Rights recently ruled that an employee's communication may not be monitored without prior notice and without specific reasons. [1]

This ruling applies not only to the whole EU, but to the 47 member states of the Council of Europe, including for example Russia and Turkey.

[1] https://www.coe.int/en/web/human-rights-rule-of-law/-/echr-m...


I'm aware of this, yet "prior notice + specific reasons" != "approval of the workers' council for each individual case"


I think you're mixing up the way businesses run and how society should run. Two different things.


Businesses are society; we are forced to spend the vast majority of our waking life under the thumb of one, so we should absolutely decide how we want that life to go.


It's getting well OT, but why should there be a distinction? Should we forgo morals in favour of profits?


No, he chose it because a group of interns was harassing other interns.

Words matter.


Reading someone's workplace messages to resolve a workplace investigation into a workplace dispute between co-workers isn't totalitarian.

There is no reasonable expectation of privacy on a corporate slack account.


You may be speaking legally in your final sentence but in natural language terms I'd say there is definitely an expectation of privacy in DMs to a named account; and it's not an unreasonable expectation.

If one DMs "Alex Murdo" then the expectation would be that they alone would read it, or their nominated person. If one DMs "Graphic Design" department then obviously that doesn't stand.

I'd expect contracts and such to contradict this natural expectation however.


Would you provide a small list of solutions as examples?


How about ask the intern being bullied to show the bullying messages?


And the sender deletes the message?


nice nirvana fallacy


Looking at all the positive comments here, this is generally bad news.

Not sure how compliant this is with the law, but in this case the law should be more protective towards employees.

I imagine the following situation:

I write on a company-owned piece of paper - "My boss is an idiot". Then I take this piece of paper, put it in an envelope (owned by the company as well), write the name of my colleague and seal the envelope. Then I put the envelope on the recipient's desk.

I bet it would be illegal for my boss to take that letter, open it and read it.

P.S.

Looks like with e-mails the law is more protective towards employees:

[1]: https://www.reuters.com/article/us-privacy-emails-echr/europ...

[2]: http://www.internationallawoffice.com/Newsletters/Employment...

[3]: https://www.womblebonddickinson.com/uk/insights/articles-and...


Your boss is absolutely allowed to open an envelope on your desk if it's clearly a business-related piece of mail, and your employee handbook almost certainly says that your corporate Slack account is only to be used for business purposes.

In fact, your boss is allowed to open any mail sent to your work address.

https://www.azcentral.com/story/money/business/abg/2015/07/1...

http://www.askamanager.org/2010/08/is-it-legal-for-my-boss-t...

http://employment.findlaw.com/workplace-privacy/privacy-at-w...


Ah, Europe might be different. In the US, if your employer owns the platform, they have the right to all the messages for compliance. We view this as "if you have something private, don't do it on corp channels." This is usually fine unless you're harassing someone or engaging in something against corp ethics.

https://www.privacyrights.org/consumer-guides/workplace-priv...


It really depends on national legislation, as well as individual contracts with unions or work councils. At least here, as a rule of thumb, as long as private internet use is permitted, the employer can't legally monitor traffic outside of very specific circumstances. AFAIK you can't get around that by prohibiting personal internet usage without generally enforcing that prohibition.


> At least here, as a rule of thumb, as long as private internet use is permitted, the employer can't legally monitor traffic outside of very specific circumstances. AFAIK you can't get around that by prohibiting personal internet usage without generally enforcing that prohibition.

This isn't relevant here. ECHR has ruled that employers do have the right to read emails, as long as employees are notified in advance (which can include blanket notification as part of their employment agreement). ECHR has jurisdiction over all ECHR countries, which is a superset of EU countries and includes several non-EU countries, like Norway. Other European countries, like Germany, Switzerland, and the UK have also affirmed this right.

Email being roughly analogous to Slack, in the eyes of the law, there's little room for doubt that employers in Europe have the right to read Slack messages on the company's Slack account.


The ECHR has ruled that it is not a violation of human rights, that does not override national law that limits employers if it exists.


> The ECHR has ruled that it is not a violation of the convention on human rights, that does not override national law that limits employers if it exists.

It doesn't override national law, but national law is pretty consistently clear that employers have this right as well - that's why the case was before the ECHR in the first place.


You claimed that the specific rules the poster you replied to mentioned aren't relevant due to the ECHR decision, and that's just not true. E.g. here in Germany, an employer needs to explicitly forbid private e-mail to be allowed simple access to employee mail, which is why basically everyone does that, often allowing private internet use to access webmail instead. (I've also seen employee agreements where there are different rules for specific folders: a private archive folder is never accessed, work-related folders can be easily accessed, and e.g. looking at new mail in the inbox is allowed if it's done under supervision and e-mail that's clearly recognizable as private isn't opened, since private mail was hard to avoid in the specific case.)

This is something where you likely cannot make useful blanket "in Europe" statements.


Again, it depends on individual agreements. If the employee is not allowed to use his company mail for private stuff, he has no reasonable expectation of privacy that goes beyond obvious cases. Like, for example, if your wife sends you a mail with the subject "here are my nudes!", your employer isn't allowed to access the content.


> Not sure how compliant this is with the law, but in this case the law should be more protective towards employees.

This change is precisely because of regulations like GDPR, among others.


The ECHR said that the employer has no right to access any private employee communication, even if it happened at work.

That contradicts what you’re saying quite a bit.


It doesn't contradict what I'm saying. If you mean the Romanian case, the ultimate resolution was that 1) an employee has an expectation of privacy for personal communication on personal channels on a corporate machine, and 2) if an employee's personal internet usage is going to be monitored on a corporate machine, they must know before the monitoring begins. The ECHR didn't have any problem with the monitoring in general; what they ruled against was the legality of personal internet usage monitoring before the employee knew about it and agreed.

In the ECHR case, the employee's personal communications over an instant messenger were being monitored just because they were happening on the employer's machine, and without the employee knowing ahead of time. That's the no-no. But Slack is not a personal communications medium; it's maintained and administrated directly by an employer for the explicit purpose of work-related communication. In the context of the ECHR case, Slack doesn't qualify.

Circling back to Slack and the GDPR: as a direct result of the GDPR, Slack now needs to align their desire for full employee auditability with full data transparency. There's a tension between competing regulations, but there's no contradiction here.


Slack can be used for e.g. union organizing, which an employer may not read either, and "they must know before the monitoring begins" is obviously not given here.

This doesn’t look good for Slack.


That's 100% incorrect.

https://www.echr.coe.int/Documents/Press_Q_A_Barbulescu_ENG....

They don't have free access however they want, but they do have the right to access under certain conditions.


Communication over an employer-provided tool is not private communication.


In broker-dealer finance, it is illegal to not log and audit all business communications. Additionally, you have to contract with a government-approved agency to save the logs in a manner that cannot be tampered with. I think we even have to save it in a format that is easy for government agencies to review and search if necessary.


I'm lost on the employees needing protection concept here.

If you're going to call your boss an idiot, don't do it with the company tools. That seems like a pretty reasonable boundary to maintain.

I've never thought of much of anything that was my employer's as mine. If I wanted a private email conversation, I'd use my email, same with chatting, etc. That's just smart no matter what the local legal traditions are.

The volume of negativity surprises me if only because there are all sorts of ways to obtain some private channel communication.

Do people need to talk shit about their boss THAT often, but they feel they should use a work provided tool to do it?


It's funny how much hedging and how many implausible hypothetical scenarios there are in some of these comments.


Previously, you could only see employee DMs if you turned on Compliance Exports, at which point you could download all of them going forward. Now it sounds like everything you've ever written could be downloaded at any time without notice.

So, all of those communications you had with co-workers based on the promise they would be private until you were notified future ones wouldn't be anymore? Now it's ALL available to your employer.

Surprise!

(This is presumably due to GDPR)


Meh. Nobody should be surprised by any of this in the slightest. If your employer provides / pays for any kind of communications tool, the only sane position is to assume that they can - and probably do - monitor every single byte you send.


Honestly I didn't realize my Slack DMs on my work account weren't private until I saw this. I assumed that since my employer pays for the account, any message I sent was being monitored.


you meant "were" instead of "weren't"


Correct.


That's what I'm thinking. I mean... of course employers expect to be able to have access to communication done by employees in the course of doing their jobs. They've been able to do this with every (archivable) communication medium since the invention of writing. Where is the news here?

If you want privacy use a private channel. Your employer's work tools don't qualify.


By private channel, I assume you mean a completely separate system that is not slack, and not a private slack channel (which, prior to this, was private from slack workspace admins, with hilarious results).


I think there's some middle ground, some grey area where whether it's alright is murky. It's kind of pulling the rug out from under people when the policy of a 3rd party provider abruptly changes and suddenly tons of messages become available to the company.

There are a number of things I might mention to a coworker over a private IM which wouldn't necessarily put my employment at risk, but would be awkward for management to suddenly have access to.

A couple of made-up examples:

"I'm super sick, but $boss is really pushing me to get the report out. I just want to go home and be sick all alone."

"I hate management's decision to reduce vacation days. No wonder we can't keep people around here."

"Did you see Tom's email? It's kinda awkward that he thinks he's a strong contributor to the group..."


All of those conversations should take place out of band of employer communications tools.

Never write something you wouldn’t want printed on the front page of a newspaper.


As a company policy I sure hope your IT doesn't make emails available to your management.


No, they don't, but I work at a large megacorp. At a small 10-20 person non-technology startup, the admin on Slack is likely to be the owner or general manager. It could be another 5-10 people before a person is hired on as full-time IT.


If the owner or GM has enough time to dip into Slack DM's, or even emails, the company has bigger issues.


These are all the sorts of things that you would ideally want management to know about so they can make better informed decisions. Assuming of course that you have competent and trustworthy managers.


>Assuming of course that you have competent and trustworthy managers.

You're begging the question.

"Competent and trustworthy" people won't abuse their power by definition. Anyone who abuses their power intentionally is untrustworthy, and anyone who abuses their power unintentionally is incompetent.

In the real world there are many incompetent and untrustworthy leaders. Slack has no choice but to operate in the real world.


Which question am I begging? I wasn't talking about abuse of power.


I think the EU would have something to say about that: https://www.telegraph.co.uk/news/2017/09/05/landmark-eu-ruli...


Seems a little different. Courts ruled that work emails could be viewed, just not personal accounts used on work computers.


Additionally, unless your work environment is sophisticated enough to fiddle with the certificates on your machine, and run a MITM proxy, you should be safe using something like GMail over https. Now I'm sure some companies do manage to intercept outgoing https traffic, but I doubt that most companies do.

OTOH, I still think being paranoid is the safest policy, so if you're plotting to overthrow your boss, or sell secrets to your biggest competitor, I still wouldn't do it on the company network and/or using a company computer.


If your Gmail account is through work (i.e. not a personal one) they already have access to it.


Agreed. I was referring to the parent post's comment about using personal accounts at work. That might be safe, to some extent. But again, I would lean on the side of paranoia if you're talking about anything that could get you (fired|put in jail).


In any case, if you would plan any of that, I would guess that it would most probably leak out through an entirely non-technological channel, e.g. by somebody overhearing in person, or even by a co-conspirator defecting for their own gain.

Cloak-and-dagger games are very similar to building your own crypto: likely to be broken at a fundamental level, never mind the amount of magic security glitter that you pile on top.


Yeah, they said it here[1], and basically, given cause and given notice, they can still access private communications on work property. So not exactly what you are implying.

From the actual source: https://www.echr.coe.int/Documents/Press_Q_A_Barbulescu_ENG....


Thanks for the document. I think it still says that the employer should notify the employee beforehand of any potential monitoring of communications, which is different from assuming that every byte is being monitored.


Exactly. I'm surprised they couldn't before.


Yup


The smart people will have anticipated this, and their message logs will paint them as good for the company.


You should not assume your communications are private if there is no end-to-end encryption. Also, the employers are often required to do this because of regulations. (I think those are silly regulations given that end-to-end encryption is so easily available nowadays, but the companies don't really have a choice here.)


You shouldn't assume they're private just because they're encrypted. Employers can and will install SSL certs on your desktop machine so that they can decrypt and scan/archive everything at the gateway. This is standard practice in financial companies, and is easily done anywhere.

They can also install screen capture and key logging software if they want, but that's less common and without disclosure is a lot shadier (although certainly legal in the US). I wouldn't expect it most places; it's a more extreme step.

But never trust encryption at work unless you know your company's policies.


`whyever` said _end-to-end_ encrypted, presumably meaning "between the intended recipient and me," not "between a middleman and me."

Of course, you also need to trust your hardware.


Then of course, if the hardware is provided by the employer...the Second and Third Rule is already broken, game over.


Are there any guides to check for shady SSL certificate shenanigans on an employer provided Mac?


If the employer had physical access, what would prevent them installing a rootkit? Then you couldn't detect a fake certificate no matter what you tried. Or deeper, if you distrust the provided software, what makes you trust the hardware? It's turtles all the way down ;)


I'm not talking about anything shady here. We're told that they're going to update our desktop SSL certificates for this reason. Partially CYA, partially compliance/legal. I'd probably quit if someone were keylogging or screengrabbing my work machine without my knowledge, but I'm not talking about employers being sneaky.

And this is exactly the end-to-end encryption that the original thread responder mentioned; I know it's in place, so I won't connect to my personal accounts from the work machine. That's what my phone is for (and I won't use their wifi for my phone, either).


Yes, but assuming partial good faith (this does sound like an oxymoron, but humor me) - how would I go about checking for cert misuses?


The OS should have a trusted CA list somewhere (not sure where OSX does); checking that it matches a fresh install should be the first step. Note that there might be multiple lists - Firefox, for one, tends to keep their CA list separate.
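The "compare against a fresh install" step above is easy to script once you have the trust store as a PEM bundle. What follows is an added example, not code from the thread or from Slack: on macOS the admin-managed store can be dumped with `security find-certificate -a -p /Library/Keychains/System.keychain` (this is where an MDM or TLS-inspection root is normally installed; Apple's own roots live in a separate keychain, and Firefox keeps its own list, so each needs its own baseline). The script parses such a bundle, computes the same SHA-256 fingerprints `openssl x509 -noout -fingerprint -sha256` prints, and reports any certificate whose fingerprint is not in a baseline recorded from a clean machine. The certificate bytes below are constructed placeholders, not real certificates, because only the DER-to-fingerprint step matters for the diff.

```python
"""Report trusted CA certificates that are not in a known-good baseline.

Added example (not from the original thread). Intended input is a PEM
bundle such as the output of, on macOS (assumed stock `security` CLI):
    security find-certificate -a -p /Library/Keychains/System.keychain
and a baseline of SHA-256 fingerprints recorded from a fresh install.
"""
import base64
import hashlib
import re
from typing import List, Set

# One PEM block per certificate; base64 payload may span several lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def parse_pem_bundle(text: str) -> List[bytes]:
    """Return the DER bytes of every certificate block in a PEM bundle."""
    return [
        base64.b64decode("".join(b64.split()))
        for b64 in PEM_BLOCK.findall(text)
    ]


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of the DER bytes,
    formatted like `openssl x509 -fingerprint -sha256` so the baseline can
    be built with either tool."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def unexpected_certs(bundle_text: str, baseline: Set[str]) -> List[str]:
    """Fingerprints present in the bundle but absent from the baseline."""
    fingerprints = (sha256_fingerprint(d) for d in parse_pem_bundle(bundle_text))
    return [fp for fp in fingerprints if fp not in baseline]


def to_pem(der: bytes) -> str:
    """Wrap raw bytes in a PEM certificate block (used to build the sample)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed sample: two placeholder "certificates". Only the first one is
# in the baseline, so the second should be flagged as unexpected.
KNOWN_DER = b"constructed placeholder: certificate that was on the fresh install"
EXTRA_DER = b"constructed placeholder: certificate added after deployment"
SAMPLE_BUNDLE = to_pem(KNOWN_DER) + to_pem(EXTRA_DER)
BASELINE = {sha256_fingerprint(KNOWN_DER)}


if __name__ == "__main__":
    for fp in unexpected_certs(SAMPLE_BUNDLE, BASELINE):
        print("not in baseline:", fp)
```

In practice the baseline file is a list of fingerprints captured from a machine you trust, and the bundle is produced on the machine being checked; anything the script prints is a certificate to look up by fingerprint and account for. A root installed for TLS inspection is not hidden by this check, since it has to sit in the trust store to work.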


Ah, I work remotely, so I normally don't worry about that sort of thing.


I doubt this has anything to do with GDPR which is about personal information of customers and users. In this case the customer is the company and I don't think GDPR applies.


The announcement email says "As part of our growth and in support of upcoming changes to EU data protection law, we’re launching new tools and features and updating our Privacy Policy and User Terms."


"As part of our growth and in support of upcoming changes to EU data protection law, we’re launching new tools and features and updating our Privacy Policy and User Terms."

That sounds like a convenient marketing bullshit bogey man to me.


Actually GDPR also applies to your personal information that a company holds about you as an employee. However GDPR doesn’t apply if there are other laws that also apply to the data, which will be the case in a lot of circumstances for employees.


Why would you have such conversations or expectations when using company chat? That's unprofessional and, frankly, stupid because it puts one's job in danger (as could an in-person conversation heard by the wrong people at work). If you want to talk in private, there are dozens of other chat programs out there you can run on your own devices.


You're missing the point. Slack was one of those programs until this retroactive privacy policy change.


You really thought Slack somehow didn't have access to those messages or deleted them? That this feature wouldn't be inevitable? Their whole sales spiel is that they can keep all your messages forever. This shouldn't be surprising. I'm not missing the point at all. I always assumed they had an entire history and could reveal it at any time. It's not end to end encrypted. Assuming otherwise is dangerous and frankly, idiotic in today's world.


why presumably due to GDPR? I would think it was a possible GDPR problem for them in the future. Specifically, you wrote it based on expectation it was private and now it is not, when did you give permission for sharing that data?


An employee's use of a company-provided communication channel like Slack isn't covered by GDPR, but the company is liable for the content that's stored in their Slack account. Under GDPR, I, as a customer of Company X, have a right to know about and request a copy of any data stored about me by that company, which includes Slack conversations, in both open and "private" channels. GDPR also applies retroactively, so the old compliance export process wouldn't cover it.


GDPR was mentioned in the announcement email (though not for this line item).


If it's your company's asset, you gave permission for sharing that data when you signed the e-handbook at orientation, the same document that gives them the right to monitor your work emails, put MDM on your work-issued phone, and log your work machine's network traffic into their SIEM.

You have no right to privacy when you're inside your company's office using your company's computers to access your company's network. They own it all, you just have permission to use it within the guidelines they set and you signed off on when you were hired.


You seem to be applying US legal concepts, when the question was about the GDPR, an EU directive.


Then your mistake was having conversations you wouldn't like your boss to read using your company's internal messaging system. How is this any different than e.g. emails?


Following GDPR could be much easier. Simply delete messages ASAP. The best protection for private data is not storing it.


This is not completely true. You've been able to pull DMs via the Discovery API.


I actually didn't know this. Why did they have the big alert when turning on the Compliance Exports then?


Wanted to let people know about GDPR. More for optics I am sure.


It also could be other compliance requirements.


This is to be expected from Big Brother. These days one should assume the telescreen is always watching and so should be very cautious as to not commit a thoughtcrime.

---- Edit ----

To clarify; my comment is referring to the novel 1984. While a bit tongue in cheek, it was not meant entirely as a joke.

This is a forum visited mostly by IT workers. I would assume most of us here know enough (or should know enough) to realize that any of our communications at work can be read by someone else and so you may want to treat it a bit as such.

In my personal programming working experience I have seen data captured in all of the following forms, reviewed, and then used to fire or prevent firing individuals.

Email, Instant messaging, Phone calls (audio recordings), Computer monitor (video recordings)


Jesus, nobody here has any clue what they're talking about.

Slack has allowed companies to read private messages for well over a year. It has been called "compliance exports" and you as a slack user could always see if you had them turned on, as well as which individuals had access to read your private messages. Source: CTO of a unicorn confirmed he had used this feature to read private communications (private rooms and DMs), source 2 - used this page myself at multiple companies

Employers had to pay for this privilege. It's super unclear to me what the new policy is-- it looks like there's still no privacy but it happens via API.


Previously if compliance exports were turned off, then later turned on, users would receive a notification that all future DM's would be available for export by their employer.

My understanding is that now the entire archive is readily available for download, including the content from before compliance exports was turned on.


The fact that they specify that consent is required on the free plan but not on the Plus or Enterprise plan suggests that the old compliance export requirements have changed. The old compliance export process required consent AND it only allowed you to access data from that point forward. The changes introduced today seem to suggest that historic data is now available by default.


How fine-grained is the tool? Do you select a channel and export only the contents of that? Can you select only two users and only get messages between them? Or is it blunt and you simple download all data (the text makes it seem that way)?

I ask, because if it's the latter it borders on illegal to click on that button (and get ALL private conversations), at the very least it needs to be heavily regulated within the firm who can click it and how the downloaded data is stored / accessed.


It is incredibly blunt, at least for compliance exports — all you can do is export the whole workspace — and once exported it's just a ZIP of thousands of JSON files. There is no tool to look at it with. When I had to do an export I found a PHP script somebody had written to turn the JSON into thousands of HTML files, but otherwise it was grep and jq.
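Since the export is a ZIP of per-channel, per-day JSON files, the practical question for whoever has to handle one is how to read only the channel that is actually needed rather than everything. The following is an added example, not code from the thread, from Slack, or the PHP script mentioned above. It assumes the export layout I know of: a `users.json` list of `{"id", "name"}` objects and one directory per channel holding `YYYY-MM-DD.json` files, each a JSON list of messages with `type`, `user`, `text` and `ts` (epoch seconds as a string); I assume DM directories, where an export contains them, use the same per-day file shape. The sample export is constructed inline so the block runs offline; `load_zip` shows how a real archive would be fed in.

```python
"""Render one channel of a Slack-style export as a readable transcript.

Added example (not from the original thread). The export layout below is
assumed from the files a workspace export contains: users.json plus one
directory per channel with YYYY-MM-DD.json message lists.
"""
import json
import re
import zipfile
from datetime import datetime, timezone
from typing import Dict, List, Tuple

MENTION = re.compile(r"<@([A-Z0-9]+)>")  # Slack encodes mentions as <@USERID>


def load_zip(path: str) -> Dict[str, str]:
    """Read every .json member of an export ZIP into a {path: text} dict."""
    with zipfile.ZipFile(path) as zf:
        return {n: zf.read(n).decode("utf-8") for n in zf.namelist() if n.endswith(".json")}


def parse_export(files: Dict[str, str]) -> Dict[str, dict]:
    """Group per-day message files by channel directory and resolve user ids."""
    users = {u["id"]: u.get("name", u["id"]) for u in json.loads(files["users.json"])}
    channels: Dict[str, List[dict]] = {}
    for path, text in files.items():
        if "/" not in path:            # top-level files (users.json, channels.json)
            continue
        channel = path.split("/", 1)[0]
        channels.setdefault(channel, []).extend(json.loads(text))
    for msgs in channels.values():
        msgs.sort(key=lambda m: float(m["ts"]))   # day files may arrive unordered
    return {"users": users, "channels": channels}


def render_channel(export: Dict[str, dict], channel: str) -> List[str]:
    """Return 'UTC-time user: text' lines for real messages in one channel,
    skipping join/leave and other subtyped system messages."""
    users = export["users"]
    lines = []
    for m in export["channels"].get(channel, []):
        if m.get("type") != "message" or m.get("subtype"):
            continue
        when = datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)
        text = MENTION.sub(lambda mo: "@" + users.get(mo.group(1), mo.group(1)), m.get("text", ""))
        who = users.get(m.get("user"), m.get("user", "?"))
        lines.append(f"{when.strftime('%Y-%m-%d %H:%M:%S')} {who}: {text}")
    return lines


def search_export(export: Dict[str, dict], needle: str) -> List[Tuple[str, str]]:
    """Case-insensitive search across all channels; the grep/jq step from the
    thread, but returning (channel, rendered line) pairs."""
    hits = []
    for channel in export["channels"]:
        for line in render_channel(export, channel):
            if needle.lower() in line.lower():
                hits.append((channel, line))
    return hits


# Constructed sample export (two days of one channel plus a join event).
# Timestamps: 1521633600 is 2018-03-21 12:00:00 UTC.
SAMPLE_FILES = {
    "users.json": json.dumps([{"id": "U01", "name": "alice"}, {"id": "U02", "name": "bob"}]),
    "general/2018-03-22.json": json.dumps([
        {"type": "message", "user": "U01", "text": "review comments addressed", "ts": "1521720000.000300"},
    ]),
    "general/2018-03-21.json": json.dumps([
        {"type": "message", "subtype": "channel_join", "user": "U01",
         "text": "<@U01> has joined the channel", "ts": "1521633500.000000"},
        {"type": "message", "user": "U01", "text": "report draft is in the shared folder", "ts": "1521633600.000100"},
        {"type": "message", "user": "U02", "text": "thanks <@U01>, reviewing now", "ts": "1521633660.000200"},
    ]),
}


if __name__ == "__main__":
    export = parse_export(SAMPLE_FILES)
    print("\n".join(render_channel(export, "general")))
```

Rendering a single named channel, rather than the whole archive, is the data-minimisation point several comments make: the person handling an export request for one client channel or one HR matter does not need to materialise every other conversation as HTML to get at it.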


That sounds less promising, I had hoped you could select a single channel and export it. Or even better give permission to a user to be able to export one channel. We often have Slack channels shared with clients etc. and they have asked before to get a transcript of chats for reference. If you had fine-grained control, you could give that access to the project manager for the client in question, without having to share the access / have a central moderator handle all requests.


You can tell who here has worked for a large American company and who hasn't.

If you've ever worked for a large American company, you know that nothing you do on company equipment or with a service the company pays for is ever private, and you should never assume it is.

I'll be honest, I always thought Slack DMs were viewable by the admin. As a Slack admin myself, I always assumed I had that ability. I never used it, so I never found out I was wrong, but I just always assumed it was there.

To me this is a no-op: Anyone who worked for a large American company should have assumed that this ability was always there or could be there in the future, or at the very least, your employer could have always required you to log in and show them your DMs.


It is very odd. We've had corporate monitoring of practically all employee electronic activities for decades. It's enshrined in legislation and tested in case law. The capabilities are built into practically every major business software. There are whole industries built up around it. Yet suddenly everyone is losing their mind over some corporate IMs just because it's Slack?

I feel like I'm on Reddit, not a site ostensibly catering to _computer professionals and experts_.


The difference is their privacy policy has been changed retroactively against the good faith their users had. That's the problem. Of course if it's corporate it's usually monitored, but when Slack championed the user and only catered to the company when forced (via compliance reports which told you they were enabled) and now suddenly switches to a model where past contracts are broken, people have a right to be upset.


Yeah, it kinda sucks that they changed the privacy policy, but if you had actually read it, you'd have seen the part that says that they can change it any time for any reason.

And also, all they've done is give the corporation the technical ability to do something they've always been able to do -- read your private chats. It's just that before they had to do more work to do it, but they've always had the right to do it, regardless of what Slack's privacy policy said.


I mean, it sounds more like people are upset because they are embarrassed how they acted in DMs, or said things they shouldn’t have about their colleagues, and now are worried someone will see that. It doesn’t sound accidental, but that they didn’t get an Export notice, so they thought they were free to talk shit and act however they wanted to. Presumably a lot of these individuals are at smaller companies where a “CIO” might be more inclined to go in and read everyone’s private drama.

I dunno, it’s hard for me to have much sympathy. It’s a rough lesson to learn if you are in your mid 20s and maybe didn’t know any better, but anyone who has been around for any length of time should know better than to put certain things in writing. That is, like, a life skill, not some Bay Area social contract.


I know in general there's the whole "the company pays for it, the company owns it, the company can audit it" corportesse oblige, enshrined in case-law yada yada, but one of the things I always liked about Slack was it seemed to have a bit of that old counter-culture sneer around "yeah, that may be true, but we code for the user anyway". This is very much an anti-user, pro-corporate maneuver, and I think it's a shock to many who took Slack's long-time messaging to the contrary at face-value.


Well, on the other hand, some of us checked, read the privacy policy, and found it acceptable. Compliance reports came out, with the caveat that that was from point in time forward, and that was also acceptable.

This is rewriting the privacy policy we agreed to retroactively, and it's not OK in my mind. I don't say anything stupid on company slack, but in principle this is a bad move.


Yes, this is what happened with me too. I assumed there was some way for the admin to view DMs, but on inspection, discovered there wasn't without first activating Compliance Exports. While it would be great to say that I was a hardened corporate peon that knew better than to fall for this, it wouldn't be completely true; I actually expected Slack to live up to that and not retroactively disclose DMs.

It's not that I necessarily wrote anything that would be a problem if it was disclosed (as others have pointed out, there were other workarounds to get DMs if the company really wanted them) -- it's just broken trust.

Access to DMs would've been par for the course if it had been the way Slack worked all along, but it's really disappointing to see them change it retroactively, insofar as that's what's actually happening.

The consensus here is of course correct: never trust anything done on company equipment, whether it's owned or rented (as in the case of a Slack channel) to be private, even if the owner of the rented property has given certain assurances. Money makes the world go 'round.



That’s precisely my view on this too.


IMHO I don't think this is a fair title change. What is important here is the fact that access to DMs has changed, not that the general import/export tools have changed.

If Google changed their TOS to suddenly make everyone's search history public, would the title read "Google changes TOS"?


I agree, and this is the first time I can ever recall disagreeing with one of HN's admin title corrections that I noticed.


Even "Slack changes DM import/export" would be a better title. This current title I find to actually be almost completely unacceptable.


This confused me as well, especially after coming back to it after the change. I had assumed some other Slack post went up and received equally or greater activity than the original post.


Yes, especially because I read the comments when the title was more accurate and came back thinking this was a new submission.

This is a completely irrelevant title.


I thought this was a totally new item; a lot of the comments don't make sense without the old title.


Agreed, and all the past comments are about this one specific controversial change.


Part of the reason why Slack has been so successful vs. other corporate messaging solutions is that it encourages employees to bring their “whole self” to work.

It’s perhaps the most important thing at work to feel like you can communicate easily and without fear of reprisal from managers and in my opinion had a lot to do with my extensive use of Slack.

It felt like, for the first time, the communications platform wasn’t “owned” by the strict hierarchy of the company. I created my own channels, and felt no fear when I communicated with co-workers. I wasn’t doing anything “wrong” ever in my communications, but, let’s face it: there are things that you don’t want your boss to know, especially if like the majority of people, you’re working for a bad boss that has to be “managed” himself.

If Slack continues in this manner, while it may make sense from a liability and business perspective, employees aren’t going to trust the platform anymore the first time a manager reads a private conversation and uses it against someone. And generally I’ve found it’s not hard to figure out you’re being spied upon.

I’m not sure what the solution is, but definitely if Slack allows managers private access (without a court order or similar serious situation where such access would be warranted), they can no longer claim they want employees to “bring their whole self” to work anymore.

Oh well. It was nice while it lasted.


I agree. It feels like Slack broke our trust. I don't have any records, but I do remember Slack in its earlier days promising not to share private communication with employers and to send the logs directly to govt agencies or 3rd-party audit agencies.


> It’s perhaps the most important thing at work to feel like you can communicate easily and without fear of reprisal from managers and in my opinion had a lot to do with my extensive use of Slack.

This is a problem with your management, not with Slack. If your managers are abusing such a tool to read everything you write then you have much much bigger problems.


Yep. I work totally remotely and Slack felt fundamentally different to email: my extensive DMs with coworkers felt very analogous to physical contact.

Sometimes, if you're working in an office, you just want to lean back in your chair and whisper to your coworker "what a fuckin awful meeting, what was [boss] thinkin?". And as a full-time remote worker, Slack was the only place for that. I feel this will make 100% remote a lot tougher and more isolating because the life-line that was private contact has been severed.


I think if the employer provides the tool, it is their data.

I know there are different traditions in other places where they consider something like work email to be more of an employee owned or privacy issues. I always thought that was a bit wonky and it is easier to identify who owns what by ... who owns it.


I may agree with the result regarding Slack. But your argument doesn't really work if you consider who owns a rented apartment, a leased car, or a company phone officially allowed to be used for personal matters.


My statement isn't meant to be a rule for all things in life; the difference between an apartment and Slack is kinda huge.


>I think if the employer provides the tool, it is their data.

Not really. Just because the employer pays for the office building doesn't give them access to my private conversations with other members of the team.


I guess it depends on where and lots of details and such as to what exactly you're talking, but provided you're all employed by the same person... it's their team too.


What if your cafeteria conversation is recorded on a camera without your consent and used as evidence against you? Is it legal, or an invasion of privacy?


Did you have the expectation of privacy? (Probably not.) These are not new issues and there is existing law around them.


Slack seems more like an official meeting room than a cafeteria. Cafeteria is a messenger on my personal phone.


Of course, if you are in a group chat on Slack. But one-on-one messages with friends within the company, excluding your managers etc., can't be a cafeteria conversation?


For companies, yeah, this makes sense. It was nice when this wasn't true, but never really expected nor required.

Unfortunately, Slack also gets used for a lot of OSS communities. Arguably this was already a poor fit, but now it's even more obviously a mismatched relationship; it's unclear whether one could just start paying for a Slack account and immediately pull all DM history for something that didn't come with the expectation of corporate ownership.

#freenodeforlyfe, I suppose.


Rocket Chat is something I've been looking into. It's...well pretty amazing so far. Open source, self hosted, bridges to slack fairly reasonably, and gives IRC style permissions. Slightly nicer for the "I'm not always logged in"/"We need a log bot" issues IRC has had.


If it's self hosted, then DMs cannot be private from the company/organization since they literally have root on the box.


> it's unclear whether one could just start paying for a Slack account and immediately pull all DM history for something that didn't come with the expectation of corporate ownership

I've tried. In my experience, Slack will not approve your compliance export application without articles of incorporation.


Some projects are moving over to Discord.


Let's clarify a bit, this is for the employer owned Slack workspace. If you have the client and have your employer workspace and then another random workspace that is not owned by your employer, then they can only see the messages on the workspace owned by the company.

And this is meant for backups really, it's not going to be easy to just follow random conversations of yours on a daily basis. If they want to go back and dig up some dirt they can though.

That said, if you are worried about it, and working on a computer owned by your employer, you should just assume everything you do is logged. Because some do that.


> Let's clarify a bit, this is for the employer owned Slack workspace.

My company doesn't use slack, but it is a little crazy to me that this wasn't already the case for employer-owned workspaces.


It seems like this requires Slack Plus and not just the Standard plan. It's not clear to me if you can access all historical data immediately after upgrading to Plus, though.


Technically this was possible before this.

Since the email to each Slack user is an @company.com address, all you need to do is take control of the employee's email address, reset the Slack password and log in as the target user.


> Since the email to each slack user is an @company.com address

Not necessarily


It turns out administrators could change the email address anyway. :)


Right?


For most companies' Slack channels, you would need the @company.com address to get approved for Slack access.

Very rare and unprofessional to allow someone's personal email access


In the end that's your responsibility to maintain professional level when using internal company tools.

Not surprisingly the three persons who forwarded me this thread with comments like: "shit", "is this legal or allowed?", or even "I'm screwed if they read my messages" - are the ones who are always trash talking colleagues, pairs and the company itself.


Reading the comments it seems nobody is concerned about this broad access leading to sexual harassment of women who are constantly exposed to glances and stronger forms of abuse and may vent in a private channel, or may have discussed intimate concerns with friends (now past conversations are also available). Nobody paints the picture of the boss reading girls logs? This is pathetic. US, land of the well paid slaves.


Always assume any communication on your work network can and will be monitored... If you want a private discussion, best to do it in person or on your own devices, not using any company resources.


Traveling all the way to Lancashire seems excessive. Surely you can just have the conversation in person. ;)


As an owner of a free Slack that has thousands of historical and inaccessible messages by the users, how can I delete these stored but inaccessible messages to protect them?

It seems unconscionable that Slack retains messages but provides no way to remove them without paying.


Use slack-cleaner[1] to nuke messages you've sent. You need to generate a legacy token[2].

[1] https://github.com/kfei/slack-cleaner

[2] https://api.slack.com/custom-integrations/legacy-tokens


I suspect that if they allow admins to download DMs, they also probably soft-delete messages, so deleted messages would still show up in the exports. Can anyone confirm?


For compliance exports at least, preserving deletes and edits is an option you can set.


Does this actually delete anything or just flag it as deleted?


I have never really understood the notion of needing communication privacy in the workplace. To be honest, without having seen this story, I would have assumed this was a feature of Slack already!

I can't remember where/when I heard this advice but it seems relevant and helpful for this matter:

"Write/speak all communication in the workplace as if the CEO themselves were CCd on the email."

It has served me well.


Work is stressful and communication can reach straight into your brain. People go through periods where they're not handling stress very well, and they will often express ideas that, divorced from the context of the stress and bad feelings they have at that point, don't reflect what they really believe or intend to say in public.


I think that part's easy to understand. The tougher part is why one would put that communication in text, enter it into a company-provided system, and then be offended / dumbfounded when it's accessed by one's superiors at that company.

We all get stressed sometimes, but we don't all do that.


How is this possibly news? Besides the fact that Slack has let owners read DMs through compliance export since forever, most company Slacks authenticate via mail (usually Google mail), which your employer controls.

This is no different than company emails, which (I hope this isn't surprising) your employer can also read.

Don't have personal conversations on your company Slack!


> Don't have personal conversations on your company Slack!

You may be discussing unionization on your company Slack, though, and the employer may now use that against you. There’s a lot more than strictly work-related content, and strictly private content. A huge grey area is in between, and the employer shouldn’t be able to access any of them (and as the ECHR ruled, the employer may now).


If you’re worried about that, don’t use company Slack. But you should know that federal law protects employee organizing, especially for unions; if your employer retaliates, you can bring a claim against them.


I had a toxic manager who would screenshot DMs and post them publicly.

Just consider any work communication of any form to be public.


If someone is determined to be an ass, technology isn't a barrier.


Technology helps asses act like asses more effectively.


So my longstanding "never write anything in corporate correspondence that I wouldn't want revealed some day" principle seems like a great one.

Seriously. It's not your platform, they are not your emails, they are not your chatlogs, and you should never act as if what you put in will remain private and yours to control.


Yesterday, a private channel existed where your employee Jim may have mentioned to his friend and coworker that he had a date with his male partner. Today, that data became available to you. You were planning to fire Jim, but now there's a risk that it would look discriminatory. Do you risk a wrongful termination lawsuit and dragging your company's name through the mud? You could check his slack messages to assess that risk, but if you do find something then you're in an even worse situation.

This seems like the same minefield as asking an employee to login to his facebook. The main difference is that this time, slack did it to you -- you were not given a chance to opt-out.


Wait a month and then do it while making sure you have a clear case. I believe similar advice is given if there is an OSHA check -- since you can't know why you were checked, it's best to wait before firing anyone for non-blatant/egregious, even if it's with cause and evidence.

> This seems like the same minefield as asking an employee to login to his facebook.

How is this like facebook? It's a corporate medium, just like email would be, or like a company-run XMPP or IRC server.


It's like facebook in that the employees had a guarantee of privacy (insofar as most private communication is private; obviously the recipient can expose the message, or someone can coerce you to login to your account). Some people are waving this away with, "oh, probably the employee signed some contract saying that it wasn't private" but even if that's often true it's of course sometimes not true. Certainly I've never signed a contract with that kind of clause, but I've generally worked for small companies.

I suppose there's nothing preventing a company from using Facebook as a corporate communication medium. That'd of course not be a good idea since they don't have access to some of what goes on at Facebook. The same thing was true for Slack. Some companies used Slack without considering that the data wasn't really under their control, which was perhaps not a good idea. This change is akin to Facebook recognizing that blunder, and "fixing" it by making DMs between employees available to their employer.


> It's like facebook in that the employees had a guarantee of privacy (insofar as most private communication is private;

Nope. You could be compelled to show your DMs on a work system.

There is no such thing as privacy on a work system.


"Wait a month" if you do that, then Slack just cost you thousands of dollars. How mad I'd be at Slack would be proportional to how many thousands of dollars they just cost me.


Such is the cost of constant surveillance? You need to weigh the pros and cons in any situation. If you don't think that seeing such a DM is relevant, then consult your lawyer and fire them. If you feel it best to wait, you wait.

Also, how is this different from Email?


Very surprised to find that this was not already the case.

In general I think you should assume that all communication on a work-provided tool is not private.

Private conversations belong on whatsapp / signal.


On a semi-side topic: Canadian dev here, I always immediately hard delete e-mail correspondence (both inbox and sent) with HR on anything that I feel private about, as I don't want the guys in IT reading it. I know they don't, but I also know they can.

For example, I might trust the head of IT but I might not trust that new intern or "new guy" they just hired.

What do you guys do when it comes to HR correspondence at your places of work?


Well, there's nothing I can really do about it. When I hit "delete", my company email doesn't actually get deleted. It just disappears from my view. I believe the stated policy is they delete after 3 years post "delete".

If I worked in or near the office, I'd walk over to HR and request printouts instead of emails, but since I work remotely, I'm stuck.


Companies that care about that have email gateways that will store all messages, regardless of you saving/deleting them. This is not something they do at the individual's inbox, to prevent what you do with the HR emails.


With most corporate email systems, I'm pretty sure you can't hard delete any message. Sure, it may no longer show up in your inbox but it won't be vanishing off of the compliance logs.


What do you mean "hard delete"? If your place of work is using any of the big cloud email services, they should be able to get at those emails regardless of whether you've deleted them.


This does not necessarily prevent them from being able to read these emails. If the email system has journaling enabled then a copy of every email sent and received is retained.


Are you certain that IT can't read deleted emails? I would think there would be backups and logs in the email server.


Bear in mind my opinion is coming from the US ITOps perspective, outside of this my opinion may not travel as far pun intended re:the rest of the world.

There are a lot of out of touch concerns here in regards to privacy. I think this basically shows the diff between INDependent devs and employEE devs.

At any point in time a company who owns and pays for all IT-related accounts and services can look, monitor, export, disable, enable, delete, log or secure their systems as they need to, either by compliance requirements, legal, policy or for any business or non-business reason, at any time.

At the least you do not have a right to privacy, or at the best only limited privacy, when communicating on a company-provided communications platform.

Most companies worth their salt have this written down in their company handbook or manual etc. Most companies also have reasonable "you may use company systems for limited private exchanges" policies.

This is even more true when the company has government or gov facing clients or does business in certain market sectors like Finance.

It is good to see the new kid on the block (Slack) is growing up and getting more focused on its core business clients: companies/b2b.

The same goes for company provided laptops, equipment.

I think it is also super important above all that the vast majority of people and companies enter into these things in good faith and reasonableness. We just do not live in a world where the honor system can be the only safeguard for these things. And of course with all things businessey -- the more money is riding on top of something -- the more important it is to be wise in regards to risk in and out of business matters.


I was always under the impression this was already going on. I don't see the surprise here: there shouldn't be any expectation of privacy with regards to conversations between employees happening on company virtual grounds.

Heck, in my previous company when we wanted to talk about something off-the-record, we'd even physically go off campus due to the sheer amount of walls equipped with 'ears'.


Never mind the walls: what about the people equipped with literal ears?


This is a good thing. People need to realize work chat is a paper trail...


A one-way paper trail in favor of the company. If a boss tells me I'm fired for being "too black" and then deletes my slack (and I don't have a screenshot), I'm not going to have any leverage to get proof unless I can get a subpoena (which I wouldn't be able to, most likely)


I think you’re wrong. A subpoena would probably be granted for a situation where you know that the relevant evidence exists and exactly where it is. But it might not come to that in the scenario you describe, since the employer would also know that a third party has this incredibly damning evidence and would likely try to settle.


If it helps, the company is the one paying for that paper trail.


As a society, we're having a very hard time adjusting to all kinds of social media.


I'm always surprised by the amount of DMs people send in Slack. I've worked in 2 companies using Slack and, in both, about 80% of the total messages were DMs. It seems crazy high to me. I wonder if people just send private stuff unrelated to work all day, or if people have trouble with trust and transparency in the workspace.


I don't find that surprising. Most of the communications I have at work are with a specific person, not with a whole channel. It's not because I don't want other people to know what I'm saying to someone, it's that I don't want to bother them with stuff that isn't relevant to them.


How do you know you bother them? Your comment makes me think of daily meetings in SCRUM. Sure, most of the stuff people are working on or that blocks them is not relevant to everyone else, but we do it because it's good for the whole team to share and stay up-to-date on what is going on. As a tech lead/manager, I apply the same logic to my communication. I use DMs only for stuff that shouldn't be discussed publicly.


Perhaps people don't feel like spamming a number of people with a conversation that only needs two participants.


I use DMs to avoid spamming my entire team with a discussion that only relates to one other member.


I've always assumed everything I type on a work machine is property of my employer, and thus can be reviewed, copied, etc.

I find it astounding how many companies use a third-party messaging system for all their communications.

Do they not realize that anyone with access to Slack's data can read their stuff? That's over 1,000 people[1] if you only count Slack employees!

Do you really think that competitors or blackhats are above blackmailing or paying one of them for a data dump?

[1] As of March 2018, according to this Mashable article: https://mashable.com/2018/03/10/how-slack-uses-slack/


This is going to be a problem for open source communities that use a semi-public slack as the communication platform. I don't think the users expect the DMs to be public to the project admin.

It's not necessarily bad. But it might be time for those communities to move.


My employment contract says something to the effect of "using internet facilities for work only". I mean, duh. I have a cellphone with a 4G signal that I pay for.

What next, employers are going to be able to choose the color of elevator buttons. Tyranny!


I read the message retention policy as a true delete for anyone not wanting to get their previously private messages grandfathered into a newly non-private policy.

Slack warns you for a channel that setting the retention policy is "truly, permanently deleted. These messages can't be restored or recovered, even by Slack"

https://i.imgur.com/63x2oee.png

https://get.slack.help/hc/en-us/articles/203457187-Customize...


This should not be surprising to anyone. You're giving your data to a corporation who has every incentive to give it to your employer. The only real surprise here is that they weren't doing this earlier.


That's backwards. You're working for an employer who has every responsibility to monitor business communication. Slack can't "give" something they were never supposed to control in the first place and only have by accident of architecture. This fixes an old bug.


> You're working for an employer who has every responsibility to monitor business communication.

Setting aside for a second the unusual ethics being proposed here: it's trivial to bypass official channels if you want to say something you don't want your employer to see. It's fairly standard practice to not put anything you don't want someone else to read in text at all, but rather to pick up the phone--it's too easy for someone to copy/paste a Slack message or Forward an email. This can't be a responsibility of employers because very few employers can live up to that responsibility.


They had compliance exports and I wish they'd stuck with that since turning them on notified everyone that your employer could now see everything and prevented them from exporting anything private prior to that.

I know why they did this but a compromise could have been found. With this ability someone can dump everything and just read through it with users none-the-wiser. If users read the previous documentation they'd even believe they were safe from snooping and would be notified when it started. At least with compliance exports the users were informed and had privacy.


I'm finding myself in a situation where this is actually kind of welcome news involving a workplace bully who operates via DM.

I'm moving on very soon, but I've shared many of our interactions with management, management has even seen first hand how he openly insults other engineers.

Instead of doing anything about it, management announced we had been acquired and over the course of about 12 days slowly resigned leaving us with the new company.

New company promoted the bully.

Hopefully others speak up as I have and this new feature can help some people get relief from the guy.


I don't understand how this feature changes anything? If he operates via DM then you and his other victims can pretty easily share the evidence with management today. I don't think this feature is going to be a magic cure-all where management pro-actively monitors communications for this type of behavior - it will still require individual(s) to escalate a complaint that management can then investigate.


In our unique case, it would have meant we could have exported old DMs from users who have since left the company after a recent merger.

I'm using my example to think forward: an employee leaves due to workplace conflicts, and later (not to intimate this is the path I'm taking, I'm merely walking out the door, as my issue was a mere personality conflict not something that I can seek damages over) pursues civil action, a responsible export and archive policy from HR the way IT departments may sometimes be required to retain email messages for a period of time can be a benefit if the departed employee cites their interactions with an abusive manager for their departure and subsequent litigation.

Other commenters have referenced this as well.


I'm glad that this isn't going to affect the free tier users (rather, they'll need to provide legal reasoning for it and consent) since there are a bunch of communities on slack.


Could this be backdated upon upgrade to enterprise, i.e. the admin is able to access private conversations prior to upgrade from the free tier?


If you publicize that you can read the messages, no problem.

I had a boss that liked to spy on the private messages of the employees without their knowledge. A bunch of interns started to privately create offensive nicknames for a fat employee. They didn't use the name in public. He read them and started to use the nicknames in his conversations.

Well, this guy also published job ads for our old tech stack with a false company name to see if any of his employees were applying.

Talk to me about lack of ethics.


I think Gitter is architected differently and doesn't allow this. Your private chats aren't in the context of some company, but the network.

Again, look at this everybody! We are relying on some third parties merely to facilitate our conversations! And they are relying on the "SAAS" developer who hosts all the conversations (not open source) to determine one-size-fits-all rules.

This is nearly 2020, why is it still the norm?


There's actually a Slack competitor called Symphony that exists solely because it allows thorough auditing/monitoring/spying on all communications. It's ugly and is missing a ton of features. It's used by a bunch of financial services firms that have a lot of compliance rules they can't enforce with Slack. This move is probably to start getting Slack into that space.


I had just assumed this was the case anyway.

I used to be a teacher, and have recommended Slack to an old colleague as a way to facilitate staff communication at their school. Additionally my current organization quite often works with children at workshops and the like.

For an admin not to be able to look through DMs is a serious safeguarding issue, so I'm happy this is now possible.


That’s probably a very good reason to fall back to WhatsApp or whatever else for things I don’t want my employer to read.


The surprising thing to me is that this was not already a feature of Slack. Isn’t the ability to view employee communication a very basic requirement of corporate communication platforms? Does anyone have an expectation of privacy on any corporate infrastructure? I certainly never have.


I thought this was a feature all along. From an HR and legal perspective, this is necessary, right? My emails on the company server are subject to discovery. I was coached at onboarding on what I could and could not say in an email. Down to, "when it doubt, schedule a call."


I have a rudimentary tool (written in Ruby) that can be used to delete your history across channels & DMs that might come in handy: https://gitlab.com/reagent/slack-purge


Good. If you have to say something work-inappropriate, don't use your work communication tools.


Glad this is happening. It's not fair to use DMs to form alliances against colleagues in order to increase one's bottom line. That is exactly what I've observed in agencies that run on Slack. If life is a game, this is a backdoor worth closing.


Your problem is with people, not slack, they can just go to skype or whatever tool they want.



I am mostly worried about the bait and switch. If this feature was only applied to messages after the announcement then that would be fine. I am sure many of you have had conversations over slack thinking well it was okay because nobody could see them.


I can't seem to find the article where an employer was sued for failing to inform authorities about a monitored work email that indicated one of their employees was about to commit suicide. I'm not sure what ever happened in that case.


https://gph.is/1maiw0M

This sucks so much.

Does anybody know if deleted messages get deleted for real? Or only just marked as deleted in the database?

This couldn't be an early April Fools joke, could it?


You should never talk about extremely personal / private stuff via DMs anyway. I don't really care if my employer could read my DMs because they're mostly work-related small talk anyway.


Like everyone else I'm more shocked that this wasn't available by default.

I'm not sure if this applies to the last (work) Slack I was part of. The company blocked it over a year ago and presumably deleted it shortly after. I just checked and it is deleted now.

As far as I know, since it was setup by a middle manager (who lasted two weeks) and then blocked, it was probably on the free plan as well.

I'm not really concerned for myself, as I always assume all my interactions on a work machine are monitored, but people did occasionally send me things that they probably wanted to be off the record. Not sure if I should warn them that there's a (small) chance that their messages could now be read.


I think this holds true for all Slack teams I joined online. Online I mean, like the golang Slack or any other community-created Slack team I joined. Is this correct?


As a basic user of the platform (where my employer has Slack Enterprise Grid), I've always expected this is the case and planned my communication accordingly.


Personally I assumed that capability was always available. So it was interesting when I received a private SMS about this story from a coworker.


Goodbye slack, time to delete you like Facebook too


So how does one delete his previous history before he was made aware of this change?!

In other news, I guess this means shadow IT is back in style! :P


After dropping IRC support, this makes two controversial changes in a very short span of time. Did something change at Slack?


Based on experience I have somewhat related advice for employees: don't connect your personal phone to the office wifi.


This might break EU law, at least e-mails marked private are considered private, so your employer can't snoop in those.


I always assumed they could. As I always assume that basically everything I trust to a computer system could be public.


Do employers have the same tools with email?


Yes. You can access Outlook365 and Exchange via APIs as well as Google Apps for Business.

Plus Calendars, etc. Anything that uses LDAP locally and now through the 365 APIs.


How does it work, an Outlook 365 admin(?) can read anyone's email that they want? Do they essentially just log onto the normal UI as that user?


As a manager, if I fire somebody or they leave, I get access to their mailbox via Outlook365 for like 3 months, just in case I need to grab something from it.

So there must be a way to assign ownership of a mailbox to another user.


Yeah, you can attach mailboxes to other users with Powershell.

You could also just create a mail rule that sends a copy of every email every time someone sends and receives one and they wouldn't know.


It depends on the setup. There are different nuances but through an Admin granted API key you could potentially access all emails. There are safeguards that companies put in place to restrict this as well.


Yes.


You mean like with Google's G-Suite? Admins can always change your password to one that they know and log in with it. Even with a 2FA policy, they can generate backup codes to use. Generally assume that yes, corporations can read their corporate email accounts. However, they may have policies that prevent their staff from accessing other employees email accounts without a specific need.


Password change/login is not necessary to pull email in from G Suite.


With Google G-Suite you can also set up the Vault so every e-mail ever is stored indefinitely even after deletion. Same goes for Drive and Groups.


Google Apps admins can read all the incoming and outgoing emails.


If you don't trust your employees enough to maintain private discourse, why would you hire them in the first place?


Some companies have more than 10 employees.


What if your company hires more than 1000? Does that mean you should compromise your values and integrity?


I'm disappointed, but not surprised. If you are on a company network, assume everything you do is logged.


Controlling thoughts reduces creativity


Illegal in any country with just about decent employee protection. Looking forward to the lawsuits in EU


EU court of human rights disagrees with you.

https://www.echr.coe.int/Documents/Press_Q_A_Barbulescu_ENG....


Hate to break it to you, but this is not illegal in the EU.


I've always assumed that was the case. Company stuff is company stuff, don't assume otherwise.


It's hard to see how this is bad -- they have/should be able to have access to your other work-related communication and work product (modulo the weird rules around things like salespersons' "rolodex"es).

It's so easy to have private channels these days it's hard to see how this should even inconvenience anyone.


Because it is illegal in many countries to access somebody's personal communication even if it uses eg. a corporate email address?


It's not, not in Europe, not anywhere. Saying it a couple of times doesn't make it true. Your boss can read your emails and most likely already does. This is exactly the same with any internal messaging and it's perfectly legal in the workspace.


The European Court of Human Rights recently ruled that an employee's communication may not be monitored without prior notice and without specific reasons. [1]

[1] https://www.coe.int/en/web/human-rights-rule-of-law/-/echr-m...


Wherever you work in the USA there's a note in the employee handbook saying that the company may monitor any communications using company equipment for any business purpose, which is completely consistent with that ruling (and, even if it applied in the us, would render it moot).


No, "we may monitor your communication for any business purpose" would not be consistent with that ruling. There's no chance "any business purpose" would qualify as a legitimate reason for monitoring communications.

From the PDF press release linked on the COE site:

"The national courts [have not] carried out a sufficient assessment of whether there had been legitimate reasons to justify monitoring Mr Bărbulescu’s communications."

"Neither of the national courts had sufficiently examined whether the aim pursued by the employer could have been achieved by less intrusive methods than accessing the contents of Mr Bărbulescu’s communications."

In other words: You need a legitimate reason for accessing your employees' communication and you need to consider less intrusive ways of achieving your aim first.

So your boss is not allowed to just read your mail whenever he likes. Or maybe he is, if you're working in the US. But European courts, especially the international ones, are very strict about privacy and protecting personal rights.


This will open up Slack to industries that frown upon creating communication channels between employees that cannot be recorded.

http://bizblog.blackberry.com/2015/07/chatrooms-in-finance-w...


Nah. Slack was already open to them. You just had to enable the compliance audits. This is mostly interesting only because it's retroactive. A fact which of course wouldn't matter for anyone that wasn't already using slack.


And with that slack is not something I will be using. Way to mess up a good thing.


*can access.

In some countries it's illegal for employer to read employees private messages.


It's an email replacement. Seems like an obvious choice to me.


Does this affect the basic plan?

If upgrading to Plus, does it include past messages?


Is this available for Gsuite as well? My former office had employees mocking others for their age, gender, etc. No way to show management without revealing I'd found a way to spy on them.


Why was the title of this submission changed?


I had assumed they already did this.


pidgin / adium OTR has been around for a long time.... for a reason


I'm surprised that Slack was so widely adopted without this capability already available.


This is basically the end of Slack for me. It's over. I'm done.

I am now anti-slack. I am an opponent of slack.

You had me, but now you lost me.


I dislike Slack as much as the next guy, but I honestly thought this was already the case. It was in general for work emails, why would it be any different for another office communication tool? Shouldn't be a surprise for anyone.


Whenever I’ve been a SA I wouldn’t let a manager access an employee’s email without written authorisation from HR. How does that work here, what are the safeguards?


Slack...the big brother you never asked for!


with or without my consent?


Every employee agreement in the US I’ve ever signed includes a section where you’ve given your consent.


Without consent OR notification.


Without.


How is it legal? Even law enforcement needs to provide a warrant in case they want to search my apartment.


Not if you're living in one of their cells.

Your employer pays for slack and it is a work related tool, just like your emails. If you want to have private communications then send a text. BTW they can also search your desk because, you know, it's not yours.


What about, let's say, conversations in the company-owned cafeteria? Can the employer record them without your consent and use them as evidence against you?


Depends on the state I would assume, but of course IANAL. Some states have single party consent, and you're certainly not in a private area. You'd have to look into the eavesdropping laws where you live. You realize that many buildings have security cameras, right?

I'm still very confused as to why you believe that your communications over a company owned platform should/would be private.


>> I'm still very confused as to why you believe that your communications over a company owned platform should/would be private.

Is this a generational thing? When I got my first job, there were cultural norms about not making personal calls on the company phone (this was a time when people still used paper for memos) or using company resources like copiers.

While I realize times have changed and things appear much more relaxed today, I don't understand why people would even think to use company owned devices/servers/resources for personal stuff for anything short of an emergency.


Because I don't see the difference between having a direct conversation vs. having an electronic conversation on the office premises. Why would there be different rules for them?


Well, one is a platform provided specifically for work related communications (again, like your email). Also, read the above linked article which discusses wiretapping:

>employers are given an exemption for calls made “in the ordinary course of business.” Courts interpret this to mean that employers can eavesdrop on all business telephone calls but cannot listen to or record messages it knows are personal.

Also:

>ECPA also applies to audio monitoring of the workplace. Employers can install recording devices in any location that is used primarily for work. But employers may not conduct audio recording of nonworking areas such as cafeterias, break rooms, or locker rooms. In practice, this means little because employers are not required to notify employees that they are being recorded and employees are unlikely to discover the hidden microphone.

So there is an obvious legal distinction between communications which are intended to be work related and those which are not. In your cafeteria example, no, they should not (assuming this article is the entire story.) However, your slack messages are not considered the same as a cafeteria conversation.

Again, I'm not a lawyer and have zero real knowledge here, but I think it's silly to expect privacy in your work provided messaging system.


Because one of them is almost literally a paper trail and the other is ephemeral?


But if you record the ephemeral, there is essentially no difference.


They aren't supposed to in the US. See the "Audio Monitoring" section of this ABA article [1].

Here's another article with more information on a state by state basis [2].

[1] https://www.americanbar.org/publications/human_rights_magazi...

[2] https://www.upcounsel.com/audio-surveillance-laws-by-state


They aren't searching your apartment. They're searching the office you use in their building.


Your employer owns the data, not you. The owner of something doesn't need special permission to look at it. It could be a company provided computer, email, or filing cabinet; they all belong to your work and they do not need to ask anyone to get in and look at the contents.

Even something that has a reasonable expectation of only containing personal belongings (eg. a locker) may or may not be protected from employer search as each state in the US has slightly different rules.

For work related tools, the rules are almost entirely stacked towards having no right to privacy whether a company policy exists or not.


How can a personal conversation be "data"? You mean they can potentially sell my personal conversation with a friend as if it's company-owned data?


> you mean they can potentially sell my personal conversation with a friend as if its a company owned data

Don't do it on company slack then?

Whether or not this news is a surprise to you, you must already be separating concerns. At most competently run places emails/chat logs etc are logged.


Assuming you and your friend both work at the same company using the same Slack Workspace and someone would be willing to pay for the data? Yes, it is a possible scenario. I have no idea why a company would offer to sell its employee chat logs, but I am sure there's a more clever individual out there who can think of reasons.


Because the company you work for owns and pays for the platform you're using.

Just like they presumably own the computer you use, and any other platforms/equipment supplied so you can do your job.


They don't, however, need to provide a warrant for their own apartment. That's effectively what Slack is implementing; it does not mean that they can go through your personal Slack setups. Just FYI, any application that is provided by your employer is theirs, and most likely in your contract is that everything you say or write is their own property.

If your mobile is paid for by your employer, they have access to anything on that as well; this includes texts, MMS, and call logs.


If you are employed in the US, your information and device use policy, or your HR handbook, that you agreed to when you were hired is very likely to say that.


It's not your personal property.


Privacy is important, even in the workplace.


This is the greatest advertisement for IRC ever.


No it isn't. They would own the IRC server and see everything.


I think Off the Record encryption on IRC is done entirely by the clients, so the server can only store an encrypted blob. It also has forward secrecy.

There's no reason you couldn't do the same with a slack client, of course, but your employer could see you had encrypted chats.


I still prefer IRC, it irked me when my favorite sysadmin channel moved from freenode to slack.


Come hang out in #lopsa on Freenode, we never left ;-)


So then employees just switch to Signal for DMs...


I don't know why people assumed they couldn't.

Before this, they would've been behind, at max, a subpoena, right?


Wow. Ya know, for every case this might "help" solve (workplace harassment and the like), I just can't help but say ultimately it will hurt far more.

"But employers/managers/execs will operate more responsibly with more data about their employees!"

Will they really? I think they'll be able to operate more "powerfully" with respect to controlling employees... but with that power I wouldn't be surprised if the abuse outweighs the positive utility.

Additionally... this is going to kind of kill the culture between people (ESPECIALLY REMOTE) using Slack. Do you really want to talk about your weekend, or forge any type of bond over chat now? Why would anyone ever do anything rapport-building over Slack now?

Yeah yeah, "but managers/employers won't be that extreme, you're being extreme." There are a lot of cases in the past where I've thought "sure, an exec or manager wouldn't do X" and then sure enough, there it is at the top of HN, and the company is going under.

So...someone else on here speculated correctly. It's clearly a selling point for employers since they're the main target to increase revenue. Unfortunately I guess that means using it for interest groups goes out the window though.


If this is what finally makes you behave appropriately on work comms and start communicating out of band, then they are doing your future a favor. It should have been common sense.

