
Meh. Nobody should be surprised by any of this in the slightest. If your employer provides / pays for any kind of communications tool, the only sane position is to assume that they can - and probably do - monitor every single byte you send.


Honestly I didn't realize my Slack DMs on my work account weren't private until I saw this. I assumed that since my employer pays for the account, any message I sent was being monitored.


You meant "were" instead of "weren't".


Correct.


That's what I'm thinking. I mean... of course employers expect to be able to have access to communication done by employees in the course of doing their jobs. They've been able to do this with every (archivable) communication medium since the invention of writing. Where is the news here?

If you want privacy use a private channel. Your employer's work tools don't qualify.


By private channel, I assume you mean a completely separate system that is not Slack, and not a private Slack channel (which, prior to this, was private from Slack workspace admins, with hilarious results).


I think there's some middle ground, some grey area where whether it's alright is murky. It's kind of pulling the rug out from under people when the policy of a 3rd party provider abruptly changes and suddenly tons of messages become available to the company.

There are a number of things I might mention to a coworker over a private IM which wouldn't necessarily put my employment at risk, but would be awkward for management to suddenly have access to.

A couple made-up examples:

"I'm super sick, but $boss is really pushing me to get the report out. I just want to go home and be sick all alone."

"I hate management's decision to reduce vacation days. No wonder we can't keep people around here."

"Did you see Tom's email? It's kinda awkward that he thinks he's a strong contributor to the group..."


All of those conversations should take place out of band of employer communications tools.

Never write something you wouldn’t want printed on the front page of a newspaper.


As a company policy I sure hope your IT doesn't make emails available to your management.


No they don't, but I work at a large megacorp. At a small 10-20 person non-technology company startup, the admin on Slack is likely to be the owner or general manager. It could be another 5-10 people before a person is hired on as full-time IT.


If the owner or GM has enough time to dip into Slack DMs, or even emails, the company has bigger issues.


These are all the sorts of things that you would ideally want management to know about so they can make better informed decisions. Assuming of course that you have competent and trustworthy managers.


>Assuming of course that you have competent and trustworthy managers.

You're begging the question.

"Competent and trustworthy" people won't abuse their power by definition. Anyone who abuses their power intentionally is untrustworthy, and anyone who abuses their power unintentionally is incompetent.

In the real world there are many incompetent and untrustworthy leaders. Slack has no choice but to operate in the real world.


Which question am I begging? I wasn't talking about abuse of power.


I think the EU would have something to say about that: https://www.telegraph.co.uk/news/2017/09/05/landmark-eu-ruli...


Seems a little different. Courts ruled that work emails could be viewed, just not personal accounts used on work computers.


Additionally, unless your work environment is sophisticated enough to fiddle with the certificates on your machine, and run a MITM proxy, you should be safe using something like Gmail over HTTPS. Now I'm sure some companies do manage to intercept outgoing HTTPS traffic, but I doubt that most companies do.

OTOH, I still think being paranoid is the safest policy, so if you're plotting to overthrow your boss, or sell secrets to your biggest competitor, I still wouldn't do it on the company network, and/or using a company computer.


If your Gmail account is through work (i.e. not a personal one) they already have access to it.


Agreed. I was referring to the parent post's comment about using personal accounts at work. That might be safe, to some extent. But again, I would lean on the side of paranoia if you're talking about anything that could get you (fired|put in jail).


In any case, if you would plan any of that, I would guess that it would most probably leak out through an entirely nontechnological channel - e.g. by somebody overhearing in person, or even by a co-conspirator defecting for their own gain.

Cloak-and-dagger games are very similar to building your own crypto: likely to be broken at a fundamental level, never mind the amount of magic security glitter that you pile on top.


Yeah, they said it here[1], and basically, given cause and given notice, they can still access private communications on work property. So not exactly what you are implying.

From the actual source: https://www.echr.coe.int/Documents/Press_Q_A_Barbulescu_ENG....


Thanks for the document. I think it still says that the employer should notify the employee beforehand of any potential monitoring of communications, which is different from assuming that every byte is being monitored.


Exactly. I'm surprised they couldn't before.


Yup


The smart people will have anticipated this, and their message logs will paint them as good for the company.



