Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Communications Businesses Privacy Software

Slack Now Letting Employers Tap Workers' Private Chats 79

itwbennett writes: Chat app maker Slack is hoping to make inroads in the enterprise with a new paid plan that will include an optional feature called Compliance Exports that will let administrators access their team's communications, encompassing public and private messages. The tool is far-reaching, potentially including the edit history for workers' messages as well as messages workers have marked for deletion, if the supervisor so desires.
This discussion has been archived. No new comments can be posted.

Slack Now Letting Employers Tap Workers' Private Chats

Comments Filter:
  • Wouldn't "Work Hard" be a better name for your app?

    • Wouldn't "Work Hard" be a better name for your app?

      Product names should be descriptive. How about Quisling? ... or Canary? ... Stool Pigeon? ... Rat? ... Grass?

  • it's a good idea to assume it's not private.

    • to still assume it's not private.

      The only secure computer is one that is disconnected from the net, turned off, and cased in concrete and even then I wouldn't be sure.

      • You forgot "sunk at the bottom of the Marianas Trench". :)

      • by ruir ( 2709173 )
        Nobody talked about "secure" computers. If you are not using your OWN computer and your OWN network, youd better assume it can be tampered with (and even so, lets not get started on ISPes or malware for espionage). More so when using computers at work. The computers and the network belong to your employer.
        • Nobody talked about "secure" computers. If you are not using your OWN computer and your OWN network, youd better assume it can be tampered with (and even so, lets not get started on ISPes or malware for espionage). More so when using computers at work. The computers and the network belong to your employer.

          Woosh

          • by ruir ( 2709173 )
            fuck you too. Have you heard about stressing out something that was just said and figures of speech? Damn kids...
        • The network shouldn't matter unless you count installing some shiny cisco app or accepting companie's CA as "network setup".

          • by ruir ( 2709173 )
            You should seriously revise your [cynic mode on] I do not even have an idea why people use Tor [off]. And in the corporate word, often you have not a say own your work station is installed of which certificates come with the default setup. Or what people is logged besides you. And besides passive surveillance, there are more nefarious activities to worry about. ( https://www.eff.org/wp/detecti... [eff.org] ) Packet interception, DNS interception, packet sniffing, man in the middle attacks, logging all your network ac
            • Yes you can monitor stuff even with TLS, but that's far less than without encryption. So my company knows that my smartphone connects to whattsapp.com on port 443 and exchanges 2kb of information.

              • by rioki ( 1328185 )

                The trick is that to use your device in the corporate network you need to install the company's CA-certificate. You need to do that or you can not use . Now as it just happens the gateway router is also a transparent HTTPS proxy that issues certificate for the domains it MITM using that said CA-cert. You can't do much (in the US), since you agreed to the usage terms, that included "monitoring for anomalous behavior".

                • by rioki ( 1328185 )

                  Stupid angle bracket removal....

                  You need to do that or you can not use "vital bureaucratic web service".

    • by TheCarp ( 96830 )

      it is, though, I think this is amusing in a way as, where I work we have an internal messaging solution, but we are actually expressly forbidden from turning on logging because well...if we are using im for work, then likely important and confidential information goes over that channel, which is fine being both internal and encrypted to the endpoint but.... if we log, it means that information sitting around in logs, which is a liability since it would be yet one more source of confidential information that

  • by Todd Knarr ( 15451 ) on Tuesday November 25, 2014 @03:41AM (#48455927) Homepage

    I think if I were in Legal I'd nix this instantly as a discovery nightmare in the making. Employees start to say a lot of things, reconsider and rephrase or outright rewrite before sending the message. Often the message they didn't send is exactly the kind of thing the opponent in a lawsuit is looking for and exactly what you don't want to have to give them. If your compliance monitoring application will let you store and view those unsent, often inappropriate or ill-conceived, messages then you're going to have to cough them up during discovery or during any investigation by regulators. Worse, if any of them get out through other channels you've weakened your defense against a claim that you knew or ought to have known about them since they're in your compliance system. Better to only record the stuff that was actually sent and not have to explain your employees' private opinions.

    As far as monitoring of sent messages goes, the first rule is "If you're on someone else's network, they can see everything you do.". Or, to quote Pitr, "God, root, what is difference?". If you're on the company network, don't say anything you don't want the company becoming aware of. If you need to express a private opinion without putting it on the record, do it face-to-face and verbally (especially if it involves an unflattering opinion of someone with the authority to get you fired).

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      If your compliance monitoring application will let you store and view those unsent, often inappropriate or ill-conceived, messages then you're going to have to cough them up during discovery or during any investigation by regulators.

      That is exactly the point. The 'compliance' refers to compliance with the regulators/regulations.

      I work for a company that provides call and SMS recording solutions to banks where they can record the phone calls and text messages sent and received by their employees on their mobile phones. This doesn't mean all employees, it's just those in certain positions like traders.

      Doing so is an FSA requirement - banks *must* do this in order to gather the evidence that can prove or disprove that traders are involved

      • I think this is a new level. Considering they can see pre-drafts, edits, etc. which previously were lost and all you saw was what was sent or saved.

        It may be suitable for banks, but it is going to raise the cost of business for everyone.
        It's probably overkill for many businesses AND will simply drive people who have ill intent to other communications methods.

      • If your compliance monitoring application will let you store and view those unsent, often inappropriate or ill-conceived, messages then you're going to have to cough them up during discovery or during any investigation by regulators.

        That is exactly the point. The 'compliance' refers to compliance with the regulators/regulations.

        I work for a company that provides call and SMS recording solutions to banks where they can record the phone calls and text messages sent and received by their employees on their mobile phones. This doesn't mean all employees, it's just those in certain positions like traders.

        Doing so is an FSA requirement - banks *must* do this in order to gather the evidence that can prove or disprove that traders are involved in things they shouldn't such as insider trading, libor rate fixing etc. The bank has a team that is responsible for monitoring those communications and preparing reports for the FSA proving they are recording these communications as required (which is essentially showing you have a recording of every call made/received).

        This is just an IM platform catering to that market.

        Of course, the beauty of all these systems is whenever the SEC asks for emails, they are often "missing" due to backup or archiving mishaps. The fact that the penalty for not producing the emails is significantly less than the penalty for financial misconduct is purely coincidental.

    • Your network security team can already see everything you do on your computer. They can literally, watch a live view of your desktop. They can log into your email. They can capture all of your network traffic at the firewall and view it via wireshark. And since it's THEIR computer and network, they can take the SSL keys you used and decode your HTTPS traffic as well. Nothing you do on a work computer is private at all.

      But, they don't generally do all of this unless they have a reason to. If you missed your

      • by davidwr ( 791652 )

        Your network security team can already see everything you do on your computer.

        Well, practically everything. Except on machines where they control the BIOS, they can't tell what happens if I power off, disconnect the network cable, and boot up with another device.

        They also can't tell if I use the monitor as a place to hold the sticky note with my password on it. Now, the security team that comes around and night checking for sticky notes with passwords on the other hand....

    • >As far as monitoring of sent messages goes, the first rule is "If you're on someone else's network, they can see everything you do."

      That might apply in the US. The first rule in the EU is that they can see only what they've informed you they want to see, and only if doing that is proportionate. You can't in general snoop just because you own the wires.

      • Not to be picky, but I think you're confusing "can" and "are allowed to". "can" has to do with being physically and technically able to. "are allowed to" involves things like "Is it legal?" and "Have the sysadmins been ordered to?". The admins may not for example be legally allowed to just record and scan your IM sessions for no reason, but if diagnosing a weird network problem requires capturing traffic on the wire your packets will get caught and get included in the logs regardless of what the law says (s

    • Comment removed based on user account deletion
  • What, we don't think that Lync and everything else that offers a chat server in your own rack can't be configured to do this?

    Hell, at my last office, they were feeding all our VoIP calls through this SIGINT app [verint.com] ; the only reason I found out was because I was copied in on ICT change reports for operational reasons and one of the changes was they moved the storage for the VoIP calls to another server.

    Presume that you're being watched. You likely are, by someone.

  • Sounds like an interesting way to make employees pay for their own to be used during work hours and toss the company phone in a drawer. A very cunning way to save company mobile phone call costs and make the employees pay for them ;D.

  • Internet chat is a terrible hellscape and it's saddened me for almost two decades.

    Unlike email and the web, the dominant systems for instant messaging have been proprietary forever. Sure, XMPP exists, but nobody uses it. There was a chance when Google Talk was using it, but ever since Google stopped federating, that's basically fucked.

    Now we're seeing the slow death of IRC too at the hands of better but more proprietary user experiences being offered by Skype and Slack.

    And it's easy to see why too. The prop

    • by SeaFox ( 739806 )

      Sure, XMPP exists, but nobody uses it.

      My employer does. It's the official office chat platform. The workstations come with Miranda on them and it's run from a network drive so your profile roams with you.

      If IRC and XMPP are ever going to be competitive with the new proprietary guys in town, it needs to get competitive on the usability front.

      Why must everything be a competition to gain share? IRC isn't going anywhere. The people using IRC now are using other chat clients along side it. Or they aren't. There's no reason XMPP or IRC can't continue to exist in their own little niches just because more people use Slack/Skype/$currenthypedmessagingprotocol. People still use newsgroups f

    • by gozar ( 39392 )

      Now we're seeing the slow death of IRC too at the hands of better but more proprietary user experiences being offered by Skype and Slack.

      And it's easy to see why too. The proprietary chat tools out there like Slack are absolutely incredible user experiences.

      If IRC and XMPP are ever going to be competitive with the new proprietary guys in town, it needs to get competitive on the usability front.

      I think Slack is built on IRC, I use a bouncer and whatever IRC client I have handy to connect to our work Slack.

      IRCCloud [irccloud.com] is putting a pretty face on IRC, if they would offer the Slack integrations they could be a real competitor.

  • The company hopes to attract more businesses with the optional feature

    they seemed to have forgotten the part where the employee has choose to use it. i wouldnt be surprised if they lose all their users in a month's time to a similar application that isn't spyware.

  • "They're going to 'allow' us? hahahaha!" said your network security guy while reading this story live from your browser via remote desktop while simultaneously capturing all of your http requests via packet capture at the firewall.

  • ... not exploiting existing ones, at least not intentionally. This is a requirement for places like financial firms that have to show there was no insider trading going on, so phone calls and messaging systems have to have full logs. Every other system is simply banned for compliance. So if Slack wants to be used in those companies, they have to have this capability.

    Seems like a story of company expansion more than privacy being exploited, but of course, like others say, if it's not on your computer, don't

  • by Greyfox ( 87712 )
    Your communications are being monitored at work. Never type anything into IM unless you have to, never log on to personal E-Mail from a work computer and for the love of God never log into your bank from there. And never log into work IM or Email from a personal computer.
  • Thsi will push people to have more face to face chats, and only post online politically correct chats.

    Maybe this is not so bad.

    my 2 cents

  • Comment removed based on user account deletion
    • by ESD ( 62 )

      That's what I thought too, at first glance. Didn't know the other 'Slack' yet.

  • There has been a lot of press about traders misbehaving. Normally all communications from the trading room is recorded: Voice and IM. The idea is that if some traders decide to cooperate to set a price that should be set by competition, it will become obvious later and the traders can be prosecuted. This has happened but it needs full logs. As for privacy, the usual rule is that you can make personal calls or messages but not at the trading desk.
  • They can already read your email. Besides you shouldn't be discussing anything non-professional on work networks anyways. And if you are on a office computer they could read your notepad.txt if they wanted.

New crypt. See /usr/news/crypt.

Working...