As an employer, and account holder, I am not a fan of this feature.
My team must feel free to use our internal communication tools to have private, perhaps critical, conversations with each other without worrying about me, or other members of management, reviewing them.
If the tools cannot be trusted, employees will not use them. If they don't use them, they'll revert to other methods of communication, which will consume their attention.
This should be an option, and one whose effect is in plain view of users.
Lacking such an option, or clear disclosure, I will be canceling our account, as well as reviewing my company's use of other Atlassian tools.
Please reconsider this feature, or at least, reconsider its implementation.
This was pretty stunning at first, but after thinking about it my guess is simply that organizations that use Jira are the kind of organizations that want/need to keep tabs on all employee communications.
Which hey, I get that for some companies they need that for one reason or another.
What it says to me more clearly than anything though, is that Hipchat's core customer isn't small teams any longer.
It's large enterprises with lots of seats.
We run local e-mail and IM servers; the only thing that protects user communications on company owned infrastructure is our company policy. How is this any different?
What I find far more alarming -- and quite hypocritical from SaaS users seemingly suddenly concerned with privacy -- is that when I communicate with companies and individuals that use SaaS providers like Google Apps, the party with which I'm communicating implicitly shares my private correspondence with a SaaS company that engages in massive cross-internet data collection.
By comparison, employers having access to data that flows over employer-owned infrastructure is barely worth mentioning, has been the status quo for decades, and I'm absolutely stunned that anyone is shocked by this.
Second, simply because something is "status quo" does not mean it's OK.
As this is my company, I can choose to run it in a way that doesn't make me feel like an asshole.
If you don't want to "be an asshole", set a clear company policy and move on.
Having been in the position of needing to access historical e-mail records while investigating CFO malfeasance and fraud, I'd say it's downright irresponsible to not have the ability and policy necessary to monitor and review communications in extenuating circumstances.
They're not being "disingenuous". Ironically, speaking of trust/management, criticizing people's personal motivations like that is precisely one thing I'm taught not to do, for effective, healthy teamwork. (Whereas, if I must investigate antagonistically, like if a boss is harassing employees, I must assume the possibility.)
As for criticizing motivations, disingenuity was the more polite assumption compared to the alternative: that he is ignorant of the legal, technical, and historical context to the degree that he actually believes HipChat's changes are unique or novel or questionable in any way.
Entities in a technologically privileged position are limited only by policy. The fact that he accepts that truth simply by relying on SaaS demonstrates the significant incongruity of logic at question here.
The entire point of my protest to this change is specifically to stop either myself, or any member of management team from having a "technologically privilege position".
Your arguments about SaaS are irrelevant and juvenile. Just because Atlassian, or any SaaS provider, has access doesn't mean I, or my management team, should.
Saying "well we run our email server in house so we just solve this problem with a policy" is fine.
Hardly seems irrelevant to me, and the free pass you give to SaaS is nonsensical and hypocritical.
Our team has just switched back to HipChat as we have more and more remote workers. I'm the current owner of the account, and I don't want the ability to be able to read private chats. I don't want anyone else taking over as owner being able to read my private chats.
By all means, allow it as an option for customers that feel the need to spy on their employees, but let us turn it off.
I suppose workers need to assume any communication system that is provided by the company may be read at any time by management.
The bummer about this is probably many people use private communications expecting them to stay that way. They don't realize companies like Hipchat do not have architecture to support data impermanence or encryption between parties.
Nor do these companies go out of their way to highlight this, as people probably did not understand the distinction until recently.
We use hipchat at work. I've been assuming since day one my employer can read everything I write. They are _paying_ for it after all.
They pay for the toilets too, but that doesn't mean they have surveillance access to everything you do in the bathroom.
Not saying that there might not be a good argument that they ought to have read access to company chats, but it certainly doesn't follow from the fact that they pay for it.
It's only a matter of time before they drug test every flush. As Eric Schmidt said, "if you don't want your urine tested, maybe you shouldn't drink water at work."
We made an active decision to not store / log HipChat and email for a few reasons. We have specific logged HipChat channels -- but the rest just keep 75 lines for context and that is it. We also never have logged (nor ever will) the 1 on 1 conversations. Employees in a physical location can go outside and rant about a boss, family issue or other random noise -- and this isn't unhealthy, it is normal. We want to encourage open communication and straightforwardness -- and having communications "forgotten" is an important part of that. It also has additional benefits.
1. It limits the nightmare of discovery if we ever get sued; every word every employee ever said won't be painstakingly scrutinized. Because we want the legal protection, we clearly spell out this privacy in our corporate documents so it is crystal clear to our employees.
2. It allows stuff to be discussed in context and in time and not being picked apart or misunderstood at a later point by other employees. Which encourages honesty and "getting it done".
3. It creates a "separation" of ephemeral communication that has a lower signal-to-noise ratio (our HipChat today had many pictures of new desk layouts)... the important data leaves email or HipChat and makes its way to Trello, GitHub or Google Drive.
Worrying about privacy while using SaaS seems to be missing the forest for a single small tree.
Civil cases are NOT criminal or national security -- this is not the CIA, it is not a secret court, it is not being tapped... it doesn't even rise to the level of a search warrant. It is up to the party receiving the request to produce the documents. So, if we get a discovery request, we have to deliver the documents to fulfill it.
For example, we have an automatic email cleanup after 90 days -- both technically, and in policy. This means if we are served with discovery, we can show the policy, show we have taken steps to follow our policy and produce the last 90 days of email. Same goes for Hipchat logs.
Now, they could make some crazy play to extend discovery to Google or Atlassian. There are a couple of problems with this, the first of which is that such an insanely broad request would be flat out denied as fishing. If it wasn't, they would fight it kicking and screaming because they don't want to be involved in every civil case of every one of their clients. They then would have to actually have the data, which in the no-logging situation, hopefully they never had.
Discovery is often used as a tool of attrition, to wear down the guy with the smaller wallet -- run lean (by policy and design) and if you ever get a request for discovery -- you can fulfill it quickly and completely.
Not that crazy. If the data exists, the fact that it's on a cloud vendor's backup tape is your problem.
Discovery isn't what you would think from popular culture ... if you served my company with discovery request, "we" (all the lawyers and companies) would have a meeting about it -- you would want to extend your grasp, we would look to shrink it. Most of the time, you would end up with something like "All emails about 'blue paint' between April 2011 and March 2012". Then it is up to ME and my company to find all those emails and provide them to you. Even knowing my email provider would likely be outside the scope. Discovery isn't to FIND a civil issue, it is to find evidence of one already filed issue, so fishing is explicitly not allowed.
Corporate policies are a huge part of the discovery process, what makes it hellish is when you have NO policy around something (like email) because then you have to provide data or prove you don't have it. Our proof is our policy and technical measures.
Our lack of recording data (logging) IS our record management strategy (and a wholly valid one) that massively reduces our costs if we ever get sued.
The "cloud vendor's backup tape" is largely a straw man brought up by engineers rather than lawyers, I think I may have been guilty of bringing it up prior to learning about the discovery process.
It's more expensive and more complicated, but it's not crazy.
To quote the article "Stay tuned – this is a fight that will happen over and over again, and there will be more guidance provided by the courts in the coming years."
As long as the data exists, there's a very real risk someone is going to want it. If it's managed by an off-the-shelf SaaS vendor, where and how that data exists is entirely outside your control.
"In the vast majority of cases, cloud data that is accessible by the end-user will meet discovery needs and obligations."
(regarding going after cloud providers) "Serving a subpoena and ensuring compliance can be challenging and potentially expensive. Whether such efforts are worth the expense and effort will depend on the specific needs of each case. Cloud providers are likely to resist compliance with a subpoena under provisions of Title II of the Electronic Communications Privacy Act, otherwise known as the Stored Communications Act (“SCA”)."
Additionally, a director at http://tsemerge.com/ is hardly an unbiased reality oriented 3rd party. The more scared you are -- and the more complex it seems -- the more likely you are to hire them.
As for "Cloud providers are likely to resist", I dare say what's more likely to resist is controlling your own data and simply not having it stored anywhere in the first place.
Also then we're already in the right program to paste code bits around when we need.
Mimic the real workplace, I have a 1-1 meeting with someone, it isn't recorded (usually).
It's annoying, because it puts up barriers to communication, people talk differently when they know they are being recorded.
I hope they implement this as an option (like they do room history).
EDIT: Thinking more, it should be an option, and when enabled/disabled, all users should receive an email explaining the change. (If you are reading bitbucket devs, do it! Please!)
They add: "When this feature is added, notices will be visible to all members on teams where it is enabled."
Keywords: optional & visible.
That's exactly the kind of thoughtful consideration made obvious when you first use Slack. The product direction on HipChat during the 6/8 months we've been paying customers has been disappointing. Instead of working on in-app history search or the other dozen clamored-for features (http://help.hipchat.com/forums/138883-suggestions-issues/fil...), they piled on a not really necessary audio/video call feature.
I can only hope the HipChat/Atlassian team considers making admin access to private conversations optional and visible as well.
Your circumstances don't sound like they would be rare.
It'd be nice if you could take a conversation off the record. Is it inconceivable that HipChat may be used for human resource like discussions? I see some risks with this, and not sure I agree.
However, I do understand why they would do this. Bummer.
I truly feel that if the chat platform is being provided by the employer, then they have every right to disallow you from taking conversations offline.
The problem really lies with Atlassian for not offering better permissions.
The new API allows you to request personal tokens or room tokens (you'll need to be a room admin for that).
"Jamie Leigh Jones is a courageous woman who stood up to KBR and Halliburton when they tried to force her into arbitration after she was allegedly gang-raped by fellow employees in 2005."
It's a way for corporations to avoid being held legally liable for criminal behavior against consumers and employees. So if Atlassian screws you, either as an employee or a consumer, you're forced into arbitration instead of being able to challenge them in court.
Who knows how many untold "civil" cases like that one have never seen the light of day due to forced arbitration.
I am not making excuses for KBR, but I do not know how else a corporation can protect itself from the actions of its employees in a scenario where jurisdiction is not enforceable in its host country. In other words, what court would have heard this case? Presumably it would have been Iraqi, in which case she would have had a much more difficult case.
Sorry if this was a ramble, but the issue is very complex and has little to do with arbitration requirements, and more to do with vague international prosecution policies inside a war zone.
They also make some claims that are not really true:
"Individuals often have to pay a large fee simply to initiate the arbitration process. "
Please pick any large company you desire to ever sue (amazon, ebay, general mills, etc). I challenge you to find a single one that requires you pay for the arbitration process in all but frivolous cases.
Let's take Amazon's:
"Payment of all filing, administration and arbitrator fees will be governed by the AAA's rules. We will reimburse those fees for claims totaling less than $10,000 unless the arbitrator determines the claims are frivolous. Likewise, Amazon will not seek attorneys' fees and costs in arbitration unless the arbitrator determines the claims are frivolous. You may choose to have the arbitration conducted by telephone, based on written submissions,"
Paypal goes further, in fact:
"If the value of the relief sought is more than $10,000 and you are able to demonstrate that the costs of arbitration will be prohibitive as compared to the costs of litigation, PayPal will pay as much of the filing, administration, and arbitrator fees as the arbitrator deems necessary to prevent the arbitration from being cost-prohibitive"
NACA's next complaint is that you don't get an in-person hearing, but at the same time complains about the expense of arbitration?
This is nonsensical.
NACA also states some more falsehoods:
"Forced arbitration clauses generally bind the consumer—not the company. The way many forced arbitration clauses are written, the seller retains its rights to take any complaint to court while the consumer can only initiate arbitration.
Again, I've yet to see any of these. Amazon's doesn't.
Maybe paypal, that bastion of horribleness, says something here:
" You and PayPal each agree that any and all disputes or claims that have arisen or may arise between you and PayPal shall be resolved exclusively through final and binding arbitration, rather than in court, except that you may assert claims in small claims court, if your claims qualify. The Federal Arbitration Act governs the interpretation and enforcement of this Agreement to Arbitrate."
Whoops, nope, they agree to arbitration bilaterally too
(they also agree to pay the fees)
They cite exactly zero examples of any of these claims, btw.
Part of my life is reviewing TOS'en, and I've got to have reviewed thousands. I have not seen any that are either unilateral, or where you would pay fees. All I ask is for one example :)
I also doubt such a thing would be upheld even under current supreme court precedent.
The rest of the NACA complaints basically come down to "you can't take them to court". Which is, yes, the point of arbitration.
To avoid the cost of court.
The truth is, NACA doesn't like arbitration because the lawyers involved in it are class action lawyers.
It says in the exceptions to arbitration that Dropbox still retains the right to take consumers to court for intellectual property infringement, but if Dropbox has a massive data breach and every private file you have shared becomes public, you're on your own facing Dropbox in forced arbitration.
- Dropbox allows you to opt out of the commitment to arbitration.
- If you agree to always arbitrate then the exception for intellectual property disputes applies to both parties, not just Dropbox.
For another example of companies carving out justice for themselves, check out Wells Fargo. They say they will not initiate arbitration for debt collection (translation: they still have their right to take you to court if you owe them money) but if you want to hold them accountable for fraud and negligence, you are going to forced arbitration. https://www.wellsfargo.com/downloads/pdf/credit_cards/agreem...
One last thing on Dropbox's opt-out, why should you have to opt back into your constitutional rights?
Again the NACA link was to highlight the problems with forced arbitration. I wouldn't want it to detract from the fact that forced arbitration is a terrible policy.
Forced arbitration is anti-consumer but unfortunately it's also pretty common these days. I'd wager you've already agreed to it with your cable, home internet, and phone providers.
It is a strange world when we live 'free' but our companies are dictatorships/feudal while using military tribunal type justice in arbitration, but it is a byproduct of ludicrous overstepping of the bounds with lawsuits so the other side gets wacky.
IMO the most "broken" part of the system is that the corporation gets to pick the "arbitrator" who they think will give them the best outcome (and they are paid by the corporations, too, generally). I'm not sure how "new" that part is, but when my father-in-law explained it to me (he's a trial attorney) I was like "No way - that sounds like some stuff that would happen in some 3rd world country." But I went and read up on it myself - and sure enough, that's the case.
I'm not sure "where you went and read up on it itself"
Here are the rules:
Also note c-1 (d)
"(d) Parties can still take their claims to a small claims court.
Surely I can still take them to court and argue the forced arbitration is part of my grievance. IANAL but surely one can argue that removing the judicial system from anything is illegal?
Of course you can take them to court, however, do you have enough money to sustain the effort?
Forced Arb. clauses mean little for large corporations (who have the legal muscle to either reach a settlement or win a battle of legal attrition), however they absolutely screw "the little guy" who has zero choice but to follow the contract.
Might be better for you to take the token settlement as an apology, and sign the papers.
I'm not sure who their "friends" are. The arbitrators I've met in my time tended to be fair, unbiased folks. I'd expect in general civil cases, it's a mess.
The only claims that get preempted by forced arbitration are these small little $1-2 per person claims. But then people complain when lawyers litigate them as class actions, and settle for $1-2.
Other Cons of arbitration you can confirm with readings:
- Arbitration can occur in secret, with the public finding out nothing about a company's illegal behavior. This is bad for a number of reasons I won't get into.
- Arbitration does not need to follow the rules of discovery or evidence found in a public court. This is most often in the favor of the company.
- Arbitration clauses mostly forbid banding together as a class. Which means you have to fight your case on your own, often without a lawyer.
- Arbitration allows companies to get away with wage theft, discrimination, sexual harassment, illegal fees & fines, etc. because in arbitration there is no requirement for injunctive relief.
- Arbitration was never designed to be used the way it is used today. The Federal Arbitration Act (FAA) was passed by Congress in the 1920s to allow businesses to engage in commerce and use an alternate form of justice (arbitration) they both agreed on & negotiated instead of public courts. Today, the reason arbitration is used in a way other than Congress intended is because in consumer and employer relationships there is NO equal bargaining power. Most arbitration agreements are never negotiated between consumers/employees and the company; it's a take-it-or-leave-it contract. This is not how the FAA was conceived and not what Congress intended.
You can read more about it here:
Put your fork down and think about that for a second... let's say I do some kind of harm to you...you'd be okay with a guy that I paid and picked determining my liability to you over the normal justice system? And if it is so great for consumers, why not let them choose to do that? Why force it on them?
I'm sorry for the way we presented this information. We definitely should have explained these changes more clearly, because they do NOT mean that admins can browse your 1-1 chats. Our blog has been updated with a better explanation: http://blog.hipchat.com/2014/04/25/hey-were-changing-our-ter...
If you still have questions or concerns, feel free to email me directly (address in profile here) and I can answer them or put you in touch with someone who can.
I'm still reading this as admins have access to our 1-1 chats...
We also give some of our senior guys admin access so they can manage other users - I don't particularly want them to read my private communications with other employees either.
I love Atlassian (go aussies!) and Slack is expensive. Bummed.
It took me a minute or two to figure out how to change rooms in the Slack Android app (it has menus that slide from the left AND the right).
It's not really a matter of trust.
When a legal discovery request arrives and your company replies 'we don't know what the employees said in that context because it's private' - that's when the problems start.
>I don't particularly want them to read my private communications
Either you trust them, or you don't. It doesn't seem like Atlassian's problem that you don't trust your senior staff to not read your chat logs.
and then there is not trusting employees who have access to your conversations to also not feel the need to scan everything you say to people looking for boogiemen.
There is no dissonance here.
Also, no in-app voice/video integration that I could find. HipChat's one-on-one video is great, although what I really wish for is conferencing built in. Google Hangouts is just too annoying to set up (first it pesters me about signing up for Google Plus, which I don't want, then it shows a blank screen with a "start a hangout" button, then it opens a GH video in a separate window, which is just stupid), and doesn't have a desktop app.
Atlassian themselves could snoop on your traffic; the only thing stopping them is their terms of service. All you have to do to protect your employees is publish clear guidelines on when and how your company will access employee communications on company-owned infrastructure -- bingo, problem solved.
It's nothing but a policy that prevents your SaaS provider from reading your data in the first place.
I'm working on compiling a list of alternatives right now, and will edit this comment in the next few minutes.
At a previous company a round of firings were commenced with evidence contributed from HipChat logs... That was followed by a rash of everyone using the XMPP interface so they could encrypt their chats- I thought that was a bit much but now their paranoia has been proven wise...
I could believe that they were surprised management decided to track what they were saying, but I can't believe anyone thought HipChat would protect chatroom logs against the account administrator.
I was surprised at the same foolishness. But it's in line with the story we were told about their rather cavalier attitude about coming to work inebriated and abusing substances on company time. I didn't know any of them and take the information at face value- the message was don't come to work high and you won't get fired. The takeaway was don't brag about your activities on the company HipChat...
Our team loves HipChat, and they will probably end up feeling the opposite because of this. Please provide a way for us not to activate that "feature".
Companies are basically required by law to store all the communications of their employees, it has nothing to do with trust. I forget the entire reason, but basically Bill Clinton cut some crazy deal with radical feminists in order to get reelected whereby he signed some sexual harassment law that basically required employers to monitor all employee communications. Jeffrey Rosen has a book about it called The Unwanted Gaze.
I had no idea that radical feminists, or indeed feminists in general, had such immense power that they could affect an election where the incumbent won by 9%.
In many cases, IT can already do a lot of other things like span your port, read your e-mail, shadow your terminal, capture all printer output, etc. But in practice, this kind of permission is usually used when someone is stuck and an employee unreachable or out on vacation, or an employee is terminated and you need some critical piece of information they might have in their chat history.
What's the difference? Just because an employer can snoop -- and might be legally obligated to snoop -- doesn't mean your company can't have a clear policy regarding when and how you will exercise that ability inherent in owning infrastructure.
There is a difference between having a feature which allows someone to view your private chat logs (something Google Apps doesn't have) and what it sounds like HipChat are implementing - though maybe they're going to make it just as difficult?
My team tested out HipChat, and it's rad, but I had trouble convincing anyone it was worth the cost over terrible Lync, which we already have, despite its complete lack of stability on the Mac. We're now secretly using Slack, and enjoying it pretty well. The "native" client is also really nice, bringing just enough native experience to a web view.
https://en.wikipedia.org/wiki/Libor_scandal shows the value of logging private IM in a financial context.
I'm tired of constantly being screwed over by any company that I'm not paying directly.
This is really only something that probably matters if a company has to take legal action and needs the CYA.
I know my company has web monitoring in place, because we got a note about people using their cell phones to access raunchy sites while on corp-wifi.