Provenance. I can doctor my local logs just about as quickly as I can type. True, it's a bit harder than some people estimate to keep the whole thing coherent, but that just means that you hear about the people who get caught, but not the ones who do it successfully. If I am capable of doctoring Slack's copy of the logs with sufficient effort, it is certainly orders of magnitude harder and much legally riskier (as I would be committing many felonies in the process).
The parent I was replying to said they ought to keep the Slack logs themselves. If they're logging into Slack to get them, then it is Slack doing the keeping and we're back to Slack doing the storage.
What is the material difference between having employees save DM logs in an auditable, authenticated way and being able to view employee DMs?
If any employee can ostensibly be compelled to provide their logs when asked by their employer, you are getting just as much information as if IT can view them directly. The only way IT doesn't get as much information is if the system doesn't work, for example because employees can alter their logs or simply refuse to provide them. In that scenario having employees saving their own logs gives you more privacy, but doesn't solve the essential problem.
The tradeoff here is convenience of access versus friction. When you are reviewing an auditable log of information related to an employee, you don't necessarily want to have to ask the employee for that information, nor do you necessarily want them to know you're reviewing it.
> What is the material difference between having employees save DM logs in an auditable, authenticated way and being able to view employee DMs?
> When you are reviewing an auditable log of information related to an employee, you don't necessarily want to have to ask the employee for that information, nor do you necessarily want them to know you're reviewing it.
You just answered your own question.
You might not want them to know you're reviewing it but they most certainly do want to know that you are.
> You might not want them to know you're reviewing it but they most certainly do want to know that you are.
Of course they want to know. Everyone wants to know. But if they committed a crime, or at least are complicit in a lawsuit the company is facing, their desire for privacy on an information channel they don't own is irrelevant.
I don't understand why this is controversial. When the SEC, FBI, local police, opposing legal team, etc. want you to hand over information about an employee, having to ask the employee directly or even let them know is problematic.
Then Slack should (and indeed, does) have special processes for handing over private conversations when served with a warrant, subpoena, court order, etc. "The FBI should be able to do it with probable cause" and "your employer should be able to do it whenever they feel like" are radically different.
And I don't disagree that the company owns it and should have the right to do whatever they want with the things they own. But the employees should also have the right to think that's shitty, and companies should have the ability to demonstrate their lack of shittiness to their employees by configuring their environment in such a way that a higher barrier exists to snooping. This change doesn't actually make a new thing possible; Slack had a "compliance mode" before that companies could opt into, but it wasn't the default, and users were notified if it was enabled. This change just limits companies' abilities not to have snoop mode turned on.
Maybe I missed some context but since when are we talking about committing crimes and the SEC or FBI getting involved? If it's that serious I assume they'd just get a warrant and get the logs directly from Slack.
To me that scenario is completely unrelated to the ability of an employer to silently read DMs of their employees for any reason they see fit.
Don't you think some companies need the ability to investigate things their employees are doing for the specific purpose of bringing it to the attention of government agencies PRIOR to warrants being issued and PRIOR to pissing off the entire federal government?
No? I'm being serious when I say this idea is absurd to me. If you have a serious level of concern about your employees doing something illegal then why are they your employee in the first place?
If you are going to use "We need to be checking for illegal activity" as a justification, why stop at DMs? Why not ask your employees to always be carrying around a recording device that is constantly sending their verbal conversations somewhere where they can be electronically filtered for suspicious keywords? Obviously that's crazy and I'm not saying anyone is suggesting that or would support that, but what exactly makes that scenario over the line that doesn't apply to DMs?
I'm assuming the answer is "expectation of privacy" or the lack thereof for DMs, and I guess my response would be that we should go back to an expectation of privacy for DMs also.
> If you have a serious level of concern about your employees doing something illegal then why are they your employee in the first place?
Because “we don’t hire criminals” is not sustainable, just like “we only hire the best engineers” is not realistic. Strive for the best scenario and prepare for the worst.
> I'm assuming the answer is "expectation of privacy" or the lack thereof for DMs, and I guess my response would be that we should go back to an expectation of privacy for DMs also.
But why? Why do you feel you’re entitled to privacy for your activity if it’s conducted over a communications medium in a workplace, owned by your employer and intended for work-related use? Your rights are guaranteed in the context of government transgression, not in the context of arbitrary corporate policy. For example, “freedom of speech” is not a meaningful right in a workplace setting either.
Your personal rights are not globally applicable in any context. You have avenues available to you for private communication if you’d like, but companies (rightfully) do not want to be responsible for that communication. They want to be responsible for workplace communication. So if you want a private chat, have a private chat outside of Slack. It’s very simple and straightforward.
Workplace communication channels are not intended to be, nor advertised as, safe harbors for digital privacy. You can have those, but companies have every right not to support them for you. It’s not as though companies want you to have private conversations with people and then peek into them for juicy details. They want you to use their infrastructure for its intended purpose.
You pick the law of one of the weakest privacy jurisdictions and argue that Slack should standardize privacy on the most invasive level this country's law allows.
What is this declaration of rights for corporate eavesdropping?
Why do you feel the need to defend Slack? It was their decision to do this to ensure they wouldn’t be forced out of the corporate market ($$$$$) and, I hate to break it to you, US and EU law are very similar in this regard. Corporations in the EU can listen to your business correspondence just as easily as US ones, and in neither do you have any real expectation of privacy at work.
You are wrong about the EU - the national legislation on right to privacy is stricter in many (most?) countries. EU only sets minimum levels of protection. And even EU law protects more than you imply(1).
I'm defending employee rights and generally the human right to privacy against arbitrary surveillance, not Slack.
In particular, the national courts had failed to determine whether the applicant had received prior notice from his employer of the possibility that his communications might be monitored; nor had they had regard either to the fact that he had not been informed of the nature or the extent of the monitoring, or the degree of intrusion into his private life and correspondence. In addition, the national courts had failed to determine, firstly, the specific reasons justifying the introduction of the monitoring measures; secondly, whether the employer could have used measures entailing less intrusion into the applicant’s private life and correspondence; and thirdly, whether the communications might have been accessed without his knowledge.
There is nothing in that case that prohibits EU companies from monitoring the communications of their employees. Half of that case revolves around legal procedural problems in the original case, and the other half is about whether the company could have fired him over his personal correspondence _without proper notice_. That case, if anything, only upholds corporate EU rights to monitor their employees, so long as they provide some trivial legal notice.
Yes, EU law does protect private correspondence more than US law, but almost none of that applies to business correspondence, and the EU is just as liberal in that regard as the US.
Workplace communication between coworkers, e.g. on Slack, is not automatically business correspondence in this sense.
In any case, you repeat the oft debunked myth of corporate right to surveillance. It does not exist. There is just partial lack of EU level protections. The national laws can and do say otherwise in many cases. As can/do binding collective bargaining agreements.
We are not talking about some small made-with-love startup here that no one cares about. We are talking about military contractors, financial companies, law firms, consulting firms, public stock corporations, etc., etc., places with hundreds or thousands of employees and millions if not billions in revenue. You are woefully naive if you think you can run a major company in any of these areas without eventually having employees who are going to do illegal things. People do a lot of crazy things, some for personal reasons, some to get promoted, some because they think they were sanctioned by their boss, some perhaps thought it was best for the company, and so on.
I understand what you’re saying here, and sure, maybe in some small private companies or organizations this is a tragic loss of privacy, but everywhere else it is simply the cost of doing business.
Arguably, but what if the company wants to find proof of, say, two employees colluding to exfiltrate sensitive data or something like that? Would they have to convince them to turn in the PGP signed logs?
More generally like the parent I don't see why a company couldn't have full control over their corporate tools.
> two employees colluding to exfiltrate sensitive data or something like that
In that case spying on Slack usage is simply not enough: the employer would need to spy on every single move every employee makes inside and outside the company, which of course is not possible (well, except if the company is located in a fascist state).
What if those two employees collude to do something like that via their own private phones? Should employers have access to those too?
It doesn't seem to me like any of this really does anything, since there are (and should be) plenty of ways that employees can communicate without their employer having access.
There are security issues here that you may not be aware of. For one example, if technically knowledgeable people want to falsify signed logs without having the signing key, they can simply keep a separate set of logs with actual innocuous conversations. Slack would sign those in your scenario without a problem. This is the canonical problem of keeping "double-books".
While I agree with auditable access to employee DMs, there is a middle ground solution that trivially solves the problem you've presented. Instead of providing the employer with access to the employee's messages directly, logs can be signed at both the blob and message level. Then if an employee selectively turns over only some of their logs, the mismatch will be readily apparent.
Of course it can be solved! I was pointing out that the prior comment was incorrect.
If an employee is in possession of chat logs that if divulged will get them fired, they can simply delete the logs. "Sorry, the drive crashed. IT is working to fix it right now." Stepwise refinement to insecurely re-create security solutions is one of the reasons for many security vulnerabilities.
Logs are well understood, and logging of sensitive information is not just a small technical issue but a security issue. The same way that people shouldn't design their own crypto, when people design logging mechanisms for sensitive data, which is seemingly simple, they will almost always introduce these security errors, as in your post.
Unfortunately, there are also a number of legal issues (and possibly compliance issues) that need to be accounted for from redaction to anonymity and from GDPR to encryption.
Not sure what you mean by blobs? If Slack implemented a scheme like this, they should sign a message which includes metadata like the org name, channel name and timestamps in addition to text.
By blob I mean an archive dump of every message and the metadata you're describing. If that dump is hashed, selectively presenting messages in the dump is obvious.
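The message-level and blob-level signing discussed in the last few comments can be sketched as follows. This is an added example, not part of the thread and not Slack's implementation; it assumes a key held only by the chat service, uses HMAC-SHA256 as a stand-in for a real signature, and the field names and sample messages are constructed.

```python
import hashlib, hmac, json

SERVICE_KEY = b"constructed-demo-key"  # assumption: held only by the chat service

def _canon(obj):
    # Canonical JSON so the same content always yields the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _tag(data: bytes) -> str:
    # HMAC-SHA256 stands in for the service's signature in this sketch.
    return hmac.new(SERVICE_KEY, data, hashlib.sha256).hexdigest()

def sign_message(msg: dict) -> dict:
    # Message level: the tag covers org, channel, timestamp, sender and text.
    return {"msg": msg, "tag": _tag(_canon(msg))}

def sign_blob(signed_msgs: list) -> dict:
    # Blob level: the manifest commits to every message tag, in order.
    tags = [m["tag"] for m in signed_msgs]
    digest = hashlib.sha256(_canon(tags)).hexdigest()
    return {"tags": tags, "digest": digest, "tag": _tag(digest.encode())}

def audit(presented: list, manifest: dict) -> dict:
    # What an auditor learns from a handed-over log plus the signed manifest.
    digest = hashlib.sha256(_canon(manifest["tags"])).hexdigest()
    manifest_ok = (digest == manifest["digest"] and
                   hmac.compare_digest(_tag(digest.encode()), manifest["tag"]))
    # Forged: content does not match the tag it is presented with.
    forged = [i for i, m in enumerate(presented)
              if not hmac.compare_digest(_tag(_canon(m["msg"])), m["tag"])]
    seen = {m["tag"] for i, m in enumerate(presented) if i not in forged}
    # Missing: the manifest lists a message that was not validly presented.
    missing = [i for i, t in enumerate(manifest["tags"]) if t not in seen]
    return {"manifest_ok": manifest_ok, "forged": forged, "missing": missing}

def demo():
    # Constructed sample conversation.
    base = {"org": "example-org", "channel": "DM:alice,bob"}
    texts = [("alice", "lunch?"), ("bob", "send me the file"), ("alice", "ok")]
    log = [sign_message({**base, "ts": 1700000000 + i, "sender": s, "text": t})
           for i, (s, t) in enumerate(texts)]
    manifest = sign_blob(log)
    withheld = [log[0], log[2]]  # message 1 left out of the hand-over
    edited = [log[0], {"msg": {**log[1]["msg"], "text": "nothing to see"},
                       "tag": log[1]["tag"]}, log[2]]
    return audit(log, manifest), audit(withheld, manifest), audit(edited, manifest)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The omission check only holds if the manifest comes from the service or an escrowed copy rather than from the person handing over the log.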