I hate to tell you this but if you would quit a job for this reason you probably can't work in the US. The US has laws about corporate compliance, and it has requirements for things like dealing with sexual harassment. There is no such thing as a "private conversation" that takes place over a corporate network.
For example, in the US sexual harassment is taken seriously. If a company gets a complaint of sexual harassment on Slack they are legally obligated to look into it, and if they refuse to, the individual managers could personally be held liable for it. This includes situations where the person being harassed isn't directly in the conversation - the above example of harassment over Slack could have evidence of coordination in a different private channel than the ones the harassment target is in.
> There is no such thing as a "private conversation" that takes place over a corporate network.
It's a tech issue, cultural issue, and a legal issue, but it's harmful that we seem to be forgetting the wisdom of discretion as life becomes more digitized. If the law or culture says "no expectation of discretion", they're just wrong and likely hypocritical.
It's healthy, normal, and appropriate to tell specific things to specific people. If we're worried about abuse, there are other solutions to those problems, like letting the harassed share the conversation later, which they can already do, with screenshots if nothing else.
Discretion still has its place, but that's different from privacy and compliance.
Most admins aren't going to spend all day reading other people's conversations, and good companies have explicit policies as to when they will do so. The thing we're discussing here isn't whether companies should spy on everything their employees do- it's about what happens when an issue does occur where they do need to look into things.
I would not work for a company where I thought my managers were looking over my shoulder at every single thing I was doing, but at the same time I would not refuse to work for a company just because they could look into my conversations if I was accused of wrongdoing.
People are also ignoring another aspect of this- if a company does get sued by an outside party they have to make internal data available through discovery. These laws about corporate compliance also exist to make it so corporations can be held accountable.
> Discretion still has its place, but that's different from privacy and compliance.
It should be, but often digital tools obliterate discretion in the service of compliance or even just monitoring employee work habits.
> I would not refuse to work for a company just because they could look into my conversations if I was accused of wrongdoing.
A healthy workplace needs to solve the underlying issue, here. But there are simple ways (i.e., asking or ordering the employee to send you conversation transcripts) to get the information needed. Managers and compliance officers are reluctant to let the investigated employees know they're being investigated, which I understand, but I don't think throwing out discretion-oriented communication is worth the benefits there.
> But there are simple ways (i.e., asking or ordering the employee to send you conversation transcripts) to get the information needed.
Are you serious? So, someone accuses an employee of abuse and you casually stroll by and ask them to send relevant conversations your way? And you expect them to comply without cheating? Why don't we try this approach with other misdeeds, for example, when someone complains about theft, we just ask thieves to come by the police station with the stuff they stole. Do you think that would work?
Before tech, witness testimony was the same thing.
Old boys club keeps it "verbal only", but someone blows the whistle and testifies regarding the conversation.
Technology didn't change anything. You can't have a private conversation at work. Period end of story. If you manage to conceal your communications, not only could you be violating laws (depending on your industry and relevant regulations) but you're likely violating corporate policy and in need of corrective actions.
It's a liability problem for a company if employees are circumventing documentation and potentially covering up crimes.
The way I see it, you have three options:
* Be rich enough to not work
* Get paid by someone who accepts the liability of your work and has the legal right to all of your business communications
* Be the guy paying other people who accepts liability for their work and has the legal right to their business communications
Spoiler, even if you're the last guy, chances are there's lawyers doing the same thing to you.
I was talking about discretion, not privacy. Those are two different things. Discretion is controlled sharing of thoughts, ideas, and information. Marking documents "trade secret" is an example of discretion. Trade secrets are not private information.
I'm not arguing that information should be unavailable when a warrant or subpoena requires disclosure. I'm arguing that doing the digital equivalent of bugging every conference room in the building is a toxic thing to do, culturally. If the law compels the bugged rooms, we have bad laws on the books.
Two employees need to be able to have a healthy, discreet conversation about working with the boss without having to worry about a transcript of the conversation popping up in a performance evaluation later in the year.
> Two employees need to be able to have a healthy, discreet conversation about working with the boss without having to worry about a transcript of the conversation popping up in a performance evaluation later in the year.
If you are worried about this, the issue isn't Slack. I don't worry about my boss reading my Slack DMs - I'm well aware of what process would be involved there (my boss would be fired immediately, and wouldn't even have access without Legal involved). If you're worried about your company 'snooping' on you that's an underlying, unrelated problem.
Note that there's also a difference between work-mandated communication channels (for which there is no "opt-in"--there is a directory with your email address, you're on the list of Slack users, etc) and channels outside of work that you can opt into and out of (you can not give your personal number when the company is big enough for that to be an option, block people when they abuse it, not reciprocate keybase follows or leave signal chat groups, etc). A channel that is mandated to be kept open loses some discretion for its users, and the loss of power has to be compensated in some way.
(This is the more charitable way of looking at it, obviously. There are plenty of other reasons things are the way they are, and they aren't all good for us, there is just also this)
> A channel that is mandated to be kept open loses some discretion for its users, and the loss of power has to be compensated in some way.
Yeah, I was hinting at that a bit. I think tools like Snapchat and encrypted chat clients are reaching for discreet and healthy digital relationships. A lot of the conversation about these tools is about privacy, which is really something else. How someone looks naked is often private. How that biopsy turned out should be shared with people, just discreetly.
That line of reasoning makes no sense. If that were true, then states like California couldn't make it illegal for companies to eavesdrop on their employees (e.g. recording audio, bugging offices). But allowing companies to read direct messages is very, very similar.
Also, what's preventing a victim of harassment from handing over the offending messages? I don't see how this helps anyone.
Recording audio and bugging offices is a completely different matter than reading through already preserved text that exists on company infrastructure (email or slack conversations). The records already exist in the case we're talking about.
Presumably the victim would share the harassing messages, but by being able to review the records directly the supervisors can gain more information such as whether the harasser was also harassing others, whether there was coordination between multiple people, or even if the original shared messages were missing some context which would vindicate the accused harasser. There's a lot of reasons why a real investigation will bring up more information than a simple one sided copy/paste would.
I'd argue that it isn't. I'm not a legal expert, but it seems that it could be argued that direct messages are implied private conversations, and that laws around recording audio imply that private spoken conversations can occur in offices. The fact that direct messages leave a history is merely a side effect that does not suggest that they are any less private than a spoken conversation behind closed doors.
However, I would need to know the actual intent of such laws, which I don't. Let's say that the intent is to allow for private conversations, then that premise also suggests that messages between two individuals (as opposed to ones in a channel) are only intended to be read by those two participants, hence a conversation that is private. Nobody sends direct messages with the intent that they be read by people besides the recipient.
Why would you need a crude one-sided copy and paste? A password, a cookie, or even an API token, can already provide as much information to authorities as would be provided by that of Slack team admins. There is no need for anyone besides the messaging participants and authorities to see someone's DM history, either technically or philosophically.
Well, as you said, you aren't an expert on this and apparently haven't ever been briefed by your company's legal team, and presumably have never been in charge of compliance. So your arguments about how the law works are in this situation pretty useless.
Jumping away from that angle though, there's still a lot of issues with what you are presenting. For one thing you keep referring to "authorities" without defining who those authorities are. If you're referring to the company IT, HR, and Compliance officers then it seems like you agree with us that the information should be available to those people. However, since that would be a bit odd with the rest of the context you're speaking about I'm going to assume you mean authorities in some sort of government or law enforcement sense.
The thing is that authorities rarely get involved in most of the cases where this information is needed. Sexual Harassment is not a criminal offense, it's a civil one- people don't go to jail for it, they lose money from it. Outside of taking reports these types of things are rarely investigated by authorities in that sense, and there are remarkably different burdens of proof for each of those. Most companies (and individuals I would imagine) also don't want to make a legal issue out of work ones if they can help it, which means it is often in everyone's best interest to handle certain types of problems in house.
Now, as for the philosophy aspect of things, as long as companies are responsible for managing their own trade secrets, sexual harassment complaints, and security in general then all company property (which includes conversations on company servers and services) is open to that company. This is why I do not sign up for company phone plans (except when I want a separate company phone and phone number), and why my work computer does not have my personal accounts on it.
I simply would have hoped that Slack wouldn't give too much control to employers when there are already viable ways of providing message history without resorting to copy-paste. It makes for a lousier product, and it would have prevented me from having candid conversations that involved no company secrets or harassment of any kind.
And what if the issue is two employees are using Slack to discuss using a competitor's proprietary information on a contract proposal? Or two employees are discussing how to arrange the books so that they don't receive margin calls while trying to hide large trading losses?
You can't depend on everyone being on the up and up.
Replace "are using Slack" with "discussing at the bar across the street from the office" and what changes about the situation? If the company has an obligation to look into something, they have to look into it. They don't necessarily (and in my opinion shouldn't ever) have the need to, say, record audio of everything you ever do. What does the gray-er area of conversation in the break room at the office look like? What about the darker, gray-er area of conversation in the parking lot before you drive home at the end of the day?
My personal opinion, having avoided the MS IM client at work, is that you never say anything in writing that you wouldn't walk into the CEO's office and say to him in person. Chat of any kind, Slack included, is "in writing" and will have the same full force legal effect as email, so who's honestly surprised by this news?
This idea that, because you can't perfectly stop something, you shouldn't try to do it at all is madness. Yes, they could get around it. But in this situation, they're not.
Do you think you will go over every single DM to see if your employees are doing this? That's an insane amount of time wasted. How do you think you will capture all of that? AI? Good luck. We had a system in my previous job that highlighted conversations which had keywords and we just abused it by mentioning those keywords constantly in "relevant" contexts. And if you really wanted to get the password (one of the monitored keywords) you'd just say: "Can you give me the details for ..."
You're missing the point. You don't actively monitor it, you record it so that later you can go back and review those conversations in the event you are required to by law. I don't know where you've worked, but this is standard in any sizable company, or any involved in particular industries, and is not that difficult to arrange. There are specific legal requirements to keep records of certain types around for 2, 5, 10+ years, whether it's email, chat, file servers, etc. And yes, that includes Slack.
Why do you think Slack is any different than the systems that we have in place already? What makes Slack any different from email? Answer: nothing.
And if Slack didn't do this, they'd eventually find themselves filtered out of nearly every corporate network due to the inherent legal risk.
Doesn't the same logic also apply to internal phone calls?
Or is the main point here about giving access to data that has been collected already and not requiring the business to collect this data?
If for example the used instant messaging solution didn't keep any log files - what problems would arise for the business?
If any arise, why would phones be exempt? Or do businesses in the US really record all internal phone calls?