What is the material difference between having employees save DM logs in an auditable, authenticated way and being able to view employee DMs?
If any employee can ostensibly be compelled to provide their logs when asked by their employer, you are getting just as much information as if IT can view them directly. The only way IT doesn't get as much information is if the system doesn't work, for example because employees can alter their logs or simply refuse to provide them. In that scenario having employees saving their own logs gives you more privacy, but doesn't solve the essential problem.
The tradeoff here is convenience of access versus friction. When you are reviewing an auditable log of information related to an employee, you don't necessarily want to have to ask the employee for that information, nor do you necessarily want them to know you're reviewing it.
> What is the material difference between having employees save DM logs in an auditable, authenticated way and being able to view employee DMs?
> When you are reviewing an auditable log of information related to an employee, you don't necessarily want to have to ask the employee for that information, nor do you necessarily want them to know you're reviewing it.
You just answered your own question.
You might not want them to know you're reviewing it but they most certainly do want to know that you are.
> You might not want them to know you're reviewing it but they most certainly do want to know that you are.
Of course they want to know. Everyone wants to know. But if they committed a crime, or at least are complicit in a lawsuit the company is facing, their desire for privacy on an information channel they don't own is irrelevant.
I don't understand why this is controversial. When the SEC, FBI, local police, opposing legal team, etc. want you to hand over information about an employee, having to ask the employee directly or even let them know is problematic.
Then Slack should (and indeed, does) have special processes for handing over private conversations when served with a warrant, subpoena, court order, etc. "The FBI should be able to do it with probable cause" and "your employer should be able to do it whenever they feel like" are radically different.
And I don't disagree that the company owns it and should have the right to do whatever they want with the things they own. But the employees should also have the right to think that's shitty, and companies should have the ability to demonstrate their lack of shittiness to their employees by configuring their environment in such a way that a higher barrier exists to snooping. This change doesn't actually make a new thing possible; Slack had a "compliance mode" before that companies could opt into, but it wasn't the default, and users were notified if it was enabled. This change just limits companies' abilities not to have snoop mode turned on.
Maybe I missed some context but since when are we talking about committing crimes and the SEC or FBI getting involved? If it's that serious I assume they'd just get a warrant and get the logs directly from Slack.
To me that scenario is completely unrelated to the ability of an employer to silently read DMs of their employees for any reason they see fit.
Don't you think some companies need the ability to investigate things their employees are doing for the specific purpose of bringing it to the attention of government agencies PRIOR to warrants being issued and PRIOR to pissing off the entire federal government?
No? I'm being serious when I say this idea is absurd to me. If you have a serious level of concern about your employees doing something illegal then why are they your employee in the first place?
If you are going to use "We need to be checking for illegal activity" as a justification, why stop at DMs? Why not ask your employees to always be carrying around a recording device that is constantly sending their verbal conversations somewhere where they can be electronically filtered for suspicious keywords? Obviously that's crazy and I'm not saying anyone is suggesting that or would support that, but what exactly makes that scenario over the line that doesn't apply to DMs?
I'm assuming the answer is "expectation of privacy" or the lack thereof for DMs, and I guess my response would be that we should go back to an expectation of privacy for DMs also.
> If you have a serious level of concern about your employees doing something illegal then why are they your employee in the first place?
Because “we don’t hire criminals” is not sustainable, just like “we only hire the best engineers” is not realistic. Strive for the best scenario and prepare for the worst.
> I'm assuming the answer is "expectation of privacy" or the lack-thereof for DMs, and I guess my response would be that we should go back to an expectation of privacy for DMs also.
But why? Why do you feel you’re entitled to privacy for your activity if it’s conducted over a communications medium in a workplace, owned by your employer and intended for work-related use? Your rights are guaranteed in the context of government transgression, not in the context of arbitrary corporate policy. For example, “freedom of speech” is not a meaningful right in a workplace setting either.
Your personal rights are not globally applicable in any context. You have avenues available to you for private communication if you’d like, but companies (rightfully) do not want to be responsible for that communication. They want to be responsible for workplace communication. So if you want a private chat, have a private chat outside of Slack. It’s very simple and straightforward.
Workplace communication channels are not intended to be, nor advertised as, safe harbors for digital privacy. You can have those, but companies have every right not to support them for you. It’s not as though companies want you to have private conversations with people and then peek into them for juicy details. They want you to use their infrastructure for its intended purpose.
You pick the law of one of the weakest privacy jurisdictions and argue that Slack should standardize privacy on the most invasive level this country's law allows.
What is this declaration of rights for corporate eavesdropping?
Why do you feel the need to defend Slack? It was their decision to do this to ensure they wouldn’t be forced out of the corporate market ($$$$$) and, I hate to break it to you, US and EU law are very similar in this regard. Corporations in the EU can listen to your business correspondence just as easily as US ones, and in neither do you have any real expectation of privacy at work.
You are wrong about the EU - the national legislation on right to privacy is stricter in many (most?) countries. The EU only sets minimum levels of protection. And even EU law protects more than you imply(1).
I'm defending employee rights and generally the human right to privacy against arbitrary surveillance, not Slack.
In particular, the national courts had failed to determine whether the applicant had received prior notice from his employer of the possibility that his communications might be monitored; nor had they had regard either to the fact that he had not been informed of the nature or the extent of the monitoring, or the degree of intrusion into his private life and correspondence. In addition, the national courts had failed to determine, firstly, the specific reasons justifying the introduction of the monitoring measures; secondly, whether the employer could have used measures entailing less intrusion into the applicant’s private life and correspondence; and thirdly, whether the communications might have been accessed without his knowledge.
There is nothing in that case that prohibits EU companies from monitoring the communications of their employees. Half of that case revolves around legal procedural problems in the original case, and the other half is about whether the company could have fired him over his personal correspondence _without proper notice_. That case, if anything, only upholds corporate EU rights to monitor their employees, so long as they provide some trivial legal notice.
Yes, EU law does protect private correspondence more than US law, but almost none of that applies to business correspondence, and the EU is just as liberal in that regard as the US.
Workplace communication between coworkers, e.g. on Slack, is not automatically business correspondence in this sense.
In any case, you repeat the oft-debunked myth of corporate right to surveillance. It does not exist. There is just a partial lack of EU-level protections. The national laws can and do say otherwise in many cases. As can/do binding collective bargaining agreements.
We are not talking about some small made-with-love startup here that no one cares about. We are talking about military contractors, financial companies, law firms, consulting firms, public stock corporations, etc.: places with hundreds or thousands of employees and millions if not billions in revenue. You are woefully naive if you think you can run a major company in any of these areas without eventually having employees who are going to do illegal things. People do a lot of crazy things, some for personal reasons, some to get promoted, some because they think they were sanctioned by their boss, some perhaps thought it was best for the company, and so on.
I understand what you’re saying here, and sure, maybe in some small private companies or organizations this is a tragic loss of privacy, but everywhere else it is simply the cost of doing business.