When Amy Pascal’s ruthless emails leaked in the infamous Sony hack, friends of mine who worked in the entertainment industry were less than shocked, recalling that her emails just reflected how everyone speaks, and how deals get made, in Hollywood.
And when John Podesta’s leaked emails revealed the wheeling and dealing surrounding the Democratic National Committee and Hillary’s nomination, people in politics expressed a similar sentiment to me: That’s just how things get done.
In both cases, the fault lay not in the actual content of leaked emails, but with the executives and politicians who put too much truth in writing. Silly old people. They should have known better!
Now, a new kind of leak is becoming the norm: Slack messages sent between co-workers. As the popular office-chat client has grown to 6 million daily users, multiple instances of leaked Slack conversations have revealed sometimes embarrassing, sometimes enlightening information about the true thoughts and feelings of a company’s employees — and it’s already led to firings.
When we spurned email for its ability to burn us, we turned to chat. But Slack’s particular user interface can make even those of us who are wary of putting anything in an email spill our guts in both direct messages and office slack channels — complaining about the bosses in the same breath as the weather.
Conversations among colleagues can and should be truthful, honest, funny — even occasionally unflattering. But we’ve started rendering permanent these sorts of conversations by chatting them, rather than speaking them out loud. Silence is not more secure: Slack’s channels — its immediacy, its private-public, highly recordable format — is starting to get people, and institutions, in trouble.
The Slack leak is the new email leak.
Drip drip drip
On Wednesday, the Huffington Post printed a Slack transcript of New York Times employees airing complaints about a controversial tweet from op-ed columnist Bari Weiss, as well as faults they found with larger policies at the Times.
Coming from one of the leading newsmakers in the world, the NYTimes chat transcript represents the most significant Slack leak to date. Through the laughably simple means of copying and pasting internal conversations, whoever is responsible for the leak provided an inside look into how ire around the management of the op-ed pages, liberal-versus-conservative fracturing, and diversity initiatives are causing a heated level of strife.
With a restrictive social media policy, the Times takes pains to prevent its employees from revealing their opinions to the public (as the Huffington Post leak article notes). So whether readers find the content of the leak predictable or shocking, the leak was organizationally damning: It revealed a side of the company management clearly did not want the public to see.
But this wasn’t the first time a leaked Slack transcript provided an inside look into the organizational workings and private thoughts of employees. In fact, the low-tech method responsible for this leak has led to breaches at Breitbart, Reddit, and a high school. Breitbart leaks have been similar to the ones from the Times. They show more internal dialogue and a less united front than Breitbart would like to present to its readers. The alleged Reddit leak of a moderator’s Slack channel provided fodder for conservative trolls looking for bias in “anti-Trump” moderators.
The security breach at a Rhode Island high school recently revealed several teachers using Slack to bash students, calling them “idiots,” and complaining about their parents. A teacher’s email was reportedly hacked in order to disseminate the leak via a shared Google doc, but the conversations themselves were copied through good old-fashioned screenshots.
The school fired the teachers for what they said over chat. And while the New York Times does not appear to be disciplining its employees, who’s to say whether organizations with leaked chats containing employee complaints or bad behavior will be as forgiving in the future.
Coming back to haunt you
And then there was the meta-Slack leak. Splinter acquired a screengrab of a Slackbot message from CNN’s Slack. The message informed channel members that “Team Owners” would as-of that message be able to “export communication history, including the content of private group and direct messages, subject to your team’s message retention and deletion policy.”
That is, the bosses would be able to read your DM’s.
In 2014, Slack changed its policy to allow this oversight and export capability. Employees should understand that that little padlock next to private channels doesn’t mean jack if their company has enabled this setting.
But it’s not just the Slack owners who have access to your chats.
In the Gawker-Hulk Hogan lawsuit, Hogan’s council pressed a Gawker employee on the significance of a joke one employee made about Hogan to another. In a reflective essay, the author of the joke characterizes what he said as a throwaway comment, but he recognizes the larger significance. “This is a scary realization,” he writes. “Hulk Hogan’s lawyers have a better sense of many conversations I had in 2012 than I do.”
This is just one instance in which one’s private chats become discoverable evidence in a lawsuit; a seemingly innocuous chat may have contributed to the bankruptcy of a major media organization.
This access is by no means limited to opposing councils. Just like other tech companies including Apple and Facebook, Slack complies with law enforcement requests to provide data and history on users.
There has yet to be a major Slack security breach. But the introduction of chat logs into evidence, law enforcement and organization’s ability to access data, and simple copy and pasted transcripts have shown that there does not need to be a hack of the Sony or Wikileaks variety to prove that Slack leaks are real and that chat logs are searchable. And with such free-flowing dialogue about company politics and sensitive topics, the leaks are sure to keep coming.
Letting those fingers fly
The quick and casual way we use chat is certainly at the root of Slack’s ability to hurt us when the conversations we have on it leak. But there are several features of Slack’s particular user interface that seem to encourage treating its channels — private and public — like an employee lounge.
Chat, of course, breeds immediate responses. You don’t have to open a new message window, and all you have to do is press enter. Have you ever written a joke to a comment, followed by a little nagging question of whether you really should have said that? The immediacy contributes to sending those questionable jokes and complaints, pressing send before we’ve thought through what we’re saying. In its own study about the use and nature of chat, Facebook says that messaging leads to more “authentic” and meaningful conversation. Though sad but true, authenticity might not be the best feature of all messages we send to our colleagues.
Slack’s differences from email also help blind us to how easy it is for our messages to be passed on, or read by people who might not like what we have to say. Chats distinctly lack that “Forward” button. Sure, emails can be copy and pasted, just like Slacks. But the existence of the email Forward button reminds us of our words’ ability to have a life of their own.
Slack channels also more effectively mask the actual recipients of the messages you send. When writing an email, you either have to type in directly who you’re sending your message to, or send to a list. In office clients like Outlook, you can click on a list to see who you’re actually sending your email to. This makes you more aware of how far and wide your message is spreading. Plus, you have the ability to delete any recipients you might be wary of.
But Slack channels don’t give you the option to delete recipients — that requires a DM. Sure, you can click on the people icon under the channel name. But who’s really thinking about all of the people who have access to your messages in an open Slack channel? The New York Times leak had to have originated from an internal source — a Times employee who had access to the channel. You never know how an employee you might not be thinking about may take an opinionated message, or even a joke. Sending messages out into the ether of office chat is not as private, or secure, as you might think while firing off a chat.
Stemming the tide
While there’s not much you as an individual can do to prevent a fellow employee from leaking a copy and pasted message, there are steps you can take to protect yourself from getting your words leaked, and facing potential consequences.
First, of course, is watching what you say. Don’t treat public Slack channels like private DM’s. Save company complaints for in person conversations, not messages that can be taken out of context, or make your employer look bad. That’s not to say that companies and bosses shouldn’t be questioned, and that you shouldn’t speak your mind. But if Amy Pascal — formerly one of the most powerful people in Hollywood — can fall for doing business, so can you.
Next up is checking whether your company has access to your private messages. This is a setting called “Compliance Exports” that companies can choose to enable in Slack. To check whether your company has turned this feature on, click the downward arrow in the top right corner next to your company’s workspace. Click on “Profile & account,” and your profile will open in a sidebar. Click the downward arrow underneath your photo, and navigate to “Open account settings.” This will take you to your “Account” page in your browser. (You can also go straight here by typing in the URL of your workspace plus /account/settings).
Now, click on workspace settings. Here, you’ll find a bunch of handy info: who your workspace owners and admins are, how often messages in public and private slack channels and DM’s get deleted, and of course, whether the “Compliance Exports” capability is turned on. Scroll all the way down to find the “Compliance Exports” section: here, you can see if your bosses have the ability to read your DM’s. From there, proceed wisely.
Your company may have set the “Retention and deletion” settings for all types of messages; IE, whether and how frequently messages get automatically hard deleted from your company’s and Slack’s servers.
However, your company may have allowed employees to override these settings, specifically in private channels and DMs. It’s a good idea to have your messages auto-delete: even if you think you haven’t said anything damaging, you don’t want something you don’t even remember saying to become discoverable evidence in a lawsuit that costs your company money, and maybe even costs you your job.
To see if you are able to change how frequently messages get deleted, click the gear icon in a private channel or DM. Click “Edit message retention” if it appears, choose how long you want to keep your messages, then save and apply. Reportedly, when messages are deleted, Slack hard deletes all messages and back-ups from their servers within 14 days — and they’re no longer accessible to anyone who asks for them. Phew.
Just do it
In the middle of the leaked New York Times transcript, an employee tells the channel “hey all. whatever we’re saying here is leaking outside the Times. I’ve got a message from a reporter outside the building asking me to screen shot this conversation.”
The employees carry on as if she hasn’t said anything. They’re clearly frustrated and looking for a way to voice their concerns — public eye be damned (and maybe even embraced).
Who doesn’t roll their eyes at the refrain to not talk shit in chat, keep your words professional in the office at all times and on all platforms, think before you speak? Mashable’s Rachel Thompson recently reported that email is on the way out for entrepreneurs because its slow pace can’t keep up with start-up culture; instead, millennial workers turn to chat and project management clients.
We don’t have time to think before we speak, the attitude seems to say. Plus, in what world could our boring work convos actually have any consequences? It seems like an old wive’s tail, a warning from an older generation. And it’s just no freaking fun. We don’t want to live in the buttoned up world where we can’t be our authentic selves in the office. That’s what our generation, the generation of seeking out purpose in work, is all about.
But we are just at the beginning of learning about the consequences of chat. Over the last decade, we gradually stopped sending those bitchy emails, those “ughs” to our work friends, in the forwarded message body above a particularly annoying note from that colleague you hate. Email stopped being fun because it stopped being honest and emotive. With email, no matter how banal our messages seemed, the stories detailing the consequences executives and employees alike faced for their emails, changed the way we used email, too.
So despite all the custom dancing emoji in the world, with every new Slack leak, life on Slack will (have to) change, too.