Your Slack DMs aren’t as private as you think


Is Slack good for actually getting your work done? That’s debatable. But the popular messaging platform — which boasted more than 12 million daily active users as of last year — is definitely a promising medium for employers, regulatory agencies, the government, and even hackers seeking a trove of data about a company and its workers. Even your coworkers could find out more about you than you might expect.

The number of Slack messages your workplace might be able to access has actually grown as Slack has built out its workplace app. Last year, the company launched a new tool called Slack Connect, which allows different workplaces to share channels on the app. The company announced that the feature was expanded again last month, so anyone could send invitations to direct message to other Slack users — even if they work at another workplace (whether users can actually send and accept these invites depends on whether their workplace has put in restrictions). But just because you’re messaging someone at a different workplace doesn’t mean your boss couldn’t necessarily see the messages you send.

[Image: Here’s what an initial version of Slack’s direct message function looks like. Credit: Slack]

Yes, your employer can get to your private messages. They’re not the only one.

First off, employers aren’t necessarily going through your messages to snoop on gossip.

“The company may have a duty to preserve and produce that information if you’re part of a lawsuit,” explained Brad Harris, vice president of product at Hanzo, a company that provides a third-party, data-preservation app that works in conjunction with Slack, last year. “The company may also want to do internal investigations, and through their privacy policies and acceptable use policies, have the right to look at your information.”

Harris added, “Companies have traditionally had that [right] with email.” Slack’s rolling out its direct message feature didn’t change much, though. “Clearly, the adage of ‘Don’t write anything in an email that you wouldn’t want to see on the front page of the Wall Street Journal’ applies to your use of Slack too,” Harris told Recode in March of this year.

Whether and how your boss can export your private messages and private channels depends on a few factors. If your employer is using Slack’s free or standard plan (you can check this by going through the drop-down menu under your name on the app), they need Slack’s go-ahead, meaning the company will review your employer’s request and, if approved, allow the employer to conduct a one-time export. The messaging platform says it will provide that content if a company has gained employees’ consent, if the company is following a “valid legal process,” or if there’s a “right or requirement [to do so] under applicable laws.”

For instance, employees in the European Union have the right to certain data collected about them by their employers under the General Data Protection Regulation (GDPR). Companies using a Plus plan also need to apply for approval from Slack to export private communications, but the company can continue using the feature until they decide to turn it off.

Keep in mind that the data downloaded by an employer isn’t a mirror image of the actual Slack platform. Instead, workplace data is delivered in ZIP files, which contain a type of data-storing file called JSON. That means content comes up in long lines that resemble code, and includes message text, information about reactions, and even edit history (that’s right, your company could retain your deleted messages). You can see what that data actually looks like on Slack’s website, and if you want a quick profile of what data your company might be keeping, go to [yourorganization].slack.com/account/workspace-settings#retention.
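To make the export format described above concrete, here is an added example (not code from the article or from Slack) that unpacks a workspace export ZIP and inventories what it reveals: how many messages each channel holds, who wrote them, and how many carry edit history or reactions. The sample export is constructed in memory; its `<channel>/<date>.json` layout and the `text`, `user`, `ts`, `edited` and `reactions` field names follow Slack’s published export format, but the message contents and user IDs are made up for the example, and the exact field names are an assumption you should check against a real export.

```python
import io
import json
import zipfile
from collections import Counter

# Constructed sample export: entries mirror the <channel>/<YYYY-MM-DD>.json
# layout of a Slack workspace export. Field names follow Slack's published
# export format (an assumption worth checking against a real export);
# the messages, users and timestamps themselves are made up.
SAMPLE_MESSAGES = {
    "general/2021-03-01.json": [
        {"type": "message", "user": "U001", "ts": "1614556800.000100",
         "text": "Morning all"},
        {"type": "message", "user": "U002", "ts": "1614556900.000200",
         "text": "Draft is ready",
         # An edited message keeps an "edited" record in the export
         "edited": {"user": "U002", "ts": "1614557000.000000"},
         "reactions": [{"name": "thumbsup", "users": ["U001"], "count": 1}]},
    ],
    "dm-U001-U003/2021-03-02.json": [
        {"type": "message", "user": "U003", "ts": "1614643200.000300",
         "text": "Can we talk privately?",
         "edited": {"user": "U003", "ts": "1614643300.000000"}},
    ],
}


def build_sample_export() -> bytes:
    """Pack the constructed sample into an in-memory ZIP file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, messages in SAMPLE_MESSAGES.items():
            zf.writestr(name, json.dumps(messages))
    return buf.getvalue()


def inventory_export(zip_bytes: bytes) -> dict:
    """Summarise what an export reveals: total messages, per-channel and
    per-author counts, and how many messages carry edit history or
    reactions. Root-level files such as users.json are skipped because
    they are not message files."""
    summary = {"messages": 0, "edited": 0, "with_reactions": 0,
               "channels": Counter(), "authors": Counter()}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".json") or "/" not in name:
                continue
            channel = name.split("/", 1)[0]
            with zf.open(name) as fh:
                messages = json.load(fh)
            for msg in messages:
                if msg.get("type") != "message":
                    continue
                summary["messages"] += 1
                summary["channels"][channel] += 1
                summary["authors"][msg.get("user", "unknown")] += 1
                if "edited" in msg:
                    summary["edited"] += 1
                if msg.get("reactions"):
                    summary["with_reactions"] += 1
    return summary


if __name__ == "__main__":
    # Counter is a dict subclass, so json.dumps can serialise the summary.
    print(json.dumps(inventory_export(build_sample_export()), indent=2))
```

Running the script against a real export instead of the constructed one only requires reading the ZIP from disk and passing its bytes to `inventory_export`; the point is that the per-author counts and the `edited` tally come straight out of the archive, with no Slack account needed to read them.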

This all applies to direct messages you might send to someone outside your workplace, too.

“Administrators can see that there is a relationship between their organization and another via the Connections view,” a Slack spokesperson told Recode. “The same controls an administrator has put in place for Slack Connect channels shared with external organizations applies to Slack Connect DMs.”

It’s also possible that your employer has invested in a higher-level plan, like Enterprise Grid. Those plans work with third-party apps like Hanzo that allow employers to store messages and other information. Companies may need to consistently preserve electronic communications for review by regulatory agencies, such as the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority.

Still, Slack expects employers to follow employment agreements, corporate policies, and any relevant laws. “For employees, an employer’s rights to access your data are controlled by your employment agreement and by the laws that govern that — not by Slack,” said a Slack spokesperson in an email. “Employers ultimately own their company’s Slack data and are responsible for complying with the laws that govern how they access that data.”

manual approach to surveilling employees’ electronic communications: booting them from their computers while their Slack accounts are still logged in. One boss described this technique in a Y Combinator thread about the investigation of an intern harassment problem.

Law enforcement and legal processes can get your Slacks, too

One route to your private Slack messages being revealed? A lawsuit. Let’s say you’re suing your former employer for sexual harassment. If you think there’s evidence on Slack that could help prove your case (inappropriate messages from your boss, for example), you can fight for those records to be legally “discoverable,” meaning your old company will have to produce them. When Slack rolled out the DM feature allowing people to message others outside their organization in March, the tool was criticized because it could enable harassment, and the backlash forced Slack to make some tweaks to the tool.

Discussion of Slack data can come up in all sorts of complaints, as it did as part of one class-action lawsuit against the game developer Activision Blizzard. Discussion of Slack data also came up in a lawsuit against the California-based lighting fixture company Lamps Plus.

The government might also want Slack data as part of other legal processes.

In its most recent transparency report (which covers 2020), Slack says it received 38 requests from US government entities for both content and metadata, including through search warrants, subpoenas, and court orders. Only 10 of the requests for content data were fulfilled by Slack, but in 22 cases, the company provided government entities with other, non-content data, such as information about the date, time, and identities of senders and recipients of messages and files. Keep in mind, those numbers are pretty small; the company said in its last earnings report that it had more than 150,000 organizations paying for its service, and customers can also use the platform for free.

Slack also says it will consider “national security requests,” though the company says it has yet to receive any. In 2019, Slack granted one request for non-content, user data stored in the US from an unnamed foreign government as part of following a mutual legal assistance treaty.

Meanwhile, if you actually work for the government, it’s possible that your Slack communications are records subject to Freedom of Information Act (FOIA) requests. FOIA is a law that allows nosy members of the public and journalists to request records about government activities, and the government must respond to those requests within 20 business days. FOIA requesters appear to have successfully asked for other Slack-related data, such as a list of team domains used by the government’s General Services Administration. We couldn’t immediately find an example of when a US FOIA request has led to the release of Slack messages from within a government agency (though some have tried), if only because it’s unclear how many local, state, and federal government workers are using Slack.

But a search of a federal contracts database reveals that the Department of State, the Department of Defense, the Department of Health and Human Services, and apparently the “Ebola team” at the US Agency for International Development have all bought technology from the company; the platform has also reportedly been used by NASA. Slack is also being used by a unit of technologists — called the US Digital Service — based in the president’s office.

Your coworkers can also get info on you, though it may not be that interesting

Do you just have a regular employee Slack account? You can still get some (relatively benign) info on your coworkers via Slack. The first thing you should know is that you can still read all the messages and files that have been posted in public channels before you arrived (unless they’ve been deleted). Some companies might have content on their Slack systems set to auto-delete regularly, and those deletion periods can be as short as one day.

But there’s a bit you can do through Slack’s Analytics tab (go to [yourworkspace].slack.com/stats). There, you can see how the percentage of messages — and views — are distributed in direct messages, private channels, and public channels on any given day. In a large office, it’s not clear if this information would tell you much, but in a smaller company, these statistics might be a way for a boss to check whether there’s been a spike in people talking privately. Another interesting thing you can find out through Slack Analytics is which of your coworkers has sent the most messages of all time or in any given month, though it’s unclear how useful these stats are.

It’s important to remember that even if your coworkers or even your boss might not have easy access to your private Slack messages, there’s still a lot they can learn about you based on your profile, like your time zone, your contact information, phone number, location, and social media (you might volunteer this information on the platform). You could also find their member ID number, which might not be too revealing, and files that they’ve sent by clicking through on their individual profile, which would potentially be more revealing.

Your employer and coworkers alike can also figure out whether you’re online, depending on your settings. That little green light? You can manually turn it off. If you don’t, Slack tells you if and when you’ll appear as “active,” depending on what device you’re on and how you’re using it. Whether you’re actually working hard is entirely up to you. Whether or not your company Slack offers any privacy is, maybe unfortunately, up to your employer.

Update, Friday, April 2, 11 am ET: This piece was updated to include information about Slack’s newest feature and transparency report.


Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.
