Slack Now Letting Employers Tap Workers' Private Chats
itwbennett writes: Chat app maker Slack is hoping to make inroads in the enterprise with a new paid plan that will include an optional feature called Compliance Exports that will let administrators access their team's communications, encompassing public and private messages. The tool is far-reaching, potentially including the edit history for workers' messages as well as messages workers have marked for deletion, if the supervisor so desires.
Re: (Score:3)
Most Americans wouldn't recognise a welfare state if it walked up to them and handed them its ID.
Re: (Score:1)
You are welcome to all the wealth that is purely the product of you or others who have voluntarily co-operated with you.
Of course, this does mean you are not allowed to own land. Or make use of any raw materials. So you won't have a house, you won't have food, and you won't be able to eat. But at least you'll be able to live without redistribution of wealth!
Hint: You don't have any rights to any property that aren't granted communally, under license. If you reject that license, you reject making use of anyt
Not a good name for enterprise (Score:2)
Wouldn't "Work Hard" be a better name for your app?
Re: (Score:3)
> Wouldn't "Work Hard" be a better name for your app?
Product names should be descriptive. How about Quisling? ... or Canary? ... Stool Pigeon? ... Rat? ... Grass?
If it's not your computer (Score:2)
it's a good idea to assume it's not private.
Pretty good idea if it is your computer (Score:3)
to still assume it's not private.
The only secure computer is one that is disconnected from the net, turned off, and cased in concrete and even then I wouldn't be sure.
Re: (Score:2)
You forgot "sunk at the bottom of the Marianas Trench". :)
Re: (Score:2)
You think he doesn't?
Re: (Score:2)
Nobody talked about "secure" computers. If you are not using your OWN computer and your OWN network, you'd better assume it can be tampered with (and even so, let's not get started on ISPs or malware for espionage). More so when using computers at work. The computers and the network belong to your employer.
Woosh
Re: (Score:2)
The network shouldn't matter unless you count installing some shiny Cisco app or accepting company's CA as "network setup".
Re: (Score:2)
Yes you can monitor stuff even with TLS, but that's far less than without encryption. So my company knows that my smartphone connects to whattsapp.com on port 443 and exchanges 2kb of information.
Re: (Score:2)
The trick is that to use your device in the corporate network you need to install the company's CA-certificate. You need to do that or you can not use . Now as it just happens the gateway router is also a transparent HTTPS proxy that issues certificates for the domains it MITMs using that said CA-cert. You can't do much (in the US), since you agreed to the usage terms, that included "monitoring for anomalous behavior".
Re: (Score:2)
Stupid angle bracket removal....
You need to do that or you can not use "vital bureaucratic web service".
Re: (Score:2)
Logging actions. Sure.
Reading my email? OK
Wiretapping my phone? OK
========= LIMIT =========
Sending emails in my name? False Personation.
Where is the limit?
Banks' Compliance departments require the first three (SEC rules) at work -- including work mobile phone. I drew the line for you.
By the way, false (im)personation can be qualified as a felony in some states in the US.
Re: (Score:3)
it is, though, I think this is amusing in a way as, where I work we have an internal messaging solution, but we are actually expressly forbidden from turning on logging because well...if we are using im for work, then likely important and confidential information goes over that channel, which is fine being both internal and encrypted to the endpoint but.... if we log, it means that information sitting around in logs, which is a liability since it would be yet one more source of confidential information that
Re: (Score:2)
This.
For the curious, Google, "discoverable in litigation."
Discovery nightmare (Score:5, Insightful)
I think if I were in Legal I'd nix this instantly as a discovery nightmare in the making. Employees start to say a lot of things, reconsider and rephrase or outright rewrite before sending the message. Often the message they didn't send is exactly the kind of thing the opponent in a lawsuit is looking for and exactly what you don't want to have to give them. If your compliance monitoring application will let you store and view those unsent, often inappropriate or ill-conceived, messages then you're going to have to cough them up during discovery or during any investigation by regulators. Worse, if any of them get out through other channels you've weakened your defense against a claim that you knew or ought to have known about them since they're in your compliance system. Better to only record the stuff that was actually sent and not have to explain your employees' private opinions.
As far as monitoring of sent messages goes, the first rule is "If you're on someone else's network, they can see everything you do.". Or, to quote Pitr, "God, root, what is difference?". If you're on the company network, don't say anything you don't want the company becoming aware of. If you need to express a private opinion without putting it on the record, do it face-to-face and verbally (especially if it involves an unflattering opinion of someone with the authority to get you fired).
Re: (Score:2, Interesting)
> If your compliance monitoring application will let you store and view those unsent, often inappropriate or ill-conceived, messages then you're going to have to cough them up during discovery or during any investigation by regulators.
That is exactly the point. The 'compliance' refers to compliance with the regulators/regulations.
I work for a company that provides call and SMS recording solutions to banks where they can record the phone calls and text messages sent and received by their employees on their mobile phones. This doesn't mean all employees, it's just those in certain positions like traders.
Doing so is an FSA requirement - banks *must* do this in order to gather the evidence that can prove or disprove that traders are involved
Re: (Score:2)
I think this is a new level. Considering they can see pre-drafts, edits, etc. which previously were lost and all you saw was what was sent or saved.
It may be suitable for banks, but it is going to raise the cost of business for everyone.
It's probably overkill for many businesses AND will simply drive people who have ill intent to other communications methods.
Re: (Score:2)
> If your compliance monitoring application will let you store and view those unsent, often inappropriate or ill-conceived, messages then you're going to have to cough them up during discovery or during any investigation by regulators.
> That is exactly the point. The 'compliance' refers to compliance with the regulators/regulations.
> I work for a company that provides call and SMS recording solutions to banks where they can record the phone calls and text messages sent and received by their employees on their mobile phones. This doesn't mean all employees, it's just those in certain positions like traders.
> Doing so is an FSA requirement - banks *must* do this in order to gather the evidence that can prove or disprove that traders are involved in things they shouldn't such as insider trading, libor rate fixing etc. The bank has a team that is responsible for monitoring those communications and preparing reports for the FSA proving they are recording these communications as required (which is essentially showing you have a recording of every call made/received).
> This is just an IM platform catering to that market.
Of course, the beauty of all these systems is whenever the SEC asks for emails, they are often "missing" due to backup or archiving mishaps. The fact that the penalty for not producing the emails is significantly less than the penalty for financial misconduct is purely coincidental.
Re: (Score:2)
Your network security team can already see everything you do on your computer. They can literally watch a live view of your desktop. They can log into your email. They can capture all of your network traffic at the firewall and view it via wireshark. And since it's THEIR computer and network, they can take the SSL keys you used and decode your HTTPS traffic as well. Nothing you do on a work computer is private at all.
But, they don't generally do all of this unless they have a reason to. If you missed your
Re: (Score:2)
> But, they don't generally do all of this unless they have a reason to.
Which is different from a program that captures and saves all of the messaging data.
Reading comprehension bro, do you even?
What about capture don't you understand? Capturing every bit of data that leaves your computer is a 2 to 4 word command. Later you take the log file, grep it for interesting bits and you have everything you want. Including encrypted traffic. So next time, shut your mouth and do some research before you decide to get all snotty and post Anon.
I find it ironic that you think posting anon gives you any sense of anonymity on slashdot. lol
Re: (Score:1)
> Your network security team can already see everything you do on your computer.
Well, practically everything. Except on machines where they control the BIOS, they can't tell what happens if I power off, disconnect the network cable, and boot up with another device.
They also can't tell if I use the monitor as a place to hold the sticky note with my password on it. Now, the security team that comes around at night checking for sticky notes with passwords on the other hand....
Re: (Score:2)
>As far as monitoring of sent messages goes, the first rule is "If you're on someone else's network, they can see everything you do."
That might apply in the US. The first rule in the EU is that they can see only what they've informed you they want to see, and only if doing that is proportionate. You can't in general snoop just because you own the wires.
Re: (Score:2)
Not to be picky, but I think you're confusing "can" and "are allowed to". "can" has to do with being physically and technically able to. "are allowed to" involves things like "Is it legal?" and "Have the sysadmins been ordered to?". The admins may not for example be legally allowed to just record and scan your IM sessions for no reason, but if diagnosing a weird network problem requires capturing traffic on the wire your packets will get caught and get included in the logs regardless of what the law says (s
So what? (Score:2)
What, we don't think that Lync and everything else that offers a chat server in your own rack can't be configured to do this?
Hell, at my last office, they were feeding all our VoIP calls through this SIGINT app [verint.com]; the only reason I found out was because I was copied in on ICT change reports for operational reasons and one of the changes was they moved the storage for the VoIP calls to another server.
Presume that you're being watched. You likely are, by someone.
Save Money (Score:2)
Sounds like an interesting way to make employees pay for their own to be used during work hours and toss the company phone in a drawer. A very cunning way to save company mobile phone call costs and make the employees pay for them ;D.
Chat is terrible hellscape (Score:2)
Internet chat is a terrible hellscape and it's saddened me for almost two decades.
Unlike email and the web, the dominant systems for instant messaging have been proprietary forever. Sure, XMPP exists, but nobody uses it. There was a chance when Google Talk was using it, but ever since Google stopped federating, that's basically fucked.
Now we're seeing the slow death of IRC too at the hands of better but more proprietary user experiences being offered by Skype and Slack.
And it's easy to see why too. The prop
Re: (Score:3)
> Sure, XMPP exists, but nobody uses it.
My employer does. It's the official office chat platform. The workstations come with Miranda on them and it's run from a network drive so your profile roams with you.
> If IRC and XMPP are ever going to be competitive with the new proprietary guys in town, it needs to get competitive on the usability front.
Why must everything be a competition to gain share? IRC isn't going anywhere. The people using IRC now are using other chat clients along side it. Or they aren't. There's no reason XMPP or IRC can't continue to exist in their own little niches just because more people use Slack/Skype/$currenthypedmessagingprotocol. People still use newsgroups f
Re: (Score:2)
> It matters, because every time I start a project with a few new people, it's a huge pain to get everyone on the same network, and that is even before any issues with needing to add each other as contacts, voice/video communication, file sharing. It's a giant hassle.
If the platform you're using is hampering your work, and if XMPP has advantages over other platforms for your issues, you should be making the business case for this to whoever picked what you're using. If the other guys have something else they're using and they're resistant to change, then that sounds like a people issue, not a software issue. Wishing everyone had the same preference as you to make your life easier is futile. Depending on how often this comes up, maybe the person really using the "wrong"
Re: (Score:2)
> Now we're seeing the slow death of IRC too at the hands of better but more proprietary user experiences being offered by Skype and Slack.
> And it's easy to see why too. The proprietary chat tools out there like Slack are absolutely incredible user experiences.
> If IRC and XMPP are ever going to be competitive with the new proprietary guys in town, it needs to get competitive on the usability front.
I think Slack is built on IRC, I use a bouncer and whatever IRC client I have handy to connect to our work Slack.
IRCCloud [irccloud.com] is putting a pretty face on IRC, if they would offer the Slack integrations they could be a real competitor.
shortsighted (Score:2)
> The company hopes to attract more businesses with the optional feature
They seemed to have forgotten the part where the employee has to choose to use it. I wouldn't be surprised if they lose all their users in a month's time to a similar application that isn't spyware.
Re: (Score:2)
Yeah, because employees totally stopped using email because employers can and do archive it and read it when/if they want to.
lol (Score:2)
"They're going to 'allow' us? hahahaha!" said your network security guy while reading this story live from your browser via remote desktop while simultaneously capturing all of your http requests via packet capture at the firewall.
They are expanding to other markets... (Score:2)
... not exploiting existing ones, at least not intentionally. This is a requirement for places like financial firms that have to show there was no insider trading going on, so phone calls and messaging systems have to have full logs. Every other system is simply banned for compliance. So if Slack wants to be used in those companies, they have to have this capability.
Seems like a story of company expansion more than privacy being exploited, but of course, like others say, if it's not on your computer, don't
Yeah (Score:2)
Face to face chats (Score:1)
This will push people to have more face to face chats, and only post online politically correct chats.
Maybe this is not so bad.
my 2 cents
Re: (Score:1)
That's what I thought too, at first glance. Didn't know the other 'Slack' yet.
Traders fixing Libor, FX rates, etc? (Score:2)
You can already do this (Score:2)