Don't get me wrong--it's not like I want to read your messages and very likely won't. But there are times when I have no choice. A few years back, a group of interns started privately harassing other interns via Slack. Only way to see it was to boot an offending intern from his work station and go into his Slack to see what was happening. We had to make all intern accounts into multi-channel guests after that. Compare that to our email, where I can go into anyone's messages immediately if need-be. This is all very standard corporate IT stuff that you need for HR and legal reasons.
Edit: I'll say this is still not an ideal solution. I don't go into private communications unless I have to, and I'd rather have the option to review specific DMs / private channels than dump everything. I really don't want everything; that's more than I care to see. Also, to clarify, I'm in the US and our employees are well aware that communications on company-operated platforms should not be considered private. I want them to be careful how they communicate in writing, not because they should be worried about me, but because they should be worried about Slack getting hacked/leaked. With the recent Facebook news, I should have thought that sort of concern was obvious.
For example, in the US sexual harassment is taken seriously. If a company gets a complaint of sexual harassment on Slack they are legally obligated to look into it, and if they refuse to, the individual managers could personally be held liable for it. This includes situations where the person being harassed isn't directly in the conversation- the above example of harassment over Slack could have evidence of coordination in a different private channel than the ones the harassment target is in.
It's a tech issue, cultural issue, and a legal issue, but it's harmful that we seem to be forgetting the wisdom of discretion as life becomes more digitized. If the law or culture says "no expectation of discretion", they're just wrong and likely hypocritical.
It's healthy, normal, and appropriate to tell specific things to specific people. If we're worried about abuse, there are other solutions to those problems, like letting the harassed share the conversation later, which they can already do, with screenshots if nothing else.
Most admins aren't going to spend all day reading other people's conversations, and good companies have explicit policies as to when they will do so. The thing we're discussing here isn't whether companies should spy on everything their employees do- it's about what happens when an issue does occur where they do need to look into things.
I would not work for a company where I thought my managers were looking over my shoulder at every single thing I was doing, but at the same time I would not refuse to work for a company just because they could look into my conversations if I was accused of wrongdoing.
People are also ignoring another aspect of this- if a company does get sued by an outside party they have to make internal data available through discovery. These laws about corporate compliance also exist to make it so corporations can be held accountable.
It should be, but often digital tools obliterate discretion in the service of compliance or even just monitoring employee work habits.
> I would not refuse to work for a company just because they could look into my conversations if I was accused of wrongdoing.
A healthy workplace needs to solve the underlying issue, here. But there are simple ways (i.e., asking or ordering the employee to send you conversation transcripts) to get the information needed. Managers and compliance officers are reluctant to let the investigated employees know they're being investigated, which I understand, but I don't think throwing out discretion-oriented communication is worth the benefits there.
Are you serious? So, someone accuses an employee of abuse and you casually stroll by and ask them to send relevant conversations your way? And you expect them to comply without cheating? Why don't we try this approach with other misdeeds, for example, when someone complains about theft, we just ask thieves to come by the police station with the stuff they stole. Do you think that would work?
Old boys club keeps it "verbal only", but someone blows the whistle and testifies regarding the conversation.
Technology didn't change anything. You can't have a private conversation at work. Period end of story. If you manage to conceal your communications, not only could you be violating laws (depending on your industry and relevant regulations) but you're likely violating corporate policy and in need of corrective actions.
It's a liability problem for a company if employees are circumventing documentation and potentially covering up crimes.
The way I see it, you have three options:
* Be rich enough to not work
* Get paid by someone who accepts the liability of your work and has the legal right to all of your business communications
* Be the guy paying other people who accepts liability for their work and has the legal right to their business communications
Spoiler, even if you're the last guy, chances are there's lawyers doing the same thing to you.
I was talking about discretion, not privacy. Those are two different things. Discretion is controlled sharing of thoughts, ideas, and information. Marking documents "trade secret" is an example of discretion. Trade secrets are not private information.
I'm not arguing that information should be unavailable when a warrant or subpoena requires disclosure. I'm arguing that doing the digital equivalent of bugging every conference room in the building is a toxic thing to do, culturally. If the law compels the bugged rooms, we have bad laws on the books.
Two employees need to be able to have a healthy, discreet conversation about working with the boss without having to worry about a transcript of the conversation pop up in a performance evaluation later in the year.
If you are worried about this, the issue isn't Slack. I don't worry about my boss reading my Slack DMs - I'm well aware of what process would be involved there (my boss would be fired immediately, and wouldn't even have access without Legal involved). If you're worried about your company 'snooping' on you that's an underlying, unrelated problem.
Trade Secrets are a form of intellectual property. They have legal protections, and disclosing them without permission can have legal consequences.
(This is the more charitable way of looking at it, obviously. There are plenty of other reasons things are the way they are, and they aren't all good for us, there is just also this)
Yeah, I was hinting at that a bit. I think tools like SnapChat and encrypted chat clients are reaching for discreet and healthy digital relationships. A lot of the conversation about these tools is about privacy, which is really something else. How someone looks naked is often private. How that biopsy turned out should be shared with people, just discreetly.
Also, what's preventing a victim of harassment from handing over the offending messages? I don't see how this helps anyone.
Presumably the victim would share the harassing messages, but by being able to review the records directly the supervisors can gain more information such as whether the harasser was also harassing others, whether there was coordination between multiple people, or even if the original shared messages were missing some context which would vindicate the accused harasser. There's a lot of reasons why a real investigation will bring up more information than a simple one sided copy/paste would.
However, I would need to know the actual intent of such laws, which I don't. Let's say that the intent is to allow for private conversations, then that premise also suggests that messages between two individuals (as opposed to ones in a channel) are only intended to be read by those two participants, hence a conversation that is private. Nobody sends direct messages with the intent that they be read by people besides the recipient.
Why would you need a crude one-sided copy and paste? A password, a cookie, or even an API token, can already provide as much information to authorities as would be provided by that of Slack team admins. There is no need for anyone besides the messaging participants and authorities to see someone's DM history, either technically or philosophically.
Jumping away from that angle though, there's still a lot of issues with what you are presenting. For one thing you keep referring to "authorities" without defining who those authorities are. If you're referring to the company IT, HR, and Compliance officers then it seems like you agree with us that the information should be available to those people. However, since that would be a bit odd with the rest of the context you're speaking about I'm going to assume you mean authorities in some sort of government or law enforcement sense.
The thing is that authorities rarely get involved in most of the cases where this information is needed. Sexual Harassment is not a criminal offense, it's a civil one- people don't go to jail for it, they lose money from it. Outside of taking reports these types of things are rarely investigated by authorities in that sense, and there are remarkably different burdens of proof for each of those. Most companies (and individuals I would imagine) also don't want to make a legal issue out of work ones if they can help it, which means it is often in everyone's best interest to handle certain types of problems in house.
Now, as for the philosophy aspect of things, as long as companies are responsible for managing their own trade secrets, sexual harassment complaints, and security in general then all company property (which includes conversations on company servers and services) are open to that company. This is why I do not sign up for company phone plans (except when I want a separate company phone and phone number), and why my work computer does not have my personal accounts on it.
I simply would have hoped that Slack wouldn't give too much control to employers when there are already viable ways of providing message history without resorting to copy-paste. It makes for a lousier product, and it would have prevented me from having candid conversations that involved no company secrets or harassment of any kind.
Perhaps it is then illegal to save these messages?
Yeah, we've seen that over the past couple months.
You can't depend on everyone being on the up and up.
My personal opinion, having avoided the MS IM client at work, is that you never say anything in writing that you wouldn't walk into the CEO's office and say to him in person. Chat of any kind, Slack included, is "in writing" and will have the same full force legal effect as email, so who's honestly surprised by this news?
That the conversation is no longer happening over a company-sanctioned and controlled communications system? Seems like a pretty clear difference.
Why do you think Slack is any different than the systems that we have in place already? What makes Slack any different from email? Answer: nothing.
And if Slack didn't do this, they'd eventually find themselves filtered out of nearly every corporate network due to the inherent legal risk.
Or is the main point here about giving access to data that has been collected already and not requiring the business to collect this data?
If for example the used instant messaging solution didn't keep any log files - what problems would arise for the business?
If any arise, why would phones be exempt? Or do businesses in the US really record all internal phone calls?
Your response is based on a false fact: that anything you use official company communication channels for should be considered private.
HR functions can and will access such communication to investigate complaints about behaviour and similar. Compliance and legal functions can and will access such communication to investigate complaints relevant to them. They can, will, and often must provide access to such communication to relevant external bodies (legal authorities, regulators) under some circumstances too. Heck, in some regulated environments compliance functions are required not just to view your communications for specific reasons but to actively monitor them for certain activity (if they fail to do so they could be liable for punishments for a due diligence failing). For instance our email is monitored to block distribution of client data, accidental or otherwise.
If you want a private conversation, use a truly private channel not an employer provided/related one.
> they'll just find another means by which to do it
The fact that people will find a way around rules, restrictions, and monitoring, is not a good reason for not implementing such rules, restrictions, and monitoring in the first place.
If the private conversation is in no way a problem then, well, there isn't a problem.
If it is something that would cause the participants trouble if performed over an official channel then when/if the matter does come to light it shows malice of forethought and planning (i.e. that the participants knew they were in the wrong and took specific action to hide their behaviour rather than correct it).
> I would quit a job
In many (most?) industries you would not even get a job without explicitly agreeing to the fact that your communications using employer provided/related services can be accessed by some functions of the organisation and distributed to external authorities, so you would not be in a position to need to quit.
or if they suspect any other illegal activity.
Even in EU countries where arbitrary inspection/monitoring is not permitted wholesale, there are exceptions where regulatory or other legal requirements trump privacy. Though often there needs to be sufficient suspicion of something worth looking for, I still wouldn't count that as a truly private channel (nor would I expect my employer to provide me with one).
Are you replying to the right comment? From the example given, it seems no action was taken until the parties involved proved such supervision was necessary.
Insider threat is a serious, real world problem - consider employee harassment, exfiltrating data, sharing secret information, a compromised slack account DM'ing people malware, etc.
No one wants to read your messages, and it's probably a small set of people that even can.
Abusing your privileged access?!? You do realize some of us are required to access those communications for a variety of reasons especially because a threat is happening? Also, I don't get a choice when the lawyer shows up and says we need to look at X's account.
> I would quit a job that treated me as a child which must be supervised in such a manner.
Well, that might save me a bit of trouble, but at the point I am asked to look at your account, I get the feeling you are on your way out anyway or will shortly have a lawyer or the police contacting you.
The communication systems you use as an employee are not yours.
We're talking about people here. While I personally have never understood how anyone can accept being under the thumb of an employer for such long periods of time out of their productive years, I've learned to see that this is bearable within the relative freedom that this usually entails (complaining about x colleague, grumbling about the boss with the support staff, after-work beers with a manager who grumbles about his manager), I truly cannot understand how one can have a dignified life as an individual when all your forms of communication are being watched by your overlords.
You think I like any of this? Do you really think I get my jollies from looking in someone's e-mail to find a picture they e-mailed another employee that is so far into NSFW that it is sickening? Or the fun of finding out how some employee is plotting with others to make life miserable for someone else? I would prefer people keep their crap off the servers intended to do business.
We have folks here who have argued that a remark at a conference should get someone fired from work. We are talking about something owned and operated by a company that they will be legally liable for unless they are vigilant. Something that hits the press and people will be saying "why didn't the company know?" and "how could they not stop it?".
Yeah, we are talking about people here. Companies get sued and people lose their jobs.
Never mind the professions that absolutely have every communication logged and monitored.
If you want something the company cannot look at then use something outside the company. It's really that simple. It's really simple, if you don't pay for it then it is not yours. If it's not your computer then don't expect privacy.
I still cannot understand the folks who want to use stuff from work systems even when they are not work related. Have your own life, interests, and stuff. You are trading your time and work for money. Don't give companies something beyond what they pay for.
> I truly cannot understand how one can have a dignified life as an individual when all your forms of communication are being watched by your overlords.
If your place of employment owns all your forms of communication then you have a lot more problems beyond this.
1) well, unless you get into something really nasty and the court discovery orders start flying.
To put this in a broader perspective, because I'm tired of the comment-sniping that doesn't seem to lead anywhere:
I find myself already a bit uneasy with the whole idea that an individual can write away their freedom to spend their daylight hours tethered to an employer to the point where their every (productive, sunlit) hour needs to be accounted for.
At the same time I can understand that this is how things are, and we are trying to be human within that sphere, and perhaps for many this is not so bad as long as they can live in a microcosm of society within this world. That includes gossip, complaining, semi-secret conversation, and even romance (while that's often not smart).
I'd really prefer to engage with those who employ and get to dictate the behavior of said employees, instead of comment-sniping where we never bridge that 'gap' between me, a self-employed, individual (because I reject all that), and someone who actively is 'in charge' of people who submit to it.
I do realize that my wording in itself is not neutral, but I hope acknowledging that helps bridge that gap a bit at least. And I have counted those 'in charge' as friends in the past, plus I know I'm not a typical 'person', so I'm open to learning to understand this whole thing.
because an "alleged" threat is happening. Still, cause for gathering evidence, sure.
> I don't get a choice when the lawyer shows up and says we need to look at X's account
And now with this, they'll use a different communication method that you don't have access to and now you're back to square one. The best you can hope for is that they're ignorant of these changes so you can catch them.
> ... at the point I am asked to look at your account, I get the feeling you are on your way out anyway or will shortly have a lawyer or the police contacting you.
ah, guilty until proven innocent
> The communication systems you use as an employee are not yours.
This is true, and I don't think Slack is necessarily wrong in providing this access - but you shouldn't assume that communications that the user doesn't want the company to be privy to is necessarily malicious or illegal.
If you are having legitimate complaints about your job and you want to vent or validate your concerns before proceeding, you might want to have a private conversation with a coworker - and you might legitimately be afraid that your unfiltered, undiplomatic private conversation might be taken out of context or retaliated against.
> If you are having legitimate complaints about your job and you want to vent or validate your concerns before proceeding, you might want to have a private conversation with a coworker - and you might legitimately be afraid that your unfiltered, undiplomatic private conversation might be taken out of context or retaliated against.
If you were retaliated against for your legitimate complaints in private Slack conversations (via firing, harassment, etc) then the records could be subpoenaed for you to prove WHY you were being targeted.
It works both ways.
> And now with this, they'll use a different communication method that you don't have access to and now you're back to square one. The best you can hope for is that they're ignorant of these changes so you can catch them.
Good, then it's security and HR's problem. We tell everyone we own the communications systems (it's even in the employee handbook).
> ah, guilty until proven innocent
Yep. Welcome to the corporate environment in the US. Frankly, if they think you used the company e-mail / Slack to do your activity then I don't think we are dealing with Moriarty here.
> but you shouldn't assume that communications that the user doesn't want the company to be privy to is necessarily malicious or illegal.
Then use your own non-company communication system (e.g. text, home e-mail) or go to lunch - how hard is that?
Yes they are. I work as a contractor, remotely, using my own personal equipment, my own personal email account, and either my home internet connection or that of whatever coffee shop or co-working space I happen to be in on any given day. My clients are all located in other cities and countries and lack a physical presence where I live. I've never had any complaints about these arrangements (yes, I do realise I'm very fortunate to be able to work in this manner).
I also work for multiple clients. Allowing one of them access to all my work-related communications would involve violating the confidentiality agreements I've signed with the others. Should I be required to divulge the trade secrets or intellectual property of one client to another to satisfy a corporate IT policy? And if I have a personal conversation with someone, which client(s) should I share that with?
Contractors are always in an odd position, but it's pretty logical and a lot easier these days. If I was a contractor again, I would probably put my communications and project files on a VM of their own. You should have a procedure to clearly separate your time, communications, and work product for each client. If you are using your company e-mail then separation is well understood by lawyers. I would make sure to have separate Slack accounts per client.
1) This assumes I am not assigned a PC and accounts by the employer because it's a staffing position instead of a work product arrangement.
It’s very simple: use your employer's tools and networks only for business stuff, do personal stuff unrelated to work in your own networks and software...
Besides that, just in case you didn’t notice, the original poster did not say he's reading employee private messages for fun, but only to act as law prescribes.
Then you should be prepared to be permanently out of work.
You are NOT entitled to private communications on company-sanctioned channels. Full Stop. End of story. This isn't an issue of "trust" or having faith in your employees, but this is how business is done.
You're being a shit if you trivialize harassment in the workplace, but you are being an idiot if you are paying for the tools used to hide it.
Emphasis is mine. If one person can have a private conversation with an unwilling participant, that is entirely different. I have worked in places with heavy logging requirements, and for sure we created ways to have private conversations. The point is that everyone in these private chats was a willing participant, and could leave if they wanted.
Did you miss the part where the interns were acting like children?
> A few years back, a group of interns started privately harassing other interns via Slack.
We're all proud of you for making this top comment thread about your own ethical stand, let's give peterkelly a big round of applause!!
Agreed this can lead to abuse. But investigating employee behavior while using employer provided communication platforms doesn't immediately fall under abuse. No more than police subpoenaing phone records during a criminal investigation would.
I would also like to point out that the person you were responding to was talking about interns, so were arguably 'actually' children.
Why couldn't you just ask the recipient to look on his station?
> We had to make all intern accounts into multi-channel guests after that
Are 2 interns ever allowed to be alone together? I mean it's essentially the same, you are saying they can't be trusted so either you always need them in groups of 3, or you should put cameras everywhere with microphones...
I am glad that you are serious about tackling abuse, but more monitoring and rules about congregation are not the right solution imo.
While this can be done through other channels (in person or private cellphone) allowing it on corporate infrastructure without monitoring is not acceptable.
Unaffiliated? The company is a customer that is paying Slack for a messaging service, that certainly isn't 'unaffiliated'.
If you've ever dealt with toxic work relationships, you know that stopping harassment isn't going to come down to how you are allowed to pass notes.
The only use I can see for this would be evidence after the fact. Surveillance is almost never the proper way to enforce acceptable standards of behavior.
Company policy for one could be applicable.
You’re missing the point though, what you do with non-company provided tools is held to a different standard from officially blessed and sanctioned ones.
> Why couldn't you just ask the recipient to look on his station?
This is probably exactly what happened? I'm guessing they didn't physically pry the unwilling intern from his seat like he was a passenger on United.
I would posit that this person may not be familiar with the importance of collecting evidence against possible future needs. An IT manager's testimony from memory, no matter how perfect, is not as useful as evidence collected in a technological manner at the time of offense.
With that in mind, walking over and looking at the intern's screen might be considered by some to be less than a full replacement.
With that said, is it perhaps possible that direct access is preferable for reasons other than sheer laziness? Chain of custody and provenance both come to mind as items that some enterprise users of Slack might find worthy of consideration in some circumstances. This is obviously not nearly as important as employee privacy, but still...
I think it is just that big companies have a way of doing things, are paying the bills, and employee privacy is close to last on their priority list—far behind CYA. They don't care that there is another potential solution.
Having personally dealt with some of those companies and situations, I can tell you quite simply that people are definitely aware that there are other potential solutions. Such approaches are seen as not adequate for purpose. The reasons for this judgment are not merely arbitrary or capricious. They are broadly quite sound and reasonable, and I touched on them above in an effort to give you an opportunity to grow in your understanding of those you disagree with.
And yes, as you say, companies are far more interested in limiting liability than they are in employee privacy on company-controlled systems. It's not, as some might suggest, that employee privacy is not valued. It's a question of priorities, and companies tend to place being able to defend themselves and control their risks adequately over an employee's right to leverage their privacy and incur liability for the company.
Though I understand why some might prefer to dismiss the above and think of it as just another example of big, stupid, corporate laziness and refusing to consider alternatives.
A significant portion of folks stick around for a long time in a poor situation as it isn't so easy to leave a job at a moment's notice. For those that don't there is the simple matter of not deleting everything. Nothing is actually deleted any more anyway. Brave new world.
Big, stupid, and corporate are synonyms, government too. It goes with the territory of any large group of humans. As they grow they get dumber and further out of touch until they are overturned by a smaller, nimbler version where the process is repeated in Innovator's Dilemma fashion.
If anyone thinks this won't get abused, think again. I've worked with IT folks of all shapes and sizes over many years and a tiny percentage do abuse the privilege. Including heads of IT. And those are just the ones I know about.
Wow, THAT is highly illegal in Europe.
In the US there is usually a form you sign at your hiring that says you understand the company may monitor your email. It is couched in terms like "to ensure compliance with laws and company policy" but the actionable part is that they assert the right to monitor it and you agree to that (or you don't work for them).
The EU, on top of requiring COE/ECHR membership provides additional protections under the EU Charter of Fundamental Rights. The highest court for EU law is the European Court of Justice, not the ECHR.
Then on top of that, a number of EU/EEA countries have much stricter rules, some are outlined in the article.
So it's technically right in that it is legal in signatories to the ECHR provided they are not covered by other, stricter rules via one of the other routes, and many are.
Companies must still be able to comply with eDiscovery and data preservation requests from various police agencies (such as Økokrim), and these may be performed without informing individuals that it is happening.
The only opening for reading employees' communications that I can find by some quick googling, are (1) if there is good reason to believe that information contained there is required to keep the concern going or (2) if there is suspicion of serious dereliction of duties. And even then, there is a significant checklist required in order to do it legally. (Obviously, legal police requests can be fulfilled without necessarily alerting the owner).
My point being, this is a far cry from legally being able to go into anyone's communications immediately if need-be.
Are you aware of further openings than this, apart from the obvious in the case of a court-ordered request? I am basing this on the statement from Datatilsynet at https://www.datatilsynet.no/rettigheter-og-plikter/personver.... General monitoring would seem like a big no-no.
Intercepting messages on a medium that is clearly meant to be private is usually illegal.
In financial services they monitor all kinds of chat rooms, especially after the LIBOR scandal. Every chat I open gives me a disclaimer saying that chats will be monitored.
I've seen a situation where this was invoked - employee was fired for an unrelated issue, only kept some documentation in their inbox for whatever reason. Without such a provision, our options would have been a) legally questionable, b) up shit creek sans paddle.
E.g. while employment contracts in the UK are often fairly long, employment contracts in Norway can be as short as a couple of paragraphs, as almost all the terms are regulated and are costly and/or difficult to deviate from for most roles and most additional terms you might add will be null and void.
They even do it in the UK, which is weird "Here in Britain, we drive on the left, and in Europe they drive on the right"
Yes, this is a common trope on HN (and the Internet in general). People have selective memories, and it's easy for people - unintentionally - to remember the most favorable laws from individual countries, stitch them together in their minds, and then form perceptions on the composite image. It's generally not conscious, but it happens pretty frequently.
And in some cases - such as this one - people are just flat-out misinformed about the situation in Europe. (As pointed out in other comments, this is legal in the EU, subject to comparable restrictions as it is subject to in the US). It's not surprising that a feature Slack is marketing specifically to business users is, in fact, legal for businesses to use in one of their largest markets.
No, it isn't. https://www.nytimes.com/2017/09/05/business/european-court-e...
To wit: “Today’s ruling is fairly clear in how it outlines the parameters of monitoring employees,” said Stephen Ravenscroft, a London-based partner specializing in employment law at White & Case, a law firm. “It won’t be sufficient for employers to have a general policy permitting monitoring — the policy will need to be much more detailed, outlining why, how and where employees may be monitored and explaining how any information gathered through monitoring may be used.”
> In an 11 to 6 ruling, [the ECHR] found that Mr. Barbulescu’s privacy rights had been violated [after he had been fired for sending personal messages using his corporate account].
> Furthermore, the chamber found, Romanian courts did not sufficiently examine the company’s need to read the entirety of Mr. Barbulescu’s messages, or the seriousness of the consequences of the monitoring, which resulted in dismissal.
> The chamber ruled that countries should ensure that companies’ efforts to monitor employees’ communications are “accompanied by adequate and sufficient safeguards against abuse.”
So at least it's a more nuanced view than "I can go into anyone's messages immediately if need-be".
Inevitably, some communications channels are audit-able and some are not. Modern employees (being modern people) use a lot of channels. They call each other, SMS, WhatsApp, Slack, email ... sometimes people even talk. Companies have only partial control.
Anyway, harassment or other misbehavior can happen on any of these. In some cases (like your intern case) companies have to audit, if they can.
Can Audit = Must Audit
If slack gives employers the option to read messages, they've given employers the responsibility to do it.
It's not cut and dry. You could argue that companies won't/can't use slack unless they can read messages. This is doubtless true in some cases and I imagine slack has its eye on these cases right now. But, I think it's hard-ish to argue the magnitude is all that big today.
Companies did use slack before this feature existed, including yours.
there's the problem right there.
(1) need =/= want. you want those things to cover your butt. you're not entitled to them. do you really want to live in a surveillance/nanny state?
(2) the legal system can't save every person from negative consequences, nor can it truly compensate for negative consequences without other negative actions. stuff happens. let's be adults and sort them out ourselves rather than hoping some (imperfect) higher power can do it for us.
I think most people will only learn the importance of privacy after having been affected personally.
Couldn’t the complainant show their history or screenshots? Going through people's messages is a bit yuck, even if they are horrible individuals.
By "you" I don't mean you personally of course, what I mean is IT in general.
You might be ethical enough to not abuse your new found privilege but who is to say that the next guy won't?
I believe all employees should refrain from posting personal and private things on a company network or any related device for that matter.
You never know how this data can be misused.
If any employee can ostensibly be compelled to provide their logs when asked by their employer, you are getting just as much information as if IT can view them directly. The only way IT doesn't get as much information is if the system doesn't work, for example because employees can alter their logs or simply refuse to provide them. In that scenario having employees saving their own logs gives you more privacy, but doesn't solve the essential problem.
The tradeoff here is convenience of access versus friction. When you are reviewing an auditable log of information related to an employee, you don't necessarily want to have to ask the employee for that information, nor do you necessarily want them to know you're reviewing it.
> When you are reviewing an auditable log of information related to an employee, you don't necessarily want to have to ask the employee for that information, nor do you necessarily want them to know you're reviewing it.
You just answered your own question.
You might not want them to know you're reviewing it but they most certainly do want to know that you are.
Of course they want to know. Everyone wants to know. But if they committed a crime, or at least are complicit in a lawsuit the company is facing, their desire for privacy on an information channel they don't own is irrelevant.
I don't understand why this is controversial. When the SEC, FBI, local police, opposing legal team, etc. want you to hand over information about an employee, having to ask the employee directly or even let them know is problematic.
And I don't disagree that the company owns it and should have the right to do whatever they want with the things they own. But the employees should also have the right to think that's shitty, and companies should have the ability to demonstrate their lack of shittiness to their employees by configuring their environment in such a way that a higher barrier exists to snooping. This change doesn't actually make a new thing possible; Slack had a "compliance mode" before that companies could opt into, but it wasn't the default, and users were notified if it was enabled. This change just limits companies' abilities not to have snoop mode turned on.
To me that scenario is completely unrelated to the ability of an employer to silently read DMs of their employees for any reason they see fit.
If you are going to use "We need to be checking for illegal activity" as a justification, why stop at DMs? Why not ask your employees to always be carrying around a recording device that is constantly sending their verbal conversations somewhere where they can be electronically filtered for suspicious keywords? Obviously that's crazy and I'm not saying anyone is suggesting that or would support that, but what exactly makes that scenario over the line that doesn't apply to DMs?
I'm assuming the answer is "expectation of privacy" or the lack-thereof for DMs, and I guess my response would be that we should go back to an expectation of privacy for DMs also.
Because “we don’t hire criminals” is not sustainable, just like “we only hire the best engineers” is not realistic. Strive for the best scenario and prepare for the worst.
> I'm assuming the answer is "expectation of privacy" or the lack-thereof for DMs, and I guess my response would be that we should go back to an expectation of privacy for DMs also.
But why? Why do you feel you’re entitled to privacy for your activity if it’s conducted over a communications medium in a workplace, owned by your employer and intended for work-related use? Your rights are guaranteed in the context of government transgression, not in the context of arbitrary corporate policy. For example, “freedom of speech” is not a meaningful right in a workplace setting either.
Your personal rights are not globally applicable in any context. You have avenues available to you for private communication if you’d like, but companies (rightfully) do not want to be responsible for that communication. They want to be responsible for workplace communication. So if you want a private chat, have a private chat outside of Slack. It’s very simple and straightforward.
Workplace communication channels are not intended to be, nor advertised as, safe harbors for digital privacy. You can have those, but companies have every right not to support them for you. It’s not as though companies want you to have private conversations with people and then peek into them for juicy details. They want you to use their infrastructure for its intended purpose.
What is this declaration of rights for corporate eavesdropping?
I'm defending employee rights and generally the human right to privacy against arbitrary surveillance, not Slack.
In particular, the national courts had failed to determine whether the applicant had received prior notice from his employer of the possibility that his communications might be monitored; nor had they had regard either to the fact that he had not been informed of the nature or the extent of the monitoring, or the degree of intrusion into his private life and correspondence. In addition, the national courts had failed to determine, firstly, the specific reasons justifying the introduction of the monitoring measures; secondly, whether the employer could have used measures entailing less intrusion into the applicant’s private life and correspondence; and thirdly, whether the communications might have been accessed without his knowledge.
There is nothing in that case that prohibits EU companies from monitoring the communications of their employees. Half of that case revolves around legal procedural problems in the original case, and the other half is about whether the company could have fired him over his personal correspondence _without proper notice_. That case, if anything, only upholds corporate EU rights to monitor their employees, so long as they provide some trivial legal notice.
Yes, EU law does protect private correspondence more than US law, but almost none of that applies to business correspondence, and the EU is just as liberal in that regard as the US.
In any case, you repeat the oft debunked myth of corporate right to surveillance. It does not exist. There is just partial lack of EU level protections. The national laws can and do say otherwise in many cases. As can/do binding collective bargaining agreements.
I understand what you’re saying here, and sure, maybe in some small private companies or organizations this is a tragic loss of privacy, but everywhere else it is simply the cost of doing business.
More generally like the parent I don't see why a company couldn't have full control over their corporate tools.
In that case spying on Slack usage is simply not enough: the employer should need to spy on every single move every employee makes inside and outside the company, which of course is not possible (well, except if the company is located in a fascist state).
It turns out that having access to slack alone would probably catch 95% of situations.
It doesn't seem to me like any of this really does anything, since there are (and should be) plenty of ways that employees can communicate without their employer having access.
If an employee is in possession of chat logs that if divulged will get them fired, they can simply delete the logs. "Sorry, the drive crashed. IT is working to fix it right now." Stepwise refinement to insecurely re-create security solutions is one of the reasons for many security vulnerabilities.
Logs are well understood, and logging of sensitive information is not just a small technical issue but a security issue. The same way that people shouldn't design their own crypto, when people design logging mechanisms for sensitive data, which is seemingly simple, they will almost always introduce these security errors, as in your post.
Unfortunately, there are also a number of legal issues (and possibly compliance issues) that need to be accounted for from redaction to anonymity and from GDPR to encryption.
Sorry, but that's the same kind of argument for invading someone's privacy and justifying surveillance.
I doubt that anyone would agree even if you said you'll watch the videos only when necessary.
So now they are not private messages and shouldn't be called as such.
It's always going to be Eternal September somewhere on the internet.
Information is power:
I think part of the trouble is that we spend too much time at work for most people to actually be productive the whole time -- if you buy the notion that it's reasonable for people to be at work to work, and they shouldn't be socializing whathaveyou, then logging everything seems more reasonable than if you recognize that no one can actually be a drone 40/hr a week, then the surveillance starts to look like de facto surveillance of stuff other than the job, which is more worrying.
I am in the privileged position of doing freelance work, on my own machine, mostly remote. As such, if I'm using a client's communication systems it is essentially guaranteed to be work related, so having it logged doesn't bother me; if I'm not working I'm using something else. But being monitored for half your waking hours five days a week feels much more onerous.
I suspect some of this is tension with reasonable expectations of levels of monitoring from when less of our communication was via the network.
I doubt that, but it is country dependent. In some of the countries I have worked in it is quite the opposite. You get drilled for legal purposes you are not to look at people's personal emails and if possible DMs. Mostly as it is potentially illegal. I have not worked in the US though.
I was however unaware that in Norway they can access your email in exceptional circumstances: https://www.datatilsynet.no/en/privacy-and-society/personver... It seems in case of gross breach of duty, the employee has to be notified, then they can access their work email.
I avoid workplaces which force shit like this. So do all the good developers I know, because they're people who can afford to be choosy.
Bullies are pretty adept at functioning in these environments. Instead of harassing on monitored DMs, they'll make verbal comments with double meanings, use their leverage to put their targets in unpleasant situations, undercut their targets at meetings etc. Totalitarian surveillance doesn't stop bullies. It just makes your workplace a soul-destroying shithole for the employees who are forced to work in it.
Totalitarianism is a socio-political paradigm, not a stand-in word to describe things you think constitute surveillance in the context of a business. Companies require the capability to maintain auditable records of employee activity on the information channels they own and manage. Your company is not recording your activity in the privacy of your home or on the street, it's protecting itself and other employees from potentially problematic abuse scenarios. These requirements are also directly imposed by a variety of regulations in various countries.
When you twist the meaning of loaded words like this to describe things you don't like, you make it very difficult for people to get past the hyperbole and take you seriously. You're conflating assaults on personal rights with the routine and mundane business practice of keeping auditable logs.
> I avoid workplaces which force shit like this. So do all the good developers I know, because they're people who can afford to be choosy.
I'm not sure what you're getting at here, because almost all the good developers I know work in environments like this. So where does trading these anecdotes leave us? Do you really believe most competent software engineers don't work in companies that do this? In most cases, that means the company is actively breaking the law, or at best making adherence with the law very difficult and error-prone.
What's stopping these folks from creating an out-of-company channel to do the bullying and attacking in coordination via that means, or tricking the victim into joining them in the new side channel?
The answer to bullying or shitty office behavior is not monitoring. That's cover-your-ass because the real answer is hard. Improve your company culture. Fire people who are detrimental to the team. KNOW YOUR TEAM! So often I hear about these things and what you find is a shitty manager who has no idea how to be a manager and says "well they get their work done."
Keeping in context with the OP, Slack allowing admin access to all conversations is a cover-your-ass corporate move, not a solid new tool to combat workplace cultural issues. Perhaps once in a blue moon employee surveillance and bad culture might intersect and prove useful. But that should in no way be used to justify corporate surveillance.
As an elected government official, I understand the importance of paper trails and record-keeping. But the mere fact that so many companies USED SLACK WITHOUT THIS FEATURE, means most had no qualms about side channels being un-auditable before. And now this is just sweet sweet honey to corporate overlords.
But they aren't True Good Developers... /s
And workplaces are socio-political contexts... I didn't find it very difficult to get past his hyperbole, and I frankly find it hard to believe that you did. It isn't hard to argue that monitoring channels that even just imply privacy, regardless of whether they take place in the workplace (or in academia, or at home) is a violation of personal rights - regardless of the fact that you arbitrarily draw the line at "recording your activity in the privacy of your home or on the street."
They're not governments, they're companies.
> monitoring channels that even just imply privacy, regardless of whether they take place in the workplace (or in academia, or at home) is a violation of personal rights
It isn't, unless your definition of "personal rights" includes "things I personally want which are neither codified in, nor protected by, laws."
You're right, it's important to note they are more powerful and exercise more control over the lives of their employees than many governments, though employees often have the same opportunity to leave their company as they do their government (none).
> It isn't, unless your definition of "personal rights" includes "things I personally want which are neither codified in, nor protected by, laws."
Yes that's literally exactly what personal rights always means. Legal rights are legal rights, personal rights are a conception of what the person who uses the term wants or believes rights to be.
Especially when they're also dependent on their corporation for healthcare and retirement...
This is exactly my point, it's effortless to compare corporations to government, especially in this context. For the other comment to base his argument around the word "totalitarian" seems nothing if not disingenuous, given that the meaning behind the word is clear.
I mean, you completely (amusingly) misquoted that sentence. I said "it isn't hard to argue that [...]". I did not make an absolute statement that it is (a violation)... Come on now.
Okay...let me see if I understand you correctly. You're defending the other commenter's description of corporate logs as totalitarian surveillance, but you're saying that I'm being intellectually disingenuous because I'm pointing out that companies are not governments?
Workplace provided communication mechanisms do not in any way imply privacy. Best practices are that staff sign an acknowledgement of such, so that there is no such confusion.
1. Regulation in most countries requires it to be this way, well, most countries any of us is likely to work in. Which is to say: The Law Hath Spoken, which is to say: The People Hath Decided.
2. The employer should have spelled this out to you at time of hire, and had you sign a document to verify you understand.
The problem here isn’t that the direct messages take place in the workplace, it’s that they take place on infrastructure owned by the workplace.
I only said that the comment I replied to relied on a purely arbitrary definition for what an invasion of personal privacy was... He argued that because "your company is not recording your activity in the privacy of your home or on the street" it wasn't unreasonable (or totalitarian), because the company was "protecting itself and other employees from potentially problematic abuse scenarios." Even though it's amusingly easy to imagine that a totalitarian regime would make the same argument for its own surveillance practices....
> got offended
> soul-destroying shithole
It's funny how these sorts of comments always come from recently created throwaway accounts.
How would you describe the tenor of the comment?
So you and your choosy developer friends work at a place where IT can't access your corporate email?
This ruling applies not only to the whole EU, but to the 47 member states of the Council of Europe, including for example Russia and Turkey.
There is no reasonable expectation of privacy on a corporate slack account.
If one DMs "Alex Murdo" then the expectation would be that they alone would read it, or their nominated person. If one DMs "Graphic Design" department then obviously that doesn't stand.
I'd expect contracts and such to contradict this natural expectation however.
Not sure how compliant this is with the law, but in this case the law should be more protective towards employees.
I imagine the following situation
I write on a company-owned piece of paper - "My boss is an idiot". Then take this piece of paper put it in an envelope ( owned by the company as well ), write the name of my colleague and seal the envelope. Then put the envelope on the recipient's desk.
I bet it would be illegal for my boss to take that letter, open it and read it.
Looks like with e-mails the law is more protective towards employees:
https://www.reuters.com/article/us-privacy-emails-echr/europ...
http://www.internationallawoffice.com/Newsletters/Employment...
https://www.womblebonddickinson.com/uk/insights/articles-and...
In fact, your boss is allowed to open any mail sent to your work address.
This isn't relevant here. ECHR has ruled that employers do have the right to read emails, as long as employees are notified in advance (which can include blanket notification as part of their employment agreement). ECHR has jurisdiction over all ECHR countries, which is a superset of EU countries and includes several non-EU countries, like Norway. Other European countries, like Germany, Switzerland, and the UK have also affirmed this right.
Email being roughly analogous to Slack, in the eyes of the law, there's little room for doubt that employers in Europe have the right to read Slack messages on the company's Slack account.
It doesn't override national law, but national law is pretty consistently clear that employers have this right as well - that's why the case was before the ECHR in the first place.
This is something where you likely cannot make useful blanket "in Europe" statements.
This change is precisely because of regulations like GDPR, among others.
That contradicts what you’re saying quite a bit.
In the ECHR case, the employee's personal communications over an instant messenger were being monitored just because they were happening on the employer's machine, and without the employee knowing ahead of time. That's the no-no. But Slack is not a personal communications medium; it's maintained and administrated directly by an employer for the explicit purpose of work-related communication. In the context of the ECHR case, Slack doesn't qualify.
Circling back to Slack and the GDPR: as a direct result of the GDPR, Slack now needs to align their desire for full employee auditability with full data transparency. There's a tension between competing regulations, but there's no contradiction here.
This doesn’t look good for Slack.
They don't have free access however they want, but they do have the right to access under certain conditions.
If you're going to call your boss an idiot, don't do it with the company tools. That seems like a pretty reasonable boundary to maintain.
I've never thought of much of anything that was my employer's as mine. If I wanted a private email conversation, I'd use my email, same with chatting and etc... that's just smart no matter what the local legal traditions are.
The volume of negativity surprises me if only because there are all sorts of ways to obtain some private channel communication.
Do people need to talk shit about their boss THAT often, but they feel they should use a work provided tool to do it?
So, all of those communications you had with co-workers based on the promise they would be private until you were notified future ones wouldn't be anymore? Now it's ALL available to your employer.
(This is presumably due to GDPR)
If you want privacy use a private channel. Your employer's work tools don't qualify.
There are a number of things I might mention to a coworker over a private IM which wouldn't necessarily put my employment at risk, but would be awkward for management to suddenly have access to.
A couple made up examples:
"I'm super sick, but $boss is really pushing me to get the report out. I just want to go home and be sick all alone."
"I hate management's decision to reduce vacation days. No wonder we can't keep people around here."
"Did you see Tom's email? It's kinda awkward that he thinks he's a strong contributor to the group..."
Never write something you wouldn’t want printed on the front page of a newspaper.
You're begging the question.
"Competent and trustworthy" people won't abuse their power by definition. Anyone who abuses their power intentionally is untrustworthy, and anyone who abuses their power unintentionally is incompetent.
In the real world there are many incompetent and untrustworthy leaders. Slack has no choice but to operate in the real world.
OTOH, I still think being paranoid is the safest policy, so if you're plotting to overthrow your boss, or sell secrets to your biggest competitor, I still wouldn't do it on the company networking, and/or using a company computer.
Cloak-and-dagger games are very similar to building your own crypto: likely to be broken at a fundamental level, never mind the amount of magic security glitter that you pile on top.
From the actual source:
They can also install screen capture and key logging software if they want, but that's less common and without disclosure is a lot shadier (although certainly legal in the US). I wouldn't expect it most places; it's a more extreme step.
But never trust encryption at work unless you know your company's policies.
Of course, you also need to trust your hardware.
And this is exactly end-to-end encryption that the original thread responder mentioned; I know it's in place so I won't connect to my personal accounts from the work machine. That's what my phone is for (and I won't use their wifi for my phone, either).
That sounds like a convenient marketing bullshit bogey man to me.
You have no right to privacy when you're inside your company's office using your company's computers to access your company's network. They own it all, you just have permission to use it within the guidelines they set and you signed off on when you were hired.
---- Edit ----
To clarify; my comment is referring to the novel 1984. While a bit tongue in cheek, it was not meant entirely as a joke.
This is a forum visited mostly by IT workers. I would assume most of us here know enough (or should know enough) to realize that any of our communications at work can be read by someone else and so you may want to treat it a bit as such.
In my personal programming working experience I have seen data captured in all of the following forms, reviewed, and then used to fire or prevent firing individuals.
Phone calls (audio recordings),
Computer monitor (video recordings)