Guide to Slack import and export tools (slack.help)
635 points by larrik on Mar 21, 2018 | 509 comments



As head of IT for a company using Slack: FINALLY.

Don't get me wrong--it's not like I want to read your messages and very likely won't. But there are times when I have no choice. A few years back, a group of interns started privately harassing other interns via Slack. Only way to see it was to boot an offending intern from his work station and go into his Slack to see what was happening. We had to make all intern accounts into multi-channel guests after that. Compare that to our email, where I can go into anyone's messages immediately if need be. This is all very standard corporate IT stuff that you need for HR and legal reasons.

Edit: I'll say this is still not an ideal solution. I don't go into private communications unless I have to, and I'd rather have the option to review specific DMs / private channels than dump everything. I really don't want everything; that's more than I care to see. Also, to clarify, I'm in the US and our employees are well aware that communications on company-operated platforms should not be considered private. I want them to be careful how they communicate in writing, not because they should be worried about me, but because they should be worried about Slack getting hacked/leaked. With the recent Facebook news, I should have thought that sort of concern was obvious.


If two people want to have a private conversation, they'll just find another means by which to do it. In the long run, abusing your privileged access to conversations intended to be private (however justified you may consider it to be) will just breed mistrust among employees. I would quit a job that treated me as a child which must be supervised in such a manner.


I hate to tell you this but if you would quit a job for this reason you probably can't work in the US. The US has laws about corporate compliance, and it has requirements for things like dealing with sexual harassment. There is no such thing as a "private conversation" that takes place over a corporate network.

For example, in the US sexual harassment is taken seriously. If a company gets a complaint of sexual harassment on Slack they are legally obligated to look into it, and if they refuse to the individual managers could personally be held liable for it. This includes situations where the person being harassed isn't directly in the conversation- the above example of harassment over Slack could have evidence of coordination in a different private channel than the ones the harassment target is in.


> There is no such thing as a "private conversation" that takes place over a corporate network.

It's a tech issue, cultural issue, and a legal issue, but it's harmful that we seem to be forgetting the wisdom of discretion as life becomes more digitized. If the law or culture says "no expectation of discretion", they're just wrong and likely hypocritical.

It's healthy, normal, and appropriate to tell specific things to specific people. If we're worried about abuse, there are other solutions to those problems, like letting the harassed share the conversation later, which they can already do, with screenshots if nothing else.


Discretion still has its place, but that's different from privacy and compliance.

Most admins aren't going to spend all day reading other people's conversations, and good companies have explicit policies as to when they will do so. The thing we're discussing here isn't whether companies should spy on everything their employees do- it's about what happens when an issue does occur where they do need to look into things.

I would not work for a company where I thought my managers were looking over my shoulder at every single thing I was doing, but at the same time I would not refuse to work for a company just because they could look into my conversations if I was accused of wrongdoing.

People are also ignoring another aspect of this- if a company does get sued by an outside party they have to make internal data available through discovery. These laws about corporate compliance also exist to make it so corporations can be held accountable.


> Discretion still has its place, but that's different from privacy and compliance.

It should be, but often digital tools obliterate discretion in the service of compliance or even just monitoring employee work habits.

> I would not refuse to work for a company just because they could look into my conversations if I was accused of wrongdoing.

A healthy workplace needs to solve the underlying issue, here. But there are simple ways (i.e., asking or ordering the employee to send you conversation transcripts) to get the information needed. Managers and compliance officers are reluctant to let the investigated employees know they're being investigated, which I understand, but I don't think throwing out discretion-oriented communication is worth the benefits there.


> But there are simple ways (i.e., asking or ordering the employee to send you conversation transcripts) to get the information needed.

Are you serious? So, someone accuses an employee of abuse and you casually stroll by and ask them to send relevant conversations your way? And you expect them to comply without cheating? Why don't we try this approach with other misdeeds, for example, when someone complains about theft, we just ask thieves to come by the police station with the stuff they stole. Do you think that would work?


Does Sarbanes-Oxley require an audit trail whenever an admin views private communications?


Before tech, witness testimony was the same thing.

Old boys club keeps it "verbal only", but someone blows the whistle and testifies regarding the conversation.

Technology didn't change anything. You can't have a private conversation at work. Period, end of story. If you manage to conceal your communications, not only could you be violating laws (depending on your industry and relevant regulations) but you're likely violating corporate policy and in need of corrective actions.

It's a liability problem for a company if employees are circumventing documentation and potentially covering up crimes.

The way I see it, you have three options:

* Be rich enough to not work

* Get paid by someone who accepts the liability of your work and has the legal right to all of your business communications

* Be the guy paying other people who accepts liability for their work and has the legal right to their business communications

Spoiler, even if you're the last guy, chances are there's lawyers doing the same thing to you.


> You can't have a private conversation at work.

I was talking about discretion, not privacy. Those are two different things. Discretion is controlled sharing of thoughts, ideas, and information. Marking documents "trade secret" is an example of discretion. Trade secrets are not private information.

I'm not arguing that information should be unavailable when a warrant or subpoena requires disclosure. I'm arguing that doing the digital equivalent of bugging every conference room in the building is a toxic thing to do, culturally. If the law compels the bugged rooms, we have bad laws on the books.

Two employees need to be able to have a healthy, discreet conversation about working with the boss without having to worry about a transcript of the conversation popping up in a performance evaluation later in the year.


> Two employees need to be able to have a healthy, discreet conversation about working with the boss without having to worry about a transcript of the conversation popping up in a performance evaluation later in the year.

If you are worried about this, the issue isn't Slack. I don't worry about my boss reading my Slack DMs - I'm well aware of what process would be involved there (my boss would be fired immediately, and wouldn't even have access without Legal involved). If you're worried about your company 'snooping' on you that's an underlying, unrelated problem.


> Trade secrets are not private information.

Trade Secrets are a form of intellectual property. They have legal protections, and disclosing them without permission can have legal consequences.


Note that there's also a difference between work-mandated communication channels (for which there is no "opt-in"--there is a directory with your email address, you're on the list of Slack users, etc.) and channels outside of work that you can opt into and out of (you cannot give your personal number when the company is big enough for that to be an option, block people when they abuse it, not reciprocate Keybase follows or leave Signal chat groups, etc.). A channel that is mandated to be kept open loses some discretion for its users, and the loss of power has to be compensated in some way.

(This is the more charitable way of looking at it, obviously. There are plenty of other reasons things are the way they are, and they aren't all good for us, there is just also this)


> A channel that is mandated to be kept open loses some discretion for its users, and the loss of power has to be compensated in some way.

Yeah, I was hinting at that a bit. I think tools like Snapchat and encrypted chat clients are reaching for discreet and healthy digital relationships. A lot of the conversation about these tools is about privacy, which is really something else. How someone looks naked is often private. How that biopsy turned out should be shared with people, just discreetly.


That line of reasoning makes no sense. If that were true, then states like California couldn't make it illegal for companies to eavesdrop on their employees (e.g. recording audio, bugging offices). But allowing companies to read direct messages is very, very similar.

Also, what's preventing a victim of harassment from handing over the offending messages? I don't see how this helps anyone.


Recording audio and bugging offices is a completely different matter than reading through already preserved text that exists on company infrastructure (email or slack conversations). The records already exist in the case we're talking about.

Presumably the victim would share the harassing messages, but by being able to review the records directly the supervisors can gain more information such as whether the harasser was also harassing others, whether there was coordination between multiple people, or even if the original shared messages were missing some context which would vindicate the accused harasser. There's a lot of reasons why a real investigation will bring up more information than a simple one sided copy/paste would.


I'd argue that it isn't. I'm not a legal expert, but it seems that it could be argued that direct messages are implied private conversations, and that laws around recording audio implies that private spoken conversations can occur in offices. The fact that direct messages leave a history is merely a side effect that does not suggest that they are any less private than a spoken conversation behind closed doors.

However, I would need to know the actual intent of such laws, which I don't. Let's say that the intent is to allow for private conversations; then that premise also suggests that messages between two individuals (as opposed to ones in a channel) are only intended to be read by those two participants, hence a conversation that is private. Nobody sends direct messages with the intent that they be read by people besides the recipient.

Why would you need a crude one-sided copy and paste? A password, a cookie, or even an API token, can already provide as much information to authorities as would be provided by that of Slack team admins. There is no need for anyone besides the messaging participants and authorities to see someone's DM history, either technically or philosophically.


Well, as you said, you aren't an expert on this and apparently haven't ever been briefed by your company's legal team, and presumably have never been in charge of compliance. So your arguments about how the law works are in this situation pretty useless.

Jumping away from that angle though, there's still a lot of issues with what you are presenting. For one thing you keep referring to "authorities" without defining who those authorities are. If you're referring to the company IT, HR, and Compliance officers then it seems like you agree with us that the information should be available to those people. However, since that would be a bit odd with the rest of the context you're speaking about I'm going to assume you mean authorities in some sort of government or law enforcement sense.

The thing is that authorities rarely get involved in most of the cases where this information is needed. Sexual Harassment is not a criminal offense, it's a civil one- people don't go to jail for it, they lose money from it. Outside of taking reports these types of things are rarely investigated by authorities in that sense, and there are remarkably different burdens of proof for each of those. Most companies (and individuals I would imagine) also don't want to make a legal issue out of work ones if they can help it, which means it is often in everyone's best interest to handle certain types of problems in house.

Now, as for the philosophy aspect of things, as long as companies are responsible for managing their own trade secrets, sexual harassment complaints, and security in general then all company property (which includes conversations on company servers and services) are open to that company. This is why I do not sign up for company phone plans (except when I want a separate company phone and phone number), and why my work computer does not have my personal accounts on it.


You are correct in all of that.

I simply would have hoped that Slack wouldn't give too much control to employers when there are already viable ways of providing message history without resorting to copy-paste. It makes for a lousier product, and it would have prevented me from having candid conversations that involved no company secrets or harassment of any kind.


You might argue that, but you'd lose in a US court (and afaik most other western countries).


The case is that the culture needs to change. Where it is now isn't healthy.


I won't deny that. ;)


>The records already exist in the case we're talking about.

Perhaps it is then illegal to save these messages?


> For example, in the US sexual harassment is taken seriously.

Yeah, we've seen that over the past couple months.


Wouldn't it show up in the receiver's Slack? If the receiver has issues, he/she can show his/her Slack to get the investigation started.


And what if the issue is two employees are using Slack to discuss using a competitors proprietary information on a contract proposal? Or two employees are discussing how to arrange the books so that they don't receive margin calls while trying to hide large trading losses?

You can't depend on everyone being on the up and up.


Replace "are using Slack" with "discussing at the bar across the street from the office" and what changes about the situation? If the company has an obligation to look into something, they have to look into it. They don't necessarily (and in my opinion shouldn't ever) have the need to, say, record audio of everything you ever do. What does the gray-er area of conversation in the break room at the office look like? What about the darker, gray-er area of conversation in the parking lot before you drive home at the end of the day?

My personal opinion, having avoided the MS IM client at work, is that you never say anything in writing that you wouldn't walk into the CEO's office and say to him in person. Chat of any kind, Slack included, is "in writing" and will have the same full force legal effect as email, so who's honestly surprised by this news?


>Replace "are using Slack" with "discussing at the bar across the street from the office" and what changes about the situation?

That the conversation is no longer happening over a company-sanctioned and controlled communications system? Seems like a pretty clear difference.


This idea that, because you can't perfectly stop something, you shouldn't try to do it at all is madness. Yes, they could get around it. But in this situation, they're not.


Hopefully they would choose their own phones to arrange a corporate takeover.


Yes, well "hopefully" the opposing legal team won't sue you back to the stone age, but hey, it's best to take precautions.


Do you think you will go over every single DM to see if your employees are doing this? That's an insane amount of time wasted. How do you think you will capture all of that? AI? Good luck. We had a system in my previous job that highlighted conversations which had keywords and we just abused it by mentioning those keywords constantly in "relevant" contexts. And if you really wanted to get the password (one of the monitored keywords) you'd just say: "Can you give me the details for ..."


You're missing the point. You don't actively monitor it, you record it so that later you can go back and review those conversations in the event you are required to by law. I don't know where you've worked, but this is standard in any sizable company, or any involved in particular industries, and is not that difficult to arrange. There are specific legal requirements to keep records of certain types around for 2, 5, 10+ years, whether it's email, chat, file servers, etc. And yes, that includes Slack.

Why do you think Slack is any different than the systems that we have in place already? What makes Slack any different from email? Answer: nothing.

And if Slack didn't do this, they'd eventually find themselves filtered out of nearly every corporate network due to the inherent legal risk.


We may have already hit peak Slack, but for folks that don't already know, most folks use something like Signal for anything you want to keep private.


Doesn't the same logic also apply to internal phone calls?

Or is the main point here about giving access to data that has been collected already and not requiring the business to collect this data. If for example the used instant messaging solution didn't keep any log files - what problems would arise for the business? If any arise, why would phones be exempt? Or do businesses in the US really record all internal phone calls?


> If two people want to have a private conversation

Your response is based on a false fact: that anything you use official company communication channels for should be considered private.

HR functions can and will access such communication to investigate complaints about behaviour and similar. Compliance and legal functions can and will access such communication to investigate complaints relevant to them. They can, will, and often must provide access to such communication to relevant external bodies (legal authorities, regulators) under some circumstances too. Heck, in some regulated environments compliance functions are required not just to view your communications for specific reasons but to actively monitor them for certain activity (if they fail to do so they could be liable for punishments for a due diligence failing). For instance our email is monitored to block distribution of client data, accidental or otherwise.

If you want a private conversation, use a truly private channel not an employer provided/related one.

> they'll just find another means by which to do it

The fact that people will find a way around rules, restrictions, and monitoring is not a good reason for not implementing such rules, restrictions, and monitoring in the first place.

If the private conversation is in no way a problem then, well, there isn't a problem.

If it is something that would cause the participants trouble if performed over an official channel, then when/if the matter does come to light it shows malice aforethought and planning (i.e. that the participants knew they were in the wrong and took specific action to hide their behaviour rather than correct it).

> I would quit a job

In many (most?) industries you would not even get a job without explicitly agreeing to the fact that your communications using employer provided/related services can be accessed by some functions of the organisation and distributed to external authorities, so you would not be in a position to need to quit.


That is only according to some law systems though. It does not work like that at all in many European countries. For instance in France the employer cannot read any private conversation (mail/message) of the employee, even when using work email. And no internal rule can change that (it is a criminal offense). If the employer suspects a leak of information by the employee, they can read the message in presence of the employee and a union member, and only in those circumstances.


> If the employer suspects a leak of information by the employee

or if they suspect any other illegal activity.

Even in EU countries where arbitrary inspection/monitoring is not permitted wholesale, there are exceptions where regulatory or other legal requirements trump privacy. Though often there needs to be sufficient suspicion of something worth looking for, I still wouldn't count that as a truly private channel (nor would I expect my employer to provide me with one).


But as I said even in those cases the employee needs to be present when the employer accesses private messages, in addition to a union member. So as an employer you cannot just sneak in and check what has been said, it has to be public. Which I think greatly mitigates the risk. It is not a secret conversation like you would have between lawyer and client but it is rather private.


>I would quit a job that treated me as a child which must be supervised in such a manner.

Are you replying to the right comment? From the example given, it seems no action was taken until the parties involved proved such supervision was necessary.


No one is watching you or treating you like a child. This is important for security and legal reasons.

Insider threat is a serious, real world problem - consider employee harassment, exfiltrating data, sharing secret information, a compromised slack account DM'ing people malware, etc.

No one wants to read your messages, and it's probably a small set of people that even can.


You had better work for yourself then. eDiscovery is a thing, and employee preference will never trump a judge's order.


So what would your solution to the OP's problem be? If harassment is happening, I expect the company has some legal requirement to act. I also expect that you support the company making a safe workplace. How does the company do that if it cannot verify that something is actually going on? Just blindly believe the accuser without confirming if it's true? Just disbelieve the accuser? Tell them to work it out themselves?


Ask the harassed person to show their slack to start with.


And if the harassment itself wasn't over Slack, but just the discussions of it between 2 harassers, then what?


> abusing your privileged access to conversations intended to be private (however justified you may consider it to be) will just breed mistrust among employees

Abusing your privileged access?!? You do realize some of us are required to access those communications for a variety of reasons especially because a threat is happening? Also, I don't get a choice when the lawyer shows up and says we need to look at X's account.

> I would quit a job that treated me as a child which must be supervised in such a manner.

Well, that might save me a bit of trouble, but at the point I am asked to look at your account, I get the feeling you are on your way out anyway or will shortly have a lawyer or the police contacting you.

The communication systems you use as an employee are not yours.


While I sympathize with that concern, I do really believe that actively preventing employees from employing natural means of 'private' conversation is squarely in the 'panopticon' sphere of employment. I find it difficult enough that people can be 'owned' for full work weeks as far as their physical presence, but I suppose I'm pragmatic enough to accept that this is the status quo. But the thought that they are actively monitored during this time, preventing them from even private venting and communicating in a way that is not monitored, is much harder to accept.

We're talking about people here. While I personally have never understood how anyone can accept being under the thumb of an employer for such long periods of time out of their productive years, I've learned to see that this is bearable within the relative freedom that this usually entails (complaining about x colleague, grumbling about the boss with the support staff, after-work beers with a manager who grumbles about his manager). I truly cannot understand how one can have a dignified life as an individual when all your forms of communication are being watched by your overlords.


Yeah, we are talking about people here.

You think I like any of this? Do you really think I get my jollies from looking in someone's e-mail to find a picture they e-mailed another employee that is so far into NSFW that it is sickening? Or the fun of finding out how some employee is plotting with others to make life miserable for someone else? I would prefer people keep their crap off the servers intended to do business.

We have folks here who have argued that a remark at a conference should get someone fired from work. We are talking about something owned and operated by a company that they will be legally liable for unless they are vigilant. Something that hits the press and people will be saying "why didn't the company know?" and "how could they not stop it?". Yeah, we are talking about people here. Companies get sued and people lose their jobs.

Never mind the professions that absolutely have every communication logged and monitored.

If you want something the company cannot look at then use something outside the company. It's really that simple[1]. It's really simple: if you don't pay for it then it is not yours. If it's not your computer then don't expect privacy.

I still cannot understand the folks who want to use stuff from work systems even when they are not work related. Have your own life, interests, and stuff. You are trading your time and work for money. Don't give companies something beyond what they pay for.

I truly cannot understand how one can have a dignified life as an individual when all your forms of communication are being watched by your overlords.

If your place of employment owns all your forms of communication then you have a lot more problems beyond this.

1) well, unless you get into something really nasty and the court discovery orders start flying.


I can't seem to edit my comment, so I'll comment on my comment instead:

To put this in a broader perspective, because I'm tired of the comment-sniping that doesn't seem to lead anywhere:

I find myself already a bit uneasy with the whole idea that an individual can write away their freedom to spend their daylight hours tethered to an employer to the point where their every (productive, sunlit) hour needs to be accounted for.

At the same time I can understand that this is how things are, and we are trying to be human within that sphere, and perhaps for many this is not so bad as long as they can live in a microcosm of society within this world. That includes gossip, complaining, semi-secret conversation, and even romance (while that's often not smart).

I'd really prefer to engage with those who employ and get to dictate the behavior of said employees, instead of comment-sniping where we never bridge that 'gap' between me, a self-employed individual (because I reject all that), and someone who actively is 'in charge' of people who submit to it.

I do realize that my wording in itself is not neutral, but I hope acknowledging that helps bridge that gap a bit at least. And I have counted those 'in charge' as friends in the past, plus I know I'm not a typical 'person', so I'm open to learning to understand this whole thing.


threats are hardly a good reason for mass surveillance.


It's not mass surveillance. It's compliance with the rules governing preservation of records for legal discovery.


These are preserved by the participants of the conversation. A third party shouldn't have any hold on it.


> because a threat is happening

because an "alleged" threat is happening. Still, cause for gathering evidence, sure.

> I don't get a choice when the lawyer shows up and says we need to look at X's account

And now with this, they'll use a different communication method that you don't have access to and now you're back to square one. The best you can hope for is that they're ignorant of these changes so you can catch them.

> ... at the point I am asked to look at your account, I get the feeling you are on your way out anyway or will shortly have a lawyer or the police contacting you.

ah, guilty until proven innocent

> The communication systems you use as an employee are not yours.

This is true, and I don't think Slack is necessarily wrong in providing this access - but you shouldn't assume that communications that the user doesn't want the company to be privy to are necessarily malicious or illegal.

If you are having legitimate complaints about your job and you want to vent or validate your concerns before proceeding, you might want to have a private conversation with a coworker - and you might legitimately be afraid that your unfiltered, undiplomatic private conversation might be taken out of context or retaliated against.


You made many good points, but I'll take issue with this one:

> If you are having legitimate complaints about your job and you want to vent or validate your concerns before proceeding, you might want to have a private conversation with a coworker - and you might legitimately be afraid that your unfiltered, undiplomatic private conversation might be taken out of context or retaliated against.

If you were retaliated against for your legitimate complaints in private Slack conversations (via firing, harassment, etc) then the records could be subpoenaed for you to prove WHY you were being targeted.

It works both ways.


The company isn't a court; "alleged" is plenty enough for the company to look at the communication system it pays for to figure out what is going on. It has a communication system to communicate about business.

> And now with this, they'll use a different communication method that you dont have access to and now youre back to square one. The best you can hope for is that theyre ignorant of these changes so you can catch them.

Good, then it's security and HR's problem. We tell everyone we own the communications systems (it's even in the employee handbook).

> ah, guilty until proven innocent

Yep. Welcome to the corporate environment in the US. Frankly, if they think you used the company e-mail / Slack to do your activity then I don't think we are dealing with Moriarty here.

> but you shouldnt assume that communications that the user doesnt want the company to be privy to is necessarily malicious or illegal.

Then use your own non-company communication system (e.g. text, home e-mail) or go to lunch - how hard is that?


It would make a lot more sense to take your unfiltered and undiplomatic private conversation to a nearby private establishment. If you are remote and cannot do this I would simply use a phone not supplied by work. This is for your protection and whoever you bring along to vent. There have been at least two occurrences in my career which have forced my hand on employee communication and in both cases, a blanket refusal was not an option. If you don't want to say something publicly don't assume anything your company pays for is private until our society changes its views on where the expectation of privacy exists.


> The communication systems you use as an employee are not yours.

Yes they are. I work as a contractor, remotely, using my own personal equipment, my own personal email account, and either my home internet connection or that of whatever coffee shop or co-working space I happen to be in on any given day. My clients are all located in other cities and countries and lack a physical presence where I live. I've never had any complaints about these arrangements (yes, I do realise I'm very fortunate to be able to work in this manner).

I also work for multiple clients. Allowing one of them access to all my work-related communications would involve violating the confidentiality agreements I've signed with the others. Should I be required to divulge the trade secrets or intellectual property of one client to another to satisfy a corporate IT policy? And if I have a personal conversation with someone, which client(s) should I share that with?


> Should I be required to divulge the trade secrets or intellectual property of one client to another to satisfy a corporate IT policy? And if I have a personal conversation with someone, which client(s) should I share that with?

Contractors are always in an odd position, but it's pretty logical and a lot easier these days. If I was a contractor again, I would probably put my communications and project files on a VM of their own[1]. You should have a procedure to clearly separate your time, communications, and work product for each client. If you are using your company e-mail then separation is well understood by lawyers. I would make sure to have separate Slack accounts per client.

1) This assumes I am not assigned a PC and accounts by the employer because it's a staffing position instead of a work product arrangement.


Hope this doesn't sound too harsh but your reply comes off as extremely self-centered. What about looking—at the very least—at it from a legal perspective? It's not like lawsuits and aspects related to discovery haven't been in the tech news lately.


It’s sad how many bullshit decisions were bulldozed by the “because legal” excuse. By that logic everything should be recorded everywhere — including bathrooms.


Sure, but then the communication doesn’t happen in the space where your boss is partially responsible for what's happening there.

It’s very simple: use your employer's tools and networks only for business stuff, do personal stuff unrelated to work in your own networks and software...

Besides that, just in case you didn’t notice, the original poster did not say he's reading employee private messages for fun, but only to act as law prescribes.


Nobody can or should stop you from finding private spaces to talk to fellow employees -- but you have to provide the space yourself. Slack is part of the work environment being set up for you by your employer, so they're responsible for being able to make sure that it's free of harassment and illegal activity.


> would quit a job that treated me as a child which must be supervised in such a manner.

Then you should be prepared to be permanently out of work.

You are NOT entitled to private communications on company-sanctioned channels. Full Stop. End of story. This isn't an issue of "trust" or having faith in your employees, but this is how business is done.


The company should not provide funding for a channel used to harass people.

You're being a shit if you trivialize harassment in the workplace, but you are being an idiot if you are paying for the tools used to hide it.


Hey, don't let the door hit yourself on the way out. There are very valid legal reasons for a business to need at least the option for discovery, e.g., legal suits, fraud, violation of trade secret or export controls, serious employee harassment, etc. This goes for chat just as much as email or anything else electronic. If you think this is "treating you like a child", well, perhaps you are the child.


> If two people want to have a private conversation,

Emphasis is mine. If one person can have a private conversation with an unwilling participant, that is entirely different. I have worked in places with heavy logging requirements, and for sure we created ways to have private conversations. The point is that everyone in these private chats was a willing participant, and could leave if they wanted.


>I would quit a job that treated me as a child which must be supervised in such a manner.

Did you miss the part where the interns were acting like children?

>A few years back, a group of interns started privately harassing other interns via Slack.

We're all proud of you for making this top comment thread about your own ethical stand, let's give peterkelly a big round of applause!!


> I would quit a job that treated me as a child which must be supervised in such a manner.

Agreed this can lead to abuse. But investigating employee behavior while using employer provided communication platforms doesn't immediately fall under abuse. No more than police subpoenaing phone records during a criminal investigation would.


I think one of the side-effects of this is that there are other slack teams created to help keep communications among colleagues private-ish. This leads to cliques and tends to isolate new employees who may not yet be in those "teams".


Well, that's only if the person actually knows that the conversation isn't private.

I would also like to point out that the person you were responding to was talking about interns, so they were arguably 'actually' children.


If you're required to be on Slack to do your job, then your employer is obligated to make sure going on Slack is safe and free from harassment. You can't just sign off or block other employees.


Where are you getting abuse of access from the prior comment?


I mean, if you're using that capability to harass other employees, as the interns in the story were, then yeah, you deserve to be treated as a child, because you basically are.


> Only way to see it was to boot an offending intern from his work station and go into his Slack to see what was happening.

Why couldn't you just ask the recipient to look on his station?

> We had to make all intern accounts into multi-channel guests after that

Are 2 interns ever allowed to be alone together? I mean it's essentially the same, you are saying they can't be trusted so either you always need them in groups of 3, or you should put cameras everywhere with microphones...

I am glad that you are serious about tackling abuse, but more monitoring and rules about congregation are not the right solution imo.


You are assuming that harassment was direct, sending messages to the accusers. My impression is that this was a group chatting privately about the accusers either making fun of them or coordinating actions.

While this can be done through other channels (in person or private cellphone) allowing it on corporate infrastructure without monitoring is not acceptable.


If harassers, as you have mentioned, can simply switch to another channel, then what problem exactly is this measure trying to solve? I'm honestly confused.


Ass-covering. It should've been obvious as soon as HR was mentioned that this isn't about helping employees, harassed or not.


Before this change, would the company have been liable for harassing DMs on Slack, an unaffiliated service where they previously were not able to read peoples DMs?


> an unaffiliated service

Unaffiliated? The company is a customer that is paying Slack for a messaging service, that certainly isn't 'unaffiliated'.


Friction. Yes they could use PGP messages. But most people are idiots and use the systems that are available and simple. If somebody needs to think "I've got to go through these extra steps to be an asshole" then they might think twice in the first place.


No need for PGP. Using any other messenger that won't give private information out for no reason would be enough.


It increases the friction of harassment


No it doesn't. It literally just removes liability from the corporation.

If you've ever dealt with toxic work relationships, you know that stopping harassment isn't going to come down to how you are allowed to pass notes.


Because you could just forbid employees from using such other forms of communication at work.


Now the harassers are doing more and more to harass and leaving more evidence behind. And you have a more compelling case, "they were on Slack, they were on email, they were texting, they set up their own ICQ server..."


What's stopping the harassers from setting up a secondary Slack install for coordination of such nefarious ends?

The only use I can see for this would be evidence after the fact. Surveillance is almost never the proper way to enforce acceptable standards of behavior.


> What's stopping the harassers from setting up a secondary Slack install for coordination of such nefarious ends?

Company policy for one could be applicable.

You’re missing the point though, what you do with non-company provided tools is held to a different standard from officially blessed and sanctioned ones.


In that case, that would be absolutely none of your business. You're making assumptions and jumping to conclusion about what went on.


>> Only way to see it was to boot an offending intern from his work station and go into his Slack to see what was happening.

> Why couldn't you just ask the recipient to look on his station?

This is probably exactly what happened? I'm guessing they didn't physically pry the unwilling intern from his seat like he was a passenger on United.


Not to be contrarian here, but could you offer a solution given that you've thought about this?


Did you miss his first (the second) paragraph?


I don't know about parent, but I did notice that! I saw it clearly written there. I read it and understood it. I understand that the person who wrote it believes it is sufficient to cover all relevant needs.

I would posit that this person may not be familiar with the importance of collecting evidence against possible future needs. An IT manager's testimony from memory, no matter how perfect, is not as useful as evidence collected in a technological manner at the time of offense.

With that in mind, walking over and looking at the intern's screen might be considered by some to be less than a full replacement.


No need to recite from memory when the log is trivially viewed or copied at a later date.


You're right! The log can be easily viewed or accessed later. This of course occasionally requires an annoying amount of screwing around with reactivating old accounts, resetting passwords, and so on. Irritating, but of course a price well worth paying for employee privacy.

With that said, is it perhaps possible that direct access is preferable for reasons other than sheer laziness? Chain of custody and provenance both come to mind as items that some enterprise users of Slack might find worthy of consideration in some circumstances. This is obviously not nearly as important as employee privacy, but still...


Reactivating accounts would only need to happen if the accuser had left immediately, which doesn't seem likely.

I think it is just that big companies have a way of doing things, are paying the bills, and employee privacy is close to last on their priority list—far behind CYA. They don't care that there is another potential solution.


A person leaving a company after filing a harassment complaint strikes me as very likely. I personally know people who have done very precisely that. It's a very common scenario in large companies.

Having personally dealt with some of those companies and situations, I can tell you quite simply that people are definitely aware that there are other potential solutions. Such approaches are seen as not adequate for purpose. The reasons for this judgment are not merely arbitrary or capricious. They are broadly quite sound and reasonable, and I touched on them above in an effort to give you an opportunity to grow in your understanding of those you disagree with.

And yes, as you say, companies are far more interested in limiting liability than they are in employee privacy on company-controlled systems. It's not, as some might suggest, that employee privacy is not valued. It's a question of priorities, and companies tend to place being able to defend themselves and control their risks adequately over an employee's right to leverage their privacy and incur liability for the company.

Though I understand why some might prefer to dismiss the above and think of it as just another example of big, stupid, corporate laziness and refusing to consider alternatives.


Here's where you made a detour, agreeing and disagreeing with a side order of condescension.

A significant portion of folks stick around for a long time in a poor situation as it isn't so easy to leave a job at a moment's notice. For those that don't there is the simple matter of not deleting everything. Nothing is actually deleted any more anyway. Brave new world.

Big, stupid, and corporate are synonyms, government too. It goes with the territory of any large group of humans. As they grow they get dumber and further out of touch until they are overturned by a smaller, nimbler version where the process is repeated in Innovator's Dilemma fashion.


You have to ask why they wouldn't want to talk to an individual suspected of wrongdoing? Why look at security footage, when you can "just ask" the suspect?


You misunderstood. The accused may not be willing to cooperate, but the accuser probably will.


The recipient isn't suspected of wrongdoing, they're on the receiving end of the abuse.


I wish a compromise between willy-nilly dumps of private DMs and their Compliance Exports could have been found. As a user who is not the head of IT this is frustrating. Now frank discussions have to go back to out-of-band channels.

If anyone thinks this won't get abused, think again. I've worked with IT folks of all shapes and sizes over many years and a tiny percentage do abuse the privilege. Including heads of IT. And those are just the ones I know about.


I mean, how do you think your email is handled? Your internet traffic? This stuff has been monitored and recorded by companies for decades, why would Slack be any different?


I'll agree that a whole dump of data is not the ideal solution to the problem here.


Unfortunately the US is a surveillance state.


> "Compare that to our email, where I can go into anyone's messages immediately if need-be. This is all very standard corporate IT stuff that you need for HR and legal reasons."

Wow, THAT is highly illegal in Europe.


I was under the impression it WAS legal in Europe as well after being litigated to the Court of Human Rights[1]. The requirement is simply that they inform you ahead of time that they can (and will) monitor your email.

In the US there is usually a form you sign at your hiring that says you understand the company may monitor your email. It is couched in terms like "to ensure compliance with laws and company policy" but the actionable part is that they assert the right to monitor it and you agree to that (or you don't work for them).

[1] https://www.nytimes.com/2017/09/05/business/european-court-e...


Note that the ECHR has jurisdiction over the European Convention on Human Rights, which is attached to the Council of Europe, which is a pan-European organization that provides the "lower end" of protection in Europe. Even Russia is a member of the COE.

The EU, on top of requiring COE/ECHR membership provides additional protections under the EU Charter of Fundamental Rights. The highest court for EU law is the European Court of Justice, not the ECHR.

Then on top of that, a number of EU/EEA countries have much stricter rules, some are outlined in the article.

So it's technically right in that it is legal in signatories to the ECHR provided they are not covered by other, stricter rules via one of the other routes, and many are.


We're US based, and it's very explicit that we can and will do this if necessary. We state clearly to all employees that the computers and accounts we give them are not theirs and are subject to monitoring. Thankfully, it's almost never necessary.


Certainly illegal in Norway. Hell, I've heard stories of corporate networks up here that MITM all their computers for security monitoring, and where the admins routinely see evidence of searches for sketchy pornography, but can't legally do anything because this kind of surveillance of your employees is illegal.


This isn't exactly true. Employees do have a higher right of privacy even when using company resources than they do in the US, but monitoring is allowed within certain parameters, and that can include searching email or other "private" storage spaces.

Companies must still be able to comply with eDiscovery and data preservation requests from various police agencies (such as Økokrim), and these may be performed without informing individuals that it is happening.


>Compare that to our email, where I can go into anyone's messages immediately if need-be

The only openings for reading employees' communications that I can find by some quick googling are (1) if there is good reason to believe that information contained there is required to keep the concern going or (2) if there is suspicion of serious dereliction of duties. And even then, there is a significant checklist required in order to do it legally. (Obviously, legal police requests can be fulfilled without necessarily alerting the owner).

My point being, this is a far cry from legally being able to go into anyone's communications immediately if need-be.

Are you aware of further openings than this, apart from the obvious in the case of a court-ordered request? I am basing this on the statement from Datatilsynet at https://www.datatilsynet.no/rettigheter-og-plikter/personver.... General monitoring would seem like a big no-no.


Datatilsynet's statement actually does give quite a bit of leeway, but I do agree that you can't just monitor without reasonable suspicion that the employee is acting improperly.


No. Different EU countries have different laws and many different gray areas.

Intercepting messages on a medium that is clearly meant to be private is usually illegal.


In France the current legal viewpoint is your company can open your emails/files except if the subject/body explicitly say it's private.


In the UK they're allowed to monitor work email[0]. I'm not sure how that compares to the rest of Europe.

In financial services they monitor all kind of chat rooms, especially after the LIBOR scandal. Every chat I open gives me a disclaimer saying that chats will be monitored.

[0] https://www.citizensadvice.org.uk/work/rights-at-work/basic-...


Really? I like to consider myself much more privacy-minded than most, but I would expect an email assigned to an employee to be used for official business purposes should definitely have a paper trail that higher-ups can audit if necessary.


I don't think so. The employer has all the rights to look at company emails, there is no right to privacy when using the company's email addresses. There are quite recent verdicts in Germany IIRC, considering if it was unlawful termination if your employer uses information gathered from your emails as reason for the firing. Looking at the emails in the first place was totally lawful, IIRC.


Please state the relevant law that it'd be breaking, I'm genuinely curious. Compliance tools are built into most cloud and enterprise offerings that allow this. Do you not have experience of enterprise/cloud email offerings?


At least in Switzerland and Germany, I thought they can record, and, in case of legal case, also read your emails provided that it is expected to give strong supporting material for the case.


Well...most work contracts I've signed said something like "working here is not mandatory and we may need access to the mailbox (which we're providing to you for your work duties), such access cases are logged and externally audited. Sign here to agree, take that door to disagree." As long as this is agreed beforehand, I'm not aware of a European state banning it - this is somewhat different from "let's go digging around the computers out of curiosity". (I am in GMT+1, for the reference)

I've seen a situation where this was invoked - employee was fired for an unrelated issue, only kept some documentation in their inbox for whatever reason. Without such a provision, our options would have been a) legally questionable, b) up shit creek sans paddle.


In most of Europe what the employment contract says must be compared to local law - it varies greatly how many rights you are able to contract away in an employment contract.

E.g. while employment contracts in the UK are often fairly long, employment contracts in Norway can be as short as a couple of paragraphs, as almost all the terms are regulated and are costly and/or difficult to deviate from for most roles and most additional terms you might add will be null and void.


True. I have misread "this is illegal in Europe" as "anywhere in Europe" rather than "in Europe there exist such jurisdictions".


Europe consists of plenty of countries, all of them different. It seems like statements on HN about how it is "in Europe" are usually Americans writing fan fiction about some never-never land.


Usually people mean the EU, and there is lots of EU level law.

They even do it in the UK, which is weird "Here in Britain, we drive on the left, and in Europe they drive on the right"


> Europe consists of plenty of countries, all of them different. It seems like statements on HN about how it is "in Europe" is usually Americans writing fan fiction about some never-never land.

Yes, this is a common trope on HN (and the Internet in general). People have selective memories, and it's easy for people - unintentionally - to remember the most favorable laws from individual countries, stitch them together in their minds, and then form perceptions on the composite image. It's generally not conscious, but it happens pretty frequently.

And in some cases - such as this one - people are just flat-out misinformed about the situation in Europe. (As pointed out in other comments, this is legal in the EU, subject to comparable restrictions as it is subject to in the US). It's not surprising that a feature Slack is marketing specifically to business users is, in fact, legal for businesses to use in one of their largest markets.


Hadn't thought they were actually Americans, since it's usually critical of the US. That explains why they never mention which country they're from.


> Wow, THAT is highly illegal in Europe

No, it isn't. https://www.nytimes.com/2017/09/05/business/european-court-e...

To wit: “Today’s ruling is fairly clear in how it outlines the parameters of monitoring employees,” said Stephen Ravenscroft, a London-based partner specializing in employment law at White & Case, a law firm. “It won’t be sufficient for employers to have a general policy permitting monitoring — the policy will need to be much more detailed, outlining why, how and where employees may be monitored and explaining how any information gathered through monitoring may be used.”


From that article:

> In an 11 to 6 ruling, [the ECHR] found that Mr. Barbulescu’s privacy rights had been violated [after he had been fired for sending personal messages using his corporate account].

and

> Furthermore, the chamber found, Romanian courts did not sufficiently examine the company’s need to read the entirety of Mr. Barbulescu’s messages, or the seriousness of the consequences of the monitoring, which resulted in dismissal.

and

> The chamber ruled that countries should ensure that companies’ efforts to monitor employees’ communications are “accompanied by adequate and sufficient safeguards against abuse.”

So at least it's a more nuanced view than "I can go into anyone's messages immediately if need-be".


Given his username he may well be from Europe.


One might argue that this is exactly the reason why slack should not have made this decision.

Inevitably, some communications channels are audit-able and some are not. Modern employees (being modern people) use a lot of channels. They call each other, SMS, Whatsapp, Slack, email ...sometimes people even talk. Companies have only partial control.

Anyway, harassment or other misbehavior can happen on any of these. In some cases (like your intern case) companies have to audit, if they can.

Can Audit = Must Audit

If slack gives employers the option to read messages, they've given employers the responsibility to do it.

It's not cut and dry. You could argue that companies won't/can't use slack unless they can read messages. This is doubtless true in some cases and I imagine slack has its eye on these cases right now. But, I think it's hard-ish to argue the magnitude is all that big today.

Companies did use slack before this feature existed, including yours.


> "This is all very standard corporate IT stuff that you need for HR and legal reasons."

there's the problem right there.

(1) need =/= want. you want those things to cover your butt. you're not entitled to them. do you really want to live in a surveillance/nanny state?

(2) the legal system can't save every person from negative consequences, nor can it truly compensate for negative consequences without other negative actions. stuff happens. let's be adults and sort them out ourselves rather than hoping some (imperfect) higher power can do it for us.


Instant messaging is used to express instant thoughts. Instant thoughts can be used against you if accessible by the employer. So why use instant messages over email if you need to think through your instant messages in Slack anyway, like you do with emails? Let's use emails then.

I think most people will only learn the importance of privacy after having been affected personally.


> Only way to see it was to boot an offending intern from his work station and go into his Slack to see what was happening.

Couldn’t the complainant show their history or screenshots? Going through peoples messages is a bit yuck, even if they are horrible individuals.


You are exactly why we should all be extremely careful with what we communicate on the work network.

By "you" I don't mean you personally of course, what I mean is IT in general.

You might be ethical enough to not abuse your new found privilege but who is to say that the next guy won't?

I believe all employees should refrain from posting personal and private things on a company network or any related device for that matter.

You never know how this data can be misused.


Why can't the recipient save a copy of logs?


Provenance. I can doctor my local logs just about as quickly as I can type. True, it's a bit harder than some people estimate to keep the whole thing coherent, but that just means that you hear about the people who get caught, but not the ones who do it successfully. If I am capable of doctoring Slack's copy of the logs with sufficient effort, it is certainly orders of magnitude harder and much legally riskier (as I would be committing many felonies in the process).


That's easy to disprove, though. Make them log into their slack on a new computer, and they'll have no opportunity to doctor them.


It's got enterprise auth, they could just as easily login to the Slack account themselves. ¯\_(ツ)_/¯


The parent I was replying to said they ought to keep the Slack logs themselves. If they're logging into Slack to get them, then it is Slack doing the keeping and we're back to Slack doing the storage.


What is the material difference between having employees save DM logs in an auditable, authenticated way and being able to view employee DMs?

If any employee can ostensibly be compelled to provide their logs when asked by their employer, you are getting just as much information as if IT can view them directly. The only way IT doesn't get as much information is if the system doesn't work, for example because employees can alter their logs or simply refuse to provide them. In that scenario having employees saving their own logs gives you more privacy, but doesn't solve the essential problem.

The tradeoff here is convenience of access versus friction. When you are reviewing an auditable log of information related to an employee, you don't necessarily want to have to ask the employee for that information, nor do you necessarily want them to know you're reviewing it.


> What is the material difference between having employees save DM logs in an auditable, authenticated way and being able to view employee DMs?

> When you are reviewing an auditable log of information related to an employee, you don't necessarily want to have to ask the employee for that information, nor do you necessarily want them to know you're reviewing it.

You just answered your own question.

You might not want them to know you're reviewing it but they most certainly do want to know that you are.


> You might not want them to know you're reviewing it but they most certainly do want to know that you are.

Of course they want to know. Everyone wants to know. But if they committed a crime, or at least are complicit in a lawsuit the company is facing, their desire for privacy on an information channel they don't own is irrelevant.

I don't understand why this is controversial. When the SEC, FBI, local police, opposing legal team, etc. want you to hand over information about an employee, having to ask the employee directly or even let them know is problematic.


Then Slack should (and indeed, does) have special processes for handing over private conversations when served with a warrant, subpoena, court order, etc. "The FBI should be able to do it with probable cause" and "your employer should be able to do it whenever they feel like" are radically different.

And I don't disagree that the company owns it and should have the right to do whatever they want with the things they own. But the employees should also have the right to think that's shitty, and companies should have the ability to demonstrate their lack of shittiness to their employees by configuring their environment in such a way that a higher barrier exists to snooping. This change doesn't actually make a new thing possible; Slack had a "compliance mode" before that companies could opt into, but it wasn't the default, and users were notified if it was enabled. This change just limits companies' abilities not to have snoop mode turned on.


Maybe I missed some context but since when are we talking about committing crimes and the SEC or FBI getting involved? If it's that serious I assume they'd just get a warrant and get the logs directly from Slack.

To me that scenario is completely unrelated to the ability of an employer to silently read DMs of their employees for any reason they see fit.


Don't you think some companies need the ability to investigate things their employees are doing for the specific purpose of bringing it to the attention of government agencies PRIOR to warrants being issued and PRIOR to pissing off the entire federal government?


No? I'm being serious when I say this idea is absurd to me. If you have a serious level of concern about your employees doing something illegal then why are they your employee in the first place?

If you are going to use "We need to be checking for illegal activity" as a justification, why stop at DMs? Why not ask your employees to always be carrying around a recording device that is constantly sending their verbal conversations somewhere where they can be electronically filtered for suspicious keywords? Obviously that's crazy and I'm not saying anyone is suggesting that or would support that, but what exactly makes that scenario over the line that doesn't apply to DMs?

I'm assuming the answer is "expectation of privacy" or the lack-thereof for DMs, and I guess my response would be that we should go back to an expectation of privacy for DMs also.


> If you have a serious level of concern about your employees doing something illegal then why are they your employee in the first place?

Because “we don’t hire criminals” is not sustainable, just like “we only hire the best engineers” is not realistic. Strive for the best scenario and prepare for the worst.

> I'm assuming the answer is "expectation of privacy" or the lack-thereof for DMs, and I guess my response would be that we should go back to an expectation of privacy for DMs also.

But why? Why do you feel you’re entitled to privacy for your activity if it’s conducted over a communications medium in a workplace, owned by your employer and intended for work-related use? Your rights are guaranteed in the context of government transgression, not in the context of arbitrary corporate policy. For example, “freedom of speech” is not a meaningful right in a workplace setting either.

Your personal rights are not globally applicable in any context. You have avenues available to you for private communication if you’d like, but companies (rightfully) do not want to be responsible for that communication. They want to be responsible for workplace communication. So if you want a private chat, have a private chat outside of Slack. It’s very simple and straightforward.

Workplace communication channels are not intended to be, nor advertised as, safe harbors for digital privacy. You can have those, but companies have every right not to support them for you. It’s not as though companies want you to have private conversations with people and then peek into them for juicy details. They want you to use their infrastructure for its intended purpose.


You pick the law of one of the weakest privacy jurisdictions and argue that Slack should standardize privacy on the most invasive level this country's law allows.

What is this declaration of rights for corporate eavesdropping?


Why do you feel the need to defend Slack? It was their decision to do this to ensure they wouldn’t be forced out of the corporate market ($$$$$) and, I hate to break it to you, US and EU law are very similar in this regard. Corporations in the EU can listen to your business correspondence just as easily as US ones, and in neither do you have any real expectation of privacy at work.


You are wrong about the EU - the national legislation on the right to privacy is stricter in many (most?) countries. The EU only sets minimum levels of protection. And even EU law protects more than you imply (1).

I'm defending employee rights and generally the human right to privacy against arbitrary surveillance, not Slack.

(1) https://www.helpnetsecurity.com/2017/09/06/workplace-surveil...


From the court case,

In particular, the national courts had failed to determine whether the applicant had received prior notice from his employer of the possibility that his communications might be monitored; nor had they had regard either to the fact that he had not been informed of the nature or the extent of the monitoring, or the degree of intrusion into his private life and correspondence. In addition, the national courts had failed to determine, firstly, the specific reasons justifying the introduction of the monitoring measures; secondly, whether the employer could have used measures entailing less intrusion into the applicant’s private life and correspondence; and thirdly, whether the communications might have been accessed without his knowledge.

There is nothing in that case that prohibits EU companies from monitoring the communications of their employees. Half of that case revolves around legal procedural problems in the original case, and the other half is about whether the company could have fired him over his personal correspondence _without proper notice_. That case, if anything, only upholds corporate EU rights to monitor their employees, so long as they provide some trivial legal notice.

Yes, EU law does protect private correspondence more than US law, but almost none of that applies to business correspondence, and the EU is just as liberal in that regard as the US.


Workplace communication between coworkers, e.g. on Slack, is not automatically business correspondence in this sense.

In any case, you repeat the oft-debunked myth of a corporate right to surveillance. It does not exist. There is just a partial lack of EU-level protections. The national laws can and do say otherwise in many cases. As can/do binding collective bargaining agreements.


We are not talking about some small made-with-love startup here that no one cares about. We are talking about military contractors, financial companies, law firms, consulting firms, public stock corporations, etc., places with hundreds or thousands of employees and millions if not billions in revenue. You are woefully naive if you think you can run a major company in any of these areas without eventually having employees who are going to do illegal things. People do a lot of crazy things, some for personal reasons, some to get promoted, some because they think they were sanctioned by their boss, some perhaps thought it was best for the company, and so on.

I understand what you’re saying here, and sure, maybe in some small private companies or organizations this is a tragic loss of privacy, but everywhere else it is simply the cost of doing business.


up until now I was acting under the belief that my Slack logs were as private as my WhatsApp logs


You need non-repudiation of changes to log contents.


Because they typically can be easily falsified.


You could have the logs signed with Slack's PGP key so they cannot be altered without the signature causing a mismatch.


Arguably, but what if the company wants to find proof of, say, two employees colluding to exfiltrate sensitive data or something like that? Would they have to convince them to turn in the PGP signed logs?

More generally like the parent I don't see why a company couldn't have full control over their corporate tools.


> two employees colluding to exfiltrate sensitive data or something like that

In that case spying Slack usage is simply not enough: the employer should need to spy every single move every employee makes inside and outside the company, which of course it's not possible (well, except if the company is located in a fascist state).


Not everybody is going to send one-time-pad private-key-encrypted messages using a 1000-character password.

It turns out that having access to slack alone would probably catch 95% of situations.


What if those two employees collude to do something like that via their own private phones? Should employers have access to those too?

It doesn't seem to me like any of this really does anything, since there are (and should be) plenty of ways that employees can communicate without their employer having access.


There are security issues here that you may not be aware of. For one example, if technically knowledgeable people want to falsify signed logs without having the signing key, they can simply keep a separate set of logs with actual innocuous conversations. Slack would sign those in your scenario without a problem. This is the canonical problem of keeping "double books".


While I agree with auditable access to employee DMs, there is a middle ground solution that trivially solves the problem you've presented. Instead of providing the employer with access to the employee's messages directly, logs can be signed at both the blob and message level. Then if an employee selectively turns over only some of their logs, the mismatch will be readily apparent.


Of course it can be solved! I was pointing out that the prior comment was incorrect.

If an employee is in possession of chat logs that if divulged will get them fired, they can simply delete the logs. "Sorry, the drive crashed. IT is working to fix it right now." Stepwise refinement to insecurely re-create security solutions is one of the reasons for many security vulnerabilities.

Logs are well understood, and logging of sensitive information is not just a small technical issue but a security issue. The same way that people shouldn't design their own crypto, when people design logging mechanisms for sensitive data, which is seemingly simple, they will almost always introduce these security errors, as in your post.

Unfortunately, there are also a number of legal issues (and possibly compliance issues) that need to be accounted for from redaction to anonymity and from GDPR to encryption.


Not sure what you mean by blobs? If Slack implemented a scheme like this, they should sign a message which includes metadata like the org name, channel name and timestamps in addition to text.


By blob I mean an archive dump of every message and the metadata you're describing. If that dump is hashed, selectively presenting messages in the dump is obvious.
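The blob-level plus message-level signing idea sketched in this sub-thread, written out as an added example (it is not code from any commenter or from Slack): it assumes a provider-held signing key, modelled here with a constructed HMAC key standing in for the PGP key mentioned above, and a constructed three-message DM export, and shows why a selectively disclosed, reordered or edited dump is detectable.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key. It stands in for a signing key held only by the chat
# provider (the thread mentions Slack's PGP key); HMAC-SHA256 is used instead
# so the example runs offline with the standard library.
PROVIDER_KEY = b"demo-provider-signing-key-not-real"

# Constructed sample export: each record carries the metadata the thread
# says should be covered by the signature (org, channel, author, timestamp).
SAMPLE_MESSAGES = [
    {"org": "example-org", "channel": "dm-alice-bob", "author": "alice",
     "ts": "2018-03-21T10:00:00Z", "text": "did you get the draft?"},
    {"org": "example-org", "channel": "dm-alice-bob", "author": "bob",
     "ts": "2018-03-21T10:01:30Z", "text": "yes, reviewing it now"},
    {"org": "example-org", "channel": "dm-alice-bob", "author": "alice",
     "ts": "2018-03-21T10:05:12Z", "text": "let's keep this between us"},
]


def canonical(obj):
    """Serialize a dict deterministically so equal records give equal bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(data):
    """Provider-side signature (HMAC here; a real deployment would use a
    public-key signature so verifiers need no secret)."""
    return hmac.new(PROVIDER_KEY, data, hashlib.sha256).hexdigest()


def manifest_for(messages):
    """Blob-level commitment: the ordered list of per-message digests plus
    the count. Omitting, inserting or reordering a record changes it."""
    digests = [hashlib.sha256(canonical(m)).hexdigest() for m in messages]
    return {"count": len(digests), "digests": digests}


def sign_export(messages):
    """Message-level: every record gets its own signature.
    Blob-level: one signature over the manifest of the whole dump."""
    signed = [{"msg": m, "sig": sign(canonical(m))} for m in messages]
    return {"messages": signed,
            "manifest_sig": sign(canonical(manifest_for(messages)))}


def verify_export(export):
    """Check both levels. A genuine but selectively disclosed export passes
    the per-message check yet fails the blob check; an edited record fails
    the per-message check."""
    records = [s["msg"] for s in export["messages"]]
    messages_ok = all(
        hmac.compare_digest(sign(canonical(s["msg"])), s["sig"])
        for s in export["messages"]
    )
    blob_ok = hmac.compare_digest(
        sign(canonical(manifest_for(records))), export.get("manifest_sig", "")
    )
    return {"messages_ok": messages_ok, "blob_ok": blob_ok}


def selective_disclosure(export, keep):
    """Simulate an employee turning in only some records: the surviving
    records and their signatures are genuine, but the dump is incomplete."""
    return {"messages": [export["messages"][i] for i in keep],
            "manifest_sig": export["manifest_sig"]}


def tampered(export, index, new_text):
    """Simulate editing one record's text after it was signed."""
    forged = copy.deepcopy(export)
    forged["messages"][index]["msg"]["text"] = new_text
    return forged


if __name__ == "__main__":
    export = sign_export(SAMPLE_MESSAGES)
    print("full:", verify_export(export))
    print("partial:", verify_export(selective_disclosure(export, [0, 1])))
    print("edited:", verify_export(tampered(export, 2, "nothing to see")))
```

A missing blob signature is itself the red flag: a dump with only per-message signatures cannot show that nothing was left out.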


If they harassed them in the toilet, would you install cameras there? =P

Sorry, but that's the same kind of argument for invading someone's privacy and justifying surveillance.

I doubt that anyone would agree even if you said you'll watch the videos only when necessary.


This is ridiculous. If one is harassed in private they have all the evidence they need to expose the harassment to whomever they want.

So now they are not private messages and shouldn't be called as such.


As I do not know which country you are from, I really hope you checked beforehand whether what you did complies with the legislation, as for example in many European countries this would be very illegal.


Totally agree. If harassment is a problem they'll find other ways, but that doesn't mean an employer has to provide an outlet for them to harass on.


With the recent Facebook news, I should have thought that sort of concern was obvious.

It's always going to be Eternal September somewhere on the internet.


I reluctantly agree with you. Employees are smart, especially the ones that harass others and they need to be exposed.


Maybe you should start at the root of the issue and vet your interns before bringing them on.


You didn't have compliance exports turned on already?


So employees can read your private Slack, right? If it’s really just about creating a safe space, I don’t see why management is exempt.


Typically management is not exempt. If management == admin, then there'll be a user mode in which management uses the app normally, and an admin mode where you do admin-y stuff.



Every big enterprise on the planet has your email to whip-out and read if legal issues arise, whether that's for internal reasons or for something like SOX compliance or running into problems with the SEC. It's a total necessity for big public companies.


Guess that's what's wrong with such entities...


So long as they can go through your chat history it seems very reasonable and is not simply a further entrenchment of the structure of power.

Information is power: https://news.ycombinator.com/threads?id=tvanantwerp


Uh, ok? Never really posted on HN under the illusion it was private, so not sure what you're going for here...


I apologize if this seemed personal. I just think that information asymmetry is a type of power differential. HN does not have such an asymmetry when it comes to chat history.


LOL. I was about to write a post with this exact first line. Thank you for beating me to it.


It's called "private" for a reason. If someone harasses me on Slack, I have proof of that, because they wrote me a message. If people have private conversations about anything, it should be of no one's concern. Same goes for Signal or WhatsApp, it's a private conversation. It's like putting microphones everywhere and then firing people who have a bad day and say something stupid once in a while, would you like that? This is not a world I wanna live in and it's a serious move against privacy and freedom of speech.


Yeah, and there's a reason some places have laws against bugging offices. One key thing is that everyone should be clear on what's recorded and what's not, and "if it's written down" at least has the virtue of relative simplicity. Probably if it's not supposed to be fair game for later investigation it shouldn't be logged at all.

I think part of the trouble is that we spend too much time at work for most people to actually be productive the whole time -- if you buy the notion that it's reasonable for people to be at work to work, and they shouldn't be socializing or what have you, then logging everything seems more reasonable than if you recognize that no one can actually be a drone 40 hours a week; then the surveillance starts to look like de facto surveillance of stuff other than the job, which is more worrying.

I am in the privileged position of doing freelance work, on my own machine, mostly remote. As such, if I'm using a client's communication systems it is essentially guaranteed to be work related, so having it logged doesn't bother me; if I'm not working I'm using something else. But being monitored for half your waking hours five days a week feels much more onerous.

I suspect some of this is tension with reasonable expectations of levels of monitoring from when less of our communication was via the network.


> This is all very standard corporate IT stuff that you need for HR and legal reasons.

I doubt that, but it is country dependent. In some of the countries I have worked in it is quite the opposite. You get drilled, for legal purposes, that you are not to look at people's personal emails and, if possible, DMs. Mostly as it is potentially illegal. I have not worked in the US though.

I was however unaware that in Norway they can access your email in exceptional circumstances: https://www.datatilsynet.no/en/privacy-and-society/personver... It seems in case of gross breach of duty, the employee has to be notified, then they can access their work email.


There's an infinite space of solutions to your particular problem, but your chosen solution is totalitarian surveillance in the workplace because an intern got offended?

I avoid workplaces which force shit like this. So do all the good developers I know, because they're people who can afford to be choosy.

Bullies are pretty adept at functioning in these environments. Instead of harassing on monitored DMs, they'll make verbal comments with double meanings, use their leverage to put their targets in unpleasant situations, undercut their targets at meetings etc. Totalitarian surveillance doesn't stop bullies. It just makes your workplace a soul-destroying shithole for the employees who are forced to work in it.


> but your chosen solution is totalitarian surveillance in the workplace because an intern got offended?

Sigh

Totalitarianism is a socio-political paradigm, not a stand-in word to describe things you think constitute surveillance in the context of a business. Companies require the capability to maintain auditable records of employee activity on the information channels they own and manage. Your company is not recording your activity in the privacy of your home or on the street, it's protecting itself and other employees from potentially problematic abuse scenarios. These requirements are also directly imposed by a variety of regulations in various countries.

When you twist the meaning of loaded words like this to describe things you don't like, you make it very difficult for people to get past the hyperbole and take you seriously. You're conflating assaults on personal rights with the routine and mundane business practice of keeping auditable logs.

> I avoid workplaces which force shit like this. So do all the good developers I know, because they're people who can afford to be choosy.

I'm not sure what you're getting at here, because almost all the good developers I know work in environments like this. So where does trading these anecdotes leave us? Do you really believe most competent software engineers don't work in companies that do this? In most cases, that means the company is actively breaking the law, or at best making adherence with the law very difficult and error-prone.


I think the bigger problem that the OP pointed at is that whatever adjectives you attach to this, surveillance is almost always the wrong way to change behavior, unless your desired outcome is to make everyone suspicious of everyone else.

What's stopping these folks from creating an out-of-company channel to do the bullying and attacking in coordination via that means, or tricking the victim into joining them in the new side channel?

The answer to bullying or shitty office behavior is not monitoring. That's cover-your-ass, because the real answer is hard. Improve your company culture. Fire people who are detrimental to the team. KNOW YOUR TEAM! So often I hear about these things and what you find is a shitty manager who has no idea how to be a manager and says "well they get their work done."


You realize this has to do with far more than workplace harassment, right? Have you never heard of employees using a competitor's proprietary information? Or arranging fraudulent financial transactions to cover losses? Or discussing how to mislead investors or watchdog agencies? What do you expect this company to do when they are involved in a legal dispute like this, and have to explain to the court why they have company-sanctioned, un-auditable computer systems/applications that helped their employees break serious state and national laws?


I suppose my experience in large corporations is limited. But I'm going to hazard a guess that for all but the biggest corps "company sanctioned" is not an official term, and that most have given little-to-no thought about all the various ways they need to keep track of the way their employees communicate.

Keeping in context with the OP, Slack allowing admin access to all conversations is a cover-your-ass corporate move, not a solid new tool to combat workplace cultural issues. Perhaps once in a blue moon employee surveillance and bad culture might intersect and prove useful. But that should in no way be used to justify corporate surveillance.

As an elected government official, I understand the importance of paper trails and record-keeping. But the mere fact that so many companies USED SLACK WITHOUT THIS FEATURE means most had no qualms about side channels being un-auditable before. And now this is just sweet sweet honey to corporate overlords.


It doesn't make sense to refuse solutions that solve part of the problem, or that make the problem more manageable. Perfect is the enemy of good.


> because almost all the good developers I know work in environments

But they aren't True Good Developers... /s


> socio-political paradigm

Sigh.

And workplaces are socio-political contexts... I didn't find it very difficult to get past his hyperbole, and I frankly find it hard to believe that you did. It isn't hard to argue that monitoring channels that even just imply privacy, regardless of whether they take place in the workplace (or in academia, or at home) is a violation of personal rights - regardless of the fact that you arbitrarily draw the line at "recording your activity in the privacy of your home or on the street."


> And workplaces are socio-political contexts

They're not governments, they're companies.

> monitoring channels that even just imply privacy, regardless of whether they take place in the workplace (or in academia, or at home) is a violation of personal rights

It isn't, unless your definition of "personal rights" includes "things I personally want which are neither codified in, nor protected by, laws."


>They're not governments, they're companies.

You're right, it's important to note they are more powerful and exercise more control over the lives of their employees than many governments, though employees often have the same opportunity to leave their company as they do their government (none).

>It isn't, unless your definition of "personal rights" includes "things I personally want which are neither codified in, nor protected by, laws."

Yes that's literally exactly what personal rights always means. Legal rights are legal rights, personal rights are a conception of what the person who uses the term wants or believes rights to be.


> You're right, it's important to note they are more powerful and exercise more control over the lives of their employees than many governments, though employees often have the same opportunity to leave their company as they do their government (none).

Especially when they're also dependent on their corporation for healthcare and retirement...

This is exactly my point, it's effortless to compare corporations to government, especially in this context. For the other comment to base his argument around the word "totalitarian" seems nothing if not disingenuous, given that the meaning behind the word is clear.


In what way are companies not trivially compared to states (governments) in this context (surveillance)? You're being intellectually disingenuous.

I mean, you completely (amusingly) misquoted that sentence. I said "it isn't hard to argue that [...]". I did not make an absolute statement that it is (a violation)... Come on now.


> You're being intellectually disingenuous.

Okay...let me see if I understand you correctly. You're defending the other commenter's description of corporate logs as totalitarian surveillance, but you're saying that I'm being intellectually disingenuous because I'm pointing out that companies are not governments?


No, I'm calling you intellectually disingenuous for reading a comment about internal corporate surveillance, and choosing to pontificate on word choice when the meaning is trivial to understand. Blatantly misquoting me also doesn't help.


> imply privacy

Workplace provided communication mechanisms do not in any way imply privacy. Best practices are that staff sign an acknowledgement of such, so that there is no such confusion.


So, if an acknowledgement is needed... It's needed because there might be an implication of privacy, right?


Generally speaking it’s easy to argue that employees have no expectation of privacy on the work network for the following reasons:

1. Regulation in most countries requires it to be this way, well, most countries any of us is likely to work in. Which is to say: The Law Hath Spoken, which is to say: The People Hath Decided.

2. The employer should have spelled this out to you at time of hire, and had you sign a document to verify you understand.

The problem here isn’t that the direct messages take place in the workplace, it’s that they take place on infrastructure owned by the workplace.


I didn't actually argue that there was an expectation...

I only said that the comment I replied to relied on a purely arbitrary definition for what an invasion of personal privacy was... He argued that because "your company is not recording your activity in the privacy of your home or on the street" it wasn't unreasonable (or totalitarian), because the company was "protecting itself and other employees from potentially problematic abuse scenarios." Even though it's amusingly easy to imagine that a totalitarian regime would make the same argument for its own surveillance practices....


Totalitarian surveillance? While you’re at removing that from the workplace, don’t forget to instigate democratic revolution in your company as well.


Well yes, this is a good idea. Democratization of the workplace and worker co-ops generally promote better quality of life for employees and the surrounding community, less exploitation, less corruption, more justice and similar or better efficiency compared to the normal dictatorial corporate model.


Well, if you work at Google anyway.


Infinite space of solutions? I think not. If the harassment was in any way sexual, the company had a legal responsibility to investigate. It may have been a timely matter and the best and/or only solution was to read the messages at the offending intern's workstation.


If you've worked anywhere with more than 50 employees, your emails are available for an admin to look at. This is required for legal discovery whenever a company is sued. For companies in regulated industries (healthcare, finance, etc.) they may actually be required to keep all your communications for a period of time so that they can track if you leaked sensitive data (PHI, PII, trade secrets, etc.).


> totalitarian surveillance

> got offended

> Bullies

> soul-destroying shithole

It's funny how these sort of comments always come from recently created throwaway accounts.


People can only candidly speak their minds on touchy subjects through anonymity. What a shock, if only we came up with a name for this effect a long time ago? If only that very effect wasn't so ironically relevant to the subject at hand?


Why do you think that is?

How would you describe the tenor of the comment?


> I avoid workplaces which force shit like this. So do all the good developers I know, because they're people who can afford to be choosy.

So you and your choosy developer friends work at a place where IT can't access your corporate email?


In Germany (and probably the whole EU) it's illegal for an employer to read an employee's mails without approval of the workers' council for each individual case.


"probably the whole EU" [citation-needed]. German privacy law is very strict. This might be a good thing, don't get me wrong - but extrapolating this to all the other 27 member states is pure nonsense.


Requiring approval of the worker's council is how an employer's demand to read an employee's mail is usually handled in Germany. I did not mean to imply that it is handled the same way in the whole EU, just that unsubstantiated monitoring is likely illegal in the whole EU.


The European Court of Human Rights recently ruled that an employee's communication may not be monitored without prior notice and without specific reasons. [1]

This ruling applies not only to the whole EU, but to the 47 member states of the Council of Europe, including for example Russia and Turkey.

[1] https://www.coe.int/en/web/human-rights-rule-of-law/-/echr-m...


I'm aware of this, yet "prior notice + specific reasons" != "approval of the workers' council for each individual case"


I think you're mixing up the way businesses run and how society should run. Two different things.


Businesses are society; we are forced to spend the vast majority of our waking life under the thumb of one, so we should absolutely decide how we want that life to go.


It's getting well OT, but why should there be a distinction? Should we forgo morals in favour of profits?


No, he chose it because a group of interns was harassing other interns.

Words matter.


Reading someone's workplace messages to resolve a workplace investigation into a workplace dispute between co-workers isn't totalitarian.

There is no reasonable expectation of privacy on a corporate slack account.


You may be speaking legally in your final sentence but in natural language terms I'd say there is definitely an expectation of privacy in DMs to a named account; and it's not an unreasonable expectation.

If one DMs "Alex Murdo" then the expectation would be that they alone would read it, or their nominated person. If one DMs "Graphic Design" department then obviously that doesn't stand.

I'd expect contracts and such to contradict this natural expectation however.


Would you provide a small list of solutions as examples?


How about ask the intern being bullied to show the bullying messages?


And the sender deletes the message?


nice nirvana fallacy


Looking at all the positive comments here, this is generally bad news.

Not sure how compliant this is with the law, but in this case the law should be more protective towards employees.

I imagine the following situation:

I write on a company-owned piece of paper "My boss is an idiot". Then I take this piece of paper, put it in an envelope (owned by the company as well), write the name of my colleague and seal the envelope. Then I put the envelope on the recipient's desk.

I bet it would be illegal for my boss to take that letter, open it and read it.

P.S.

Looks like with e-mails the law is more protective towards employees :

[1] : https://www.reuters.com/article/us-privacy-emails-echr/europ...

[2] : http://www.internationallawoffice.com/Newsletters/Employment...

[3] : https://www.womblebonddickinson.com/uk/insights/articles-and...


Your boss is absolutely allowed to open an envelope on your desk if it's clearly a business-related piece of mail, and your employee handbook almost certainly says that your corporate Slack account is only to be used for business purposes.

In fact, your boss is allowed to open any mail sent to your work address.

https://www.azcentral.com/story/money/business/abg/2015/07/1...

http://www.askamanager.org/2010/08/is-it-legal-for-my-boss-t...

http://employment.findlaw.com/workplace-privacy/privacy-at-w...


Ah, Europe might be different. In the US, if your employer owns the platform, they have the right to all the messages for compliance. We view this as "if you have something private, don't do it on corp channels." This is usually fine unless you're harassing someone or engaging in something against corp ethics.

https://www.privacyrights.org/consumer-guides/workplace-priv...


It really depends on national legislation, as well as individual contracts with unions or work councils. At least here, as a rule of thumb, as long as private internet use is permitted, the employer can't legally monitor traffic outside of very specific circumstances. AFAIK you can't get around that by prohibiting personal internet usage without generally enforcing that prohibition.


> At least here, as a rule of thumb, as long as private internet use is permitted, the employer can't legally monitor traffic outside of very specific circumstances. AFAIK you can't get around that by prohibiting personal internet usage without generally enforcing that prohibition.

This isn't relevant here. ECHR has ruled that employers do have the right to read emails, as long as employees are notified in advance (which can include blanket notification as part of their employment agreement). ECHR has jurisdiction over all ECHR countries, which is a superset of EU countries and includes several non-EU countries, like Norway. Other European countries, like Germany, Switzerland, and the UK have also affirmed this right.

Email being roughly analogous to Slack, in the eyes of the law, there's little room for doubt that employers in Europe have the right to read Slack messages on the company's Slack account.


The ECHR has ruled that it is not a violation of human rights, that does not override national law that limits employers if it exists.


> The ECHR has ruled that it is not a violation of the convention on human rights, that does not override national law that limits employers if it exists.

It doesn't override national law, but national law is pretty consistently clear that employers have this right as well - that's why the case was before the ECHR in the first place.


You claimed that specific rules the poster you replied to mentioned aren't relevant due to the ECHR decision, and that's just not true. E.g. here in Germany, an employer needs to explicitly forbid private e-mail to be allowed simple access to employee mail, which is why basically everyone does that, often allowing private internet use to access webmail instead. (I've also seen employee agreements where there's different rules for specific folders: a private archive folder is never accessed, work-related folders can be easily accessed and e.g. looking at new mail in the inbox is allowed if it's done under supervision and e-mail that's clearly recognizable as private isn't opened, since private mail was hard to avoid in the specific case)

This is something where you likely cannot make useful blanket "in Europe" statements.


Again, it depends on individual agreements. If the employee is not allowed to use his work email for private stuff, he has no reasonable expectation of privacy that goes beyond obvious cases. Like, for example, if your wife sends you a mail with the subject "here are my nudes!", your employer isn't allowed to access the content.


> Not sure how compliant this is with the law, but in this case the law should be more protective towards employees.

This change is precisely because of regulations like GDPR, among others.


The ECHR said that the employer has no right to access any private employee communication, even if it happened at work.

That contradicts what you’re saying quite a bit.


It doesn't contradict what I'm saying. If you mean the Romanian case, the ultimate resolution was that 1) an employee has an expectation of privacy for personal communication on personal channels on a corporate machine, and 2) if an employee's personal internet usage is going to be monitored on a corporate machine, they must know before the monitoring begins. The ECHR didn't have any problem with the monitoring in general; what they ruled against was the legality of personal internet usage monitoring before the employee knew about it and agreed.

In the ECHR case, the employee's personal communications over an instant messenger were being monitored just because they were happening on the employer's machine, and without the employee knowing ahead of time. That's the no-no. But Slack is not a personal communications medium; it's maintained and administrated directly by an employer for the explicit purpose of work-related communication. In the context of the ECHR case, Slack doesn't qualify.

Circling back to Slack and the GDPR: as a direct result of the GDPR, Slack now needs to align their desire for full employee auditability with full data transparency. There's a tension between competing regulations, but there's no contradiction here.


Slack can be used for e.g. union organizing, which an employer may not read either, and "they must know before the monitoring begins" is obviously not given here.

This doesn’t look good for Slack.


That's 100% incorrect.

https://www.echr.coe.int/Documents/Press_Q_A_Barbulescu_ENG....

They don't have free access however they want, but they do have the right to access under certain conditions.


Communication over an employer-provided tool is not private communication.


In broker-dealer finance, it is illegal to not log and audit all business communications. Additionally, you have to contract with a government-approved agency to save the logs in a manner that cannot be tampered with. I think we even have to save it in a format that is easy for government agencies to review and search if necessary.


I'm lost on the employees needing protection concept here.

If you're going to call your boss an idiot, don't do it with the company tools. That seems like a pretty reasonable boundary to maintain.

I've never thought of much of anything that was my employer's as mine. If I wanted a private email conversation, I'd use my email, same with chatting and etc... that's just smart no matter what the local legal traditions are.

The volume of negativity surprises me if only because there are all sorts of ways to obtain some private channel communication.

Do people need to talk shit about their boss THAT often, but they feel they should use a work provided tool to do it?


It's funny how much hedging and how many implausible hypothetical scenarios there are in some of these comments.


Previously, you could only see employee DMs if you turned on Compliance Exports, at which point you could download all of them going forward. Now it sounds like everything you've ever written could be downloaded at any time without notice.

So, all of those communications you had with co-workers based on the promise they would be private until you were notified future ones wouldn't be anymore? Now it's ALL available to your employer.

Surprise!

(This is presumably due to GDPR)


Meh. Nobody should be surprised by any of this in the slightest. If your employer provides / pays for any kind of communications tool, the only sane position is to assume that they can - and probably do - monitor every single byte you send.


Honestly I didn't realize my Slack DMs on my work account weren't private until I saw this. I assumed that since my employer pays for the account, any message I sent was being monitored.


you meant "were" instead of "weren't"


Correct.


That's what I'm thinking. I mean... of course employers expect to be able to have access to communication done by employees in the course of doing their jobs. They've been able to do this with every (archivable) communication medium since the invention of writing. Where is the news here?

If you want privacy use a private channel. Your employer's work tools don't qualify.


By private channel, I assume you mean a completely separate system that is not slack, and not a private slack channel (which, prior to this, was private from slack workspace admins, with hilarious results).


I think there's some middle ground, some grey area where whether it's alright is murky. It's kind of pulling the rug out from under people when the policy of a 3rd party provider abruptly changes and suddenly tons of messages become available to the company.

There are a number of things I might mention to a coworker over a private IM which wouldn't necessarily put my employment at risk, but would be awkward for management to suddenly have access to.

A couple made up examples:

"I'm super sick, but $boss is really pushing me to get the report out. I just want to go home and be sick all alone."

"I hate management's decision to reduce vacation days. No wonder we can't keep people around here."

"Did you see Tom's email? It's kinda awkward that he thinks he's a strong contributor to the group..."


All of those conversations should take place out of band of employer communications tools.

Never write something you wouldn’t want printed on the front page of a newspaper.


As a company policy I sure hope your IT doesn't make emails available to your management.


No they don't, but I work at a large megacorp. At a small 10-20 person non-technology company startup, the admin on Slack is likely to be the owner or general manager. It could be another 5-10 people before a person is hired on as full-time IT.


If the owner or GM has enough time to dip into Slack DMs, or even emails, the company has bigger issues.


These are all the sorts of things that you would ideally want management to know about so they can make better informed decisions. Assuming of course that you have competent and trustworthy managers.


>Assuming of course that you have competent and trustworthy managers.

You're begging the question.

"Competent and trustworthy" people won't abuse their power by definition. Anyone who abuses their power intentionally is untrustworthy, and anyone who abuses their power unintentionally is incompetent.

In the real world there are many incompetent and untrustworthy leaders. Slack has no choice but to operate in the real world.


Which question am I begging? I wasn't talking about abuse of power.


I think the EU would have something to say about that: https://www.telegraph.co.uk/news/2017/09/05/landmark-eu-ruli...


Seems a little different. Courts ruled that work emails could be viewed, just not personal accounts used on work computers.


Additionally, unless your work environment is sophisticated enough to fiddle with the certificates on your machine, and run a MITM proxy, you should be safe using something like GMail over https. Now I'm sure some companies do manage to intercept outgoing https traffic, but I doubt that most companies do.

OTOH, I still think being paranoid is the safest policy, so if you're plotting to overthrow your boss, or sell secrets to your biggest competitor, I still wouldn't do it on the company network, and/or using a company computer.


If your Gmail account is through work (i.e. not a personal one) they already have access to it.


Agreed. I was referring to the parent post's comment about using personal accounts at work. That might be safe, to some extent. But again, I would lean on the side of paranoia if you're talking about anything that could get you (fired|put in jail).


In any case, if you would plan any of that, I would guess that it would most probably leak out through entirely nontechnological channel - e.g. by somebody overhearing in person, or even by a co-conspirator defecting for their own gain.

Cloak-and-dagger games are very similar to building your own crypto: likely to be broken at a fundamental level, never mind the amount of magic security glitter that you pile on top.


Yeah, they said it here[1], and basically, given cause and given notice, they can still access private communications on work property. So not exactly what you are implying.

From the actual source: https://www.echr.coe.int/Documents/Press_Q_A_Barbulescu_ENG....


Thanks for the document. I think it still says that the employer should notify the employee beforehand of any potential monitoring of communications, which is different from assuming that every byte is being monitored.


Exactly. I'm surprised they couldn't before.


Yup


The smart people will have anticipated this, and their message logs will paint them as good for the company.


You should not assume your communications are private if there is no end-to-end encryption. Also, the employers are often required to do this because of regulations. (I think those are silly regulations given that end-to-end encryption is so easily available nowadays, but the companies don't really have a choice here.)


You shouldn't assume they're private just because they're encrypted. Employers can and will install SSL certs on your desktop machine so that they can decrypt and scan/archive everything at the gateway. This is standard practice in financial companies, and is easily done anywhere.

They can also install screen capture and key logging software if they want, but that's less common and without disclosure is a lot shadier (although certainly legal in the US). I wouldn't expect it most places; it's a more extreme step.

But never trust encryption at work unless you know your company's policies.


`whyever` said _end-to-end_ encrypted, presumably meaning "between the intended recipient and me," not "between a middleman and me."

Of course, you also need to trust your hardware.


Then of course, if the hardware is provided by the employer...the Second and Third Rule is already broken, game over.


Are there any guides to check for shady SSL certificate shenanigans on an employer provided Mac?


If the employer had physical access, what would prevent them installing a rootkit? Then you couldn't detect a fake certificate no matter what you tried. Or deeper, if you distrust the provided software, what makes you trust the hardware? It's turtles all the way down ;)


I'm not talking about anything shady here. We're told that they're going to update our desktop SSL certificates for this reason. Partially CYA, partially compliance/legal. I'd probably quit if someone were keylogging or screengrabbing my work machine without my knowledge, but I'm not talking about employers being sneaky.

And this is exactly end-to-end encryption that the original thread responder mentioned; I know it's in place so I won't connect to my personal accounts from the work machine. That's what my phone is for (and I won't use their wifi for my phone, either).


Yes, but assuming partial good faith (this does sound like an oxymoron, but humor me) - how would I go about checking for cert misuses?


The OS should have a trusted CA list somewhere (not sure where OSX does); checking that it matches a fresh install should be the first step. Note that there might be multiple lists - Firefox, for one, tends to keep their CA list separate.
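The concern raised earlier (an employer pushing its own CA onto the laptop so a gateway proxy can decrypt TLS) and the question here (how to check an employer-provided Mac for that) can be turned into a concrete check. The following is an added example written for this thread, not code from the thread, from Slack, or from Apple. The macOS `security` invocations, the keychain paths, and the exact "SHA-1 hash:" output format are assumptions about that tool and are only shown, not exercised; the baseline-and-diff step is plain POSIX shell and runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): detect extra trust roots on a Mac and
# check which CA actually signs a given host's certificate.
#
# ASSUMPTIONS (macOS-specific, shown but not run in the self-test):
#   - `security find-certificate -a -Z <keychain>` prints one "SHA-1 hash: <hex>"
#     line per certificate stored in that keychain.
#   - /Library/Keychains/System.keychain is where an admin/MDM push of a
#     corporate CA normally lands; Apple's own roots live in
#     /System/Library/Keychains/SystemRootCertificates.keychain.
#   - `security dump-trust-settings -d` lists admin-level trust overrides.

# Collect the SHA-1 fingerprint of every certificate in the given keychains,
# one per line, sorted so the result is diff-friendly.  macOS only.
snapshot_roots() {
  for kc in "$@"; do
    security find-certificate -a -Z "$kc" 2>/dev/null
  done | awk '/^SHA-1 hash:/ { print $3 }' | LC_ALL=C sort -u
}

# Admin-domain trust overrides: an entry here is a CA that was explicitly
# marked trusted on this machine rather than shipped by Apple.  macOS only.
admin_trust_overrides() {
  security dump-trust-settings -d 2>/dev/null
}

# Portable: given a baseline fingerprint file (taken on day one, or from a
# fresh install) and a current snapshot, print fingerprints that are present
# now but were not in the baseline.  Both files must be sorted (see above).
added_roots() {
  LC_ALL=C comm -13 "$1" "$2"
}

# Which CA really signed the leaf certificate a host presents to this machine?
# If a public CA is replaced by your employer's CA, that host is being
# intercepted at the gateway.  Needs network, so not run in the self-test.
leaf_issuer() {
  host="$1"
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer
}

# Self-contained demo on CONSTRUCTED data: two fingerprints stand in for
# Apple-shipped roots on a clean install; the current snapshot has a third,
# standing in for a pushed corporate CA.  Prints the fingerprints that were
# added since the baseline.
demo_added_roots() {
  dir=$(mktemp -d) || return 1
  printf '%s\n' \
    '0F4BD4CE68C5C2E25FE64C0F6E4F7A1A3B5C6D7E' \
    '2A1C3E5F7B9D0F2468ACE13579BDF02468ACE135' > "$dir/baseline.txt"
  printf '%s\n' \
    '0F4BD4CE68C5C2E25FE64C0F6E4F7A1A3B5C6D7E' \
    '2A1C3E5F7B9D0F2468ACE13579BDF02468ACE135' \
    '9C0A1B2C3D4E5F60718293A4B5C6D7E8F9001122' > "$dir/current.txt"
  result=$(added_roots "$dir/baseline.txt" "$dir/current.txt")
  rm -rf "$dir"
  printf '%s\n' "$result"
}

# Real-world use on the Mac itself (run on day one, keep baseline.txt off-box):
#   snapshot_roots /Library/Keychains/System.keychain \
#                  /System/Library/Keychains/SystemRootCertificates.keychain > baseline.txt
#   ... later ...
#   snapshot_roots /Library/Keychains/System.keychain \
#                  /System/Library/Keychains/SystemRootCertificates.keychain > current.txt
#   added_roots baseline.txt current.txt      # anything printed is new
#   admin_trust_overrides                     # explicitly trusted extras
#   leaf_issuer mail.google.com               # expect a public CA, not "Corp IT CA"
```

Fingerprints alone only tell you that a root was added; `security find-certificate -a -p <keychain>` dumps the PEM so you can inspect the subject of each new one. As the thread notes, none of this helps if the machine is owned at a lower level than the trust store, and for a host whose issuer comes back as the corporate CA the only fix is not to use that machine for that account.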


Ah, I work remotely, so I normally don't worry about that sort of thing.


I doubt this has anything to do with GDPR which is about personal information of customers and users. In this case the customer is the company and I don't think GDPR applies.


The announcement email says "As part of our growth and in support of upcoming changes to EU data protection law, we’re launching new tools and features and updating our Privacy Policy and User Terms."


"As part of our growth and in support of upcoming changes to EU data protection law, we’re launching new tools and features and updating our Privacy Policy and User Terms."

That sounds like a convenient marketing bullshit bogey man to me.


Actually GDPR also applies to your personal information that a company holds about you as an employee. However GDPR doesn’t apply if there are other laws that also apply to the data, which will be the case in a lot of circumstances for employees.


Why would you have such conversations or expectations when using company chat? That's unprofessional and, frankly, stupid because it puts one's job in danger (as could an in person conversation heard by the wrong people at work). If you want to talk in private, there's dozens of other chat programs out there you can run on your own devices.


You're missing the point. Slack was one of those programs until this retroactive privacy policy change.


You really thought Slack somehow didn't have access to those messages or deleted them? That this feature wouldn't be inevitable? Their whole sales spiel is that they can keep all your messages forever. This shouldn't be surprising. I'm not missing the point at all. I always assumed they had an entire history and could reveal it at any time. It's not end to end encrypted. Assuming otherwise is dangerous and frankly, idiotic in today's world.


why presumably due to GDPR? I would think it was a possible GDPR problem for them in the future. Specifically, you wrote it based on expectation it was private and now it is not, when did you give permission for sharing that data?


An employee's use of a company-provided communication channel like Slack isn't covered by GDPR, but the company is liable for the content that's stored in their Slack account. Under GDPR, I, as a customer of Company X, have a right to know about and request a copy of any data stored about me by that company, which includes Slack conversations, in both open and "private" channels. GDPR also applies retroactively, so the old compliance export process wouldn't cover it.


GDPR was mentioned in the announcement email (though not for this line item).


If it's your company's asset, you gave permission for sharing that data when you signed the e-handbook at orientation, the same document that gives them the right to monitor your work emails, put MDM on your work-issued phone, and log your work machine's network traffic into their SIEM.

You have no right to privacy when you're inside your company's office using your company's computers to access your company's network. They own it all, you just have permission to use it within the guidelines they set and you signed off on when you were hired.


You seem to be applying US legal concepts, when the question was about the GDPR, an EU directive.


Then your mistake was having conversations you wouldn't like your boss to read using your company's internal messaging system. How is this any different than e.g. emails?


Following GDPR could be much easier. Simply delete messages ASAP. Best protection of private data is not storing them.


This is not completely true. It has been possible to pull DMs via the Discovery API.


I actually didn't know this. Why did they have the big alert when turning on the Compliance Exports then?


Wanted to let people know about GDPR. More for optics I am sure.


It also could be other compliance requirements.


This is to be expected from Big Brother. These days one should assume the telescreen is always watching and so should be very cautious as to not commit a thoughtcrime.

---- Edit ----

To clarify; my comment is referring to the novel 1984. While a bit tongue in cheek, it was not meant entirely as a joke.

This is a forum visited mostly by IT workers. I would assume most of us here know enough (or should know enough) to realize that any of our communications at work can be read by someone else and so you may want to treat it a bit as such.

In my personal programming working experience I have seen data captured in all of the following forms, reviewed, and then used to fire or prevent firing individuals.

Email, Instant messaging, Phone calls (audio recordings), Computer monitor (video recordings)

