Jamie Smith
Is Slack Snooping Illegal?

Update at bottom

I read a tweet the other day which pointed out that Slack administrators can read your private and group messages.

The responses to the tweet started a conversation suggesting that this isn't as easy for an organization to do as the statement makes it sound.

I know people who've been disciplined for speaking honestly/airing their grievances in private channels. The management claimed to have read the messages and gave the group a warning specific to the chat messages. It seemed that they had indeed read the messages.

For those unfamiliar, many companies use Slack as an internal communication platform. It's so widespread that the word has more-or-less experienced trademark erosion, with many using it as a verb for any type of organizational messaging.

Anyway, after reading this thread, I decided to look into the situation more. I'm not a lawyer, and I'm not terribly well versed in data privacy laws. So, please don't take this to HR after you've been busted for calling your boss an L 7 weenie in your "Front-End Team Members ONLY!!!" support group.

According to Slack, the only way to export and read messages is through legal means. Even then, an organization's Slack administrators can only do so with Plus or Enterprise plans. Neither Free nor Standard Slack plans allow the organization to access this information on its own.

If an organization on a Plus or Enterprise level plan wants to access message content, they need to send an application to Slack stating why access to this content is required.

Slack gives the following examples of when they might permit an organization to access the message content.

  • A company receives a report of harassment or theft of trade secrets and needs to conduct a workplace investigation.
  • A financial services company is required by a regulation to archive certain communications for a set period of time.
  • A court order mandates information from Slack must be disclosed due to a lawsuit or investigation.
  • A former employee requests to be provided with a copy of the information their former employer retained about them, as required by the EU’s General Data Protection Regulation.

There is a lot of information on exporting data, including message content, but there isn't much on "monitoring" message content on private channels. I can only assume that the export rules extend to the monitoring of messages. If I can only have permission to export message data & content under specific circumstances, it would only make sense that I'd need similar permissions to monitor the message content at all.

The closest I came to any language regarding active monitoring of message content was in the Slack API documentation.

Let's summarize what seems to be Slack's policies regarding access to private message content:

  • In most cases, nobody can read message content in private channels other than the participants of that messaging.
  • If a Slack admin wants to gain access to private message content, they need to apply for permission to do so. This only applies to Slack Plus and Slack Enterprise plans. The Free and Standard tiers can only get this information directly from Slack.
  • If an organization obtains permission to monitor private message content, they need to make it clear to their employees and those using the company's Slack that this data is being collected and monitored.
  • Private message content cannot be actively monitored, only private message data.

Maybe someone has more insight on this? It's certainly worth talking about and potentially getting more information on.

I want to close out with two final thoughts:

  1. It's probably smart to not engage in non-professional conversation in Slack. There are so many reasons why this is a bad idea, and they are certainly not in the scope of this article.
  2. This response in the conversation on the tweet:

If you don't trust your employer it means that your employer doesn't trust its employees and that is a sure sign of a toxic workplace. Start looking for a new job.

Thoughts? Additions?

Update: I'm in the US and you should never assume your conversations are "private" on a corporate/company account. There are a lot of ways to get around this in the United States and elsewhere. If, for example, the company has consent from its employees to freely read this data, they probably can. Also, I found this AFTER I finished this article.
