Last week, Slack warned users of changes to its platform that make it easier for employers to access and download their employees' data, including DMs and messages in private channels.
With this update, Slack is killing its preexisting “compliance export” tool, which couldn’t download data retroactively, was only available to paying customers, and alerted users whose data was being exported.
Though workers in the US are familiar with laws that allow their employers to read emails sent from work accounts, the Slack update caught some users off guard, especially given that it coincided with news of Facebook’s Cambridge Analytica data collection scandal.
Some have argued that the new tool could be considered workplace surveillance, and might violate employment law if it makes workers feel they can’t openly discuss workplace conditions.
Not every Slack workspace owner can read DMs with impunity. The change doesn’t apply to Free and Standard Slack workspaces, where administrators need a legal reason to download workspace data; even with the higher-priced Plus and Enterprise Grid workspaces, administrators need to file a request to Slack to download it.
Once Slack approves data collection requests, companies that pay for Plus can download data via Slack's export tool. Companies that pay for Enterprise Grid can access the Discovery API, which allows them “to use third-party applications to export, retain, or archive messages and files submitted to Slack.”
Slack declined to comment when asked if there are any circumstances in which it would decline to give a paying customer access to requested data.
Which Slack are you using, and what can your employer see? Here’s how to find out.
To find out if your employer has the option to read and save your private messages, you need to check your Workspace Settings. From inside the Slack app, click the down arrow next to your organization's name in the upper left-hand corner. Click "Customize Slack," which will open a new window in your browser. In the upper left-hand corner, click Menu and then Workspace Settings.
Here, you can see who the owners and admins in your organization are, how long your company stores data, and what data your company allows you to delete. If you scroll to the bottom, under “Exports,” it also shows you whether your employer can “export messages and files from private channels and DMs.”
The reality is that, when it comes to company software, your employer has a legal right — and sometimes a legal need — to view those communications. For example, in the instance of a harassment claim, an employer may need to investigate; in the instance of a corporate lawsuit, an employer might need to turn over certain records in discovery. Moreover, given the existence of other technologies that integrate with Slack, it’s possible that your employer was reading your DMs long before this new tool was rolled out.
It's important to note that if you have a private channel or direct message set to retain data for only a limited time, “the data is not exportable” after it expires, a Slack spokesperson said. However, for a period of two weeks, it’s backed up by Slack and “could be discoverable” in the case of legal action. After two weeks, it’s hard deleted.
In a statement, a Slack spokesperson acknowledged that while the software does give workspace owners the ability to read private messages, that doesn’t always mean they should.
“All software designed for use in the workplace provides access capabilities,” the statement reads. “However, to protect employees, there are also laws and regulations in place that govern specifically what access is permitted by employers. When extracting any data from Slack, employers must always comply with all employment laws, contracts and privacy protections for employees.”
Caroline O'Donovan is a senior technology reporter for BuzzFeed News and is based in San Francisco.