Don't get me wrong--it's not like I want to read your messages and very likely won't. But there are times when I have no choice. A few years back, a group of interns started privately harassing other interns via Slack. Only way to see it was to boot an offending intern from his work station and go into his Slack to see what was happening. We had to make all intern accounts into multi-channel guests after that. Compare that to our email, where I can go into anyone's messages immediately if need-be. This is all very standard corporate IT stuff that you need for HR and legal reasons.
Edit: I'll say this is still not an ideal solution. I don't go into private communications unless I have to, and I'd rather have the option to review specific DMs / private channels than dump everything. I really don't want everything; that's more than I care to see. Also, to clarify, I'm in the US and our employees are well aware that communications on company-operated platforms should not be considered private. I want them to be careful how they communicate in writing, not because they should be worried about me, but because they should be worried about Slack getting hacked/leaked. With the recent Facebook news, I should have thought that sort of concern was obvious.
If two people want to have a private conversation, they'll just find another means by which to do it. In the long run, abusing your privileged access to conversations intended to be private (however justified you may consider it to be) will just breed mistrust among employees. I would quit a job that treated me as a child which must be supervised in such a manner.
> Only way to see it was to boot an offending intern from his work station and go into his Slack to see what was happening.
Why couldn't you just ask the recipient to look on his station?
> We had to make all intern accounts into multi-channel guests after that
Are 2 interns ever allowed to be alone together? I mean it's essentially the same, you are saying they can't be trusted so either you always need them in groups of 3, or you should put cameras everywhere with microphones...
I am glad that you are serious about tackling abuse, but more monitoring and rules about congregation are not the right solution imo.
I wish a compromise between willy-nilly dumps of private DMs and their Compliance Exports could have been found. As a user who is not the head of IT this is frustrating. Now frank discussions have to go back to out-of-band channels.
If anyone thinks this won't get abused, think again. I've worked with IT folks of all shapes and sizes over many years and a tiny percentage do abuse the privilege. Including heads of IT. And those are just the ones I know about.
> "Compare that to our email, where I can go into anyone's messages immediately if need-be. This is all very standard corporate IT stuff that you need for HR and legal reasons."
One might argue that this is exactly the reason why slack should not have made this decision.
Inevitably, some communications channels are audit-able and some are not. Modern employees (being modern people) use a lot of channels. They call eachother, SMS, Whatsapp, Slack, email ...sometimes people even talk. Companies have only partial control.
Anyway, harassment or other misbehavior can happen on any of these. In some cases (like your intern case) companies have to audit, if they can.
Can Audit = Must Audit
If slack gives employers the option to read messages, they've given employers the responsibility to do it.
It's not cut and dry. You could argue that companies won't/can't use slack unless they can read messages. This is doubtless true in some cases and I imagine slack has it's eye on these cases right now. But, I think it's hard-ish to argue the magnitude is all that big today.
Companies did use slack before this feature existed, including yours.
> "This is all very standard corporate IT stuff that you need for HR and legal reasons."
there's the problem right there.
(1) need =/= want. you want those things to cover your butt. you're not entitled to them. do you really want to live in a surveillance/nanny state?
(2) the legal system can't save every person from negative consequences, nor can it truly compensate for negative consequences without other negative actions. stuff happens. let's be adults and sort them out ourselves rather than hoping some (imperfect) higher power can do it for us.
Instant messaging is used to express instant thoughts. Instant thoughts can be used against you if accessible by the employer. So why using instant messages over email if you anyway need to think through your instant messages in Slack like you do with emails? Let's use emails then.
I think most people will only learn the importance of privacy after having been affected personally.
As I do not know which country you are from I really hope you checked before if what you did complies with the legislation as for example in many european countries this would be very illegal.
It's called "private" for a reason. If someone harasses me on Slack, I have proof of that, because they wrote me a message. If people have private conversations about anything, it should be of no one's concern. Same goes for Signal or Whatsapp, it's a private conversation. It's like putting microphones everywhere and then fire people who have a bad day and say something stupid once in a while, would you like that? This is not a world I wanna live in and it's a serious move against privacy and freedom of speech.
> This is all very standard corporate IT stuff that you need for HR and legal reasons.
I doubt that, but it is country dependant. In some of the countries I have worked in it is quite the opposite. You get drilled for legal purposes you are not to look at people's personal emails and if possible DMs. Mostly as it is potentially illegal. I have not worked in the US though.
I was however unaware that in Norway then can access your email in exceptional circumstances: https://www.datatilsynet.no/en/privacy-and-society/personver... It seems in case of gross breach of duty, the employee has to be notified, then they can access their work email.
There's an infinite space of solutions to your particular problem, but your chosen solution is totalitarian surveillance in the workplace because an intern got offended?
I avoid workplaces which force shit like this. So do all the good developers I know, because they're people who can afford to be choosy.
Bullies are pretty adept at functioning in these environments. Instead of harassing on monitored DMs, they'll make verbal comments with double meanings, use their leverage to put their targets in unpleasant situations, undercut their targets at meetings etc. Totalitarian surveillance doesn't stop bullies. It just makes your workplace a soul-destroying shithole for the employees who are forced to work in it.
Looking at all positive comments here, this is generally a bad news.
Not sure how much compliant this is with the law, but in this case the law should be more protective towards employees.
I imagine the following situation
I write on a company-owned piece of paper - "My boss is an idiot". Then take this piece of paper put it in an envelope ( owned by the company as well ), write the name of my colleague and seal the envelope. Then put the envelope on the recipient's desk.
I bet it would be illegal for my boss to take that letter, open it and read it.
P.S.
Looks like with e-mails the law is more protective towards employees :
Previously, you could only see employee DMs if you turned on Compliance Exports, at which point you could download all of them going forward. Now it sounds like everything you've ever written could be downloaded at any time without notice.
So, all of those communications you had with co-workers based on the promise they would be private until you were notified future ones wouldn't be anymore? Now it's ALL available to your employer.
Jesus, nobody here has any clue what they're talking about.
Slack has allowed companies to read private messages for well over a year. It has been called "compliance exports" and you as a slack user could always see if you had them turned on, as well as which individuals had access to read your private messages. Source: CTO of a unicorn confirmed he had used this feature to read private communications (private rooms and DMs), source 2 - used this page myself at multiple companies
Employers had to pay for this privilege. It's super unclear to me what the new policy is-- it looks like there's still no privacy but it happens via API.
You can tell who here has worked for a large American company and who hasn't.
If you've ever worked for a large American company, you know that nothing you do on company equipment or with a service the company pays for is ever private, and you should never assume it is.
I'll be honest, I always thought Slack DMs were viewable by the admin. As a Slack admin myself, I always assumed I had that ability. Never used so, I never found out I was wrong, but just always assumed it was there.
To me this is a no-op: Anyone who worked for a large American company should have assumed that this ability was always there or could be there in the future, or at the very least, your employer could have always required you to log in and show them your DMs.
IMHO I don't think this is a fair title change. What is important here is the fact that access to DMs have changed. Not that the general import/export tools have changed.
If Google changed their TOS to suddenly make everyone's search history public, would the title read "Google changes TOS"?
Part of the reason why Slack has been so successful vs. other corporate messaging solutions is that it encourages employees to bring their “whole self” to work.
It’s perhaps the most important thing at work to feel like you can communicate easily and without fear of reprisal from managers and in my opinion had a lot to do with my extensive use of Slack.
It felt like, for the first time, the communications platform wasn’t “owned” by the strict hierarchy of the company. I created my own channels, and felt no fear when I communicated with co-workers. I wasn’t doing anything “wrong” ever in my communications, but, let’s face it: there are things that you don’t want your boss to know, especially if like the majority of people, you’re working for a bad boss that has to be “managed” himself.
If Slack continues in this manner, while it may make sense from a liability and business perspective, employees aren’t going to trust the platform anymore the first time a manager reads a private conversation and uses it against someone. And generally I’ve found it’s not hard to figure out you’re being spied upon.
I’m not sure what the solution is, but definitely if Slack allows managers private access (without a court order or similar serious situation where such access would be warranted), they can no longer claim they want employees to “bring their whole self” to work anymore.
I agree. It feels like Slack broke our trust. I don't have any records, but do remember slack in it's earlier days promised of not sharing private communication to the employers and sending the logs directly to govt agencies or 3rd party audit agencies.
> It’s perhaps the most important thing at work to feel like you can communicate easily and without fear of reprisal from managers and in my opinion had a lot to do with my extensive use of Slack.
This is a problem with your management, not with Slack. If your managers are abusing such a tool to read everything you write then you have much much bigger problems.
Yep. I work totally remotely and Slack felt fundamentally different to email: my extensive DM's with coworkers felt very analogous to physical contact.
Sometimes, if you're working in an office, you just want to lean back in your chair and whisper to your coworker "what a fuckin awful meeting, what was [boss] thinkin?". And as a full-time remote worker, Slack was the only place for that. I feel this will make 100% remote a lot tougher and more isolating because the life-line that was private contact has been severed.
I think if the employer provides the tool, it is their data.
I know there are different traditions in other places where they consider something like work email to be more of an employee owned or privacy issues. I always thought that was a bit wonky and it is easier to identify who owns what by ... who owns it.
For companies, yeah, this makes sense. It was nice when this wasn't true, but never really expected nor required.
Unfortunately, Slack also gets used for a lot of OSS communities. Arguably this was already a poor fit, but now it's even more obviously a mismatched relationship; it's unclear whether one could just start paying for a Slack account and immediately pull all DM history for something that didn't come with the expectation of corporate ownership.
Let's clarify a bit, this is for the employer owned Slack workspace. If you have the client and have your employer workspace and then another random workspace that is not owned by your employer, then they can only see the messages on the workspace owned by the company.
And this is meant for backups really, it's not going to be easy to just follow random conversations of yours on a daily basis. If they want to go back and dig up some dirt they can though.
That said, if you are worried about it, and working on a computer owned by your employer, you should just assume everything you do is logged. Because some do that.
Since the email to each slack user is an @company.com address all you need to do is take control of the employees email address, reset the slack password and login as the target user.
In the end that's your responsibility to maintain professional level when using internal company tools.
Not surprisingly the three persons who forwarded me this thread with comments like: "shit", "is this legal or allowed?", or even "I'm screwed if they read my messages" - are the ones who are always trash talking colleagues, pairs and the company itself.
Reading the comments it seems nobody is concerned about this broad access leading to sexual harassment of women who are constantly exposed to glances and stronger forms of abuse and may vent in a private channel, or may have discussed intimate concerns with friends (now past conversations are also available). Nobody paints the picture of the boss reading girls logs? This is pathetic. US, land of the well paid slaves.
Always assume any communication on your work network can and will be monitored... If you want a private discussion, best to do it in person or on your own devices, not using any company resources.
As an owner of a free slack that has thousands of historical and unaccessible messages by the users, how can I delete these stored but not unaccessible messages to protect them?
It seems unconscionable that Slack retains messages but provides no way to remove them without paying.
I have never really understood the notion of needing communication privacy in the workplace. To be honest, without having seen this story, I would have assumed this was a feature of Slack already!
I can't remember where/when I heard this advice but it seems relevant and helpful for this matter:
"Write/speak all communication in the workplace as if the CEO themselves were CCd on the email."
How is this possibly news? Besides the fact than Slack has let owners read DMs through compliance export since forever, most company Slacks authenticate via mail (usually Google mail), which your employer controls.
This is no different than company emails, which (I hope this isn't surprising) your employer can also read.
Don't have personal conversations on your company Slack!
So my longstanding "never write anything in corporate correspondence that I wouldn't want revealed some day" principle seems like a great one.
Seriously. It's not your platform, they are not your emails, they are not your chatlogs, and you should never act as if what you put in will remain private and yours to control.
[+] [-] tvanantwerp|8 years ago|reply
Don't get me wrong--it's not like I want to read your messages and very likely won't. But there are times when I have no choice. A few years back, a group of interns started privately harassing other interns via Slack. Only way to see it was to boot an offending intern from his work station and go into his Slack to see what was happening. We had to make all intern accounts into multi-channel guests after that. Compare that to our email, where I can go into anyone's messages immediately if need-be. This is all very standard corporate IT stuff that you need for HR and legal reasons.
Edit: I'll say this is still not an ideal solution. I don't go into private communications unless I have to, and I'd rather have the option to review specific DMs / private channels than dump everything. I really don't want everything; that's more than I care to see. Also, to clarify, I'm in the US and our employees are well aware that communications on company-operated platforms should not be considered private. I want them to be careful how they communicate in writing, not because they should be worried about me, but because they should be worried about Slack getting hacked/leaked. With the recent Facebook news, I should have thought that sort of concern was obvious.
[+] [-] peterkelly|8 years ago|reply
[+] [-] ramblerman|8 years ago|reply
Why couldn't you just ask the recipient to look on his station?
> We had to make all intern accounts into multi-channel guests after that
Are 2 interns ever allowed to be alone together? I mean it's essentially the same, you are saying they can't be trusted so either you always need them in groups of 3, or you should put cameras everywhere with microphones...
I am glad that you are serious about tackling abuse, but more monitoring and rules about congregation are not the right solution imo.
[+] [-] brazzledazzle|8 years ago|reply
If anyone thinks this won't get abused, think again. I've worked with IT folks of all shapes and sizes over many years and a tiny percentage do abuse the privilege. Including heads of IT. And those are just the ones I know about.
[+] [-] s3nnyy|8 years ago|reply
Wow, THAT is highly illegal in Europe.
[+] [-] dalbasal|8 years ago|reply
Inevitably, some communications channels are audit-able and some are not. Modern employees (being modern people) use a lot of channels. They call eachother, SMS, Whatsapp, Slack, email ...sometimes people even talk. Companies have only partial control.
Anyway, harassment or other misbehavior can happen on any of these. In some cases (like your intern case) companies have to audit, if they can.
Can Audit = Must Audit
If slack gives employers the option to read messages, they've given employers the responsibility to do it.
It's not cut and dry. You could argue that companies won't/can't use slack unless they can read messages. This is doubtless true in some cases and I imagine slack has it's eye on these cases right now. But, I think it's hard-ish to argue the magnitude is all that big today.
Companies did use slack before this feature existed, including yours.
[+] [-] clairity|8 years ago|reply
there's the problem right there.
(1) need =/= want. you want those things to cover your butt. you're not entitled to them. do you really want to live in a surveillance/nanny state?
(2) the legal system can't save every person from negative consequences, nor can it truly compensate for negative consequences without other negative actions. stuff happens. let's be adults and sort them out ourselves rather than hoping some (imperfect) higher power can do it for us.
[+] [-] I_am_tiberius|8 years ago|reply
I think most people will only learn the importance of privacy after having been affected personally.
[+] [-] lostlogin|8 years ago|reply
Couldn’t the complainant show their history or screenshots? Going through peoples messages is a bit yuck, even if they are horrible individuals.
[+] [-] swat535|8 years ago|reply
By "you" I don't mean you personally of course, what I mean is IT in general.
You might be ethical enough to not abuse your new found privilege but who is to say that the next guy won't?
I believe all employees should restrain from posting personal and private things on a company network or any related device for that matter.
You never know how this data can be misused.
[+] [-] fjsolwmv|8 years ago|reply
[+] [-] luk32|8 years ago|reply
Sorry, but that's the same kind of argument for invading someone's privacy and justifying surveillance.
I doubt that anyone would agree even if you said you'll watch the videos only when necessary.
[+] [-] rocho|8 years ago|reply
So now they are not private messages and shouldn't be called as such.
[+] [-] yiiii|8 years ago|reply
[+] [-] xori|8 years ago|reply
[+] [-] DoreenMichele|8 years ago|reply
It's always going to be Eternal September somewhere on the internet.
[+] [-] ashwinaj|8 years ago|reply
[+] [-] asow92|8 years ago|reply
[+] [-] wrs|8 years ago|reply
[+] [-] fogzen|8 years ago|reply
[+] [-] aaron695|8 years ago|reply
[deleted]
[+] [-] k__|8 years ago|reply
[deleted]
[+] [-] petermcneeley|8 years ago|reply
Information is power: https://news.ycombinator.com/threads?id=tvanantwerp
[+] [-] SomeHacker44|8 years ago|reply
[+] [-] arez|8 years ago|reply
[+] [-] flurdy|8 years ago|reply
I doubt that, but it is country dependant. In some of the countries I have worked in it is quite the opposite. You get drilled for legal purposes you are not to look at people's personal emails and if possible DMs. Mostly as it is potentially illegal. I have not worked in the US though.
I was however unaware that in Norway then can access your email in exceptional circumstances: https://www.datatilsynet.no/en/privacy-and-society/personver... It seems in case of gross breach of duty, the employee has to be notified, then they can access their work email.
[+] [-] random4369|8 years ago|reply
I avoid workplaces which force shit like this. So do all the good developers I know, because they're people who can afford to be choosy.
Bullies are pretty adept at functioning in these environments. Instead of harassing on monitored DMs, they'll make verbal comments with double meanings, use their leverage to put their targets in unpleasant situations, undercut their targets at meetings etc. Totalitarian surveillance doesn't stop bullies. It just makes your workplace a soul-destroying shithole for the employees who are forced to work in it.
[+] [-] drinchev|8 years ago|reply
Not sure how much compliant this is with the law, but in this case the law should be more protective towards employees.
I imagine the following situation
I write on a company-owned piece of paper - "My boss is an idiot". Then take this piece of paper put it in an envelope ( owned by the company as well ), write the name of my colleague and seal the envelope. Then put the envelope on the recipient's desk.
I bet it would be illegal for my boss to take that letter, open it and read it.
P.S.
Looks like with e-mails the law is more protective towards employees :
[1] : https://www.reuters.com/article/us-privacy-emails-echr/europ...
[2] : http://www.internationallawoffice.com/Newsletters/Employment...
[3] : https://www.womblebonddickinson.com/uk/insights/articles-and...
[+] [-] larrik|8 years ago|reply
So, all of those communications you had with co-workers based on the promise they would be private until you were notified future ones wouldn't be anymore? Now it's ALL available to your employer.
Surprise!
(This is presumably due to GDPR)
[+] [-] alexandercrohde|8 years ago|reply
Slack has allowed companies to read private messages for well over a year. It has been called "compliance exports" and you as a slack user could always see if you had them turned on, as well as which individuals had access to read your private messages. Source: CTO of a unicorn confirmed he had used this feature to read private communications (private rooms and DMs), source 2 - used this page myself at multiple companies
Employers had to pay for this privilege. It's super unclear to me what the new policy is-- it looks like there's still no privacy but it happens via API.
[+] [-] jedberg|8 years ago|reply
If you've ever worked for a large American company, you know that nothing you do on company equipment or with a service the company pays for is ever private, and you should never assume it is.
I'll be honest, I always thought Slack DMs were viewable by the admin. As a Slack admin myself, I always assumed I had that ability. Never used so, I never found out I was wrong, but just always assumed it was there.
To me this is a no-op: Anyone who worked for a large American company should have assumed that this ability was always there or could be there in the future, or at the very least, your employer could have always required you to log in and show them your DMs.
[+] [-] MarcScott|8 years ago|reply
If Google changed their TOS to suddenly make everyone's search history public, would the title read "Google changes TOS"?
[+] [-] iamleppert|8 years ago|reply
It’s perhaps the most important thing at work to feel like you can communicate easily and without fear of reprisal from managers and in my opinion had a lot to do with my extensive use of Slack.
It felt like, for the first time, the communications platform wasn’t “owned” by the strict hierarchy of the company. I created my own channels, and felt no fear when I communicated with co-workers. I wasn’t doing anything “wrong” ever in my communications, but, let’s face it: there are things that you don’t want your boss to know, especially if like the majority of people, you’re working for a bad boss that has to be “managed” himself.
If Slack continues in this manner, while it may make sense from a liability and business perspective, employees aren’t going to trust the platform anymore the first time a manager reads a private conversation and uses it against someone. And generally I’ve found it’s not hard to figure out you’re being spied upon.
I’m not sure what the solution is, but definitely if Slack allows managers private access (without a court order or similar serious situation where such access would be warranted), they can no longer claim they want employees to “bring their whole self” to work anymore.
Oh well. It was nice while it lasted.
[+] [-] tapsboy|8 years ago|reply
[+] [-] UncleMeat|8 years ago|reply
This is a problem with your management, not with Slack. If your managers are abusing such a tool to read everything you write then you have much much bigger problems.
[+] [-] savanaly|8 years ago|reply
Sometimes, if you're working in an office, you just want to lean back in your chair and whisper to your coworker "what a fuckin awful meeting, what was [boss] thinkin?". And as a full-time remote worker, Slack was the only place for that. I feel this will make 100% remote a lot tougher and more isolating because the life-line that was private contact has been severed.
[+] [-] duxup|8 years ago|reply
I know there are different traditions in other places where they consider something like work email to be more of an employee owned or privacy issues. I always thought that was a bit wonky and it is easier to identify who owns what by ... who owns it.
[+] [-] Arubis|8 years ago|reply
Unfortunately, Slack also gets used for a lot of OSS communities. Arguably this was already a poor fit, but now it's even more obviously a mismatched relationship; it's unclear whether one could just start paying for a Slack account and immediately pull all DM history for something that didn't come with the expectation of corporate ownership.
#freenodeforlyfe, I suppose.
[+] [-] dumbfounder|8 years ago|reply
And this is meant for backups really, it's not going to be easy to just follow random conversations of yours on a daily basis. If they want to go back and dig up some dirt they can though.
That said, if you are worried about it, and working on a computer owned by your employer, you should just assume everything you do is logged. Because some do that.
[+] [-] DanBlake|8 years ago|reply
Since the email to each slack user is an @company.com address all you need to do is take control of the employees email address, reset the slack password and login as the target user.
[+] [-] postit|8 years ago|reply
Not surprisingly the three persons who forwarded me this thread with comments like: "shit", "is this legal or allowed?", or even "I'm screwed if they read my messages" - are the ones who are always trash talking colleagues, pairs and the company itself.
[+] [-] deltaprotocol|8 years ago|reply
[+] [-] phillipwills|8 years ago|reply
[+] [-] kingnight|8 years ago|reply
It seems unconscionable that Slack retains messages but provides no way to remove them without paying.
[+] [-] keeler|8 years ago|reply
[1] https://github.com/kfei/slack-cleaner
[2] https://api.slack.com/custom-integrations/legacy-tokens
[+] [-] nkcmr|8 years ago|reply
I can't remember where/when I heard this advice but it seems relevant and helpful for this matter:
"Write/speak all communication in the workplace as if the CEO themselves were CCd on the email."
It has served me well.
[+] [-] tptacek|8 years ago|reply
This is no different than company emails, which (I hope this isn't surprising) your employer can also read.
Don't have personal conversations on your company Slack!
[+] [-] darkstar999|8 years ago|reply
Just consider any work communication of any form to be public.
[+] [-] cirgue|8 years ago|reply
[+] [-] orbitur|8 years ago|reply
Seriously. It's not your platform, they are not your emails, they are not your chatlogs, and you should never act as if what you put in will remain private and yours to control.