Think your private messages on work systems are safe? Think again. Here’s what your boss can see on Slack, G Suite, and Office 365.
Take a good look through your employment contract. Chances are that, tucked somewhere within, you’ll find a clause letting your company monitor your electronic communications.
But now that most of our communications live in the cloud, what can your company see? Has the ability of your boss to snoop on your private messages been diminished now that the content doesn’t sit on the company’s own servers? Or is it easier than ever to scour private conversations that take place on ‘work’ systems?
Here, we dive deep into the admin panels of three of the most used business communications platforms to give you an insight into the communications monitoring tools available to IT admins. You may be shocked to discover what your boss can see.
Slack has largely replaced email for internal communications within many companies. But, while most employees will be aware that their email can be read by their employer – a condition normally stated in contracts of employment – what about their Slack messages? Especially those posted in private Slack channels?
The extent to which your boss can read your Slack messages will depend on their appetite to pay for the service.
Slack has infiltrated many organisations from the ground up, with many teams still using the free tier – especially if it’s not officially supported by the IT department. (In many small organisations, there’s no such thing as an IT department in the first place.)
On the free tier, teams only have access to their past 10,000 messages. The rest are bundled into an unreachable archive, which Slack doesn’t delete, because it uses access to the archive as a carrot to induce companies to subscribe.
Admins can search and export content from any public Slack channels, even on the Free tier. Public channels are all those listed under Channels in the Slack interface that don’t have a padlock next to their name (the indicator of a private channel only open to selected users).
Slack administrators are given a graph that breaks down the percentage of daily messages
On the Free and Standard tiers, it’s not ordinarily possible for Slack admins to search for direct messages between team members, unless they themselves were privy to the conversation in the first place. Direct messages can be sent between two or more employees, and effectively act as private channels.
Free and Standard tier admins might not be able to see direct messages, but they can still tell if there’s a lot of private chatter going on. Slack analytics displays a graph that shows the percentage of daily communication in public, private and direct messaging channels. If the boss can see a high percentage of chatter in direct messages, that might encourage them to probe further.
If Free and Standard tier admins do want to access private conversations between employees, they would have to apply directly to Slack. Slack says it “will reject applications, unless Workspace Owners show in each instance (a) valid legal process, or (b) consent of members, or (c) a requirement or right under applicable laws in order to export data”.
If your company pays for one of Slack’s Plus or Enterprise plans, however, the ball game changes. Paid subscribers can perform what’s known as a Corporate Export, which Slack describes as “a self-serve export tool that permits a Workspace Owner to export content from private channels and direct/ group messages as needed and permitted by law”.
While Slack once again insists that the Workplace Owner must “ensure that (a) appropriate employment agreements and corporate policies have been implemented, and (b) all use of Corporate Export is permitted under applicable law”, note that key phrase “self-serve tool”. There’s nothing in practice that prevents IT admins or managers exporting and skimming through private messages. Such conversations are exported as JSON files, with conversations in the following format:
“text”: “Hello world”,
That means it would be the work of moments to do a keyword search for a particular name or phrase, and identifying the person behind a user ID wouldn’t be difficult.
So how do you know if the boss is exporting your private conversations? Under its old Compliance Report system, Slack used to notify users if there was a chance their private messages could be read.
Now you have to go to slack.com/account/team, log in and read the notification at the bottom, which reveals the type of data that can be exported from your company’s Slack account. If private messages are listed, it might be better to use WhatsApp or some other private channel to plot the overthrow of your manager…
There is one potential saviour for Slack plotters. Paid-for Slack accounts can allow users to set their own private channel and direct message retention policies. This means you can click the settings cog in any private or DM channel and have the messages routinely purged in as little as 24 hours. This is a permanent deletion and means the message won’t be retrievable by admins. However, admins need to explicitly switch on this option – it’s not on by default. If your company is the kind of employer to go poking around your private messages, it’s hardly likely to switch this on in the first place.
It may come as a surprise to people who work for companies using Google as their email provider that employers can’t routinely read emails – at least, not on the most basic G Suite plan. G Suite Basic admins can search email logs, to see what their users are receiving and sending, and even narrow down those searches to specific recipients, senders or subject lines. If a company wanted to show that Employee A had been harassing Employee B by barraging them with email, for example, the audit logs could be used as evidence.
What those audit logs don’t show is the content of messages. That doesn’t mean that G Suite admins have no way of searching through employees’ inboxes, as Google’s support staff cheerfully explained to me when I asked for a way to search employees’ emails from the admin console.
In the most basic G Suite plan, admins can’t read your emails, but they can search the logs to see who you’re emailing and the subject line
“Barry to answer your question, you can reset users’ passwords… and then you’ll be able to access users’ inboxes,” support desk Daniel said. This, of course, will lock the employee out of their inbox, so if you’ve ever found your work Gmail mailbox password has been mysteriously reset, you might wonder what the IT admins have been up to.
Once they have access to your inbox, admins can also set themselves up as a “delegate”, allowing them to read any messages sent to or by you. But you’d be able to see who’s been afforded delegate access in your Gmail settings – if you ever bothered to look.
Those companies on the more expensive G Suite Business and Enterprise accounts need not resort to such underhand measures. These tiers get access to Google Vault, which archives all the email accounts in the firm’s domain on Google’s servers. Crucially, this lets the company search the content of email by keyword – and not only email, but Drive files, Hangout chats and Google Groups messages, too.
As Google’s support files helpfully explain: “When you open an email or chat message, the thread’s entire conversation is displayed. For very long threads, only the most recent 100 messages are included in the preview. You can’t preview earlier messages from the thread. However, all messages that match your search criteria are included when you export.”
Even the criminals’ favourite technique of saving messages in Drafts so that they can’t be intercepted on their way to recipients is thwarted by Google Vault. Indeed, the help files suggest that you have to specifically exclude drafts from a search if you don’t want those results to be returned.
Office 365 admins have much the same ability to plough through employees’ email as G Suite overlords. Office 365 doesn’t even force you to pay for the higher tier products before handing businesses the ability to search through employees’ emails. It’s a standard part of the Office 365 Business admin centre.
Usage reports let admins see when users are accessing their mailbox, OneDrive, SharePoint or Skype services, although these reports merely highlight the frequency with which they’re being used, not the nature of those communications.
In Office 365, admins can monitor when you access your mailbox and can also search the whole company for specific keywords
To look for specific keywords in mailboxes, admins can run a content search in the Office 365 Security & Compliance Center. As with the Google Vault, this not only covers email, but SharePoint Online and OneDrive for Business sites, Skype for Business conversations, Microsoft Teams and Office 365 Groups.
Admins can search specific inboxes or the entire company, and as Microsoft’s help files explain: “After you run a search you can preview the results, get keyword statistics for one or more searches, bulk-edit content searches, and export the results to a local computer.”
Office 365 lets admins perform relatively complex searches, so they can drill down to very specific pieces of information. “You can specify keywords, message properties such as sent and received dates, or document properties such as file names or the date that a document was last changed,” Microsoft states. “You can use more complex queries that use a Boolean operator, such as AND, OR, NOT, NEAR, or ONEAR. You can also search for sensitive information… in documents, or search for documents that have been shared externally.”
Microsoft’s search results even deliver detailed statistics. Say you’ve searched the company’s mailboxes for a particular keyword: the search results can be sorted to show the mailboxes with the greatest number of hits at the top, for example. Big Brother has never had it so good.
This article originally appeared at itpro.co.uk