The employee's guide to Slack's privacy policy


By Elaine Atwell & Nick Moore

We’re trying to answer all the privacy questions employees might have around their company’s ability to view messages and data within Slack.

So here’s the headline: Your boss can read your Slack DMs. Even if you edit them. Even if you delete them. Even if you leave the company.

But even if you’re already dimly aware of that fact, you probably don’t know how the process of accessing your data works in practice.

Unfortunately, you won’t learn much about that from Slack’s privacy policy. That document exceeds 5,000 words, includes 15 subsections, and primarily addresses how Slack itself manages data. (It’s pretty boilerplate stuff.)

For the average employee, the most pressing concern isn’t what Slack itself is doing with their DMs; it’s what their boss is doing. Employees have questions, such as:

  • What kinds of data does Slack collect and share with employers?

  • Who at your organization is allowed to access DMs and private channels?

  • Does Slack have privacy guardrails to prevent abuse?

  • Can employers peek inside private conversations on a whim, or do they need to show a valid cause?

The answers to these questions matter because they impact how we behave and what we feel comfortable talking about on Slack. Slack sits at the crossroads of two major trends: a growing labor movement and the rise of remote work, so it’s vital that employees know how to communicate safely and responsibly with coworkers.

Slack’s approach to data privacy

The first thing you need to understand is that Slack’s privacy policies are designed to meet the needs of its customers, which are employers, not employees.

The “Privacy at Slack” landing page, for example, states that “customer trust is at the forefront of everything we do” and that “you own and control the content within your Slack workspace.” This sounds nice, but it’s important to keep in mind that in most cases (outside of community-run Slack instances), the “you” they’re talking to is an employer. Legally, Slack considers itself to be a “processor” of data, while the customer – your employer – is the data’s “controller.”

This framework is essential both to interpreting Slack’s messaging and understanding how Slack prioritizes the needs of employers versus employees.

Employer access to Slack data varies by pricing tier

In theory, Slack allows all workspace owners to request access to private channels and DMs. Slack provides some oversight to prevent abuse, but ultimately, employers are the data’s “controllers.”

However, when you dig into Slack’s help documentation, you find that Slack’s level of oversight is not universal, and varies depending on a workspace’s pricing tier. In other words: employers have more access to employee data if they pay more for Slack.

Screenshot of Slack’s data policy (source: Slack.com).

There are some valid reasons for not taking a one-size-fits-all approach to privacy. For instance, certain highly regulated companies and industries are required to maintain records of all internal communications in case of an audit. However, Slack’s employee-facing information neglects to explain this crucial context. On top of that, there are contradictions in Slack’s own documentation, and we found significant differences between Slack’s published policies and our own experience in requesting a data export.

Free and Pro plans limit data access

Employers using the Free and Pro plans can access and export data from public channels, including links to files but not the files themselves.

If employers using a Free or Pro plan want access to private channels and direct messages, they must ask Slack directly, and Slack will only provide the data “under limited circumstances.”

Slack claims “we will reject applications” unless Workspace Owners can show they meet one of the following criteria:

  1. A valid legal process

  2. The consent of members

  3. A requirement or right under the law

If an employer’s request is approved at one of these tiers, they’ll receive a one-time export of data from all channels, delivered as a JSON file. At the Enterprise Grid account level, data can be exported via either JSON or TXT format. Whereas every other export would only include file links, TXT includes the exported files themselves.

This JSON file will include edited and deleted messages, and even messages from users who have been deactivated, though Slack states that “the exports will not include data older than one year that has been deleted.” It also includes messages to and from members from outside the company, like third-party contractors who are guests in your workspace.
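To make the scope of such an export concrete, here is an added example (not code from the article or from Slack) that walks a Slack-style export and tallies the categories described above: edited messages, messages from deactivated users, messages from guest accounts, and file links. The export layout and field names (`users.json` entries with `deleted`/`is_restricted`, per-conversation day files containing message objects with `edited` and `files`) are assumptions based on Slack's documented export format, and the sample data is constructed.

```python
import json
from collections import Counter

# Constructed sample in the shape of a Slack export: a users.json list plus one
# JSON file per conversation per day, each holding a list of message objects.
# Field names ("edited", "files", "deleted", "is_restricted") are assumptions
# based on Slack's documented export layout, not values taken from the article.
SAMPLE_USERS = [
    {"id": "U01", "name": "alice", "deleted": False},
    {"id": "U02", "name": "bob", "deleted": True},  # deactivated account
    {"id": "U03", "name": "contractor", "deleted": False, "is_restricted": True},  # guest
]
SAMPLE_FILES = {
    "general/2024-01-15.json": json.dumps([
        {"type": "message", "user": "U01", "text": "Standup at 10", "ts": "1705300000.000100"},
        {"type": "message", "user": "U02", "text": "Revised the doc", "ts": "1705300100.000200",
         "edited": {"user": "U02", "ts": "1705300200.000000"}},
    ]),
    "mpdm-alice--contractor-1/2024-01-15.json": json.dumps([
        {"type": "message", "user": "U03", "text": "See attached", "ts": "1705301000.000100",
         "files": [{"name": "plan.pdf", "url_private": "https://files.slack.com/EXAMPLE"}]},
    ]),
}


def summarize_export(files, users):
    """Return a scope summary of an export: which conversations it covers and
    how many messages fall into the categories the article warns about."""
    deactivated = {u["id"] for u in users if u.get("deleted")}
    guests = {u["id"] for u in users
              if u.get("is_restricted") or u.get("is_ultra_restricted")}
    counts = Counter()
    conversations = set()
    for path, raw in files.items():
        # The directory name is the channel or DM the day file belongs to.
        conversations.add(path.split("/", 1)[0])
        for msg in json.loads(raw):
            if msg.get("type") != "message":
                continue
            counts["messages"] += 1
            if "edited" in msg:          # edit history survives in the export
                counts["edited"] += 1
            if msg.get("user") in deactivated:
                counts["from_deactivated"] += 1
            if msg.get("user") in guests:
                counts["from_guests"] += 1
            # Exports carry links to files, not the files themselves.
            counts["file_links"] += len(msg.get("files", []))
    return {"conversations": sorted(conversations), **counts}


if __name__ == "__main__":
    print(json.dumps(summarize_export(SAMPLE_FILES, SAMPLE_USERS), indent=2))
```

A privacy or compliance reviewer can run the same walk over a real export directory by loading each day file in place of the constructed `SAMPLE_FILES`.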

We initially requested a complete data export from an account belonging to the Pro tier, which meant we had to message Slack support through a generic “Contact Us” form (located at https://[yourworkspace].slack.com/help/requests/new). We were deliberately vague in explaining our reasons for requesting an export; we said only we were “investigating a privacy-related matter.”

Screenshot of Slack’s “Contact Us” form.

When Slack replied, they did not ask us to prove that we met their requirements for exporting data – they merely said that if we wished to do so, we would have to upgrade to a more expensive plan.

Business+ plans enable employers to export data at will

Employers using the Business+ plan also need to apply to Slack to export non-public data. But as opposed to a one-time export, this grants employers access to a “self-serve data export tool.”

To use this tool, Slack writes that employers must ensure they have “appropriate employment agreements and corporate policies” and only use the tool as permitted by applicable law.

The most important word here is “ensure.” At the Free/Pro levels, Slack writes employers must “show” they meet certain requirements. At Business+, they need only to say they will use this tool responsibly.

It’s worth noting that there’s a material difference between having to ask permission every time you want to export DMs, and doing so at your leisure. The self-serve tool makes it pretty easy. All you have to do is “Click Start Export” to get a zip file, in JSON format, containing “message history…and file links from all public channels or from all channels and DMs, depending on your export type.”

Our experience

Once we upgraded our experiment to an account on the Business+ plan, Slack support said the next step was to submit an application for the data export tool, which would be reviewed by a “dedicated team.” Their language seemed to imply we could expect a drawn-out review process, but that’s not what we found.

Slack’s “application” for the data export tool turned out to be a three-page legal document that essentially establishes two things:

  1. The employer attests that they have the authority to access this data in accordance with the law, and that they have “obtained the appropriate permissions, as set forth through employee handbooks, computer use policies, consent forms or similar documents or electronic notices, to obtain access to all of its employees' communications carried or maintained on Customer’s networks and systems…”

  2. The employer agrees that Slack will not be responsible for any damages related to this agreement, including liabilities arising from employees or regulators. “For clarity, this includes any claims arising out of any failure by Customer to secure the appropriate permissions from its employees…”

We duly signed this document. Next, Slack requested an email from our Workspace Primary Owner acknowledging that this export would contain all message history, and that all Workspace Owners would have access to the export tool.

Less than four hours later, Slack informed us that our application had been approved and we could export data as we saw fit.

Enterprise grid plans enable easier, deeper data collection

Our personal experience with Slack’s data export process ended at the Business+ tier, but their help documentation outlines what customers at the Enterprise Grid level can expect.

The Discovery API

There are a few significant upgrades at this level, but the biggest difference is that employers paying for the Enterprise Grid plan get access to the Discovery API. The Discovery API lets employers connect Slack to approved, third-party eDiscovery and data loss prevention tools.

“eDiscovery” tools capture and store messages and files from Slack in a third-party data warehouse. “Data loss prevention” tools scan messages and files for policy-breaking content, like someone sharing sensitive data, such as social security numbers. The primary goal of either tool is to help companies meet data management regulations, but they certainly come with some serious power.

Compliance admins and legal holds

The Enterprise Grid plan also offers more administrative roles than other plans – one of them being the “Legal Holds Admin.” This person, who’s given their powers by the organization’s primary owner, can create and manage legal holds.

No matter what general retention settings might be in place, or whether an employee edits or deletes content, a legal hold ensures all messages, files, and conversations of a targeted employee are saved. Once compliance admins retain this data, employers can export it or access it via the Discovery API. Slack explains too, in a magic-wand-adorned tip, that there is “no limit on the number of legal holds you can create.”

Screenshot of Slack’s legal hold tip (source: Slack.com).

We should note too, that on this page, Slack doesn’t explain or define the “legal” aspect of a legal hold.

Our thoughts on Slack’s approach to employee data privacy

Before we go any further, let’s try and find some nuance in how Slack shares data with your boss, because it’s not a black-and-white issue.

Take our own experience getting access to Slack’s export tool. Slack did not provide the level of oversight we expected. We did not have to prove we were behaving ethically – we merely had to say we were. But that’s not really surprising once you think about it, since Slack has no way of investigating every request it receives. How could they possibly tell if an employer is really investigating harassment, or merely using it as a pretext to sniff out union activity? At a certain point, every company, including Slack, has to trust customers not to abuse its products.

But even if we assume that the vast majority of employers are behaving ethically, and that Slack’s policies are sound, we can still take issue with their lack of transparency toward end users.

Slack’s privacy policy is evasive when it comes to employee privacy, and its help documentation isn’t intended for or easily discoverable by employees. This creates confusion, and that confusion opens employees up to risk.

Employees can’t make informed decisions about how to behave on Slack without understanding who is looking over their shoulder. Slack doesn’t precisely hide the fact that it gives employers surveillance powers, but there’s a pervasive sense that it’s an uncomfortable topic that Slack would prefer users didn’t think about.

Our product, 1Password® Extended Access Management, also collects employee data in the name of endpoint security; we can see when you last rebooted your computer, whether you’ve installed updates, and even search for specific files. The difference between us and Slack is that transparency and informed consent – what we call Honest Security – are at the heart of everything we do.

It also bears mentioning that we use Slack at 1Password – it’s an essential (and often great!) product. Slack is ubiquitous, and it’s far from the only tech company that falls short on matters of employee data privacy. So it’s not feasible to suggest that anyone with a criticism of Slack (or Meta or Google or Apple) just go elsewhere – it’s incumbent on us to encourage them to do better.

How Slack’s privacy policies have evolved

Some of the best advice we can give you about Slack’s data privacy policies is to monitor them for changes.

Slack maintains a privacy policy archive that stretches back to 2013. Though we won’t detail the precise evolution of Slack’s privacy policy over time, it’s worth showing the level to which Slack is willing to change things.

In a privacy policy update released in 2018, Slack made a major change to message access that broke headlines. From 2014 to 2018, Slack customers (or at least, those who bought a premium plan) were able to download and read messages sent through Slack by downloading a so-called “compliance export.” When customers requested a compliance export, employees were automatically notified.

But in 2018, Slack discontinued the compliance export function and introduced the self-service export tool, allowing employers to export data whenever they chose.

At the same time, Slack stopped automatically notifying employees of these exports, leaving it up to employers to police themselves. This raised some eyebrows, but Slack claimed they made the change to comply with GDPR and to help employers conduct private investigations into sensitive matters.

Still, there’s reason to hope that future changes to Slack’s policies may increase transparency. California’s data privacy law (CPRA) is likely to increase Slack’s obligations to employees. So keep an eye on this subject in the coming months and years.

How should you conduct yourself on Slack?

We’ve thrown a lot of information at you (and this is the readable, summarized version). So now we’d like to provide some guidance for how employees should actually use Slack and stay safe at the same time.

First, know that, despite the privacy policy, Slack is contested legal territory for both employees and employers. Furthermore, your vulnerability and privacy are as much dependent on your employer as on Slack.

For instance, Apple controversially barred an employee pay transparency channel on Slack, putting them in a legally murky position.

Slack is also subject to regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which means that depending on where you reside, you might have different rights you can exercise, including the right to see what information your boss has requested about you.

Given the evolving legal issues at play, we can’t provide universal advice to employees. What we can do is provide a guiding question to help you make your own decisions: Which conversations should be on Slack and which should be off Slack?

Workplace organizing

Labor organizing is surging in the United States, among tech companies in particular. Potential organizers are likely considering Slack as a way to communicate to fellow workers, especially on remote teams where there isn’t a physical water cooler to huddle around.

We want to make clear that discussing your working conditions at work is a federally protected right. As one labor lawyer said regarding Apple’s case: “If two or more employees are talking about workplace conditions, then they’re protected by the NLRA.”

That said, because your employer can potentially access all of your conversations on Slack without notifying you or getting your consent, it’s smart to take conversations about organizing offline. Remote workers may not have this option, but can still move to different platforms like Signal, Discord, or even a separate, worker-run Slack instance. If possible, you should also conduct these activities off of your work-managed laptop or mobile device.

Conversations involving company information

Part of what makes Slack both appealing and dangerous is that it feels so casual; you can share files and information without pausing to consider security. But once you’ve shared something, it can disappear into another user’s downloads folder, or any number of unsecure places.

So remember: any time you’re handling sensitive company data (things like valuable IP or customer data), be careful where you’re doing it and consider finding a safer alternative. (For instance, our Enterprise Password Manager comes with the ability to share documents and other files through encrypted vaults). If you’re taking data off company-managed applications, you open the company up to security risks and potentially make yourself liable.

You should be especially wary if you’re in a field with stricter regulations. In September 2022, 11 banks and brokerages admitted to using banned messaging apps, and had to pay a total of $1.8 billion in fines.

Conversations about other employees

Collaboration within a company inherently requires talking to and about other employees, but there’s a spectrum between acceptable and unacceptable versions of this conversation.

Gossip, especially if it’s about something you’d be uncomfortable with your boss seeing, likely shouldn’t be on Slack. If you have serious concerns about a coworker, such as sexual harassment or other inappropriate behavior, your HR department is likely a better place to have that conversation than Slack DMs.

If the concern rises to a level where you’re not comfortable talking to your manager or your HR department, then you might need to step back. Depending on the severity of the problem, it’s likely best to take the conversation off Slack and speak to a lawyer or other outside professional.

Non-work conversations

Many companies have #random channels and other venues to encourage non-work-related conversations. Participate in these at your discretion, as long as you know that your conversations always have the potential to be accessed.

Even if your messages aren’t objectionable, the amount of non-work messages might be. Employers might not care about the content of your non-work conversations but care deeply about how much time you’re messaging about your weekend plans instead of working. While Slack isn’t primarily intended as a productivity monitoring tool, it can be used that way.

Slack is one battleground in a larger conflict

The issue of data privacy in the workplace isn’t exclusive to Slack. There’s a clear appetite for surveillance fuelling the growth of the “bossware” sector. ExpressVPN research shows that 78% of bosses/executives use “employee monitoring software to track employee performance and/or online activity” and 73% say “stored recordings of staff’s calls, emails, or messages have informed an employee’s performance reviews.” Even if you’re reading this and thinking “my boss wouldn’t do that,” there’s no telling what your next boss might try, as X/Twitter employees learned the hard way.

Traditionally, US laws and workplace culture have heavily favored employer rights over employee privacy, with the assumption that employees only have a “reasonable expectation of privacy.” The case of Slack makes it clear that we desperately need to redefine what “reasonable” means in the context of remote work.

Think of it this way: in a traditional office, it’s reasonable to expect that your boss can monitor your emails. But you don’t expect them to install recording devices in the bathroom, or follow you to the bar down the street and write down everything you say during happy hour.

But in a remote workplace, there isn’t a bar where you can blow off some steam; you don’t have a reasonable expectation of privacy in any of your communications with coworkers. You are deprived of the universal need to connect on a personal level, to commiserate, to vent.

The result of such a stifling, paranoid environment is either that workers feel disconnected from one another or find alternative digital venues to escape surveillance. Neither outcome is good for a company’s morale or security.

So, if you’re alarmed to discover how limited your privacy rights are as an employee, and if you’d like to change that, start by talking to your coworkers about your concerns. Just consider taking the conversation off Slack.

FAQ

Let’s review some of the most common questions employees have about privacy on Slack.

Can Slack read my direct messages and private channel messages?

Yes. Employers can request this kind of visibility from Slack. The process varies based on a workspace’s pricing tier.

How long does Slack retain data?

Slack gives workspace owners broad control over data retention. For paid plans, owners can choose for Slack to keep everything, keep everything except edits and deletions, or delete messages after a set amount of time. (Some organizations, like banks, are required to retain all records and export them in a readable format, which basically obligates them to purchase a higher tier of Slack.)

Legally speaking, they probably already have your “consent.” Most employment agreements, especially in the US, include blanket language that gives employers access to your behavior while using company systems and devices.

Will Slack inform me if my employer has exported my DMs and private channels?

No. In the past, Slack informed employees, but changed this policy in 2018.

Does Slack provide user data to advertisers?

Yes. On Slack’s cookie table page, advertising partners include Facebook, LinkedIn, and Google.

Is Slack subject to GDPR or CCPA?

Yes. Refer to Slack’s GDPR page and CCPA page for more information.

Has Slack revealed customer and user data to government agencies?

Yes. Its transparency report reveals that from January 1st, 2023, to December 31st, 2023, Slack received 22 search warrants, 8 court orders, and 74 government subpoenas (98 of the 104 cases were in the United States). In 91% of those cases, Slack provided some degree of customer data in accordance with those requests.
