Updated at 5:14 pm PST to add statement from Slack
A recently announced privacy update to popular work chat app Slack may give its millions of users pause, particularly in light of the escalating revelations over how analytics firm Cambridge Analytica was able to pilfer millions of users' data via social media giant Facebook.
Slack's privacy changes, which are being made to comply with the General Data Protection Regulation (GDPR), will go into effect on May 25 — but they could put users in the dark about access their employers have to private messages, and whether they are notified about that access. In the new Slack privacy regime, users will be able to download private and public data from their workspace without notifying members.
For those unfamiliar, Slack is a workspace tool used by many companies and groups for internal communication and planning. A mix between Google Drive and AOL Instant Messenger, Slack started as an internal communication tool before becoming a public product with millions of daily users. Slack allows casual chats between coworkers as well as the ability to share company documents and spreadsheets.
As Slack explained to Salon via email:
On the Plus and Enterprise Grid plans, customers, go through an application process to request access to a self-service tool to download private and public data from their workspace without notifying members. Each application goes through a human review process to vet all export requests. Companies might need to export data for regulatory or compliance reasons. Previously, employers with certain plans who enabled Compliance Exports had to notify members if they were going to download the data.
This means that the owner of your workspace — your boss — could see your private messages to a coworker. The changes will go into effect on April 20, 2018.
Slack added that they will be emailing users this week regarding the changes.
Previously, Slack offered a "compliance export" which was only available to certain customers who applied and were approved to use the tool. The owners would have to enable this function beforehand, and when enabled, a notification would be given to the user.
The point of GDPR is indeed to protect user privacy, but paradoxically, the GDPR places enhanced requirements on "controllers" (employers) and entrusts them to be good stewards of their users' personal data.
It's indeed an interesting time to make such a jarring privacy update, as other outlets have pointed out. Digital privacy protections are under scrutiny in the wake of a still-unfolding Facebook scandal. The changes raise a more difficult question: Can we trust that any level of privacy remains online?