Slack’s new policy lets bosses read employees’ DMs without consent

Slack’s new policy lets bosses read employees’ DMs without consent

If your company uses Slack for group communication, you might want to watch what you say in Direct Messages with your colleagues: the app now lets administrators export all the data shared through it, including those private conversations – without notifying you.

That’s thanks to an updated privacy policy and tools that help Slack comply with GDPR rules; they grant customers on Slack’s Plus and Enterprise Grid plans access to a self-service tool for exporting data from all public and private channels. This functionality was previously available too, but it used to notify users when it was turned on, so they’d know that their DMs weren’t entirely private.

You can check if your team is on either of those plans by visiting https://YourTeamNameHere.slack.com/account/team, and scrolling to the bottom of the page.

But don’t assume that you’re safe if your organization uses a free or Standard plan; administrators can request access to the data export tool by providing Slack with either valid legal process, consent of team members, or a requirement or right under applicable laws. Alternatively, they can use whitelisted apps that do the same thing; you can look up the apps connected to your team’s Slack by visiting https://YourTeamNameHere.slack.com/apps/manage, but it could take a while to figure out if any of those are designed to export data from private channels.

There’s an option in Slack’s DM channels that wipes conversation history as often as you specify (visit a channel, click the gear icon, and choose ‘Edit message retention’), but you can only set it to clear data after a minimum of a day, which leaves a small window of time for your chats to be scraped. I wouldn’t risk it.

If you must talk trash about your employer, bosses, or colleagues, you’re better off avoiding using Slack to do so, and opting for something more secure, like Telegram or Signal. It’s best, of course, to leave no evidence at all, than to have to destroy it later on.

The Next Web’s 2018 conference is just a few months away, and it’ll be 💥💥. Find out all about our tracks here.

Read next: Mozilla suspends advertising on Facebook after Cambridge Analytica scandal