
Guide to Slack import and export tools - larrik
https://get.slack.help/hc/en-us/articles/204897248-guide-to-slack-data-exports
======
tvanantwerp
As head of IT for a company using Slack: FINALLY.

Don't get me wrong--it's not like I _want_ to read your messages and very
likely won't. But there are times when I have no choice. A few years back, a
group of interns started privately harassing other interns via Slack. Only way
to see it was to boot an offending intern from his work station and go into
his Slack to see what was happening. We had to make all intern accounts into
multi-channel guests after that. Compare that to our email, where I can go
into anyone's messages immediately if need-be. This is all very standard
corporate IT stuff that you need for HR and legal reasons.

Edit: I'll say this is still not an ideal solution. I don't go into private
communications unless I have to, and I'd rather have the option to review
specific DMs / private channels than dump everything. I really don't want
_everything_ ; that's more than I care to see. Also, to clarify, I'm in the US
and our employees are well aware that communications on company-operated
platforms should not be considered private. I _want_ them to be careful how
they communicate in writing, not because they should be worried about me, but
because they should be worried about Slack getting hacked/leaked. With the
recent Facebook news, I should have thought that sort of concern was obvious.

~~~
peterkelly
If two people want to have a private conversation, they'll just find another
means by which to do it. In the long run, abusing your privileged access to
conversations intended to be private (however justified you may consider it to
be) will just breed mistrust among employees. I would quit a job that treated
me as a child which must be supervised in such a manner.

~~~
tedivm
I hate to tell you this but if you would quit a job for this reason you
probably can't work in the US. The US has laws about corporate compliance, and
it has requirements for things like dealing with sexual harassment. There is
no such thing as a "private conversation" that takes place over a corporate
network.

For example, in the US sexual harassment is taken seriously. If a company gets
a complaint of sexual harassment on Slack they are legally obligated to look
into it, and if they refuse to the individual managers could personally be
held liable for it. This includes situations where the person being harassed
isn't directly in the conversation- the above example of harassment over slack
could have evidence of coordination in a different private channel than the
ones the harassment target is in.

~~~
humanrebar
> There is no such thing as a "private conversation" that takes place over a
> corporate network.

It's a tech issue, cultural issue, and a legal issue, but it's harmful that we
seem to be forgetting the wisdom of discretion as life become more digitized.
If the law or culture says "no expectation of discretion", they're just wrong
and likely hypocritical.

It's healthy, normal, and appropriate to tell specific things to specific
people. If we're worried about abuse, there are other solutions to those
problems, like letting the harassed share the conversation later, which they
can already do, with screenshots if nothing else.

~~~
tedivm
Discretion still has its place, but that's different from privacy and
compliance.

Most admins aren't going to spend all day reading other people's
conversations, and good companies have explicit policies as to when they will
do so. The thing we're discussing here isn't whether companies should spy on
everything their employees do- it's about what happens when an issue does
occur where they do need to look into things.

I would not work for a company where I thought my managers were looking over
my shoulder at every single thing I was doing, but at the same time I would
not refuse to work for a company just because they _could_ look into my
conversations if I was accused of wrongdoing.

People are also ignoring another aspect of this- if a company does get sued by
an outside party they have to make internal data available through discovery.
These laws about corporate compliance also exist to make it so corporations
can be held accountable.

~~~
humanrebar
> Discretion still has its place, but that's different from privacy and
> compliance.

It should be, but often digital tools obliterate discretion in the service of
compliance or even just monitoring employee work habits.

> I would not refuse to work for a company just because they could look into
> my conversations if I was accused of wrongdoing.

A healthy workplace needs to solve the underlying issue, here. But there are
simple ways (i.e., asking or ordering the employee to send you conversation
transcripts) to get the information needed. Managers and compliance officers
are reluctant to let the investigated employees know they're being
investigated, which I understand, but I don't think throwing out discretion-
oriented communication is worth the benefits there.

~~~
MadWombat
> But there are simple ways (i.e., asking or ordering the employee to send you
> conversation transcripts) to get the information needed.

Are you serious? So, someone accuses an employee of abuse and you casually
stroll by and ask them to send relevant conversations your way? And you expect
them to comply without cheating? Why don't we try this approach with other
misdeeds, for example, when someone complains about theft, we just ask thieves
to come by the police station with the stuff they stole. Do you think that
would work?

------
drinchev
Looking at all positive comments here, this is generally a bad news.

Not sure how much compliant this is with the law, but in this case the law
should be more protective towards employees.

I imagine the following situation

I write on a company-owned piece of paper - "My boss is an idiot". Then take
this piece of paper put it in an envelope ( owned by the company as well ),
write the name of my colleague and seal the envelope. Then put the envelope on
the recipient's desk.

I bet it would be illegal for my boss to take that letter, open it and read
it.

P.S.

Looks like with e-mails the law is more protective towards employees :

[1] : [https://www.reuters.com/article/us-privacy-emails-
echr/europ...](https://www.reuters.com/article/us-privacy-emails-
echr/european-court-rules-companies-must-tell-employees-of-email-checks-
idUSKCN1BG0YA)

[2] :
[http://www.internationallawoffice.com/Newsletters/Employment...](http://www.internationallawoffice.com/Newsletters/Employment-
Benefits/Luxembourg/Castegnaro/Reading-employees-private-emails-exposes-
employer-to-criminal-liability)

[3] : [https://www.womblebonddickinson.com/uk/insights/articles-
and...](https://www.womblebonddickinson.com/uk/insights/articles-and-
briefings/right-private-life-work-monitoring-employees-communications-was)

~~~
imglorp
Ah, Europe might be different. In the US, if your employer owns the platform,
they have the right to all the messages for compliance. We view this as "if
you have something private, don't do it on corp channels." This is usually
fine unless you're harassing someone or engaging in something against corp
ethics.

[https://www.privacyrights.org/consumer-guides/workplace-
priv...](https://www.privacyrights.org/consumer-guides/workplace-privacy-and-
employee-monitoring)

~~~
thomasz
It really depends on national legislation, as well as individual contracts
with unions or work councils. At least here, as a rule of thumb, as long as
private internet use is permitted, the employer can't legally monitor traffic
outside of very specific circumstances. AFAIK you can't get around that by
prohibiting personal internet usage without generally enforcing that
prohibition.

~~~
chimeracoder
> At least here, as a rule of thumb, as long as private internet use is
> permitted, the employer can't legally monitor traffic outside of very
> specific circumstances. AFAIK you can't get around that by prohibiting
> personal internet usage without generally enforcing that prohibition.

This isn't relevant here. ECHR has ruled that employers _do_ have the right to
read emails, as long as employees are notified in advance (which can include
blanket notification as part of their employment agreement). ECHR has
jurisdiction over all ECHR countries, which is a superset of EU countries and
includes several non-EU countries, like Norway. Other European countries, like
Germany, Switzerland, and the UK have also affirmed this right.

Email being roughly analogous to Slack, in the eyes of the law, there's little
room for doubt that employers in Europe have the right to read Slack messages
on the company's Slack account.

~~~
detaro
The ECHR has ruled that it is not a violation of human rights, that does not
override national law that limits employers if it exists.

~~~
chimeracoder
> The ECHR has ruled that it is not a violation of the convention on human
> rights, that does not override national law that limits employers if it
> exists.

It doesn't override national law, but national law is pretty consistently
clear that employers have this right as well - that's why the case was before
the ECHR in the first place.

~~~
detaro
You claimed that specific rules the poster you replied to mentioned aren't
relevant due to the ECHR decision, and that's just not true. E.g. here in
Germany, an employer needs to explicitly forbid private e-mail to be allowed
simple access to employee mail, which is why basically everyone does that,
often allowing private internet use to access webmail instead. (I've also seen
employee agreements where there's different rules for specific folders: a
private archive folder is never accessed, work-related folders can be easily
accessed and e.g. looking at new mail in the inbox is allowed if it's done
under supervision and e-mail that's clearly recognizable as private isn't
opened, since private mail was hard to avoid in the specific case)

This is something were you likely can not make useful blanket "in Europe"
statements.

------
larrik
Previously, you could only see employee DMs if you turned on Compliance
Exports, at which point you could download all of them _going forward_. Now it
sounds like everything you've ever written could be downloaded at any time
without notice.

So, all of those communications you had with co-workers based on the promise
they would be private until you were notified future ones wouldn't be anymore?
Now it's ALL available to your employer.

Surprise!

(This is presumably due to GDPR)

~~~
mindcrime
Meh. Nobody should be surprised by any of this in the slightest. If your
employer provides / pays for any kind of communications tool, the only sane
position is to assume that they can - and probably do - monitor every single
byte you send.

~~~
froindt
I think there's some middle ground, some grey area where whether it's alright
is murky. It's kind of pulling the rug out from under people when the policy
of a 3rd party provider abruptly changes and suddenly tons of messages become
available to the company.

There are a number of things I might mention to a coworker over a private IM
which wouldn't necessarily put my employment at risk, but would be awkward for
management to suddenly have access to.

A couple made up examples:

"I'm super sick, but $boss is really pushing me to get the report out. I just
want to go home and be sick all alone."

"I hate management's decision to reduce vacation days. No wonder we can't keep
people around here."

"Did you see Tom's email? It's kinda awkward that he thinks he's a strong
contributor to the group..."

~~~
Null-Set
As a company policy I sure hope your IT doesn't make emails available to your
management.

~~~
froindt
No they don't, but I work at a large megacorp. At a small 10-20 person non-
technology company startup, the admin on Slack is likely to be the owner or
general manager. It could be another 5-10 people before a person is hired on
as full-time IT.

~~~
stedaniels
If the owner or GM has enough time to dip into Slack DM's, or even emails, the
company has bigger issues.

------
alexandercrohde
Jesus, nobody here has any clue what they're talking about.

Slack has allowed companies to read private messages for well over a year. It
has been called "compliance exports" and you as a slack user could always see
if you had them turned on, as well as which individuals had access to read
your private messages. Source: CTO of a unicorn confirmed he had used this
feature to read private communications (private rooms and DMs), source 2 -
used this page myself at multiple companies

Employers had to pay for this privilege. It's super unclear to me what the new
policy is-- it looks like there's still no privacy but it happens via API.

~~~
hjnilsson
How fine-grained is the tool? Do you select a channel and export only the
contents of that? Can you select only two users and only get messages between
them? Or is it blunt and you simple download all data (the text makes it seem
that way)?

I ask, because if it's the latter it borders on illegal to click on that
button (and get ALL private conversations), at the very least it needs to be
heavily regulated within the firm who can click it and how the downloaded data
is stored / accessed.

~~~
wrs
It is incredibly blunt, at least for compliance exports — all you can do is
export _the whole workspace_ — and once exported it's just a ZIP of thousands
of JSON files. There is no tool to look at it with. When I had to do an export
I found a PHP script somebody had written to turn the JSON into thousands of
HTML files, but otherwise it was grep and jq.

~~~
hjnilsson
That sounds less promising, I had hoped you could select a single channel and
export it. Or even better give permission to a user to be able to export one
channel. We often have Slack channels shared with clients etc. and they have
asked before to get a transcript of chats for reference. If you had fine-
grained control, you could give that access to the project manager for the
client in question, without having to share the access / have a central
moderator handle all requests.

------
jedberg
You can tell who here has worked for a large American company and who hasn't.

If you've ever worked for a large American company, you know that nothing you
do on company equipment or with a service the company pays for is ever
private, and you should never assume it is.

I'll be honest, I always thought Slack DMs were viewable by the admin. As a
Slack admin myself, I always assumed I had that ability. Never used so, I
never found out I was wrong, but just always assumed it was there.

To me this is a no-op: Anyone who worked for a large American company should
have assumed that this ability was always there or could be there in the
future, or at the very least, your employer could have always required you to
log in and show them your DMs.

~~~
Cacti
It is very odd. We've had corporate monitoring of practically all employee
electronic activities for decades. It's enshrined in legislation and tested in
case law. The capabilities are built into practically every major business
software. There are whole industries built up around it. Yet suddenly everyone
is losing their mind over some corporate IMs just because it's Slack?

I feel like I'm on Reddit, not a site ostensibly catering to _computer
professionals and experts_.

~~~
bbarn
The difference is their privacy policy has been changed retroactively against
the good faith their users had. That's the problem. Of course if it's
corporate it's usually monitored, but when Slack championed the user and only
catered to the company when forced (via compliance reports which told you they
were enabled) and now suddenly switches to a model where past contracts are
broken, people have a right to be upset.

~~~
jedberg
Yeah, it kinda sucks that they changed the privacy policy, but if you had
actually read it, you'd have seen the part that says that they can change it
any time for any reason.

And also, all they've done is give the corporation the technical ability to do
something they've always been able to do -- read your private chats. It's just
that before they had to do more work to do it, but they've always had the
right to do it, regardless of what Slack's privacy policy said.

------
MarcScott
IMHO I don't think this is a fair title change. What is important here is the
fact that access to DMs have changed. Not that the general import/export tools
have changed.

If Google changed their TOS to suddenly make everyone's search history public,
would the title read "Google changes TOS"?

~~~
savanaly
I agree, and this is the first time I can ever recall disagreeing with one of
HN's admin title corrections that I noticed.

------
iamleppert
Part of the reason why Slack has been so successful vs. other corporate
messaging solutions is that it encourages employees to bring their “whole
self” to work.

It’s perhaps the most important thing at work to feel like you can communicate
easily and without fear of reprisal from managers and in my opinion had a lot
to do with my extensive use of Slack.

It felt like, for the first time, the communications platform wasn’t “owned”
by the strict hierarchy of the company. I created my own channels, and felt no
fear when I communicated with co-workers. I wasn’t doing anything “wrong” ever
in my communications, but, let’s face it: there are things that you don’t want
your boss to know, especially if like the majority of people, you’re working
for a bad boss that has to be “managed” himself.

If Slack continues in this manner, while it may make sense from a liability
and business perspective, employees aren’t going to trust the platform anymore
the first time a manager reads a private conversation and uses it against
someone. And generally I’ve found it’s not hard to figure out you’re being
spied upon.

I’m not sure what the solution is, but definitely if Slack allows managers
private access (without a court order or similar serious situation where such
access would be warranted), they can no longer claim they want employees to
“bring their whole self” to work anymore.

Oh well. It was nice while it lasted.

~~~
tapsboy
I agree. It feels like Slack broke our trust. I don't have any records, but do
remember slack in it's earlier days promised of not sharing private
communication to the employers and sending the logs directly to govt agencies
or 3rd party audit agencies.

------
duxup
I think if the employer provides the tool, it is their data.

I know there are different traditions in other places where they consider
something like work email to be more of an employee owned or privacy issues. I
always thought that was a bit wonky and it is easier to identify who owns what
by ... who owns it.

~~~
6d6b73
>I think if the employer provides the tool, it is their data.

Not really. Just because the employer pays for the office building doesn't
give them access to my private conversations with other members of the team.

~~~
duxup
I guess it depends on where and lots of details and such as to what exactly
you're talking, but provided you're all employed by the same person... it's
their team too.

------
Arubis
For companies, yeah, this makes sense. It was nice when this wasn't true, but
never really expected nor required.

Unfortunately, Slack also gets used for a lot of OSS communities. Arguably
this was already a poor fit, but now it's even more obviously a mismatched
relationship; it's unclear whether one could just start paying for a Slack
account and immediately pull all DM history for something that didn't come
with the expectation of corporate ownership.

#freenodeforlyfe, I suppose.

~~~
zifnab06
Rocket Chat is something I've been looking into. It's...well pretty amazing so
far. Open source, self hosted, bridges to slack fairly reasonably, and gives
IRC style permissions. Slightly nicer for the "I'm not always logged in"/"We
need a log bot" issues IRC has had.

~~~
ianmiers
If it's self hosted, then DMs cannot be private from the company/organization
since they literally have root on the box.

------
dumbfounder
Let's clarify a bit, this is for the employer owned Slack workspace. If you
have the client and have your employer workspace and then another random
workspace that is not owned by your employer, then they can only see the
messages on the workspace owned by the company.

And this is meant for backups really, it's not going to be easy to just follow
random conversations of yours on a daily basis. If they want to go back and
dig up some dirt they can though.

That said, if you are worried about it, and working on a computer owned by
your employer, you should just assume everything you do is logged. Because
some do that.

~~~
cirgue
> Let's clarify a bit, this is for the employer owned Slack workspace.

My company doesn't use slack, but it is a little crazy to me that this wasn't
already the case for employer-owned workspaces.

------
DanBlake
Technically this was possible before this.

Since the email to each slack user is an @company.com address all you need to
do is take control of the employees email address, reset the slack password
and login as the target user.

~~~
reustle
> Since the email to each slack user is an @company.com address

Not necessarily

~~~
gburt
It turns out administrators could change the email address anyway. :)

~~~
vuln
Right?

------
postit
In the end that's your responsibility to maintain professional level when
using internal company tools.

Not surprisingly the three persons who forwarded me this thread with comments
like: "shit", "is this legal or allowed?", or even "I'm screwed if they read
my messages" \- are the ones who are always trash talking colleagues, pairs
and the company itself.

------
deltaprotocol
Reading the comments it seems nobody is concerned about this broad access
leading to sexual harassment of women who are constantly exposed to glances
and stronger forms of abuse and may vent in a private channel, or may have
discussed intimate concerns with friends (now past conversations are also
available). Nobody paints the picture of the boss reading girls logs? This is
pathetic. US, land of the well paid slaves.

------
phillipwills
Always assume any communication on your work network can and will be
monitored... If you want a private discussion, best to do it in person or on
your own devices, not using any company resources.

~~~
acangiano
Traveling all the way to Lanchasire seems excessive. Surely you can just have
the conversation in person. ;)

------
kingnight
As an owner of a free slack that has thousands of historical and unaccessible
messages by the users, how can I delete these stored but not unaccessible
messages to protect them?

It seems unconscionable that Slack retains messages but provides no way to
remove them without paying.

------
keeler
Use slack-cleaner[1] to nuke messages you've sent. You need to generate a
legacy token[2].

[1] [https://github.com/kfei/slack-cleaner](https://github.com/kfei/slack-
cleaner)

[2] [https://api.slack.com/custom-integrations/legacy-
tokens](https://api.slack.com/custom-integrations/legacy-tokens)

~~~
Spoom
I suspect that if they allow admins to download DMs, they also probably soft-
delete messages, so deleted messages would still show up in the exports. Can
anyone confirm?

~~~
wrs
For compliance exports at least, preserving deletes and edits is an option you
can set.

------
nkcmr
I have never really understood the notion of needing communication privacy in
the workplace. To be honest, without having seen this story, I would have
assumed this was a feature of Slack already!

I can't remember where/when I heard this advice but it seems relevant and
helpful for this matter:

"Write/speak all communication in the workplace as if the CEO themselves were
CCd on the email."

It has served me well.

~~~
ben509
Work is stressful and communication can reach straight into your brain. People
go through periods where they're not handling stress very well, and they will
often express ideas that, divorced from the context of the stress and bad
feelings they have at that point, don't reflect what they really believe or
intend to say in public.

~~~
moduspol
I think that part's easy to understand. The tougher part is why one would put
that communication in text, enter it into a company-provided system, and then
be offended / dumbfounded when it's accessed by one's superiors at that
company.

We all get stressed sometimes, but we don't all do that.

------
tptacek
How is this possibly news? Besides the fact than Slack has let owners read DMs
through compliance export since forever, most company Slacks authenticate via
mail (usually Google mail), _which your employer controls_.

This is no different than company emails, which (I hope this isn't surprising)
your employer can also read.

Don't have personal conversations on your company Slack!

~~~
kuschku
> Don't have personal conversations on your company Slack!

You may be discussing unionization on your company Slack, though, and the
employer may now use that against you. There’s a lot more than strictly work-
related content, and strictly private content. A huge grey area is inbetween,
and the employer shouldn’t be able to access any of them (and as the ECHR
ruled, the employer may now)

~~~
tptacek
If you’re worried about that, don’t use company Slack. But you should know
that federal law protects employee organizing, especially for unions; if your
employer retaliates, you can bring a claim against them.

------
darkstar999
I had a toxic manager who would screenshot DMs and post them publicly.

Just consider any work communication of any form to be public.

~~~
cirgue
If someone is determined to be an ass, technology isn't a barrier.

~~~
drngdds
Technology helps asses act like asses more effectively.

------
orbitur
So my longstanding "never write anything in corporate correspondence that I
wouldn't want revealed some day" principle seems like a great one.

Seriously. It's not your platform, they are not your emails, they are not your
chatlogs, and you should never act as if what you put in will remain private
and yours to control.

------
thefifthsetpin
Yesterday, a private channel existed where your employee Jim may have
mentioned to his friend and coworker that he had a date with his male partner.
Today, that data became available to you. You were planning to fire Jim, but
now there's a risk that it would look discriminatory. Do you risk a wrongful
termination lawsuit and dragging your company's name through the mud? You
could check his slack messages to assess that risk, but if you do find
something then you're in an even worse situation.

This seems like the same minefield as asking an employee to login to his
facebook. The main difference is that this time, slack did it to you -- you
were not given a chance to opt-out.

~~~
jimktrains2
Wait a month and then do it while making sure you have a clear case. I believe
similar advice is given if there is an OSHA check -- since you can't know why
you were checked, it's best to wait before firing anyone for non-
blatant/egregious, even if it's with cause and evidence.

> This seems like the same minefield as asking an employee to login to his
> facebook.

How is this like facebook? It's a corporate medium, just like email would be,
or like a company-run XMPP or IRC server.

~~~
thefifthsetpin
It's like facebook in that the employees had a guarantee of privacy (insofar
as most private communication is private; obviously the recipient can expose
the message, or someone can coerce you to login to your account). Some people
are waving this away with, "oh, probably the employee signed some contract
saying that it wasn't private" but even if that's often true it's of course
sometimes not true. Certainly I've never signed a contract with that kind of
clause, but I've generally worked for small companies.

I suppose there's nothing preventing a company from using facebook as a
corporate communication medium. That'd of course not a good idea since they
don't have access to some of what goes on at facebook. The same thing was true
for slack. Some companies used slack without considering that the data wasn't
really under their control, which was perhaps not a good idea. This change is
akin to facebook recognizing that blunder, and "fixing" it by making DMs
between employees available to their employer.

~~~
jimktrains2
> It's like facebook in that the employees had a guarantee of privacy (insofar
> as most private communication is private;

Nope. You could be compelled to show your DMs on a work system.

There is no such thing as privacy on a work system.

------
xwvvvvwx
Very surprised to find that this was not already the case.

In general I think you should assume that all communication on a work provided
tool are not private.

Private conversations belong on whatsapp / signal.

------
crescentfresh
On a semi-side topic: Canadian dev here, I always immediately hard delete
e-mail correspondence (both inbox and sent) with HR on anything that I feel
private about, as I don't want the guys in IT reading it. I know they don't,
but I also know they _can_.

For example, I might trust the head of IT but I might not trust that new
intern or "new guy" they just hired.

What do you guys do when it comes to HR correspondence at your places of work?

~~~
unit91
Well, there's nothing I can really do about it. When I hit "delete", my
company email doesn't actually get deleted. It just disappears from my view. I
believe the stated policy is they delete after 3 years post "delete".

If I worked in or near the office, I'd walk over to HR and request printouts
instead of emails, but since I work remotely, I'm stuck.

------
sirmike_
Bear in mind my opinion is coming from the US ITOps perspective, outside of
this my opinion may not travel as far pun intended re:the rest of the world.

There are a lot of out of touch concerns here in regards to privacy. I think
this basically shows the diff between INDependent devs and employEE devs.

At any point in time a company who owns and pays for all IT related accounts
and services can look, monitor, export disable, enable, delete, log or secure
__their __systems as they need to either by compliance requirements, legal,
policy or for any business or nonbusiness reason at anytime.

At the least you do not have a right to privacy to at the best limited privacy
when communicating on a company provided communications platform.

Most companies worth their salt have this written down in their company
handbook or manual etc. Most companies also have reasonable "you may use
company systems for limited private exchanges"

This is even more true when the company has government or gov facing clients
or does business in certain market sectors like Finance.

It is good to see the new kid on the block (Slack) is growing up and getting
more focused on its core business clients: companies/b2b.

The same goes for company provided laptops, equipment.

I think it is also super important above all that the vast majority of people
and companies enter into these things in good faith and reasonableness. We
just do not live in a world where the honor system can be the only safeguard
for these things. And of course with all things businessey -- the more money
is riding on top of something -- the more important it is to be wise in
regards to risk in and out of business matters.

------
decebalus1
I was always under the impression this was already going on. I don't see the
surprise here: there shouldn't be any expectation of privacy with regards to
conversations between employees happening on company virtual grounds.

Heck, in my previous company when we wanted to talk about something off-the-
record, we'd even physically go off campus due to the sheer amount of walls
equipped with 'ears'.

~~~
Piskvorrr
Never mind the walls: what about the people equipped with literal ears?

------
089723645897236
This is a good thing. People need to realize work chat is a paper trail...

~~~
alexandercrohde
A one-way paper trail in favor of the company. If a boss tells me I'm fired
for being "too black" and then deletes my slack (and I don't have a
screenshot), I'm not going to have any leverage to get proof unless I can get
a subpoena (which I wouldn't be able to, most likely)

~~~
bdowling
I think you’re wrong. A subpoena would probably be granted for a situation
where you know that the relevant evidence exists and exactly where it is. But
it might not come to that in the scenario you describe, since the employer
would also know that a third party has this incredibly damning evidence and
would likely try to settle.

------
ggregoire
I'm always surprised by the amount of DMs people send in Slack. I've worked in
2 companies using Slack and, in both, about 80% of the total messages were
DMs. It seems crazy high to me. I wonder if people just send all day private
stuff unrelated to work, or if people have trouble with trust and transparence
on the workspace..

~~~
simonbw
I don't find that surprising. Most of the communications I have at work are
with a specific person, not with a whole channel. It's not because I don't
want other people to know what I'm saying to someone, it's that I don't want
to _bother_ them with stuff that isn't relevant to them.

~~~
ggregoire
How do you know you bother them? Your comment makes me think to daily meetings
in SCRUM. Sure most of the stuff people are working on or that blocks them is
not relevant to everyone else, but we do it because it's good for the whole
team to share and stay up-to-date on what is going on. As a tech lead/manager,
I apply the same logic for my communication. I use DMs only for stuff that
shouldn't be discussed publicly.

------
forgotmypw
I've always assumed everything I type on a work machine is property of my
employer, and thus can be reviewed, copied, etc.

I find astounding how many companies use a third-party messaging system for
all their communications.

Do they not realize that anyone with access to Slack's data can read their
stuff? That's over 1,000 people[1] if you only count Slack employees!

Do you really think that competitors or blackhats are above blackmailing or
paying one of them for a data dump?

[1] As of March 2018, according to this Mashable article:
[https://mashable.com/2018/03/10/how-slack-uses-
slack/](https://mashable.com/2018/03/10/how-slack-uses-slack/)

------
dbalan
This is going to be a problem for open source communities that use a semi-
public slack as the communication platform. I don't think the users expect the
DMs to be public to the project admin.

Its not necessarily bad. Bit it might be time for those communities to move.

------
thanatropism
My employment contract says something to the effect of "using internet
facilities for work only". I mean, duh. I have a cellphone with a 4G signal
that I pay for.

What next, employers are going to be able to choose the color of elevator
buttons. Tyranny!

------
mayneack
I read the message retention policy as a true delete for anyone not wanting to
get their previously private messages grandfathered into a newly non-private
policy.

Slack warns you for a channel that setting the retention policy is "truly,
permanently deleted. These messages can't be restored or recovered, even by
Slack"

[https://i.imgur.com/63x2oee.png](https://i.imgur.com/63x2oee.png)

[https://get.slack.help/hc/en-
us/articles/203457187-Customize...](https://get.slack.help/hc/en-
us/articles/203457187-Customize-message-and-file-retention-policies)

------
kerkeslager
This should not be surprising to anyone. You're giving your data to a
corporation who has every incentive to give it to your employer. The only real
surprise here is that they weren't doing this earlier.

~~~
fjsolwmv
That's backwards. You're working for an employer who has every responsibility
to monitor business communication. Slack can't "give" something they were
never supposed to control in the first place and only have by accident of
architecture. This fixes an old bug.

~~~
kerkeslager
> You're working for an employer who has every responsibility to monitor
> business communication.

Setting aside for a second the unusual ethics being proposed here: it's
trivial to bypass official channels if you want to say something you don't
want your employer to see. It's fairly standard practice to not put anything
you don't want someone else to read in text at all, but rather to pick up the
phone--it's too easy for someone to copy/paste a Slack message or Forward an
email. This can't be a responsibility of employers because very few employers
can live up to that responsibility.

------
brazzledazzle
They had compliance exports and I wish they'd stuck with that since turning
them on notified everyone that your employer could now see everything and
prevented them from exporting anything private prior to that.

I know why they did this but a compromise could have been found. With this
ability someone can dump everything and just read through it with users none-
the-wiser. If users read the previous documentation they'd even believe they
were safe from snooping and would be notified when it started. At least with
compliance exports the users were informed and had privacy.

------
iamdave
I'm finding myself in a situation where this is actually kind of welcome news
involving a workplace bully who operates via DM.

I'm moving on very soon, but I've shared many of our interactions with
management, management has even seen first hand how he openly insults other
engineers.

Instead of doing anything about it, management announced we had been acquired
and over the course of about 12 days slowly resigned leaving us with the new
company.

New company promoted the bully.

Hopefully others speak up as I have and this new feature can help some people
get relief from the guy.

~~~
bspn
I don't understand how this feature changes anything? If he operates via DM
them you and his other victims can pretty easily share the evidence with
management today. I don't think this feature is going to a be a magic cure-all
where management pro-actively monitors communications for this type of
behavior - it will still require individual(s) to escalate a complaint that
management can then investigate.

~~~
iamdave
In our unique case, it would have meant we could have exported old DMs from
users who have since left the company after a recent merger.

I'm using my example to think forward: an employee leaves due to workplace
conflicts, and later (not to intimate this is the path I'm taking, I'm merely
walking out the door, as my issue was a mere personality conflict not
something that I can seek damages over) pursues civil action, a responsible
export and archive policy from HR the way IT departments may sometimes be
required to retain email messages for a period of time can be a benefit if the
departed employee cites their interactions with an abusive manager for their
departure and subsequent litigation.

Other commenters have referenced this as well.

------
jgh
I'm glad that this isn't going to affect the free tier users (rather, they'll
need to provide legal reasoning for it and consent) since there are a bunch of
communities on slack.

~~~
neposesame
Could this be backdated upon upgrade to enterprise i.e the admin is able to
access private conversations prior to upgrade from free tier?

------
neves
If you publicize that you can read the messages, no problem.

I had a boss that liked to spy in the private messages of the employees
without their knowledge. A bunch of interns started to privately create
offensive nicknames for a fat employee. They didn't used the name in public.
The read and started to use to use the nicknames in his conversation.

Well, this guy also publish jobs ads for our old tech stack with a false
company name to see if any of his employees were applying.

Talk to me about lack of ethic.

------
EGreg
I think Gitter is architected differently and doesn't allow this. Your private
chats aren't in the context of some company, but the network.

Again, look at this everybody! We are relying on some third parties merely to
facilitate our conversations! And they are relying on the "SAAS" developer who
hosts all the conversations (not open source) to determine one-size-fits-all
rules.

This is nearly 2020, why is it still the norm?

------
tootie
There's actually a Slack competitor called Symphony that exists solely because
it allows thorough auditing/monitoring/spying on all communications. It's ugly
and is missing a ton of features. It's used by a bunch of financial services
firms that have a lot of compliance rules they can't enforce with Slack. This
move is probably to start getting Slack into that space.

------
MarcScott
I had just assumed this was the case anyway.

I used to be a teacher, and have recommended Slack to an old colleague as a
way facilitate staff communication at their school. Additionally my current
organization quite often works with children at workshops and the like.

For an admin not to be able to look through DMs is a serious safeguarding
issue, so I'm happy this is now possible.

------
baxtr
That’s probably a very good reason to fall back to WhatsApp or whatever else
for things I don’t want my employer to read.

------
downer72
This is basically the end of Slack for me. It's over. I'm done.

I am now anti-slack. I am an opponent of slack.

You had me, but now you lost me.

------
mulmen
The surprising thing to me is that this was not already a feature of Slack.
Isn’t the ability to view employee communication a very basic requirement of
corporate communication platforms? Does anyone have an expectation of privacy
on any corporate infrastructure? I certainly never have.

------
reagent
I have a rudimentary tool (written in Ruby) that can be used to delete your
history across channels & DMs that might come in handy:
[https://gitlab.com/reagent/slack-purge](https://gitlab.com/reagent/slack-
purge)

------
intopieces
I thought this was a feature all along. From an HR and legal perspective, this
is necessary, right? My emails on the company server are subject to discovery.
I was coached at onboarding on what I could and could not say in an email.
Down to, "when it doubt, schedule a call."

------
gitpusher
Good. If you have to say something work-inapproriate, don't use your work
communication tools.

------
jeznag
Old news

[https://www.theverge.com/2014/11/24/7255199/slack-alters-
pri...](https://www.theverge.com/2014/11/24/7255199/slack-alters-privacy-
policy-to-let-bosses-read-your-messages)

------
mbritton72
Glad this is happening. It's not fair to use DMs to form alliances against
colleagues in order to increase one's bottom line. That is exactly what I've
observed in agencies that run on Slack. If life is a game, this is a backdoor
worth closing.

~~~
aquadrop
Your problem is with people, not slack, they can just go to skype or whatever
tool they want.

------
mbrumlow
I am mostly worried about the bait and switch. If this feature was only
applied to messages after the announcement then that would be fine. I am sure
many of you have had conversations over slack thinking well it was okay
because nobody could see them.

------
rsuelzer
I can't seem find the article where an employer was sued for failing to inform
authoritied about a monitored work email that indicated one of their employees
was about to commit suicide. I'm not sure what ever happened in that case.

------
ljubo_opaki
[https://gph.is/1maiw0M](https://gph.is/1maiw0M)

This sucks so much.

Does anybody know if deleted messages get deleted for real? Or only just
marked as deleted in the database?

This couldn't be an early April Fools joke, could it?

------
Dirlewanger
I dislike Slack as much as the next guy, but I honestly thought this was
already the case. It was in general for work emails, why would it be any
different for another office communication tool? Shouldn't be a surprise for
anyone.

------
foobaw
You should never talk about extremely personal / private stuff via DMs anyway.
I don't really care if my employer could read my DMs because they're mostly
work-related small talk anyway.

------
reificator
Like everyone else I'm more shocked that this wasn't available by default.

I'm not sure if this applies to the last (work) Slack I was part of. The
company blocked it over a year ago and presumably deleted it shortly after. I
just checked and it is deleted now.

As far as I know, since it was setup by a middle manager (who lasted two
weeks) and then blocked, it was probably on the free plan as well.

I'm not really concerned for myself, as I always assume all my interactions on
a work machine are monitored, but people did occasionally send me things that
they probably wanted to be off the record. Not sure if I should warn them that
there's a (small) chance that their messages could now be read.

------
gaius
Whenever I’ve been a SA I wouldn’t let a manager access an employee’s email
without written authorisation from HR. How does that work here, what are the
safeguards?

------
technological
I think this holds true for all slack teams I joined online. Online i mean,
like golang slack or any other community created slack team I joined. Is this
correct ?

------
brokentone
As a basic user of the platform (where my employer has Slack Enterprise Grid),
I've always expected this is the case and planned my communication
accordingly.

------
paulie_a
Personally I assumed that capability was always available. So it was
interesting when I received a private SMS about this story from a coworker.

------
amriksohata
Goodbye slack, time to delete you like Facebook too

------
RRRA
So how does one delete his previous history before he was made aware of this
change?!

in other news, I guess this means shadow IT is back in style! :P

------
sakuronto
After dropping IRC supoort, this makes two controversial changes in a very
short span of time. Did something change at Slack?

------
guelo
Based on experience I have somewhat related advice for employees: don't
connect your personal phone to the office wifi.

------
kawsper
This might break EU law, at least e-mails marked private are considered
private, so your employer can't snoop in those.

------
dep_b
I always assumed they could. As I always assume that basically everything I
trust to a computer system could be public.

------
astro_robot
Do employers have the same tools with email?

~~~
joshenglish
Yes. You can access Outlook365 and Exchange via APIs as well as Google Apps
for Business.

Plus Calendars, etc. Anything that uses LDAP locally and now through the 365
APIs.

~~~
mistermann
How does it work, an outlook 365 admin(?) Can read anyone's email that they
want? Do they essentially just log onto the normal Hi as that user?

~~~
softawre
As a manager, if I fire somebody or they leave, I get access to their mailbox
via Outlook365 for like 3 months, just in case I need to grab something from
it.

So there must be a way to assign ownership of a mailbox to another user.

~~~
Inverte
Yeah, you can attach mailboxes to other users with Powershell.

You could also just create a mail rule that sends a copy of every email
everytime someone sends and receives one and they wouldn't know.

------
asow92
If you don't trust your employees enough maintain private discourse, why would
you hire them in the first place?

~~~
lolsal
Some companies have more than 10 employees.

~~~
asow92
what if your company hires more than 1000? Does that mean you should
compromise your values and integrity?

------
thrillgore
I'm disappointed, but not surprised. If you are on a company network, assume
everything you do is logged.

------
billions
Controlling thoughts reduces creativity

------
eecc
Illegal in any country with just about decent employee protection. Looking
forward to the lawsuits in EU

~~~
jasonlotito
EU court of human rights disagrees with you.

[https://www.echr.coe.int/Documents/Press_Q_A_Barbulescu_ENG....](https://www.echr.coe.int/Documents/Press_Q_A_Barbulescu_ENG.PDF)

------
sergiotapia
I've always assumed that was the case. Company stuff is company stuff, don't
assume otherwise.

------
jcims
This will open up Slack to industries that frown upon creating communication
channels between employees that cannot be recorded.

[http://bizblog.blackberry.com/2015/07/chatrooms-in-
finance-w...](http://bizblog.blackberry.com/2015/07/chatrooms-in-finance-
whats-all-the-fuss-about/)

~~~
thefifthsetpin
Nah. Slack was already open to them. You just had to enable the compliance
audits. This is mostly interesting only because it's retroactive. A fact which
of course wouldn't matter for anyone that wasn't already using slack.

------
gumby
It's hard to see how this is bad -- they have/should be able to have access to
your other work-related communication and work product (modulo the weird rules
around things like salespersons' "rolodex"es).

It's so easy to have private channels these days it's hard to see how this
should even inconvenience anyone.

~~~
yiiii
Because it is illegal in many countries to access somebody's personal
communication even if it uses eg. a corporate email address?

~~~
Jenssen1234
It's not, not in Europe, not anywhere. Saying it a couple of times doesnt make
it true. Your boss can read your emails and most likely already does. This is
exactly the same with any internal messaging and it's perfectly legal in the
workspace.

~~~
enzo1982
The European Court of Human Rights recently ruled that an employee's
communication may not be monitored without prior notice and without specific
reasons. [1]

[1] [https://www.coe.int/en/web/human-rights-rule-of-
law/-/echr-m...](https://www.coe.int/en/web/human-rights-rule-of-law/-/echr-
monitoring-an-employee-s-electronic-communications-amounted-to-a-breach-of-
his-right-to-private-life)

~~~
gumby
Wherever you work in the USA there's a note in the employee handbook saying
that the company may monitor any communications using company equipment for
any business purpose, which is completely consistent with that ruling (and,
even if it applied in the us, would render it moot).

~~~
enzo1982
No, "we may monitor your communication for any business purpose" would not be
consistent with that ruling. There's no chance "any business purpose" would
qualify as a legitimate reason for monitoring communications.

From the PDF press release linked on the COE site:

"The national courts [have not] carried out a sufficient assessment of whether
there had been legitimate reasons to justify monitoring Mr Bărbulescu’s
ommunications."

"Neither of the national courts had sufficiently examined whether the aim
pursued by the employer could have been achieved by less intrusive methods
than accessing the contents of Mr Bărbulescu’s communications."

In other words: You need a legitimate reason for accessing your employees'
communication and you need to consider less intrusive ways of achieving your
aim first.

So your boss is not allowed to just read your mail whenever he likes. Or maybe
he is, if you're working in the US. But European courts, especially the
international ones, are very strict about privacy and protecting personal
rights.

------
cvaidya1986
This will help the regional manager detect any secret employee after work
house parties.

------
mbrumlow
And with that slack is not something I will be using. Way to mess up a good
thing.

------
akerro
*can access.

In some countries it's illegal for employer to read employees private
messages.

------
benatkin
It's an email replacement. Seems like an obvious choice to me.

------
anotheryou
Does this affect the basic plan?

If upgrading to Plus, does it include past messages?

------
Overtonwindow
Is this available for Gsuite as well? My former office had employees mocking
others for their age, gender, etc. No way to show management without revealing
I'd found a way to spy on them.

------
isatty
Why was the title of this submission changed?

------
emodendroket
I had assumed they already did this.

------
geggam
pidgin / adium OTR has been around for a long time.... for a reason

------
vernie
I'm surprised that Slack was so widely adopted without this capability already
available.

------
taylorcooney
Slack...the big brother you never asked for!

------
dugluak
with or without my consent?

~~~
darkstar999
Without.

~~~
dugluak
how is it legal. Even the law enforcement needs to provide a warrant in case
they want to search my apartment.

~~~
EpicEng
Not if you're living in one of their cells.

Your employer pays for slack and it is a work related tool, just like your
emails. If you want to have private communications then send a text. BTW they
can also search your desk because, you know, it's not yours.

~~~
dugluak
what about, lets say, conversations in the company owned cafeteria? can the
employer record them without your consent and use as evidence against you?

~~~
EpicEng
Depends on the state I would assume, but of course IANAL. Some states have
single party consent, and you're certainly not in a private area. You'd have
to look into the eavesdropping laws where you live. You realize that many
buildings have security cameras, right?

I'm still very confused as to why you believe that your communications over a
company owned platform should/would be private.

~~~
dugluak
because I dont see the difference between having direct conversation vs having
electronic conversation in the office premises. why would there be different
rules for them?

~~~
Tyrannosaur
Because one of them is almost literally a paper trail and the other is
ephemeral?

~~~
dugluak
But if you record the ephemeral, there is essentially no difference.

------
MisterBastahrd
This is the greatest advertisement for IRC ever.

~~~
darkstar999
No it isn't. They would own the IRC server and see everything.

~~~
ben509
I think Off the Record encryption on IRC is done entirely by the clients, so
the server can only store an encrypted blob. It also has forward secrecy.

There's no reason you couldn't do the same with a slack client, of course, but
your employer could see you had encrypted chats.

------
xstephen95x
So then employees just switch to Signal for DMs...

------
BLanen
I don't know why people assumed they couldn't.

Before this, they would've been behind, at max, a subpoena, right?

------
colemorrison
Wow. Ya know, for every case this might "help" solve (workplace harassment and
the like), I just can't help but say ultimately it will hurt far more.

"But employers/managers/execs will operate more responsibly with more data
about their employees!"

Will they really? I think they'll be able to operate more "powerfully" with
respect to controlling employees... but with that power I wouldn't be
surprised if the abuse outweighs the positive utility.

Additionally... this is going to kind of kill the culture between people
(ESPECIALLY REMOTE) using slack. Do you really want to talk about your
weekend, or forge any type of bond over chat now? Why would anyone every do
anything rapport building over slack now?

Yeah yeah "but managers/employers won't be that extreme, you're being
extreme." There's a lot of cases in the past where I've thought "sure an exec
or manager wouldn't do X" and then sure enough, there it is at the top of HN,
and the company is going under.

So...someone else on here speculated correctly. It's clearly a selling point
for employers since they're the main target to increase revenue. Unfortunately
I guess that means using it for interest groups goes out the window though.

~~~
always_good
If this is what finally makes you behave appropriately on work comms and start
communicating out of band, then they are doing your future a favor. It should
have been common sense.

