HipChat Will Grant Employers Access To 1-to-1 Chat History (hipchat.com)
157 points by espinchi on Apr 25, 2014 | 135 comments

I sent the following email to HipChat:

As an employer, and account holder, I am not a fan of this feature.

My team must feel free to use our internal communication tools to have private, perhaps critical, conversations with each other without worrying about me, or other members of management, reviewing them.

If the tools cannot be trusted, employees will not use them. If they don't use them, they'll revert to other methods of communication, which will consume their attention.

This should be an option, and one whose effect is in plain view of users.

Lacking such an option, or clear disclosure, I will be canceling our account, as well as reviewing my company's use of other Atlassian tools.

Please reconsider this feature, or at least, reconsider its implementation.

Thank you.

I completely agree with you on this. I can't imagine continuing to use hipchat with this change in place.

This was pretty stunning at first, but after thinking about it my guess is simply organizations that use Jira are the kind of organizations that want/need to keep tabs on all employee communications.

Which hey, I get that for some companies they need that for one reason or another.

What it says to me more clearly than anything though, is that Hipchat's core customer isn't small teams any longer.

It's large enterprises with lots of seats.

I don't get your concern at all.

We run local e-mail and IM servers; the only thing that protects user communications on company owned infrastructure is our company policy. How is this any different?

What I find far more alarming -- and quite hypocritical from SaaS users seemingly suddenly concerned with privacy -- is that when I communicate with companies and individuals that use SaaS providers like Google Apps, the party with which I'm communicating implicitly shares my private correspondence with a SaaS company that engages in massive cross-internet data collection.

By comparison, employers having access to data that flows over employer-owned infrastructure is barely worth mentioning, has been the status quo for decades, and I'm absolutely stunned that anyone is shocked by this.

You honestly don't see the difference between the amount of interest a third-party software company would have in the private conversations of a team than the amount a person's immediate manager might have in them?

Second, simply because something is "status quo" does not mean it's OK.

As this is my company, I can choose to run it in a way that doesn't make me feel like an asshole.

You're being disingenuous; it's the status quo because having the ability to monitor user communications is the default and inherent legal and technical nature of conveying communications over company owned infrastructure.

If you don't want to "be an asshole", set a clear company policy and move on.

Having been in the position of needing to access historical e-mail records while investigating CFO malfeasance and fraud, I'd say it's downright irresponsible to not have the ability and policy necessary to monitor and review communications in extenuating circumstances.

You're looking at it from the perspective of malfeasance/fraud. The other poster is looking at it from teamwork/management.

They're not being "disingenuous". Ironically, speaking of trust/management, criticizing people's personal motivations like that is precisely one thing I'm taught not to do, for effective, healthy teamwork. (Whereas, if I must investigate antagonistically, like if a boss is harassing employees, I must assume the possibility.)

No, I'm looking at it from the perspective of simple rationality: SaaS does not mystically change the technical and legal nature of administrative access to communications over company controlled infrastructure.

As for criticizing motivations, disingenuity was the more polite assumption compared to the alternative: that he is ignorant of the legal, technical, and historical context to the degree that he actually believes HipChat's changes are unique or novel or questionable in any way.

Entities in a technologically privileged position are limited only by policy. The fact that he accepts that truth simply by relying on SaaS demonstrates the significant incongruity of logic at question here.

It's hilarious that you're implying it's hard to understand that the guy with the server password can read everything. I mean, really?

The entire point of my protest to this change is specifically to stop either myself, or any member of the management team, from having a "technologically privileged position".

Your arguments about SaaS are irrelevant and juvenile. Just because Atlassian, or any SaaS provider, has access doesn't mean I, or my management team, should.

Saying "well we run our email server in house so we just solve this problem with a policy" is fine.

So you're OK with SaaS being protected by policy, but not the behavior of your own company's executive staff and delegated administrators?

Hardly seems irrelevant to me, and the free pass you give to SaaS is nonsensical and hypocritical.

You're either being purposefully dense or you have an agenda.

Whereas you appear to be simply dense given your inability to see the hilarious hypocrisy of surrendering the privacy of yourself and others to SaaS vendor policies while calling them to task for giving you the equivalent privilege of policy choice.

Thanks for doing this, please keep us updated if you get a response that you can share.

Our team has just switched back to HipChat as we have more and more remote workers. I'm the current owner of the account, and I don't want the ability to be able to read private chats. I don't want anyone else taking over as owner being able to read my private chats.

By all means, allow it as an option for customers that feel the need to spy on their employees, but let us turn it off.

At least it isn't retroactive.

I suppose workers need to assume any communication system that is provided by the company may be read at any time by management.

The bummer about this is probably many people use private communications expecting them to stay that way. They don't realize companies like Hipchat do not have architecture to support data impermanence or encryption between parties.

Nor do these companies go out of their way to highlight this, as people probably did not understand the distinction until recently.

"I suppose workers need to assume"

We use hipchat at work. I've been assuming since day one my employer can read everything I write. They are _paying_ for it after all.

> They are _paying_ for it after all.

They pay for the toilets too, but that doesn't mean they have surveillance access to everything you do in the bathroom.

Not saying that there might not be a good argument that they ought to have read access to company chats, but it certainly doesn't follow from the fact that they pay for it.

> They pay for the toilets too, but that doesn't mean they have surveillance access to everything you do in the bathroom.

It's only a matter of time before they drug test every flush. As Eric Schmidt said, "if you don't want your urine tested, maybe you shouldn't drink water at work."

Most big companies have a policy that anything created on their computers is their property. Similarly, any information created on systems that they are paying for is theirs. If you were creating business value in the bathroom, then they might argue that they have access to it. If it weren't for labor and privacy laws, they might even have a legal claim to monitoring your brainstorms in the bathroom.

Actually, it does follow from the fact they pay for it. If it weren't for explicit rights carved out by privacy laws, they could put cameras in the bathrooms they own.

I manage the Hipchat system at my office. You would be amazed at how few features there are on the admin end. I can only change people's nicknames, room names, and turn on/off guest access. And upload emoticons. That's the only admin action I ever use.

I get what you're saying, but we use HipChat and it's really obvious that it's "your company's chat system." At least, that's how our employees think of it and how it's marketed. I'd be really surprised if someone thought it was more private than their company email address.

Indeed. I suspect companies being started now will opt out of logging more and more. My company's employees work from home the majority of the time. We use Hipchat, Trello, Github, Google Drive, and Email for most of our communications. We limit what we log technically (email auto-deleted after X days, no logging on most hipchat channels) and by corporate policy.

We made an active decision to not store / log Hipchat and Email for a few reasons. We have specific logged Hipchat channels -- but the rest just keep 75 lines for context and that is it. We also never have logged (nor ever will) the 1 on 1 conversations. Employees in a physical location can go outside and rant about a boss, family issue or other random noise -- and this isn't unhealthy, it is normal. We want to encourage open communication and straightforwardness -- and having communications "forgotten" is an important part of that. It also has additional benefits.

1. It limits the nightmare of discovery if we ever get sued; every word every employee ever said won't be painstakingly scrutinized. Because we want the legal protection, we clearly spell out this privacy in our corporate documents so it is crystal clear to our employees.

2. It allows stuff to be discussed in context and in time and not be picked apart or misunderstood at a later point by other employees. Which encourages honesty and "getting it done".

3. It creates a "separation" of ephemeral communication that has a lower signal to noise ratio (our Hipchat today had many pictures of new desk layouts)... the important data leaves email or Hipchat and makes its way to Trello, Github or Google Drive.

Given how much you rely on SaaS, how do you even know the data is actually gone? Come discovery, I'd expect you'd find it's a lot more permanent and exposed than you expect.

Worrying about privacy while using SaaS seems to be missing the forest for a single small tree.

Not really, and there is a ton of case law on the topic. The way (civil) discovery works makes the SaaS concern far less of an issue.

Civil cases are NOT criminal or national security -- this is not the CIA, it is not a secret court, it is not being tapped... it doesn't even rise to the level of a search warrant. It is up to the party being requested on to produce the documents. So, if we get a discovery request, we have to deliver the documents to fulfill it.

For example, we have an automatic email cleanup after 90 days -- both technically, and in policy. This means if we are served with discovery, we can show the policy, show we have taken steps to follow our policy and produce the last 90 days of email. Same goes for Hipchat logs.

Now, they could make some crazy play to extend discovery to Google or Atlassian. There are a couple of problems with this, the first of which is that such an insanely broad request would be flat out denied as fishing. If it wasn't, they would fight it kicking and screaming because they don't want to be involved in every civil case of every one of their clients. They then would have to actually have the data, which in the no logging situation, hopefully they never had.

Discovery is often used as a tool of attrition, to wear down the guy with the smaller wallet -- run lean (by policy and design) and if you ever get a request for discovery -- you can fulfill it quickly and completely.

> Now, they could make some crazy play to extend discovery to Google or Atlassian ... Discovery is often used as a tool of attrition, to wear down the guy with the smaller wallet

Not that crazy. If the data exists, the fact that it's on a cloud vendor's backup tape is your problem.


On a technical level, I can understand your concerns. I am a developer, and it took me some time to get my head around how it works. But, the bottom line is -- it IS that crazy.

Discovery isn't what you would think from popular culture ... if you served my company with discovery request, "we" (all the lawyers and companies) would have a meeting about it -- you would want to extend your grasp, we would look to shrink it. Most of the time, you would end up with something like "All emails about 'blue paint' between April 2011 and March 2012". Then it is up to ME and my company to find all those emails and provide them to you. Even knowing my email provider would likely be outside the scope. Discovery isn't to FIND a civil issue, it is to find evidence of one already filed issue, so fishing is explicitly not allowed.

Corporate policies are a huge part of the discovery process, what makes it hellish is when you have NO policy around something (like email) because then you have to provide data or prove you don't have it. Our proof is our policy and technical measures.

Our lack of recording data (logging) IS our record management strategy (and a wholly valid one) that massively reduces our costs if we ever get sued.

The "cloud vendor's backup tape" is largely a straw man brought up by engineers rather than lawyers, I think I may have been guilty of bringing it up prior to learning about the discovery process.

All the research I've done says you're wrong: http://www.informationintersection.com/2014/04/discovering-c...

It's more expensive and more complicated, but it's not crazy.

To quote the article "Stay tuned – this is a fight that will happen over and over again, and there will be more guidance provided by the courts in the coming years."

As long as the data exists, there's a very real risk someone is going to want it. If it's managed by an off-the-shelf SaaS vendor, where and how that data exists is entirely outside your control.

That article basically agrees with me. Additionally -- notice how it doesn't point to explicit existing examples, but implies "future problems" -- as did the 2006 article.

"In the vast majority of cases, cloud data that is accessible by the end-user will meet discovery needs and obligations."


(regarding going after cloud providers) "Serving a subpoena and ensuring compliance can be challenging and potentially expensive. Whether such efforts are worth the expense and effort will depend on the specific needs of each case. Cloud providers are likely to resist compliance with a subpoena under provisions of Title II of the Electronic Communications Privacy Act, otherwise known as the Stored Communications Act (“SCA”)."

Additionally, a director at http://tsemerge.com/ is hardly an unbiased reality oriented 3rd party. The more scared you are -- and the more complex it seems -- the more likely you are to hire them.

"basically" agrees?

As for "Cloud providers are likely to resist", I dare say what's more likely to resist is controlling your own data and simply not having it stored anywhere in the first place.

Intelligent corporate policy. Oh how I wish such a marriage of pragmatism and respect for privacy were the norm.

My friends and I are all using gitter.im to chat now. I just made a private repo on my github account and made them all contributors. Easy peasy.

Also then we're already in the right program to paste code bits around when we need.

Gitter looks awesome - thanks

Hipchat should have gone the opposite way, and made their policy explicitly: "1-to-1 is private".

Mimic the real workplace, I have a 1-1 meeting with someone, it isn't recorded (usually).

It's annoying, because it puts up barriers to communication, people talk differently when they know they are being recorded.

I hope they implement this as an option (like they do room history).

EDIT: Thinking more, it should be an option, and when enabled/disabled, all users should receive an email explaining the change. (If you are reading bitbucket devs, do it! Please!)

This is a pain point for me because HipChat's permissions granularity is really bad: my organization gives everybody admin access so we can configure API tokens, emoticons, etc. Things we want to do pretty often. Now, we'll have to restrict everybody to a normal user and have a single administrator do these very normal operations.

Yep, we have exactly the same issue. This feature decision is a trust-deterrent. Nothing worse when it comes to team communication.

To me this is the final straw. By contrast Slack's privacy policy mentions they "plan to allow team owners or administrators to enable an optional feature which would allow them to view anything inside their teams".

They add: "When this feature is added, notices will be visible to all members on teams where it is enabled."

Keywords: optional & visible.

That's exactly the kind of thoughtful consideration made obvious when you first use Slack. The product direction on HipChat during the 6/8 months we've been paying customers has been disappointing. Instead of working on in-app history search or the other dozen clamored-for features (http://help.hipchat.com/forums/138883-suggestions-issues/fil...), they piled on a not really necessary audio/video call feature.

I can only hope the HipChat/Atlassian team considers making admin access to private conversations optional and visible as well.

Talk to HipChat, that sounds like something they might be able to change in their service. Perhaps have a super-admin or user groups or something that give intermediate permissions.

Your circumstances don't sound like they would be rare.

They definitely aren't rare. We have the same pain where I work. We just end up having a limited number of HC admins and make them do all our API requests.

It'd be nice if you could take a conversation off the record. Is it inconceivable that HipChat may be used for human resource like discussions? I see some risks with this, and not sure I agree.

However, I do understand why they would do this. Bummer.

HR-level discussions should be documented at all times, so that seems like a poor example to use here.

I truly feel that if the chat platform is being provided by the employer, then they have every right to disallow you from taking conversations offline.

The problem really lies with Atlassian for not offering better permissions.

You don't need to be an admin to get an API token... https://www.hipchat.com/account/api

The new API allows you to request personal tokens or room tokens (you'll need to be a room admin for that).

There can only be one room admin per room. Doesn't really fix it.

The forced arbitration seems a bit odious... general mills just got dinged for that and had to apologize...I wonder if the same thing will happen here. For those who don't know, forced arb basically gives them carte blanche to harm you and have the case handled by their "friends" instead of the justice system.

Forced arbitration is a terrible policy and terrible for consumers[1]. I remember when Al Franken fought to amend the "forced arbitration" policy in the Department of Defense Appropriations Act[2]:

"Jamie Leigh Jones is a courageous woman who stood up to KBR and Halliburton when they tried to force her into arbitration after she was allegedly gang-raped by fellow employees in 2005."

It's a way for corporations to avoid being held legally liable for criminal behavior against consumers and employees. So if Atlasssian screws you, either as an employee or a consumer, you're forced into arbitration instead of being able to challenge them in court.



Arbitration is not applicable in criminal behavior. It's for civil disputes.

I'd say gang-rape by fellow employees and KBR/Halliburton attempts to cover it up both fall under criminal behavior; at least it seems criminal to me.

Who knows how many untold "civil" cases like that one have never seen the light of day due to forced arbitration.

Jurisdiction would be the pressing issue in that specific case. I do not believe bases were sovereign at that time, and as the parties are not military they would not be prosecutable under the UCMJ. I am not certain on the process to charge someone with a crime while in a different country and outside US jurisdiction.

I am not making excuses for KBR, but I do not know how else a corporation can protect itself from the actions of its employees in a scenario where jurisdiction is not enforceable in its host country. In other words, what court would have heard this case? Presumably it would have been Iraqi, in which case she would have had a much more difficult case.

Sorry if this was a ramble, but the issue is very complex and has little to do with arbitration requirements, and more to do with vague international prosecution policies inside a war zone.

NACA is not exactly unbiased, since it's mainly consumer class action lawyers.

They also make some claims that are not really true:

"Individuals often have to pay a large fee simply to initiate the arbitration process. "

Please pick any large company you desire to ever sue (amazon, ebay, general mills, etc). I challenge you to find a single one that requires you pay for the arbitration process in all but frivolous cases.

Let's take Amazon's: "Payment of all filing, administration and arbitrator fees will be governed by the AAA's rules. We will reimburse those fees for claims totaling less than $10,000 unless the arbitrator determines the claims are frivolous. Likewise, Amazon will not seek attorneys' fees and costs in arbitration unless the arbitrator determines the claims are frivolous. You may choose to have the arbitration conducted by telephone, based on written submissions,"

Paypal goes further, in fact: "If the value of the relief sought is more than $10,000 and you are able to demonstrate that the costs of arbitration will be prohibitive as compared to the costs of litigation, PayPal will pay as much of the filing, administration, and arbitrator fees as the arbitrator deems necessary to prevent the arbitration from being cost-prohibitive"

NACA's next complaint is that you don't get an in-person hearing, but at the same time complains about the expense of arbitration? This is non-sensical.

NACA also makes some more falsehoods: "Forced arbitration clauses generally bind the consumer—not the company. The way many forced arbitration clauses are written, the seller retains its rights to take any complaint to court while the consumer can only initiate arbitration." Again, I've yet to see any of these. Amazon's doesn't.

Maybe paypal, that bastion of horribleness, says something here: " You and PayPal each agree that any and all disputes or claims that have arisen or may arise between you and PayPal shall be resolved exclusively through final and binding arbitration, rather than in court, except that you may assert claims in small claims court, if your claims qualify. The Federal Arbitration Act governs the interpretation and enforcement of this Agreement to Arbitrate."

Whoops, nope, they agree to arbitration bilaterally too (they also agree to pay the fees)

They cite exactly zero examples of any of these claims, btw.

Part of my life is reviewing TOS'en, and I've got to have reviewed thousands. I have not seen any that are either unilateral, or where you would pay fees. All I ask is for one example :)

I also doubt such a thing would be upheld even under current supreme court precedent.

The rest of the NACA complaints basically come down "you can't take them to court". Which is yes, the point of arbitration. To avoid the cost of court.

The truth is, NACA doesn't like arbitration because the lawyers involved in it are class action lawyers. Shocking.

Guess you missed Dropbox's big announcement. Here's their forced arbitration clause:


It says in the exceptions to arbitration that Dropbox still retains the right to take consumers to court for intellectual property infringement, but if Dropbox has a massive data breach and every private file you have shared becomes public, you're on your own facing Dropbox in forced arbitration.

This is not an example of a unilateral agreement because:

- Dropbox allows you to opt out of the commitment to arbitration.

- If you agree to always arbitrate then the exception for intellectual property disputes applies to both parties, not just Dropbox.

Dropbox's ToS is one-sided because what Dropbox did was carve out the ways it would want to go to court and eliminate the ways most consumers would ever take it to court. Most consumers are not suing Dropbox over IP.

For another example of companies carving out justice for themselves, check out Wells Fargo. They say they will not initiate arbitration for debt collection (translation: they still have their right to take you to court if you owe them money), but if you want to hold them accountable for fraud and negligence, you are going to forced arbitration. https://www.wellsfargo.com/downloads/pdf/credit_cards/agreem...

One last thing on Dropbox's opt-out, why should you have to opt back into your constitutional rights?

Arbitration is private court where the judge is paid by your opponent. If you legitimately think this is awesome enough that we should all be gung-ho about it just because the companies who benefit choose to pay the fees, I don't think there's really anything else to discuss.

I guess linking to NACA was more to highlight some of the other downsides of forced arbitration. I agree with your counterpoints to NACA's claims but ultimately forced arbitration still prevents someone from using the justice system simply because it's too costly to the corporations. Again, cases like the KBR/Halliburton can have atrocious consequences.

Again the NACA link was to highlight the problems with forced arbitration. I wouldn't want it to detract from the fact that forced arbitration is a terrible policy.

Again - if it's so incredibly awesome for consumers...why not let them choose to arbitrate instead of forcing them?

Because lawyers are very good at convincing consumers not to with promises of big dollars?

General Mills got banged up because they tried to claim that performing such actions as "Liking their facebook page" indicated your agreement to those terms. That was the part that was extreme.

Forced Arbitration is anti-consumer but unfortunately it's also pretty common these days. I'd wager you've already agreed to it with your cable, home internet, and phone providers.

It has stormed the front immensely in the last 10-15 years. Almost all contracts have an arbitration section to bypass the courts which has many to blame.

It is a strange world when we live 'free' but our companies are dictatorships/feudal while using military tribunal type justice in arbitration, but it is a byproduct of ludicrous overstepping of the bounds with lawsuits so the other side gets wacky.

What's gotten crazy in the last 2 years or so after some bad Supreme Court decisions is that corporations can get more and more sneaky about saying what constitutes your "agreement" to their terms - things like "liking" the company on Facebook or walking through the door of their fast food chain...

IMO the most "broken" part of the system is that the corporation gets to pick the "arbitrator" who they think will give them the best outcome (and they are paid by the corporations, too, generally). I'm not sure how "new" that part is, but when my father-in-law explained it to me (he's a trial attorney) I was like "No way - that sounds like some stuff that would happen in some 3rd world country." But I went and read up on it myself - and sure enough, that's the case.

Under AAA consumer rules (which is what roughly everyone is using) the corporation does not pick the arbitrator. The AAA does. Either side may provide factual objections, which, if upheld, only results in them picking someone new at random.

I'm not sure where you "went and read up on it yourself". Here are the rules:


Also note c-1 (d) "(d) Parties can still take their claims to a small claims court. "

I actually bought a shaver once, from a retail store, that included an unannounced forced arbitration contract that claimed implied consent by using the shaver. It's ridiculous.

I generally just cross out such legal vomit upon reading it, to reject any implied assent for down the road, but mainly to keep my own head straight.

Will it work?

Surely I can still take them to court and argue the forced arbitration is part of my grievance. IANAL but surely one can argue that removing the judicial system from anything is illegal?

>I can still take them to court

Of course you can take them to court, however, do you have enough money to sustain the effort?

Forced Arb. clauses mean little for large corporations (who have the legal muscle to either reach a settlement or win a battle of legal attrition), however they absolutely screw "the little guy" who has zero choice but to follow the contract.

Courts will often order arbitration in civil cases anyway, moving to a trial only if the arbitration fails.

You can argue anything; the question is how long and how hard can you afford to argue it, and what are going to be your ultimate chances of success based on the history of people making the same sort of argument, and which venues are you going to be forced to make that argument in.

Might be better for you to take the token settlement as an apology, and sign the papers.

According to the supreme court it will. The corporation gets to pick the "arbitrator" (who is most likely to decide your claim is worthless) and you have to go there instead of court. Read up on it.

I'm not sure why people hate on forced arbitration. Outside of the occasional ridiculous damages award that happens, it's actually often better for consumers. It's cheaper, doesn't require a lawyer, company usually pays, etc.

I'm not sure who their "friends" are. The arbitrators I've met in my time tended to be fair, unbiased folks. I'd expect in general civil cases, it's a mess.

The only claims that get preempted by forced arbitration are these small little $1-2 per person claims. But then people complain when lawyers litigate them as class actions, and settle for $1-2.

Researchers at Cornell University studied hundreds of cases where consumer / employees were forced into arbitration and found that the arbitrator ruled with the company 90-95% of the time. This can be attributed to what dccoolgai points out below.

Other cons of arbitration you can confirm with readings:

- Arbitration can occur in secret, with the public finding out nothing about a company's illegal behavior. This is bad for a number of reasons I won't get into.

- Arbitration does not need to follow the rules of discovery or evidence found in a public court. This is most often in the favor of the company.

- Arbitration clauses mostly forbid banding together as a class. Which means you have to fight your case on your own, often times without a lawyer.

- Arbitration allows companies to get away with wage theft, discrimination, sexual harassment, illegal fees & fines, etc. because in arbitration there is no requirement for injunctive relief.

- Arbitration was never designed to be used the way it is used today. The Federal Arbitration Act (FAA) was passed by congress in the 1920s to allow businesses to engage in commerce and use an alternate form of justice (arbitration) they both agreed & negotiated on instead of public courts. Today, the reason arbitration is used in a way other than congress intended is because in consumer and employer relationships - there is NO equal bargaining power. Most arbitration agreements are never negotiated between consumers/employees and the company - its a take it or leave it contract. This is not how the FAA was conceived and not what congress intended.

You can read more about it here: https://www.nela.org/NELA/index.cfm?event=showPage&pg=mandar...

"The company usually pays".

Put your fork down and think about that for a second... let's say I do some kind of harm to you...you'd be okay with a guy that I paid and picked determining my liability to you over the normal justice system? And if it is so great for consumers, why not let them choose to do that? Why force it on them?

Hey everyone - Garret from HipChat here.

I'm sorry for the way we presented this information. We definitely should have explained these changes more clearly, because they do NOT mean that admins can browse your 1-1 chats. Our blog has been updated with a better explanation: http://blog.hipchat.com/2014/04/25/hey-were-changing-our-ter...

If you still have questions or concerns, feel free to email me directly (address in profile here) and I can answer them or put you in touch with someone who can.

"Under the Atlassian Privacy Policy, HipChat administrators will have the right to access all information in the HipChat account they manage, including 1-to-1 chat history and files shared in those 1-to-1 chats."

I'm still reading this as admins have access to our 1-1 chats...

If you've signed a policy with your employer giving them access to data in the services they pay for, we will have access to provide them, just like they can with the email account they provide you (if they do). They won't be casually browsing your chats, as that is not a feature we provide.

We trust our employees. I don't feel the need to access personal communications between employees.

We also give some of our senior guys admin access so they can manage other users. I don't particularly want them to read my private communications with other employees either.

I love Atlassian (go aussies!) and Slack is expensive. Bummed.

We use Slack at my company (switched to it from Kato) and we're very happy with it.

Were non technical staff able to grok it? I recently went with HipChat over Slack mainly because Slack just seemed too confusing, but now I'm kind of regretting it.

It took me a minute or two to figure out how to change rooms in the Slack Android app (it has menus that slide from the left AND the right).

Nobody I know has found it confusing, it's a mix of technical faculty. I've only used the desktop app.

You mean the website-in-an-app-looking-frame right?

At least the OS X version installs and runs mostly like a regular app. The Windows one requires installation through Chrome.

Yeap, but people like seeing the notifications when they cmd-tab and being able to remove a tab from their browser.

Same. Though, it seems a tad overpriced. It is a very nice platform though

I guess it depends on how it was being used. If your employees came up with a great idea over chat that six months later led to a patentable invention, it's nice that there is a record of all that information.

> We trust our employees. I don't feel the need to access personal communications between employees.

It's not really a matter of trust.

When a legal discovery request arrives and your company replies 'we don't know what the employees said in that context because it's private' - that's when the problems start.

What do you need that isn't included in the free plan on Slack?

>We trust our employees

>I don't particularly want them to read my private communications

Either you trust them, or you don't. It doesn't seem like Atlassian's problem that you don't trust your senior staff to not read your chat logs.

There is trusting your employees and not feeling the need to scan everything they say to each other looking for boogiemen...

and then there is not trusting employees who have access to your conversations to also not feel the need to scan everything you say to people looking for boogiemen.

There is no dissonance here.

Somewhat tangential to this story, but we recently moved our team over from HipChat to Slack [1]. I initially thought that we'd miss the sheer number of integrations HipChat offers, but Slack seems to cover almost all of the ones we use regularly and some HipChat doesn't yet offer, like Asana.

[1]: https://slack.com/

Our team tried out Slack, but the Mac app isn't native, just a rather weak wrapper around the normal web page. And the web experience just isn't as good as HipChat.

Also, no in-app voice/video integration that I could find. HipChat's one-on-one video is great, although what I really wish for is conferencing built in. Google Hangouts is just too annoying to set up (first it pesters me about signing up for Google Plus, which I don't want, then it shows a blank screen with a "start a hangout" button, then it opens a GH video in a separate window, which is just stupid), and doesn't have a desktop app.

I guess that's one way to lose your customer base. We have a team of 50 that will be switching to another platform shortly. Good bye HipChat...

Why do you care? If you ran the chat server locally, you'd have the ability to snoop already.

Atlassian themselves could snoop on your traffic; the only thing stopping them is their terms of service. All you have to do to protect your employees is publish clear guidelines on when and how your company will access employee communications on company-owned infrastructure -- bingo, problem solved.

Because this isn't communist Russia/China. There is a certain level of implied freedom and privacy here in America. That's why I fucking care.

If the company is paying for the chat service, it's the company's chat, and the company owns the logs. It's no different than a work email address/inbox.

And if I'm running the company, I don't want my employees to have to go through loopholes to chat privately. The company owns the water cooler too but putting a mic into it is not ethical behavior.

The decision of whether or not private chat occurs in that situation is up to your company though, not the company you buy the water from. This policy change by Atlassian shifts the ability to set policy where it should have been in the first place (as they've noted): to the company purchasing access to HipChat.

So set a policy that you won't read their messages. There's nothing new here.

It's nothing but a policy that prevents your SaaS provider from reading your data in the first place.

Employees don't generally have to worry about their SaaS provider having an impact on their performance review, paycheck, or continued employment.

Then just don't look at the logs, or turn them off.

If you care about personal privacy, don't use your employer's servers, and don't host your private conversations on a third-party SaaS.

Really? An implied freedom in the US? I agreed with your initial post, but this one is ridiculous.

Well, it was great while it lasted.

I'm working on compiling a list of alternatives right now, and will edit this comment in the next few minutes.

I don't see much positive coming from this.

At a previous company a round of firings was commenced with evidence contributed from HipChat logs... That was followed by a rash of everyone using the XMPP interface so they could encrypt their chats. I thought that was a bit much but now their paranoia has been proven wise...

People were typing incriminating things in a chatroom on your company's HipChat server?

I could believe that they were surprised management decided to track what they were saying, but I can't believe anyone thought HipChat would protect chatroom logs against the account administrator.

That's what we were told at an all-hands meeting to squelch the morale decline after a handful of people were sent packing... That they were being poisonous in a group room and it backed up allegations about their behavior.

I was surprised at the same foolishness. But it's in line with the story we were told about their rather cavalier attitude about coming to work inebriated and abusing substances on company time. I didn't know any of them and take the information at face value. The message was don't come to work high and you won't get fired. The takeaway was don't brag about your activities on the company HipChat...

I don't see how this is relevant, if it was bad enough to warrant being fired, logs or lack of them wouldn't have helped. Sure they might have acted as evidence but there was probably other evidence of the actual action?

All they had to write was "It’s been two years since HipChat joined the Atlassian family"... the rest is obvious. IMHO Atlassian is a company focused on helping enterprises control users of their software, not help them. JIRA's maddening UX is Exhibit A.

How is JIRA's UX maddening? It's so highly configurable that it really depends on how it is set up, and what the patterns of use are within your organisation.

I would argue that "maddening" is an understatement. JIRA's UI tries to do so much and allows such granular customization that it takes an age of expertise in the tool to simply properly configure it to your organization. In fact, one of my college buddies' jobs is exactly that.

Really disappointing move. If you don't trust your developers, maybe you shouldn't have hired them in the first place.

Our team loves HipChat, and they will probably end up feeling the opposite because of this. Please provide a way for us not to activate that "feature".

> If you don't trust your developers, maybe you shouldn't have hired them in the first place.

Companies are basically required by law to store all the communications of their employees, it has nothing to do with trust. I forget the entire reason, but basically Bill Clinton cut some crazy deal with radical feminists in order to get reelected whereby he signed some sexual harassment law that basically required employers to monitor all employee communications. Jeffrey Rosen has a book about it called The Unwanted Gaze.

Reading employees' email is potentially illegal in some countries in Europe: http://en.wikipedia.org/wiki/Workplace_privacy#Europe http://www.eurofound.europa.eu/eiro/2005/10/feature/no051010... How that relates to chat is unknown but it would probably have to abide by the same laws (IANAL).

> Bill Clinton cut some crazy deal with radical feminists in order to get reelected

I had no idea that radical feminists, or indeed feminists in general, had such immense power that they could affect an election where the incumbent won by 9%.

They don't. That was only one of dozens of such deals with various organizations. The Adam Curtis documentary Century of the Self goes into some of the others.

I'd expect an organization who pays for the service should have access to their data in it. If you fear the change, you really fear the people who are or will someday become a service administrator. If you fear that, perhaps you should consider if you're really happy where you are. I'd suspect you either have trust issues with your corporate or IT management, or you work at a place that moves too slow for IT to have anything better to do than troll through private chats.

In many cases, IT can already do a lot of other things like span your port, read your e-mail, shadow your terminal, capture all printer output, etc. But in practice, this kind of permission is usually used when someone is stuck and an employee unreachable or out on vacation, or an employee is terminated and you need some critical piece of information they might have in their chat history.

I pay for the service for my company. I trust my employees. I don't want them to think I'm snooping on their personal conversations between each other.

You also control the routers, the email server, any other form of digital communications, and possibly even the software in their desktop.

What's the difference? Just because an employer can snoop -- and might be legally obligated to snoop -- doesn't mean your company can't have a clear policy regarding when and how you will exercise that ability inherent in owning infrastructure.

Well most of the team is remote and we use Google Apps which doesn't allow email access (as far as I can tell, at least not without changing passwords and a few other tricks).

There is a difference between having a feature which allows someone to view your private chat logs (something Google Apps doesn't have) and what it sounds like HipChat are implementing - though maybe they're going to make it just as difficult?

This seems like an appropriate time to remind everyone that your work email belongs to your boss, not to you. Don't send private emails from your work account. Likewise, your work laptop isn't yours, it's your employer's. Don't do personal work on it.

My team tested out HipChat, and it's rad, but I had trouble convincing anyone it was worth the cost over terrible Lync, which we already have, despite its complete lack of stability on the Mac. We're now secretly using Slack, and enjoying it pretty well. The "native" client is also really nice, bringing just enough native experience to a web view.

This is garbage. We have over 250 people using HipChat and we use the 1:1 as the way to vent outside of the rooms that we're also part of. Better? I'm an admin and I'm so pissed that they decided to change a feature that I sang praises of for so long. Just like another company tool, we'll start to use another outlet to "really" communicate to each other while the HipChat rooms will be relegated to PMs and business owners fishing for updates.

I don't know if you can blame Atlassian for being "anti user" here. In some businesses and government settings data retention is a regulatory requirement. It's not ideal. It doesn't fit human patterns of communication. There are obvious back-channels. So systems like that catch only the dumbest violators. But Atlassian probably has customers who are required to specify communication systems that can be monitored.

eg section 802 of the Sarbanes-Oxley Act

https://en.wikipedia.org/wiki/Libor_scandal shows the value of logging private IM in a financial context.

I wish there were more companies that were more worried about doing the right thing than serving their paying customers. Especially when those customers are businesses who want to snoop on their employees, or ad agencies that want to sort through your mail.

I'm tired of constantly being screwed over by any company that I'm not paying directly.

The only question I have is: how good are the emoticons on Slack.com?

Full emoji support and users can upload custom emoticons. It's full of win!

While this is probably helpful in some situations, my expectation is that like monitoring interwebs traffic, most tech companies don't care and won't bother.

This is really only something that probably matters if company has to take legal action and needs the CYA.

Probably true, but I think a lot of Atlassian customers (maybe most) aren't tech companies, but tech departments within big enterprises. I think most big companies actually do have web and email monitoring in place.

Agreed they have monitoring in place, but I'm curious how many actively review it on a day to day basis.

I know my company has web monitoring in place, because we got a note about people using their cell phones to access raunchy sites while on corp-wifi.

Does anyone know if Google has a similar policy for GMail or Google Hangouts/Google Talk?

I'm curious about this too, and whether 'off the record' does anything with a corporate account.

With Google Apps for Domains you can take over an email address, for example after you fire someone. Nothing prevents you from seeing old emails.

Even if they're deleted?

Slack tho.

I wonder if they will implement an "off the record" feature similar to Google Chat. Even if the company has access to private chats, some legal departments recommend their employees not use chats or emails for certain correspondence.

The binding arbitration clause is predatory and an unfortunate addition to their terms.

The title reads as though HipChat are releasing previous chat history to administrators although the ToS clearly states that this is not retrospective and only future 1-to-1 conversations will be impacted by this.

I tried my best not to word the title in a misleading way. Sorry if it still misled you, though.

We use Flowdock. We're happy with it and it's actually quite fun (custom emojis are a blast). I would never consider using a chat client with this limitation and strongly consider not working for anyone who does.

Does this apply even if no chat history is being saved?

Will have to give hall.com another serious look...
