If two people want to have a private conversation, they'll just find another means by which to do it. In the long run, abusing your privileged access to conversations intended to be private (however justified you may consider it to be) will just breed mistrust among employees. I would quit a job that treated me as a child which must be supervised in such a manner.
I hate to tell you this but if you would quit a job for this reason you probably can't work in the US. The US has laws about corporate compliance, and it has requirements for things like dealing with sexual harassment. There is no such thing as a "private conversation" that takes place over a corporate network.
For example, in the US sexual harassment is taken seriously. If a company gets a complaint of sexual harassment on Slack they are legally obligated to look into it, and if they refuse to the individual managers could personally be held liable for it. This includes situations where the person being harassed isn't directly in the conversation- the above example of harassment over slack could have evidence of coordination in a different private channel than the ones the harassment target is in.
> There is no such thing as a "private conversation" that takes place over a corporate network.
It's a tech issue, cultural issue, and a legal issue, but it's harmful that we seem to be forgetting the wisdom of discretion as life become more digitized. If the law or culture says "no expectation of discretion", they're just wrong and likely hypocritical.
It's healthy, normal, and appropriate to tell specific things to specific people. If we're worried about abuse, there are other solutions to those problems, like letting the harassed share the conversation later, which they can already do, with screenshots if nothing else.
Discretion still has its place, but that's different from privacy and compliance.
Most admins aren't going to spend all day reading other people's conversations, and good companies have explicit policies as to when they will do so. The thing we're discussing here isn't whether companies should spy on everything their employees do- it's about what happens when an issue does occur where they do need to look into things.
I would not work for a company where I thought my managers were looking over my shoulder at every single thing I was doing, but at the same time I would not refuse to work for a company just because they could look into my conversations if I was accused of wrongdoing.
People are also ignoring another aspect of this- if a company does get sued by an outside party they have to make internal data available through discovery. These laws about corporate compliance also exist to make it so corporations can be held accountable.
> Discretion still has its place, but that's different from privacy and compliance.
It should be, but often digital tools obliterate discretion in the service of compliance or even just monitoring employee work habits.
> I would not refuse to work for a company just because they could look into my conversations if I was accused of wrongdoing.
A healthy workplace needs to solve the underlying issue, here. But there are simple ways (i.e., asking or ordering the employee to send you conversation transcripts) to get the information needed. Managers and compliance officers are reluctant to let the investigated employees know they're being investigated, which I understand, but I don't think throwing out discretion-oriented communication is worth the benefits there.
> But there are simple ways (i.e., asking or ordering the employee to send you conversation transcripts) to get the information needed.
Are you serious? So, someone accuses an employee of abuse and you casually stroll by and ask them to send relevant conversations your way? And you expect them to comply without cheating? Why don't we try this approach with other misdeeds, for example, when someone complains about theft, we just ask thieves to come by the police station with the stuff they stole. Do you think that would work?
Before tech, witness testimony was the same thing.
Old boys club keeps it "verbal only", but someone blows the whistle and testifies regarding the conversation.
Technology didn't change anything. You can't have a private conversation at work. Period end of story. If you manage to conceal your communications, not only could you be violating laws (depending on your industry and relevant regulations) but you're likely violating corporate policy and in need of corrective actions.
It's a liability problem for a company if employees are circumventing documentation and potentially covering up crimes.
The way I see it, you have three options:
* Be rich enough to not work
* Get paid by someone who accepts the liability of your work and has the legal right to all of your business communications
* Be the guy paying other people who accepts liability for their work and has the legal right to their business communications
Spoiler, even if you're the last guy, chances are there's lawyers doing the same thing to you.
I was talking about discretion, not privacy. Those are two different things. Discretion is controlled sharing of thoughts, ideas, and information. Marking documents "trade secret" is an example of discretion. Trade secrets are not private information.
I'm not arguing that information should be unavailable when a warrant or subpoena requires disclosure. I'm arguing that doing the digital equivalent of bugging every conference room in the building is a toxic thing to do, culturally. If the law compels the bugged rooms, we have bad laws on the books.
Two employees need to be able to have a healthy, discrete conversation about working with the boss without having to worry about a transcript of the conversation pop up in a performance evaluation later in the year.
> Two employees need to be able to have a healthy, discrete conversation about working with the boss without having to worry about a transcript of the conversation pop up in a performance evaluation later in the year.
If you are worried about this, the issue isn't Slack. I don't worry about my boss reading my slack DM's - I'm well aware of what process would be involved there (my boss would be fired immediately, and wouldn't even have access without Legal involved). If you're worried about your company 'snooping' on you that's an underlying, unrelated problem.
Note that there's also a difference between work-mandated communication channels (for which there is no "opt-in"--there is a directory with your email address, you're on the list of Slack users, etc) and channels outside of work that you can opt into and out of (you can not give your personal number when the company is big enough for that to be an option, block people when they abuse it, not reciprocate keybase follows or leave signal chat groups, etc). A channel that is mandated to be kept open loses some discretion for its users, and the loss of power has to be compensated in some way.
(This is the more charitable way of looking at it, obviously. There are plenty of other reasons things are the way they are, and they aren't all good for us, there is just also this)
> A channel that is mandated to be kept open loses some discretion for its users, and the loss of power has to be compensated in some way.
Yeah, I was hinting at that a bit. I think tools like SnapChat and encrypted chat clients are reaching for discrete and healthy digital relationships. A lot of the conversation about these tools is about privacy, which is really something else. How someone looks naked is often private. How that biopsy turned out should be shared with people, just discretely.
That line or reasoning makes no sense. If that were true, then states like California couldn't make it illegal for companies to eavesdrop on its employees(e.g. recording audio, bugging offices). But allowing companies to read direct messages is very, very similar.
Also, what's preventing a victim of harassment from handing over the offending messages? I don't see how this helps anyone.
Recording audio and bugging offices is a completely different matter than reading through already preserved text that exists on company infrastructure (email or slack conversations). The records already exist in the case we're talking about.
Presumably the victim would share the harassing messages, but by being able to review the records directly the supervisors can gain more information such as whether the harasser was also harassing others, whether there was coordination between multiple people, or even if the original shared messages were missing some context which would vindicate the accused harasser. There's a lot of reasons why a real investigation will bring up more information than a simple one sided copy/paste would.
I'd argue that it isn't. I'm not a legal expert, but it seems that it could be argued that direct messages are implied private conversations, and that laws around recording audio implies that private spoken conversations can occur in offices. The fact that direct messages leave a history is merely a side effect that does not suggest that they are any less private than a spoken conversation behind closed doors.
However, I would need to know the actual intent of such laws, which I don't. Let's say that the intent is to allow for private conversations, then that premise also suggests that messages between two individuals(as opposed to ones in a channel) are only intended to be read by those two participants, hence a conversation that is private. Nobody sends direct messages with the intent that they be read by people besides the recipient.
Why would you need a crude one-sided copy and paste? A password, a cookie, or even an API token, can already provide as much information to authorities as would be provided by that of Slack team admins. There is no need for anyone besides the messaging participants and authorities to see someone's DM history, either technically or philosophically.
Well, as you said, you aren't an expert on this and apparently haven't ever been briefed by your company's legal team, and presumably have never been in charge of compliance. So your arguments about how the law works are in this situation pretty useless.
Jumping away from that angle though, there's still a lot of issues with what you are presenting. For one thing you keep referring to "authorities" without defining who those authorities are. If you're referring to the company IT, HR, and Compliance officers then it seems like you agree with us that the information should be available to those people. However, since that would be a bit odd with the rest of the context you're speaking about I'm going to assume you mean authorities in some sort of government or law enforcement sense.
The thing is that authorities rarely get involved in most of the cases where this information is needed. Sexual Harassment is not a criminal offense, it's a civil one- people don't go to jail for it, they lose money from it. Outside of taking reports these types of things are rarely investigated by authorities in that sense, and there are remarkably different burdens of proof for each of those. Most companies (and individuals I would imagine) also don't want to make a legal issue out of work ones if they can help it, which means it is often in everyone's best interest to handle certain types of problems in house.
Now, as for the philosophy aspect of things, as long as companies are responsible for managing their own trade secrets, sexual harassment complaints, and security in general then all company property (which includes conversations on company servers and services) are open to that company. This is why I do not sign up for company phone plans (except when I want a separate company phone and phone number), and why my work computer does not have my personal accounts on it.
I simply would have hoped that Slack wouldn't give too much control to employers when there are already viable ways of providing message history without resorting to copy-paste. It makes for a lousier product, and it would have prevented me from having candid conversations that involved no company secrets or harassment of any kind.
And what if the issue is two employees are using Slack to discuss using a competitors proprietary information on a contract proposal? Or two employees are discussing how to arrange the books so that they don't receive margin calls while trying to hide large trading losses?
You can't depend on everyone being on the up and up.
Replace "are using Slack" with "discussing at the bar across the street from the office" and what changes about the situation? If the company has an obligation to look into something, they have to look into it. They don't necessarily (and in my opinion shouldn't ever) have the need to, say, record audio of everything you ever do. What does the gray-er area of conversation in the break room at the office look like? What about the darker, gray-er area of conversation in the parking lot before you drive home at the end of the day?
My personal opinion, having avoided the MS IM client at work, is that you never say anything in writing that you wouldn't walk into the CEOs office and say to him in person. Chat of any kind, Slack included, is "in writing" and will have the same full force legal effect as email, so who's honestly surprised by this news?
This idea that, because you can't perfectly stop something, you shouldn't try to do it at all is madness. Yes, they could get around it. But in this situation, they're not.
Do you think you will go over every single DM to see if your employees are doing this? That's insane amount of time wasted. How do you think you will capture all of that? AI? Good luck. We had a system in my previous job that highlighted conversations which had keywords and we just abused it by mentioning those keywords constanly in "relevant" contexts. And if you really wanted to get the password (one of the monitored keywords) you'd just say: "Can you give me the details for ..."
You're missing the point. You don't actively monitor it, you record it so that later you can go back and review those conversations in the event you are required to by law. I don't know where you've worked, but this standard in any sizable company, or any involved in particular industries, and is not that difficult to arrange. There are specific legal requirements to keep records of certain types around for 2, 5, 10+ years, whether it's email, chat, file servers, etc. And yes, that includes Slack.
Why do you think Slack is any different than the systems that we have in place already? What makes Slack any different from email? Answer: nothing.
And if Slack didn't do this, they'd eventually find themselves filtered out of nearly every corporate network due to the inherent legal risk.
Doesn't the same logic also apply to internal phone calls?
Or is the main point here about giving access to data that has been collected already and not requiring the business to collect this data.
If for example the used instant messaging solution didn't keep any log files - what problems would arise for the business?
If any arise, why would phones be exempt? Or do businesses in the US really record all internal phone calls?
> If two people want to have a private conversation
You response is based on a false fact: that anything you use official company communication channels for should be considered private.
HR functions can and will access such communication to investigate complaints about behaviour and similar. Compliance and legal functions can and will access such communication to investigate complaints relevant to them. They can, will, and often must provide access to such communication to relevant external bodies (legal authorities, regulators) under some circumstances too. Heck, in some regulated environments compliance functions are required not just to view your communications for specific reasons but to actively monitor them for certain activity (if they fail to do so they could be liable for punishments for a due diligence failing). For instance our email is monitored to block distribution of client data, accidental or otherwise.
If you want a private conversation, use a truly private channel not an employer provided/related one.
> they'll just find another means by which to do it
The fact that people will find away around rules, restrictions, and monitoring, is not a good reason for not implementing such rules, restrictions, and monitoring in the first place.
If the private conversation is in no way a problem then, well, there isn't a problem.
If it is something that would cause the participants trouble if performed over an official channel then when/if the matter does come to light it shows malice of forethought and planning (i.e. that the participants knew they were in the wrong and took specific action to hide their behaviour rather than correct it).
> I would quit a job
In many (most?) industries you would not even get a job without explicitly agreeing to the fact that your communications using employer provided/related services can be accessed by some functions of the organisation and distributed to external authorities, so you would not be in a position to need to quit.
That is only according to some law systems though. It does not work like that at all in many European countries. For instance in France the employer cannot read any private conversation (mail/message) of the employee, even when using work email. And no internal rule can change that (it is a criminal offense). If the employer suspects a leak of information by the employee, they can read the message in presence of the employee and a union member, and only in those circumstances.
> If the employer suspects a leak of information by the employee
or if they suspect any other illegal activity.
Even in EU countries where arbitrary inspection/monitoring is not permitted wholesale, there are exceptions where regulatory or other legal requirements trump privacy. Though often there needs to be sufficient suspicion of something worth looking for, I still wouldn't count that as a truly private channel (nor would I expect my employer to provide me with one).
But as I said even in those cases the employee needs to be present when the employer accesses private messages, in addition to a union member. So as an employer you cannot just sneak in and check what has been said, it has to be public. Which I think greatly mitigates the risk. It is not a secret conversation like you would have between lawyer and client but it is rather private.
>I would quit a job that treated me as a child which must be supervised in such a manner.
Are you replying to the right comment? From the example given, it seems no action was taken until the parties involved proved such supervision was necessary.
No one is watching you or treating you like a child. This is important for security and legal reasons.
Insider threat is a serious, real world problem - consider employee harassment, exfiltrating data, sharing secret information, a compromised slack account DM'ing people malware, etc.
No one wants to read your messages, and it's probably a small set of people that even can.
So what would your solution to the OP's problem be? If harassment is happening, I expect the company has some legal requirement to act. I also expect that you support the company making a safe workplace. How does the company do that if it cannot verify that something is actually going on? Just blindly believe the accuser without confirming if it's true? Just disbelieve the accuser? Tell them to work it out themselves?
> abusing your privileged access to conversations intended to be private (however justified you may consider it to be) will just breed mistrust among employees
Abusing your privileged access?!? You do realize some of us are required to access those communications for a variety of reasons especially because a threat is happening? Also, I don't get a choice when the lawyer shows up and says we need to look at X's account.
> I would quit a job that treated me as a child which must be supervised in such a manner.
Well, that might save me a bit of trouble, but at the point I am asked to look at your account, I get the feeling you are on your way out anyway or will shortly have a lawyer or the police contacting you.
The communication systems you use as an employee are not yours.
While I sympathize with that concern, I do really believe that actively preventing employees from employing natural means of 'private' conversation is squarely in the 'panopticon' sphere of employment. I find it difficult enough that people can be 'owned' for full work weeks as far as their physical presence, but I suppose I'm pragmatic enough to accept that this is the status quo. But the thought that they are actively monitored during this time, preventing them from even private venting and communicating in a way that is not monitored, is much harder to accept.
We're talking about people here. While I personally have never understood how anyone can accept being under the thumb of an employer for such long periods of time out of their productive years, I've learned to see that this is bearable within the relative freedom that this usually entails (complaining about x colleague, grumbling about the boss with the support staff, after-work beers with a manager who grumbles about his manager), I truly cannot understand how one can have a dignified life as an individual when all your forms of communication are being watched by your overlords.
You think I like any of this? Do you really think I get my jollies from looking in someone's e-mail to find a picture they e-mailed another employee that is so far into NSFW that it is sickening. Or the fun of finding out how some employee is plotting with others to make life miserable for someone else? I would prefer people keep their crap off the servers intended to do business.
We have folks here who have argued that a remark at a conference should get someone fired from work. We are talking about something owned and operated by a company that they will be legally liable for unless they are vigilant. Something that hits the press and people will be saying "why didn't the company know?" and "how could they not stop it?".
Yeah, we are talking about people here. Companies get sued and people lose their jobs.
Never mind the professions that absolutely have every communication logged and monitored.
If you want something the company cannot look at then use something outside the company. Its really that simple[1]. Its really simple, if you don't pay for it then it is not yours. If its not your computer then don't expect privacy.
I still cannot understand the folks who want to use stuff from work systems even when they are not work related. Have your own life, interests, and stuff. You are trading your time and work for money. Don't give companies something beyond what they pay for.
I truly cannot understand how one can have a dignified life as an individual when all your forms of communication are being watched by your overlords.
If your place of employment owns all your forms of communication then you have a lot more problems beyond this.
1) well, unless you get into something really nasty and the court discovery orders start flying.
I can't seem to edit my comment, so I'll comment on my comment instead:
To put this in a broader perspective, because I'm tired of the comment-sniping that doesn't seem to lead anywhere:
I find myself already a bit uneasy with the whole idea that an individual can write away their freedom to spend their daylight hours tethered to an employer to the point where their every (productive, sunlit) hour needs to be accounted for.
At the same time I can understand that this is how things are, and we are trying to be human within that sphere, and perhaps for many this is not so bad as long as they can live in a microcosm of society within this world. That includes gossip, complaining, semi-secret conversation, and even romance (while that's often not smart).
I'd really prefer to engage with those who employ and get to dictate the behavior of said employees, instead of comment-sniping where we never bridge that 'gap' between me, a self-employed, individual (because I reject all that), and someone who actively is 'in charge' of people who submit to it.
I do realize that my wording in itself is not neutral, but I hope acknowledging that helps bridge that gap a bit at least. And I have counted those 'in charge' as friends in the past, plus I know I'm not a typical 'person', so I'm open to learning to understand this whole thing.
because an "alleged" threat is happening. Still, cause for gathering evidence, sure.
> I don't get a choice when the lawyer shows up and says we need to look at X's account
And now with this, they'll use a different communication method that you dont have access to and now youre back to square one. The best you can hope for is that theyre ignorant of these changes so you can catch them.
> ... at the point I am asked to look at your account, I get the feeling you are on your way out anyway or will shortly have a lawyer or the police contacting you.
ah, guilty until proven innocent
> The communication systems you use as an employee are not yours.
This is true, and I dont think slack is necessarily wrong in providing this access - but you shouldnt assume that communications that the user doesnt want the company to be privy to is necessarily malicious or illegal.
If you are having legitimate complaints about your job and you want to vent or validate your concerns before proceeding, you might want to have a private conversation with a coworker - and you might legitimately be afraid that your unfiltered, undiplomatic private conversation might be taken out of context or retaliated against.
You made many good points, but I'll take issue with this one:
> If you are having legitimate complaints about your job and you want to vent or validate your concerns before proceeding, you might want to have a private conversation with a coworker - and you might legitimately be afraid that your unfiltered, undiplomatic private conversation might be taken out of context or retaliated against.
If you were retaliated against for your legitimate complaints in private Slack conversations (via firing, harassment, etc) then the records could be subpoenaed for you to prove WHY you were being targeted.
The company isn't a court "alleged" is plenty enough for the company to look at the communication system it pays for to figure out what is going on. It has a communication system to communicate about business.
> And now with this, they'll use a different communication method that you dont have access to and now youre back to square one. The best you can hope for is that theyre ignorant of these changes so you can catch them.
Good, then its security and HR's problem. We tell everyone we own the communications systems (its even in the employee handbook).
> ah, guilty until proven innocent
Yep. Welcome to the corporate environment in the US. Frankly, if they think you used the company e-mail / Slack to do your activity then I don't think we are dealing with Moriarty here.
> but you shouldnt assume that communications that the user doesnt want the company to be privy to is necessarily malicious or illegal.
Then use your own non-company communication system (e.g. text, home e-mail) or go to lunch - how hard is that?
It would make a lot more sense to take your unfiltered and undiplomatic private conversation to a nearby private establishment. If you are remote and can not do this I would simply use a not supplied by work phone. This is for your protection and whoever you bring along to vent. There have been at least two occurrences in my career which have forced my hand on employee communication and in both cases, a blanket refusal was not an option. If you don't want to say something publically don't assume anything your company pays for is private until our society changes its views on where the expectation of privacy exists.
> The communication systems you use as an employee are not yours.
Yes they are. I work as a contractor, remotely, using my own personal equipment, my own personal email account, and either my home internet connection or that of whatever coffee shop or co-working space I happen to be in on any given day. My clients are all located in other cities and countries and lack a physical presence where I live. I've never had any complaints about these arrangements (yes, I do realise I'm very fortunate to be able to work in this manner).
I also work for multiple clients. Allowing one of them access to all my work-related communications would involve violating the confidentiality agreements I've signed with the others. Should I be required to divulge the trade secrets or intellectual property of one client to another to satisfy a corporate IT policy? And if I have a personal conversation with someone, which client(s) should I share that with?
Should I be required to divulge the trade secrets or intellectual property of one client to another to satisfy a corporate IT policy? And if I have a personal conversation with someone, which client(s) should I share that with?
Contractors are always in an odd position, but its pretty logical and a lot easier these days. If I was a contractor again, I would probably put my communications and project files on VM of their own[1]. You should have a procedure to clearly separate your time, communications, and work product for each client. If you are using your company e-mail then separation is well understood by lawyers. I would make sure to have separate Slack accounts per client.
1) This assumes I am not assigned a PC and accounts by the employer because its a staffing position instead of a work product arrangement.
Hope this doesn't sound too harsh but your reply comes off as extremely self-centered. What about looking—at the very least—at it from a legal perspective? It's not like lawsuits and aspects related to discovery haven't been in the tech news lately.
It’s sad how many bullshit decisions were buldozed by “because legal” excuse. By that logic eveything should be recorded everywhere — including bathrooms.
Sure, but then the communication doesn’t happen in the space where your boss is partially responsible for what's happening there.
It’s very simple: use your employers tools and networks only for business stuff, do personal stuff unrelated to work in your own networks and software...
Besides that, just in case you didn’t notice, the original poster did not say hes reading employee private messages for fun, but only to act as law prescribes.
Nobody can or should stop you from finding private spaces to talk to fellow employees -- but you have to provide the space yourself. Slack is part of the work environment being set up for you by your employer, so they're responsible for being able to make sure that it's free of harassment and illegal activity.
> would quit a job that treated me as a child which must be supervised in such a manner.
Then you should be prepared to be permanently out of work.
You are NOT entitled to private communications on company-sanctioned channels. Full Stop. End of story. This isn't an issue of "trust" or having faith in your employees, but this is how business is done.
Hey, don't let the door hit yourself on the way out. There are very valid legal reasons for a business to need at least the option for discovery, e.g., legal suits, fraud, violation of trade secret or export controls, serious employee harassment, etc. This goes for chat just as much as email or anything else electronic. If you think this is "treating you like a child", well, perhaps you are the child.
> If two people want to have a private conversation,
Emphasis is mine. If one person can have a private conversation with an unwilling participant, that is entirely different. I have worked in places with heavy logging requirements, and for sure we created ways to have private conversations. The point is that everyone in these private chats was a willing participant, and could leave if they wanted.
> I would quit a job that treated me as a child which must be supervised in such a manner.
Agreed this can lead to abuse. But investigating employee behavior while using employer provided communication platforms doesn't immediately fall under abuse. No more than police subpoenaing phone records during a criminal investigation would.
I think one of the side-effects of this is that there are other slack teams created to help keep communications among colleagues private-ish. This leads to cliques and tends to isolate new employees who may not yet be in those "teams".
If you're required to be on Slack to do your job, then your employer is obligated to make sure going on Slack is safe and free from harassment. You can't just sign off or block other employees.
I mean, if you're using that capability to harass other employees, as the interns in the story were, then yeah, you deserve to be treated as a child, because you basically are.
