Is Slack good for actually getting your work done? Thats debatable. But the popular messaging platform which now boasts more than 12 million daily active users is definitely a promising medium for employers, regulatory agencies, the government, and even hackers seeking a trove of data about a company and its workers. Even your coworkers could find out more about you than you might expect.
Yes, your employer can get to your private messages. Theyre not the only one.
First off, employers arent necessarily going through your messages to snoop on gossip.
The company may have a duty to preserve and produce that information if youre part of a lawsuit, explains Brad Harris, the vice president of product at Hanzo, a company that provides a third-party, data-preservation app that works in conjunction with Slack. The company may also want to do internal investigations, and through their privacy policies and acceptable use policies, have the right to look at your information.
Harris added, Companies have traditionally had that [right] with email.
Whether and how your boss can export your private messages and private channels depends on a few factors. If your employer is using Slacks free or standard plan you can check this by going through the drop-down menu under your name on the app they need Slacks go-ahead, meaning the company will review your employers request and, if approved, allow the employer to conduct a one-time export. The messaging platform says it will provide that content if a company has gained employees consent, if the company is following a valid legal process, or if theres a right or requirement [to do so] under applicable laws.
For instance, employees in the European Union have the right to certain data collected about them by their employers under the General Data Protection Regulation (GDPR). Companies using a Plus plan also need to apply for approval from Slack to export private communications, but the company can continue using the feature until they decide to turn it off.
Keep in mind that the data downloaded by an employer isnt a mirror image of the actual Slack platform. Instead, workplace data is delivered in ZIP files, which contain a type of data-storing file called JSON. That means content comes up in long lines that resemble code, and includes message text, information about reactions, and even edit history (thats right, your company could retainyour deleted messages). You can see what that data actually looks like on Slacks website, and if you want a quick profile of what data your company might be keeping, go to [yourorganization]
Its also possible that your employer has invested in a higher-level plan, like Enterprise Grid. Those plans work with third-party apps like Hanzo that allow employers to store messages and other information. Companies may need to consistently preserve electronic communications for review by regulatory agencies, such as the Securities and Exchange Commission (SEC) and the Financial Industry Regulation Authority.
Still, Slack expects employers to follow employment agreements, corporate policies, and any relevant laws. For employees, an employers rights to access your data are controlled by your employment agreement and by the laws that govern that not by Slack, said a Slack spokesperson in an email. Employers ultimately own their companys Slack data and are responsible for complying with the laws that govern how they access that data.
Its worth keeping in mind that theres always the manual approach to surveilling employees electronic communications: booting them from their computers while their Slack accounts are still logged in. One boss described this technique in a Y Combinator thread about the investigation of an intern harassment problem.
Law enforcement and legal processes can get your Slacks, too
One route to your private Slack messages being revealed? A lawsuit. Lets say youre suing your former employer for sexual harassment. If you think theres evidence that could help prove your case on Slack inappropriate messages from your boss, for example you can fight for those records to be legally discoverable, meaning your old company will have to produce them. Discussion of Slack data can come up in all sorts of complaints, as it did as part of oneclass action lawsuit against the game developer Activision Blizzard. Discussion of Slack data also came up in a lawsuit against the California-based lighting fixture company Lamps Plus.
The government might also want Slack data as part of other legal processes.
In its most recent transparency report (which was published this week and covers all of 2019), Slack says it received 66 requests from US government entities for both content and metadata, including through search warrants, subpoenas, and civil subpoenas. Only nine of the requests forcontent data were fulfilled by Slack, but in 24 cases, the company provided government entities with other, non-content data, such as information about the date, time, and identities of senders and recipients of messages and files. Keep in mind, those numbers are pretty small; the company said in its last earnings report that it had more than 105,000 organizations paying for its service, and customers can also use the platform for free.
Slack also says it will consider national security requests, though the company says it has yet to receive any. Slack has, however, granted one request for non-content, user data stored in the US from an unnamed foreign government as part of following a mutual legal assistance treaty.
Meanwhile, if you actually work for the government, its possible that your Slack communications are records subject to Freedom of Information Act (FOIA) requests. FOIA is a law that allows nosey members of the public and journalists to request records about government activities, and the government must respond to those requests within 20 business days. FOIA requesters appear to have successfully asked for other Slack-related data, such as a list of team domains used by the governments General Services Administration. We couldnt immediately find an example of when a US FOIA request has led to the release of Slack messages from within a government agency (though some have tried), if only because its unclear how many local, state, and federal government workers are using Slack.
But a search of a federal contracts database reveals that the Department of State, the Department of Defense, the Department of Health and Human Services, and apparently the Ebola team at the US Agency for International Development have all bought technology from the company; the platform has also reportedly been used by NASA. Slack is also being used by a unit of technologists called the US Digital Service based in the presidents office.
Your coworkers can also get info on you, though it may not be that interesting
Do you just have a regular employee Slack account? You can still get some (relatively benign) info on your coworkers via Slack. The first thing you should know is that you can still read all the messages and files that have been posted in public channels before you arrived (unless theyve been deleted). Some companies might have content on their Slack systems set to auto-delete regularly, and those deletion periods can be as short as one day.
But theres a bit you can do through Slacks Analytics tab (go to [yourworkspace] There, you can see how the percentage of messages and views are distributed in direct messages, private channels, and public channels on any given day. In a large office, its not clear if this information would tell you much, but in a smaller company, these statistics might be a way for a boss to check whether theres been a spike in people talking privately. Another interesting thing you can find out through Slack Analytics is which of your coworkers has sent the most messages of all time or in any given month, though its unclear how useful these stats are.
Its important to remember that even if your coworkers or even your boss might not have easy access to your private Slack messages, theres still a lot they can learn about you based on your profile, like your time zone, your contact information, phone number, location, and social media (you might volunteer this information on the platform). You could also find their member ID number, which might not be too revealing, and files that theyve sent by clicking through on their individual profile, which would potentially be more revealing.
Your employer and coworkers alike can also figure out whether youre online, depending on your settings. That little green light? You can manually turn it off. If you dont, Slack tells you if and when youll appear as active, depending on what device youre on and how youre using it. Whether youre actually working hard is entirely up to you. Whether or not your company Slack offers any privacy is, maybe unfortunately, up to your employer.
Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.