Slack, the ubiquitous workplace communication app, can be a bit deceptive when it comes to private channels and direct messages. Employers have long had the option to take a peek at what you're saying behind the curtain, but a new change is making it easier for them to do so and everyone needs to be aware.
In a new update to its import and export tools, Slack has quietly slipped in the discontinuance of "Compliance Exports." Beginning in 2014, Slack implemented the feature for its "Plus" plan customers. Basically, there are a number of privacy options that you and your employer can toggle on or off. Under workplace settings, you can find what options your employer has enabled and it might say, "Owners and Admins can export messages and files from private channels and DMs in your workspace." Until now, this function would be enabled by Compliance Exports and the full team would be notified if it was suddenly switched on. Employees at CNN were recently alarmed when the Slackbot informed them their bosses were watching.
According to Slack's new guidelines, however, Compliance Exports will be replaced by "a self-service export tool" on April 20th. Previously, an employer had to request a data dump of all communications to get access to private channels and direct messages. This new tool should streamline things so they can archive all your shit-talk and time-wasting with colleagues on a regular basis. The tool not only makes it easy for an admin to access everything with a few clicks, it also enables automatic exports to be scheduled on a daily, weekly, or monthly basis. An employer still has to go through a request process to get the tool, but Slack declined to elaborate on what's involved in that process.
What's particularly concerning is that Compliance Exports were designed so they notified users when they were enabled, and future exports only covered data that was generated after that notification. A spokesperson for Slack confirmed to Gizmodo that this won't be the case going forward. The new tool will be able to export all of the data that your Slack settings previously retained. Before, if you were up on Slack policy, you could feel pretty comfortable that your private conversations were private unless you got that Compliance Exports notification. After the notification, you'd want to make sure you didn't discuss potentially sensitive topics in Slack. Now, anyone who was under the impression that they were relatively safe might have some cause to worry.
To be absolutely clear, Slack is not the place to discuss potential unionisation, sexual harassment response concerns, or anything else you don't want your boss reading over later. That was true before, and it's even more true now.
Yes, this new move brings Slack in line with a lot of enterprise solutions, but that doesn't change the fact that its policies are being altered in a fashion that isn't particularly loud and clear. And let's face it, this is some weird timing, with the high-profile scandal going on at Facebook and the growing realisation among the public that terms of service can really bite you in the arse. When we asked Slack what prompted this change in policy, they sent us the following statement:
Slack announced several changes to our product offerings and policies to comply with the General Data Protection Regulation (GDPR) and so that customers can prepare themselves for GDPR's implementation as they adopt enhanced data privacy standards to comply with the GDPR. People can see their team's plan, admins and settings in the Workspace Settings Center.
The GDPR is a new set of data regulations that will go into effect in Europe this coming May, so it's reasonable to believe Slack has been planning this move for a while. Slack declined to clarify exactly how this change puts them into compliance with the new rules, or why the previous system was not in compliance with GDPR.
Update: Following the publication of this story Slack sent along some more details about its changes relating to GDPR:
Compliance Exports was a self-service tool, and the exporting of data is still conducted via a self-service tool. Still, companies do not automatically get access to the Export tool - they have to apply and get approved.
We were never "out of compliance with GDPR," we did not have the tools necessary to be GDPR compliant in the past because the regulation had not gone into effect yet.
How we had to make these changes to be GDPR compliant:
We need to enable our customers to respond to subject access requests under which a user could ask them to show all the personal data within their Slack workspace (not just data collected after a certain point).
We also need to permit our customers to port all their workspace personal data, should they want that.
Defenders of this change will say that Slack is your workplace and you shouldn't say anything there that you wouldn't say out loud in the office. That's not totally wrong; we all have to realise that these communication platforms that we use are big surveillance machines and that the data we entrust to these companies could inevitably be used against us. Using encrypted private messaging like Signal with co-workers for sensitive matters is your best bet, but even that's not foolproof. Trust no tech is a great principle, but it's hard to live by.
Update: Following the publication of this story, Slack said that some notifications to users were sent out on Thursday, and the rest of its users will be notified on Friday.