The Employee's Guide to Slack's Privacy Policy
So hereâs the headline: Your boss can read your Slack DMs. Even if you edit them. Even if you delete them. Even if you leave the company.
But even if youâre already dimly aware of that fact, you probably donât know how the process of accessing your data works in practice.
Unfortunately, you wonât learn much about that from Slackâs privacy policy. That document exceeds 5,000 words, includes 15 subsections, and primarily addresses how Slack itself manages data. (Itâs pretty boilerplate stuff.)
For the average employee, the most pressing concern isnât what Slack is doing with their DMsâitâs what their boss is doing. Employees have questions, such as:
What kinds of data does Slack collect and share with employers?
Who at your organization is allowed to access DMs and private channels?
Does Slack have privacy guardrails to prevent abuse?
Can employers peek inside private conversations on a whim, or do they need to show a valid cause?
The answers to these questions matter because they impact how we behave and what we feel comfortable talking about on Slack. Slack sits at the crossroads of two major trends: a growing labor movement and the rise of remote work, so itâs vital that employees know how to communicate safely and responsibly with coworkers.
Slackâs Approach to Data Privacy
The first thing you need to understand is that Slackâs privacy policies are designed to meet the needs of its customers, which are employers, not employees.
A privacy at Slack landing page, for example, states that âCustomer trust is at the forefront of everything we doâ and that âYou own and control the content within your Slack workspace.â This sounds nice but itâs important to keep in mind that in most cases (outside of community-run Slack instances), the âyouâ is an employer. Legally, Slack considers itself to be a âprocessorâ of customer data while the customerâyour employerâis the dataâs âcontroller.â
This framework is essential both to interpreting Slackâs messaging and understanding how Slack prioritizes the needs of employers versus employees.
Employer Access to Slack Data Varies By Pricing Tier
In theory, Slack allows all workspace owners to request access to private channels and DMs. Slack provides some oversight to prevent abuse, but ultimately, employers are the dataâs âcontrollers.â
However, when you dig into Slackâs help documentation, you find that Slackâs level of oversight is not universal, and varies depending on a workspaceâs pricing tier.
In other words: employers have more access to employee data if they pay more for Slack.
This illustrates how export capabilities vary by plan, but elsewhere, Slack claims that Free and Pro accounts may also request private channels and DMs.
There are some valid reasons for not taking a one-size-fits-all approach to privacy. For instance, certain highly-regulated companies and industries are required to maintain records of all internal communications in case of an audit. However, Slackâs employee-facing information neglects to explain this crucial context to employees. On top of that, there are contradictions in Slackâs own documentation, and we found significant differences between Slackâs published policies and our own experience in requesting a data export.
Note: We requested comment from Slack on this matter, as well as other matters discussed in this piece, but they were unable to respond in time for publication. We will update this piece to include any clarifying information they provide.
https://[YourWorkspaceHere].slack.com/account/workspace-settings#overview
.
Free and Pro Plans Limit Data Access
Employers using the Free and Pro plans can access and export data from public channels, including links to files but not the files themselves.
If employers using a Free or Pro plan want access to private channels and direct messages, they must ask Slack directly, and Slack will only provide the data âunder limited circumstances.â
Slack claims âwe will reject applicationsâ unless Workspace Owners can show they meet one of the following criteria:
- A valid legal process
- The consent of members
- A requirement or right under the law
(As you might have guessed, each of those criteria is open to much interpretation.)
If an employerâs request is approved, theyâll receive a one-time export of data from all channels, delivered as a JSON file. This file will include edited and deleted messages, and messages from users who have been deactivated. It also includes messages to and from members from outside the company, like third-party contractors who are guests in your workspace.
{
"type": "message",
"user": "UTXHL6F8A",
"upload": false,
"ts": "1590101612.000000",
"text": "Hello, this is the message after it was edited.",
"previous": {
"text": "Hello, this is the original message.",
"blocks": [
{
"type": "rich_text",
"block_id": "Bts",
"elements": [
{
"type": "rich_text_section",
"elements": [
{
"type": "text",
"text": "Hello, this is the original message."
}
]
}
]
}
]
},
"original_ts": "1590101603.000300",
"subtype": "message_changed",
"editor_id": "UTXHL6F8A",
"blocks": [{
"type": "rich_text",
"block_id": "O+PJ",
"elements": [
{
"type": "rich_text_section",
"elements": [
{
"type": "text",
"text": "Hello, this is the message after it was edited."
}
]
}
]
}]
}
As you can see, even with Slackâs help, at this level youâre looking at a lot of data delivered in a difficult-to-read format.
Our Experience
When Kolide initially requested a complete data export, we belonged to the Pro
tier, which meant we had to message Slack support through a generic âContact Usâ
form (located at https://[yourworkspace].slack.com/help/requests/new
). We were
deliberately vague in explaining our reasons for requesting an export; we said
only we were âinvestigating a privacy-related matter.â
When Slack replied, they did not ask us to prove that we met their requirements for exporting dataâthey merely said that if we wished to do so, we would have to upgrade to a more expensive plan.
That could have been the end of our investigation. But then we realized we probably needed to upgrade anyway in order to access SAML-based single sign-on. (Whether itâs ethical to charge extra for SSO is another matter.)
Business+ Plans Enable Employers To Export Data At Will
Employers using the Business+ plan also need to apply to Slack to export non-public data. But as opposed to a one-time export, this grants employers access to a âself-serve data export tool.â
Itâs worth pausing on the fact that thereâs a material difference between having to ask permission every time you want to export DMs, and being able to do so at your leisure. The easier it is to access employee data, the greater the temptation to abuse it.
To use this tool, Slack writes that employers must ensure they have âappropriate employment agreements and corporate policiesâ and only use the tool as permitted by applicable law.
The most important word here is âensure.â Whereas at the Free/Pro levels, Slack writes employers must âshowâ they meet certain requirements, here, they need only to say they will use this tool responsibly.
Our Experience
Once we upgraded to the Business+ plan, Slack support said the next step was to submit an application for the data export tool, which would be reviewed by a âdedicated team.â They wrote: âThere are several factors considered in the review process, and applications are handled on a case by case basis.â That language seemed to imply we could expect a drawn-out review process, but thatâs not what we found.
Slackâs âapplicationâ for the data export tool turned out to be a three-page legal document that essentially establishes two things:
The employer attests that they have the authority to access this data in accordance with the law, and that they have âobtained the appropriate permissions, as set forth through employee handbooks, computer use policies, consent forms or similar documents or electronic notices, to obtain access to all of its employeesâ communications carried or maintained on Customerâs networks and systemsâŚâ
The employer agrees that Slack will not be responsible for any damages related to this agreement, including liabilities arising from employees or regulators. âFor clarity, this includes any claims arising out of any failure by Customer to secure the appropriate permissions from its employees, whether in the United States or elsewhere, to export employee communications.â
We duly signed this document. Next, Slack requested an email from our Workspace Primary Owner (in this case the CEO), acknowledging that this export will contain all message history, and that all Workspace Owners will have access to the export tool.
https://[yourworkspace].slack.com/account/workspace-settings#admins
We werenât sure what to expect next, but less than four hours later, Slack informed us that our application had been approved and we could export data as we saw fit. We thanked them for their help and then promptly asked them to disable the tool, since reading private messages is not a capability we have any desire to maintain.
Enterprise Grid Plans Enable Easier, Deeper Data Collection
Our personal experience with Slackâs data export process ended at the Business+ tier, but their help documentation outlines what customers at the Enterprise Grid level can expect.
Employers using the Enterprise Grid plan must also apply for access to the self-serve data export tool if they want to see private messages and channels. However, these VIP customers get to send their applications straight to the support team instead of submitting an application through the Slack app.
There are a few significant upgrades at this level, including:
- Employers can export data for a single user, instead of all users
- Data can be exported via either JSON or TXT format
- Whereas every other export only includes file links, TXT includes the files themselves
The Discovery API
But the biggest difference between the Business+ plan and the Enterprise Grid plan is that employers paying for the latter get access to the Discovery API.
The primary goal of the Discovery API is to enable employers to connect Slack to approved, third-party eDiscovery and data loss prevention tools (and the primary goal of those tools is to help companies meet data management regulations).
The former, eDiscovery, captures and stores messages and files from Slack in a third-party data warehouse. The latter, data loss prevention, scans messages and files for policy-breaking content, so companies can catch people sharing sensitive data like credit card and social security numbers.
For example, Hanzo, a company that provides risk management software, has a product called Hanzo Hold that helps employers âsecurely collect relevant Slack data and metadata, including embedded content, threaded conversations, edits, deletes, and other changes over time.â
Compliance Admins and Legal Holds
The Enterprise Grid plan offers more administrative roles than other plansâone of them being the âCompliance Admin system role.â This person, whoâs given their powers by the organizationâs primary owner, can create and manage legal holds.
A compliance admin can place a legal hold on any employee and a legal hold preserves an employeeâs messages and files. When a hold is active, compliance admins can either retain message and file data from all conversations or just the direct messages from the conversation the targeted employee is a part of. No matter what general retention settings might be in place or whether an employee edits or deletes content, a legal hold ensures all messages and files sent by all members in a given conversation are saved. Once compliance admins retain this data, employers can export it or access it via the Discovery API.
Slack explains too, in a magic wand adorned tip, that there is âno limit on the number of legal holds you can create.â
We should note too, that on this page, Slack doesnât explain or define the âlegalâ aspect of a legal hold.
Our Thoughts on Slackâs Approach to Employee Data Privacy
Before we go any further, letâs try and find some nuance in how Slack shares data with your boss, because itâs not a black-and-white issue.
Take our own experience getting access to Slackâs export tool. Slack did not provide the level of oversight we expected. We did not have to prove we were behaving ethically; we merely had to say we were. But thatâs not really surprising once you think about it, since Slack has no way of investigating every request it receives. How could they possibly tell if an employer is really investigating harassment or merely using it as a pretext to sniff out union activity? At a certain point, every company has to trust its customers not to abuse its products; if not, society would grind to a standstill.
But even if we assume that the vast majority of employers are behaving ethically, and that Slackâs policies are fundamentally sound, we can still take issue with their lack of transparency toward end users.
Slackâs privacy policy is evasive when it comes to employee privacy, and its help documentation isnât intended for or easily discoverable by employees. This creates confusion, and that confusion opens employees up to risk.
Fundamentally, employees canât make informed decisions about how to behave on Slack without understanding who is looking over their shoulder. Slack doesnât precisely hide the fact that it gives employers surveillance powers, but thereâs a pervasive sense that itâs an uncomfortable topic that Slack would prefer users didnât think about too hard.
Our product, Kolide, also collects employee data in the name of endpoint security; we can see when you last rebooted your computer, whether youâve installed updates, and even search for specific files. The difference between us and Slack is that transparency and informed consentâwhat we call Honest Securityâare at the heart of everything we do.
It also bears mentioning that we use Slack at Kolide, both internally and as a part of our product. Slack is ubiquitous, and itâs far from the only tech company who fall short on matters of employee data privacy. So itâs not feasible to suggest that anyone with a criticism of Slack (or Facebook or Google or Apple) just goes elsewhereâitâs incumbent on us to encourage them to do better.
How Third Parties Access Slack Data
Most of Slackâs third-party sharing is pretty benignâor at least itâs as benign as a typical tech company. For example, Slack shares data with some subprocessors that keep the platform functioning, like AWS.
Slack also shares data to serve its âlegitimate interestsâ (i.e. interests that Slack deems ânot outweighed by your interests or fundamental rights and freedomsâ). Within this legitimate interests section, Slack notes multiple times whether a given legitimate interest is in your interest, Slackâs interest, or is in both of your interests.
For example, Slack argues that âIt is in our interest to research and improve the Servicesâ but also that âIt is in the interests of Customers and Authorized Users to practice data minimisation and privacy by design in respect of their information.â The responsibility to minimize Slackâs access to your data, in other words, is up to you.
Legal obligations
Slack reserves the right to share data if they are legally required to do so, but it appears to treat requests from law enforcement quite differently than private citizens.
So what if you, as an employee (or ex-employee), want to access data?
If youâre an individual requesting data, Slack rather curtly writes: âThird parties seeking Customer Data should contact the Customer regarding such requests. The Customer controls the Customer Data and generally gets to decide what to do with all Customer Data.â An exception to this rule would be if you have a legal right to access this data under GDPR.
Slackâs policy page goes into much greater depth about how the company handles requests from law enforcement. They explain that Slack requires a search warrant issued by a legitimate court before it will provide anyone with customer data. Slack is clear: âSlack does not voluntarily disclose any data to governmental entities unlessâ (thereâs always an âunlessâ) âthere is an emergency that involves imminent danger or there is potential harm to Slackâs services or customers that providing customer data can potentially help prevent.â
Slack notes that it uses all the information it collects to comply with legal obligations. In other words, that data would go beyond the exports employers can access, and include things like metadata and geolocation.
Even then, Slack does not honor every request. The company provides a transparency report that shows what requests it has received and how it responded to them. In the United States, from January 1 to December 31, 2021, Slack has received five search warrants, four court orders, and twenty two government subpoenas. Slack has provided customer data in accordance with those requests in five cases (out of 31 total). This relatively low rate of cooperation would seem to indicate that Slack is willing to fight to protect the privacy of employers, at least.
How Slackâs Privacy Policies Have Evolved
Some of the best advice we can give you about Slackâs data privacy policies is to monitor them for changes.
Slack maintains a privacy policy archive that stretches back to 2013. Though we wonât detail the precise evolution of Slackâs privacy policy over time, itâs worth showing the level to which Slack is willing to change things.
In a privacy policy update released in 2018, Slack made a major change to message access that broke headlines. From 2014 to 2018, Slack customers (or at least, those who bought a premium plan) were able to download and read messages sent through Slack by downloading a so-called âcompliance export.â When customers requested a compliance export, employees were automatically notified.
But in 2018, Slack discontinued the compliance export function and introduced the self-service export tool, allowing employers to export data whenever they chose.
At the same time, Slack stopped automatically notifying employees of these exports, leaving it up to employers to police themselves. This raised some eyebrows, but Slack claimed they made the change to comply with GDPR and to help employers conduct private investigations into sensitive matters.
Still, thereâs reason to hope that future changes to Slackâs policies may increase transparency. Californiaâs data privacy law (CPRA) is likely to increase Slackâs obligations to employees. So keep an eye on this subject in the coming months and years.
How Should You Conduct Yourself on Slack?
Weâve thrown a lot of information at you (and this is the readable, summarized version), so weâd be remiss to not provide some guidance for how employees should actually use Slack and stay safe at the same time.
Foundational to suggesting or applying any advice is knowing that, despite the privacy policy, Slack is contested legal territory for both employees and employers. Furthermore, your vulnerability and privacy are as much dependent on your employer as on Slack.
Employees at Activision Blizzard, for example, have filed multiple unfair labor practice (ULP) complaints because of manager conduct on Slack, accusing the company of illegally forbidding and punishing discussion of labor conditions and organizing efforts.
Apple, controversially, barred a pay transparency channel on Slack, putting them in a legally murky position.
Slack is also subject to regulations like the General Data Protection Agreement (GDPR) and the California Consumer Privacy Act (CCPA), which means that depending on where you reside, you might have different rights you can exercise, including the right to see what information your boss has requested about you.
Given the evolving legal issues at play, we canât provide universal advice to employees. What we can do, however, is provide a guiding question to help you make your own decisions: Which conversations should be on Slack and which should be off Slack?
Workplace organizing
Labor organizing is surging in the United States, among tech companies in particular. Potential organizers are likely considering Slack as a way to communicate to fellow workers, especially on remote teams where there isnât a physical water cooler to huddle around.
We want to make clear that discussing your working conditions at work is a federally protected right. As one labor lawyer said regarding Appleâs case: âIf two or more employees are talking about workplace conditions, then theyâre protected by the NLRA.â
That said, because your employer can potentially access all of your conversations on Slack without your consent and without notifying you, itâs smart to take conversations about organizing offline. Remote workers may not have this option, but can still move to different platforms, such as Signal, Discord, or even a separate, worker-run Slack instance. If possible, you should also conduct these activities off of your work-managed laptop or mobile device.
Conversations involving company information
Part of what makes Slack both appealing and dangerous is that it feels so casual; you can share files and information without pausing to consider security. But once youâve shared something, it can disappear into another userâs downloads folder, or any number of unsecure places.
So remember: any time youâre handling sensitive company data (things like valuable IP or customer data), be careful where youâre doing it. If youâre taking data off company-managed applications, you not only open the company up to security risks but potentially make yourself liable.
You should be especially wary if youâre in the healthcare or finance fields, both of which have their own strict regulations. Eleven bankers and brokerages admitted, for example, in September 2022, to using banned messaging apps and had to pay a total of $1.8 billion in fines.
Conversations about other employees
Collaboration within a company inherently requires talking to and about other employeesânot always in front of themâbut thereâs a spectrum between acceptable and unacceptable versions of this conversation.
Gossip, especially if itâs about something youâd be uncomfortable with your boss seeing, likely shouldnât be on Slack. If you you have serious concerns about a coworker, such as sexual harassment or other inappropriate behavior, your HR department is likely a better place to have this conversation than Slack DMs.
And if the concern rises to a level where youâre not comfortable talking to your manager or your HR department, then you might need to step back and assess how big the problem is. Depending on the severity of the problem, itâs likely best to take this conversation off Slack and hire a lawyer or other outside professional.
Nonwork conversations
Many companies have #random
channels and other venues to encourage
non-work-related conversations. Participate in these at your discretion, as
long as you know that your conversations always have the potential to be
accessed.
And even if your messages arenât objectionable, the amount of non-work messages might be. Employers might not care about the content of your nonwork conversations but care deeply about how much time youâre messaging your friend about your weekend plans instead of working. While Slack isnât primarily intended as a productivity monitoring tool, it can be used that way.
Slack is One Battleground in a Larger Conflict
The issue of data privacy in the workplace isnât exclusive to Slack; Slack didnât even exist the first time someone quipped that you shouldnât send anything in an email you wouldnât want appearing in the New York Times.
Traditionally, US laws and workplace culture have heavily favored employer rights over employee privacy, with the assumption that employees only have a âreasonable expectation of privacy.â What the case of Slack makes clear is that we desperately need to redefine what âreasonableâ means in the context of remote work.
Think of it this way: in a traditional office, itâs reasonable to expect that your boss can monitor your emails. But you donât expect them to install recording devices in the bathroom, or follow you to the bar down the street and write down everything you say during happy hour.
But in a remote workplace, there isnât a bar where you can blow off some steam; you donât have a reasonable expectation of privacy in any of your communications with coworkers. You are deprived of the universal need to connect on a personal level, to laugh at your manager, to vent.
The result of such a stifling, paranoid environment is either that workers feel disconnected from one another or that they sneak off to alternative digital venues to escape surveillance. Either outcome is an organizational failure.
And while it would be nice to simply trust that employees have nothing to fear from their employers, thereâs a clear appetite for surveillance fuelling the growth of the âbosswareâ sector. ExpressVPN research shows that 78% of bosses/executives use âemployee monitoring software to track employee performance and/or online activityâ and 73% say âstored recordings of staffâs calls, emails, or messages have informed an employeeâs performance reviews.â Even if youâre reading this and thinking âmy boss wouldnât do that,â thereâs no telling what your next boss might try, as Twitter employees learned the hard way.
It can be alarming to discover how limited your privacy rights are as an employee. If youâd like to change that, the best way to start is by talking to your coworkers about your concerns. And if you do so, consider taking the conversation off Slack.
FAQ
Letâs review some of the most common questions employees have about privacy on Slack.
Can Slack read my direct messages and private channel messages?
Yes. Slack doesnât give employers this visibility out of the box but employers can request access. This process varies based on a workspaceâs pricing tier.
How long does Slack retain data?
Slack gives workspace owners broad control over data retention. For paid plans, owners can choose for Slack to keep everything, keep everything except edits and deletions, or delete messages after a set amount of time. (Some organizations, like banks, are required to retain all records and export them in a readable format, which basically obligates them to purchase a higher tier of Slack.)
Does my employer need my consent to access my direct messages and private channel messages?
Legally speaking, they probably already have your âconsent.â Most employment agreements, especially in the US, include blanket language that gives employers access to your behavior while using company systems and devices.
Will Slack inform me if my employer has exported my DMs and private channels?
No. In the past, Slack informed employees, but changed this policy in 2018.
Does Slack provide user data to advertisers?
Yes. On Slackâs cookie table page, advertising partners include Facebook, LinkedIn, and Google.
Is Slack subject to GDPR or CCPA?
Yes. Refer to Slackâs GDPR page and CCPA page for more information.
Has Slack revealed customer and user data to government agencies?
Yes. In its transparency report, Slack reveals that in the United States, from January 1 to December 31, 2021, it has received five search warrants, four court orders, and twenty two government subpoenas. Slack has provided customer data in accordance with those requests in five cases (out of 31 total).
If youâd like to read more data privacy and security stories like this, sign up for our biweekly newsletter.