
HipChat Will Grant Employers Access To 1-to-1 Chat History - espinchi
http://blog.hipchat.com/2014/04/25/hey-were-changing-our-terms-of-service/
======
etchalon
I sent the following email to HipChat:

As an employer, and account holder, I am not a fan of this feature.

My team must feel free to use our internal communication tools to have
private, perhaps critical, conversations between each other without worrying
about me, or other members of management, reviewing them.

If the tools cannot be trusted, employees will not use them. If they don’t use them,
they’ll revert to other methods of communication, which will consume their
attention.

This should be an option, and one whose effect is in plain view of users.

Lacking such an option, or clear disclosure, I will be canceling our account,
as well as reviewing my company’s use of other Atlassian tools.

Please reconsider this feature, or at least, reconsider its implementation.

Thank you.

~~~
teacup50
I don't get your concern _at all_.

We run local e-mail and IM servers; the only thing that protects user
communications on company owned infrastructure is our company _policy_. How is
this any different?

What I find far more alarming -- and quite hypocritical from SaaS users
seemingly suddenly concerned with privacy -- is that when I communicate with
companies and individuals that use SaaS providers like Google Apps, the party
with which I'm communicating implicitly shares my private correspondence with
a SaaS company that engages in massive cross-internet data collection.

By comparison, employers having access to data that flows over employer-owned
infrastructure is barely worth mentioning, has been the status quo for
decades, and I'm absolutely stunned that _anyone_ is shocked by this.

~~~
etchalon
You honestly don't see the difference between the amount of interest a third-
party software company would have in the private conversations of a team than
the amount a person's immediate manager might have in them?

Second, simply because something is "status quo" does not mean it's OK.

As this is my company, I can choose to run it in a way that doesn't make me
feel like an asshole.

~~~
teacup50
You're being disingenuous; it's the status quo because having the _ability_ to
monitor user communications is the default and inherent legal and technical
nature of conveying communications over company owned infrastructure.

If you don't want to "be an asshole", set a clear company policy and move on.

Having been in the position of _needing_ to access historical e-mail records
while investigating CFO malfeasance and fraud, I'd say it's downright
irresponsible to not have the ability and policy necessary to monitor and
review communications in extenuating circumstances.

~~~
calibraxis
You're looking at it from the perspective of malfeasance/fraud. The other
poster is looking at it from teamwork/management.

They're not being "disingenuous". Ironically, speaking of trust/management,
criticizing people's personal motivations like that is precisely one thing I'm
taught _not_ to do, for effective, healthy teamwork. (Whereas, if I must
investigate antagonistically, like if a boss is harassing employees, I must
assume the possibility.)

~~~
teacup50
No, I'm looking at it from the perspective of simple rationality: SaaS does
not mystically change the technical and legal nature of administrative access
to communications over company controlled infrastructure.

As for criticizing motivations, disingenuity was the more polite assumption
compared to the alternative: that he is ignorant of the legal, technical, and
historical context to the degree that he actually believes HipChat's changes
are unique or novel or questionable in any way.

Entities in a technologically privileged position are limited only by policy.
The fact that he accepts that truth simply by relying on SaaS demonstrates the
significant incongruity of logic at question here.

~~~
etchalon
It's hilarious that you're implying it's hard to understand that the guy with
the server password can read everything. I mean, really?

The entire point of my protest to this change is specifically to stop either
myself, or any member of management team from having a "technologically
privileged position".

Your arguments about SaaS are irrelevant and juvenile. Just cause Atlassian,
or any SaaS provider, has access doesn't mean I, or my management team,
should.

Saying "well we run our email server in house so we just solve this problem
with a policy" is fine.

~~~
teacup50
So you're OK with SaaS being protected by policy, but not the behavior of your
own company's executive staff and delegated administrators?

Hardly seems irrelevant to me, and the free pass you give to SaaS is
nonsensical and hypocritical.

~~~
etchalon
You're either being purposefully dense or you have an agenda.

~~~
teacup50
Whereas you appear to be simply dense given your inability to see the
hilarious hypocrisy of surrendering the privacy of yourself and others to SaaS
vendor policies while calling them to task for giving you the equivalent
privilege of policy choice.

------
bredren
At least it isn't retroactive.

I suppose workers need to assume any communication system that is provided by
the company may be read at any time by management.

The bummer about this is probably many people use private communications
expecting them to stay that way. They don't realize companies like Hipchat do
not have architecture to support data impermanence or encryption between
parties.

Nor do these companies go out of their way to highlight this, as people
probably did not understand the distinction until recently.

~~~
bdunbar
"I suppose workers need to assume"

We use hipchat at work. I've been assuming since day one my employer can read
everything I write. They are _paying_ for it after all.

~~~
jessriedel
> They are _paying_ for it after all.

They pay for the toilets too, but that doesn't mean they have surveillance
access to everything you do in the bathroom.

Not saying that there might not be a good argument that they ought to have
read access to company chats, but it certainly doesn't follow from the fact
that they pay for it.

~~~
username223
> They pay for the toilets too, but that doesn't mean they have surveillance
> access to everything you do in the bathroom.

It's only a matter of time before they drug test every flush. As Eric Schmidt
said, "if you don't want your urine tested, maybe you shouldn't drink water at
work."

------
1stop
Hipchat should have gone the opposite way, and made their policy explicitly:
"1-to-1 is private".

Mimic the real workplace, I have a 1-1 meeting with someone, it isn't recorded
(usually).

It's annoying, because it puts up barriers to communication, people talk
differently when they know they are being recorded.

I hope they implement this as an option (like they do room history).

EDIT: Thinking more, it should be an option, and when enabled/disabled, all
users should receive an email explaining the change. (If you are reading
bitbucket devs, do it! Please!)

------
zacwest
This is a pain point for me because HipChat's permissions granularity is
really bad: my organization gives everybody admin access so we can configure
API tokens, emoticons, etc. Things we want to do pretty often. Now, we'll have
to restrict everybody to a normal user and have a single administrator do
these very normal operations.

~~~
sukuriant
Talk to HipChat, that sounds like something they might be able to change in
their service. Perhaps have a super-admin or user groups or something that
give intermediate permissions.

Your circumstances don't sound like they would be rare.

~~~
TheSwordsman
They definitely aren't rare. We have the same pain where I work. We just end
up having a limited number of HC admins and make them do all our API requests.

It'd be nice if you could take a conversation off the record. Is it
inconceivable that HipChat may be used for human resource like discussions? I
see some risks with this, and not sure I agree.

However, I do understand why they would do this. Bummer.

~~~
orbitur
HR-level discussions should be documented at all times, so that seems like a
poor example to use here.

I truly feel that if the chat platform is being provided by the employer, then
they have every right to disallow you from taking conversations offline.

The problem really lies with Atlassian for not offering better permissions.

------
dccoolgai
The forced arbitration seems a bit odious... General Mills just got dinged for
that and had to apologize...I wonder if the same thing will happen here. For
those who don't know, forced arb basically gives them carte blanche to harm
you and have the case handled by their "friends" instead of the justice
system.

~~~
1stop
Will it work?

Surely I can still take them to court and argue the forced arbitration is part
of my grievance. IANAL but surely one can argue that removing the judicial
system from anything is illegal?

~~~
lobotryas
>I can still take them to court

Of course you can take them to court, however, do you have enough money to
sustain the effort?

Forced Arb. clauses mean little for large corporations (who have the legal
muscle to either reach a settlement or win a battle of legal attrition),
however they absolutely screw "the little guy" who has zero choice but to
follow the contract.

~~~
ams6110
Courts will often order arbitration in civil cases anyway, moving to a trial
only if the arbitration fails.

------
powdahound
Hey everyone - Garret from HipChat here.

I'm sorry for the way we presented this information. We definitely should have
explained these changes more clearly, because they do NOT mean that admins can
browse your 1-1 chats. Our blog has been updated with a better explanation:
[http://blog.hipchat.com/2014/04/25/hey-were-changing-our-ter...](http://blog.hipchat.com/2014/04/25/hey-were-changing-our-terms-of-service/)

If you still have questions or concerns, feel free to email me directly
(address in profile here) and I can answer them or put you in touch with
someone who can.

~~~
officialjunk
"Under the Atlassian Privacy Policy, HipChat administrators will have the
right to access all information in the HipChat account they manage, including
1-to-1 chat history and files shared in those 1-to-1 chats."

I'm still reading this as admins have access to our 1-1 chats...

~~~
powdahound
If you've signed a policy with your employer giving them access to data in the
services they pay for, we will have access to provide them, just like they can
with the email account they provide you (if they do). They won't be casually
browsing your chats, as that is not a feature we provide.

------
nedwin
We trust our employees. I don't feel the need to access personal
communications between employees.

We also give some of our senior guys admin access so they can manage other
users - I don't particularly want them to read my private communications with
other employees either.

I love Atlassian (go aussies!) and Slack is expensive. Bummed.

~~~
coolsunglasses
We use Slack at my company (switched to it from Kato) and we're very happy
with it.

~~~
eli
Were non technical staff able to grok it? I recently went with HipChat over
Slack mainly because Slack just seemed too confusing, but now I'm kind of
regretting it.

It took _me_ a minute or two to figure out how to change rooms in the Slack
Android app (it has menus that slide from the left AND the right).

~~~
coolsunglasses
Nobody I know has found it confusing, it's a mix of technical faculty. I've
only used the desktop app.

~~~
joshmn
You mean the website-in-an-app-looking-frame right?

~~~
eli
At least the OS X version installs and runs mostly like a regular app. The
Windows one requires installation through Chrome.

------
shravan
Somewhat tangential to this story, but we recently moved our team over from
HipChat to Slack [1]. I initially thought that we'd miss the sheer number of
integrations HipChat offers, but Slack seems to cover almost all of the ones
we use regularly and some HipChat doesn't yet offer, like Asana.

[1]: [https://slack.com/](https://slack.com/)

~~~
lobster_johnson
Our team tried out Slack, but the Mac app isn't native, just a rather weak
wrapper around the normal web page. And the web experience just isn't as good
as HipChat.

Also, no in-app voice/video integration that I could find. HipChat's one-on-
one video is great, although what I really wish for is conferencing built in.
Google Hangouts is just too annoying to set up (first it pesters me about
signing up for Google Plus, which I don't want, then it shows a blank screen
with a "start a hangout" button, then it opens a GH video _in a separate
window_ , which is just stupid), and doesn't have a desktop app.

------
vodo
I guess that's one way to lose your customer base. We have a team of 50 that
will be switching to another platform shortly. Good bye HipChat...

~~~
teacup50
Why do you care? If you ran the chat server locally, you'd have the ability to
snoop already.

Atlassian themselves could snoop on your traffic; the only thing stopping them
is their terms of service. All you have to do to protect your employees is
publish clear guidelines on when and how your company will access employee
communications on company-owned infrastructure -- bingo, problem solved.

~~~
vodo
Because this isn't communist Russia/China. There is a certain level of implied
freedom and privacy here in America. That's why I fucking care.

~~~
akerl_
If the company is paying for the chat service, it's the company's chat, and
the company owns the logs. It's no different than a work email address/inbox.

~~~
krisdol
And if I'm running the company, I don't want my employees to have to go
through loopholes to chat privately. The company owns the water cooler too but
putting a mic into it is not ethical behavior.

~~~
teacup50
So set a policy that you won't read their messages. There's nothing new here.

It's nothing but a policy that prevents your SaaS provider from reading your
data in the first place.

~~~
krisdol
Employees don't generally have to worry about their SaaS provider having an
impact on their performance review, paycheck, or continued employment.

------
cjbarber
Well, it was great while it lasted.

I'm working on compiling a list of alternatives right now, and will edit this
comment in the next few minutes.

Edit:

[https://github.com/cjbarber/hipchat-alternatives](https://github.com/cjbarber/hipchat-alternatives)

------
leetrout
I don't see much positive coming from this.

At a previous company a round of firings were commenced with evidence
contributed from HipChat logs... That was followed by a rash of everyone using
the XMPP interface so they could encrypt their chats- I thought that was a bit
much but now their paranoia has been proven wise...

~~~
eli
People were typing incriminating things in a _chatroom_ on your company's
HipChat server?

I could believe that they were surprised management decided to track what they
were saying, but I can't believe anyone thought HipChat would protect chatroom
logs against the account administrator.

~~~
leetrout
That's what we were told at an all hands meeting to squelch the morale decline
after a handful of people were sent packing... That they were being poisonous
in a group room and it backed up allegations about their behavior.

I was surprised at the same foolishness. But it's in line with the story we
were told about their rather cavalier attitude about coming to work inebriated
and abusing substances on company time. I didn't know any of them at take the
information at face value- the message was don't come to work high and you
won't get fired. The takeaway was don't brag about your activities on the
company HipChat...

------
epayne
All they had to write was "It’s been two years since HipChat joined the
Atlassian family"... the rest is obvious. IMHO Atlassian is a company focused
on helping enterprises control users of their software, not help them. JIRA's
maddening UX is Exhibit A.

~~~
samhoggnz
How is JIRA's UX maddening? It's so highly configurable that it really depends
on how it is set up, and what the patterns of use are within your
organisation.

~~~
liquidise
I would argue that "maddening" is an understatement. JIRA's UI tries to do so
much and allows such granular customization that it takes an age of expertise
in the tool to simply properly configure it to your organization. In fact, one
of my college buddies' jobs is exactly that.

------
sylvinus
Really disappointing move. If you don't trust your developers, maybe you
shouldn't have hired them in the first place.

Our team loves HipChat, and they will probably end up feeling the opposite
because of this. Please provide a way for us not to activate that "feature".

~~~
Alex3917
> If you don't trust your developers, maybe you shouldn't have hired them in
> the first place.

Companies are basically required by law to store all the communications of
their employees, it has nothing to do with trust. I forget the entire reason,
but basically Bill Clinton cut some crazy deal with radical feminists in order
to get reelected whereby he signed some sexual harassment law that basically
required employers to monitor all employee communications. Jeffrey Rosen has a
book about it called The Unwanted Gaze.

~~~
djur
> Bill Clinton cut some crazy deal with radical feminists in order to get
> reelected

I had no idea that radical feminists, or indeed feminists in general, had such
immense power that they could affect an election where the incumbent won by
9%.

~~~
Alex3917
They don't. That was only one of dozens of such deals with various
organizations. The Adam Curtis documentary Century of the Self goes into some
of the others.

------
seanmcelroy
I'd expect an organization who pays for the service should have access to
their data in it. If you fear the change, you really fear the people who are
or will someday become a service administrator. If you fear that, perhaps you
should consider if you're really happy where you are. I'd suspect you either
have trust issues with your corporate or IT management, or you work at a place
that moves too slow for IT to have anything better to do than troll through
private chats.

In many cases, IT can already do a lot of other things like span your port,
read your e-mail, shadow your terminal, capture all printer output, etc. But
in practice, this kind of permission is usually used when someone is stuck and
an employee unreachable or out on vacation, or an employee is terminated and
you need some critical piece of information they might have in their chat
history.

~~~
nedwin
I pay for the service for my company. I trust my employees. I don't want them
to think I'm snooping on their personal conversations between each other.

~~~
teacup50
You also control the routers, the email server, any other form of digital
communications, and possibly even the software in their desktop.

What's the difference? Just because an employer _can_ snoop -- and might be
legally _obligated_ to snoop -- doesn't mean your company can't have a clear
policy regarding when and how you will exercise that ability inherent in
owning infrastructure.

~~~
nedwin
Well most of the team is remote and we use Google Apps which doesn't allow
email access (as far as I can tell, at least not without changing passwords
and a few other tricks).

There is a difference between having a feature which allows someone to view
your private chat logs (something Google Apps doesn't have) and what it sounds
like HipChat are implementing - though maybe they're going to make it just as
difficult?

------
eddieroger
This seems like an appropriate time to remind everyone that your work email
belongs to your boss, not to you. Don't send private emails from your work
account. Likewise, your work laptop isn't yours, it's your employer's. Don't do
personal work on it.

My team tested out HipChat, and it's rad, but I had trouble convincing anyone
it was worth the cost over terrible Lync, which we already have, despite its
complete lack of stability on the Mac. We're now secretly using Slack, and
enjoying it pretty well. The "native" client is also really nice, bringing
just enough native experience to a web view.

------
mullethunter
This is garbage. We have over 250 people using Hipchat and we use the 1:1 as
the way to vent outside of the rooms that we're also part of. Better? I'm an
admin and I'm so pissed that they decided to change a feature that I sung
praises of for so long. Just like another company tool, we'll start to use
another outlet to "really" communicate to each other while the HipChat rooms
will be relegated to PMs and business owners fishing for updates.

------
Zigurd
I don't know if you can blame Atlassian for being "anti user" here. In some
businesses and government settings data retention is a regulatory requirement.
It's not ideal. It doesn't fit human patterns of communication. There are
obvious back-channels. So systems like that catch only the dumbest violators.
But Atlassian probably has customers who are required to specify communication
systems that can be monitored.

~~~
Maxious
e.g. section 802 of the Sarbanes-Oxley Act

[https://en.wikipedia.org/wiki/Libor_scandal](https://en.wikipedia.org/wiki/Libor_scandal)
shows the value of logging private IM in a financial context.

------
alexnking
I wish there were more companies that were more worried about doing the right
thing than serving their paying customers. Especially when those customers are
businesses who want to snoop on their employees, or ad agencies that want to
sort through your mail.

I'm tired of constantly being screwed over by any company that I'm not paying
directly.

------
nedwin
The only question I have is: how good are the emoticons on Slack.com?

~~~
kyleknighted
Full emoji support and users can upload custom emoticons. It's full of win!

------
balls187
While this is probably helpful in some situations, my expectation is that like
monitoring interwebs traffic, most tech companies don't care and won't bother.

This is really only something that probably matters if a company has to take
legal action and needs the CYA.

~~~
eli
Probably true, but I think a lot of Atlassian customers (maybe most) aren't
tech companies, but tech departments within big enterprises. I think most big
companies actually do have web and email monitoring in place.

~~~
balls187
Agreed they have monitoring in place, but I'm curious how many actively review
it on a day to day basis.

I know my company has web monitoring in place, because we got a note about
people using their cell phones to access raunchy sites while on corp-wifi.

------
brianpgordon
Does anyone know if Google has a similar policy for GMail or Google
Hangouts/Google Talk?

~~~
trefn
With Google Apps for Domains you can take over an email address, for example
after you fire someone. Nothing prevents you from seeing old emails.

~~~
bagels
Even if they're deleted?

------
ajsharp
Slack tho.

------
lchengify
I wonder if they will implement an "off the record" feature similar to Google
Chat. Even if the company has access to private chats, some legal departments
recommend their employees not use chats or emails for certain correspondence.

------
codemac
The binding arbitration clause is predatory and an unfortunate addition to
their terms.

------
ultimoo
The title reads as though HipChat are releasing _previous_ chat history to
administrators although the ToS clearly states that this is not retrospective
and only _future_ 1-to-1 conversations will be impacted by this.

~~~
espinchi
I tried my best not to word the title in a misleading way. Sorry if it still
misled you, though.

------
bowmanb
We use Flowdock. We're happy with it and it's actually quite fun (custom
emojis are a blast). I would never consider using a chat client with this
limitation and strongly consider not working for anyone who does.

------
jypepin
Does this apply even if no chat history is being saved?

------
KillerRAK
Will have to give hall.com another serious look...

