Your Slack DMs aren’t as private as you think

2021-04-02 15:04:17

Is Slack actually good for getting your work done? That's debatable. But the popular messaging platform, which boasted more than 12 million daily active users as of last year, is certainly a promising source for employers, regulators, the government, and even hackers looking for a wealth of data about a company and its employees. Even your colleagues can learn more about you than you might expect.

The number of Slack messages that your workplace can potentially access has grown as Slack has built out its workplace app. Last year, the company launched a new tool called Slack Connect, which allows different workplaces to share channels on the app. The company announced that the feature was expanded again last month, so that anyone can send an invitation to direct-message other Slack users, even if they work at another workplace (whether users can actually send and accept these invitations depends on whether their workplace has placed restrictions on them). But just because you're messaging someone at another workplace doesn't necessarily mean your boss can't see the messages you send.

Here's what a first version of Slack's direct messaging feature looks like.

Yes, your employer has access to your private messages. They are not alone.

First, employers aren't necessarily going through your messages just to spy on gossip.

“The company may have a duty to preserve and produce that information if you are part of a lawsuit,” explained Brad Harris, vice president of product at Hanzo, a company that provides a third-party data retention app that works in conjunction with Slack, last year. "The company may also wish to conduct internal investigations and have the right to access your information through their privacy and acceptable use policies."

Harris added, "Businesses traditionally had that (right) with email." The introduction of Slack's direct messaging feature didn't change much, however. "Obviously, the adage of 'Don't write anything in an email that you wouldn't want to see on the front page of the Wall Street Journal' also applies to your use of Slack," Harris told Recode in March of this year.

Whether and how your boss can access your private messages and private channels depends on a number of factors. If your employer uses Slack's free or standard plan (you can check this by going through the drop-down menu under your name in the app), they need Slack's green light, which means the company will review your employer's request and, if approved, allow the employer to perform a one-time export. The messaging platform says it will deliver that content if a company has received employee consent, if the company is following a 'valid legal process', or if there is a 'right or requirement (to do so) under applicable law'.

For example, workers in the European Union have the right to certain information that their employers have collected about them under the General Data Protection Regulation (GDPR). Companies using a Plus plan must also request approval from Slack to export private communications, but the company can continue to use the feature until they decide to turn it off.

Keep in mind that the data downloaded by an employer is not a mirror image of the actual Slack platform. Instead, workplace data is delivered in ZIP files, which contain a type of data storage file called JSON. That means content appears in long lines that resemble code and include message text, comment information, and even edit history (that's right, your company would preserve messages you removed). You can see what that data looks like on Slack's website, and if you want to quickly find out what data your company is storing, go to (your organization)/account/workspace-settings#retention.

All of this also applies to direct messages that you may be sending to someone outside of your workplace.

"Administrators can see that there is a relationship between their organization and another through the Connections view," a Slack spokesperson told Recode. "The same controls an administrator has put in place for Slack Connect channels shared with external organizations apply to Slack Connect DMs."

It is also possible that your employer has invested in a higher plan, such as Enterprise Grid. Those plans work with third-party apps, such as Hanzo, that enable employers to store messages and other information. Businesses may need to consistently preserve electronic communications for review by regulators, such as the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority.

Still, Slack expects employers to comply with employment contracts, company policies, and all relevant laws. "For employees, an employer's rights to access your data are governed by your employment contract and the laws that govern it – not by Slack," a Slack spokesperson said in an email. "Employers ultimately own their company's Slack data and are responsible for complying with the laws that govern how they access that data."

Keep in mind that there is always one manual approach to monitoring employees' electronic communications: booting them off their computer while their Slack accounts are still logged in. A boss described this technique in a Y Combinator thread about the investigation of an internal harassment issue.

Law enforcement and legal process can also get your Slacks

One route to your private Slack posts being revealed? A lawsuit. Suppose you sue your former employer for sexual harassment. If you think there is evidence on Slack that could help you prove your case (inappropriate messages from your boss, for example), you can fight for those records to be legally "discoverable", meaning your old company must produce them. When Slack rolled out the DM feature that allowed people to send messages to others outside their organization in March, the tool was criticized for enabling harassment, and the backlash forced Slack to make some adjustments to the tool.

Discussion of Slack data can come up in all kinds of complaints, as it did in a class action lawsuit against the game developer Activision Blizzard. Discussion of Slack data also came up in a lawsuit against California-based lighting fixture company Lamps Plus.

The government may also want Slack data as part of other legal processes.

In its most recent transparency report (covering 2020), Slack says it has received 38 requests from U.S. government agencies for both content and metadata, including through search warrants, subpoenas and court orders. Only 10 of the requests for content data were granted by Slack, but in 22 cases the company provided government agencies with other, non-content data, such as information about the date, time and identity of senders and recipients of messages and files. Keep in mind that these numbers are quite small; the company said in its latest earnings report that it had more than 150,000 organizations pay for its service, and customers can also use the platform for free.

Slack also says it will consider "national security requests," although the company says it has not yet received any. In 2019, Slack granted one request for non-content user data stored in the US from an unnamed foreign government, as part of following a mutual legal assistance treaty.

In the meantime, if you actually work for the government, your Slack communications may be records subject to Freedom of Information Act (FOIA) requests. FOIA is a law that allows curious members of the public and journalists to request data on government activities, and the government must respond to those requests within 20 working days. FOIA applicants seem to have successfully applied for other Slack-related data, such as a list of team domains used by the General Services Administration. We couldn't immediately find an example of a US FOIA request leading to the release of Slack messages from within a government agency (although some have tried), if only because it's unclear how many local, state, and federal government employees use Slack.

But a search of a federal contracts database shows that the Department of State, the Department of Defense, the Department of Health and Human Services, and apparently the "Ebola team" at the United States Agency for International Development all bought technology from the company; the platform has also reportedly been used by NASA. Slack is also used by a unit of technologists, called the US Digital Service, located in the office of the president.

Your colleagues can also get information about you, although it may not be that interesting

Do you just have a regular employee Slack account? You can still get some (relatively benign) information about your colleagues through Slack. The first thing to know is that you can still read all messages and files posted on public channels before you arrived (unless they have been deleted). Some companies may have set content on their Slack systems to be automatically deleted on a regular basis, and those deletion periods could be as short as a day.

But there is a little you can do through Slack's Analytics tab (go to (yourworkspace)/stats). There you can see how the percentage of posts, and views, is spread on any given day across direct messages, private channels, and public channels. In a large office, it's not clear if this information would tell you much, but in a smaller company, these metrics can be a way for a boss to check for a spike in people talking privately. Another interesting thing you can find out through Slack Analytics is which of your colleagues sent the most messages of all time or in any given month, although it's unclear how useful these metrics are.

It's important to remember that even if your co-workers or even your boss may not have easy access to your private Slack messages, they can still learn a lot about you based on your profile, such as your time zone, your contact details, phone number, location and social media (you can voluntarily post this information on the platform). You can also find a colleague's member ID number, which may not be too revealing, and the files they submitted, which could be more revealing, by clicking on their individual profile.

Depending on your settings, your employer and colleagues can also find out if you are online. That little green light? You can turn it off manually. If you don't, Slack will tell you if and when you are shown as "active", depending on the device you are using and how you are using it. Whether you really work hard is entirely up to you. Whether your company offers Slack privacy or not may unfortunately be up to your employer.

Update, Friday, April 2, 11 a.m. ET: This piece has been updated with information on Slack's latest feature and transparency report.

Open source is powered by Omidyar Network. All open source content is editorially independent and produced by our journalists.

