[HN Gopher] US agencies warn companies: Don't delete Slack or Si...
___________________________________________________________________
US agencies warn companies: Don't delete Slack or Signal chats
Author : hhs
Score : 97 points
Date : 2024-01-26 17:33 UTC (5 hours ago)
(HTM) web link (news.bloomberglaw.com)
(TXT) w3m dump (news.bloomberglaw.com)
| AlexandrB wrote:
| For Slack, this seems like it should be a checkbox you set
| somewhere that causes Slack to archive everything instead of
| deleting it. And if you want to be ISO 9001 (or whatever)
| compliant you have to set the checkbox.
| rilindo wrote:
| IIRC, Slack archives by default, you don't have access to
| previous messages after a certain point unless you pay for the
| service.
| lxgr wrote:
| Messages older than 90 days are only hidden in the free plan,
| not deleted:
| https://slack.com/help/articles/7050776459923-Pricing-
| change...
|
| As soon as you start/resume paying, you can access them
| again.
| FooBarBizBazz wrote:
| This will encourage RTO. If off-site workers can't engage in
| illegal and anticompetitive behavior without it being documented,
| then they'll be shut out of the important roles.
| kayodelycaon wrote:
| Unlikely. Video and phone calls aren't recorded. I've used them
| tons of times to discuss things with coworkers I don't want
| seen by management.
| SoftTalker wrote:
| That's a throwback to a time when it wasn't possible or
| practical to record them.
|
| There's no technical reason that lets you keep Slack, chat,
| or email and prevents keeping phone calls and video. It's all
| just digital data.
|
| I'd expect we'll see the requirements change to include
| these.
| kayodelycaon wrote:
| Sure, it could change in the future. It's not the reality
| now, so data retention rules on chat programs aren't likely
| to cause a return to office.
|
| Management have been using phones to bypass record keeping
| for well over half a century.
| rightbyte wrote:
| It's just a matter of time before some LLM will transcribe
| them and log your calls though. It might already be
| happening.
| vel0city wrote:
| It's already an optional feature of a lot of chat platforms.
|
| https://support.microsoft.com/en-us/office/view-live-
| transcr...
|
| https://www.microsoft.com/en-us/microsoft-365-life-
| hacks/org....
| rightbyte wrote:
| Oh ...
|
| Well I wonder when "Facebook-scale" can do untargeted
| spying? Like, record and transcribe your Whatsapp calls
| without knowing that you are a high value product or
| dissident. I guess it would be too expensive to do right
| now, compute wise?
|
| I am seriously thinking about making my own VOIP app for
| the phone to try to mitigate these kinds of attacks.
| lanstin wrote:
| PGPfone was a thing in the nineties.
| https://en.wikipedia.org/wiki/PGPfone
| wharvle wrote:
| Recording laws get in the way of this. You'll start
| seeing/hearing a warning every time you start a call if
| they begin doing this.
|
| The live-captions tool in Teams is already better at
| understanding some of my colleagues than I am. The tech's
| there, and probably already was good-enough before LLMs.
| lazide wrote:
| Almost every corp phone line already can be (and often
| are) recorded. People sign away those rights when they
| sign their company's info processing rules (the 'company
| equipment belongs to the company and can be monitored at
| any time' stuff).
| wharvle wrote:
| Folks outside the company often join calls and video
| meetings. Some orgs may have their shit together-enough
| to exempt only those, perfectly, so they never violate
| recording laws, but I'd expect most would just notify on
| all calls/meetings if they started doing this.
| lazide wrote:
| Or just record and expect no one to attempt to prosecute
| (most likely), since it was 'by accident' (no mens rea).
|
| Generally recording phone calls is only a crime if there
| is an expectation of privacy, which would also be hard to
| say existed on a group phone call or video chat,
| especially if one of the parties knew for sure it could
| be recorded (and consented to it by continuing to work
| for the company).
|
| Federal law would make it legal to record such a call,
| for instance.
|
| California might make it illegal, might not - all the
| parties would have to expect it to be a non confidential
| call.
|
| Which a group call? Hard to argue that's confidential.
|
| Calling a random person in a company, where you don't
| know if it is being recorded or not? Ehhhh.
|
| Also, in California there is an exemption to these
| recording laws - you can use illegal recordings to defend
| yourself against perjury, or in the prosecution/defense
| of certain heinous crimes like extortion, kidnapping,
| murder, etc. (633.5 CPC)
| [https://leginfo.legislature.ca.gov/faces/codes_displaySectio....]
|
| It's a shame Justia doesn't link to that, as it's quite
| important in some situations.
|
| [https://www.justia.com/50-state-surveys/recording-phone-
| call...]
|
| "Under California law, it is a crime punishable by fine
| and/or imprisonment to record a confidential conversation
| without the consent of all parties, or without a
| notification of the recording to the parties via an
| audible beep at specific intervals. The California
| Supreme Court has defined a confidential conversation as
| one in which the parties have a reasonable expectation
| that no one is listening in or eavesdropping. In addition
| to criminal penalties, illegal recording can also give
| rise to civil damages.
|
| CA Penal Code § 632 (definition & penalty), § 637.2
| (civil damages), Flanagan v. Flanagan, 41 P.3d 575 (Cal.
| 2002), Cal. Pub. Util. Code Gen. Order 107-B(II)(A)"
| bluGill wrote:
| Teams at least pops up a message to everyone when someone
| hits record. That should be enough for the courts where
| notice is required.
| jprete wrote:
| Technological infeasibility is not necessarily an excuse for
| skipping record-keeping. I've heard that financial
| organizations, which often have strong compliance
| requirements, do in fact record phone calls and video chats -
| possibly even face-to-face meetings. And they will actively
| discourage you from using a line not controlled by the
| company, because otherwise they could have compliance
| violations.
| kayodelycaon wrote:
| And such organizations would already not be deleting slack
| messages and therefore their stance on return to office
| isn't likely to change. :)
| taeric wrote:
| I suspect this will almost certainly lead to more companies that
| have policies against these tools. I'm also assuming data
| retention policies would be the same as email? Such that you can
| delete them, but it has to be a stated policy with legally
| applicable timelines.
| ryandrake wrote:
| This doesn't seem much different than what companies must do
| with E-mail when they are under investigation or getting sued.
| Surely these chat applications have a configuration to allow
| for messages to not be deleted when under "litigation hold". No
| company that I know of has a policy against E-mail.
| taeric wrote:
| Most policies regarding email are that some topics are off
| limits for email. Certainly speculative business
| conversations should not be done on email, largely because
| context matters a lot for those discussions.
|
| Though, you are right that most places ignore email until you
| get going pretty well, and then by that point the cat is out
| of the bag. It used to be that only official communications
| were important. And that was largely managed by you only
| kept official communications archived. Now that we can
| archive anything, it is getting kind of silly.
| otoburb wrote:
| Reviewing the actual FTC announcement: " _Companies that allow or
| provide applications with ephemeral messaging capabilities must
| continue to retain all relevant documents during government
| investigations and enforcement actions._ "[1]
|
| Looks like this is only (especially) applicable once the company
| in question has been officially notified of an active ongoing
| government investigation.
|
| [1] https://www.ftc.gov/enforcement/competition-
| matters/2024/01/...
| eschneider wrote:
| What they mean is _don't delete chats after an investigation has
| started._ What sensible people do is have a retention policy of
| not keeping chats longer than, say seven days.
|
| I know what you're thinking, "Slack is our project archive." If
| that's actually true, .gov investigations are the LEAST of your
| problems.
| jgalt212 wrote:
| > What sensible people do is have a retention policy of not
| keeping chats longer than, say seven days.
|
| or seven years if the SEC is watching over you.
| gherkinnn wrote:
| Retaining messages for no longer than a week or two would act
| as a forcing function to keep project management and comms
| sane.
| wharvle wrote:
| True in theory.
|
| In practice, I've never seen a "more-correct" system actually
| replace the value of long-lived chat channels and a culture
| of discussing things out in the open on those channels.
|
| Long-lived chats don't replace documentation and project
| management, but I've yet to see those replace the value of
| long-lived chats.
|
| Now, it probably could be replaced by companies putting
| project management in a non-hellish tool that's close to the
| code and has a pleasant chatting-about-issues experience and
| low structure so you don't feel like you're knocking over
| some PM's sand castle if you mess with it (so NOT jira,
| asana, etc.) but I've never experienced a company that does
| that. Communicating in the PM tools is always terrible.
| ParetoOptimal wrote:
| Even though I commented up thread that not having logs for
| more than 7 days would be horrible for an employee, I don't
| necessarily disagree fully with this statement.
|
| It would ideally force employees to take notes and keep
| comms/project management sane, however I'm more likely to
| believe people would just get used to finding an easier
| workaround or guessing.
| dylan604 wrote:
| Wouldn't any change to retention policies be a bit of a
| possible canary trap?
| eschneider wrote:
| Not really an issue. When you're in a situation where you
| need to retain data for legal reasons, you TELL people that,
| so they don't inadvertently destroy the data. It's the
| opposite of a secret.
| mlhpdx wrote:
| And, there is software for it that automates sending and
| getting confirmation the notification has been received and
| understood.
|
| One example:
| https://www.exterro.com/e-discovery-software/legal-hold
| lxgr wrote:
| It's still bizarre to me that this has become the industry
| standard in the US.
|
| Sure, it's all legal and perfectly reasonable at the micro
| level considering that every stored email increases the legal
| fees (due to making discovery more expensive during any
| hypothetical future lawsuit), but at a macro level, the outcome
| "companies legally delete all written communications as soon as
| feasible" seems baffling.
|
| At the opposite end of the spectrum is the financial industry,
| where regulators effectively require recording every single bit
| of business communication (by taking a very liberal
| interpretation of some quite old law, as far as I understand),
| written or spoken (unless it was in person, of course), and
| under threat of massive fines.
|
| It seems to me like there should be some pragmatic middle
| ground somewhere between these two extremes?
| eschneider wrote:
| The "companies legally delete all written communications as
| soon as feasible" outcome isn't (mostly) because companies
| are trying to hide illegal shit. It's because when you get
| sued for whatever, and your email/chat/whatever get
| subpoenaed, there's going to be who-knows-how-much
| embarrassing personal gossip in there, too and that just
| makes folks look bad. The easiest way to avoid that (and
| other forms of embarrassment) is to just not keep that stuff
| around.
|
| If it's policy, it's legal. You can't go around and delete
| the stuff after the fact.
| mattmcknight wrote:
| It's also just a massive time/money sink to have your own
| legal team review all of that stuff. You don't want to send
| anything to another party before you have reviewed it. In
| addition, there are often conflicting rules there, where
| there is private information of unrelated parties in the
| messages, so the review process just becomes unmanageable
| if it is an archive over a long period of time.
|
| Meanwhile, we now have people putting stuff into their own
| personal information management systems, training various
| models on the data, etc. When the company ceases to be a
| valuable library of the information necessary to do your
| job, people start specifically archiving things that might
| be useful at some point in the future, and the discovery
| process becomes unbounded.
| dmoy wrote:
| Yup this one is it, right here.
|
| It's absolutely about discovery costs. Document review is
| typically like a quarter of all litigation cost, and
| that's assuming the problem of "get all the docs" is
| solved already.
| ghaff wrote:
| People write candid stuff on internal channels _all the
| time_ that are not official company statements. And it's
| mostly _not_ about illegal shit they did. It's things like
| $COMPANYA is eating our lunch because our sales processes
| are so screwed up. So when you file a lawsuit against
| $COMPANYA claiming that some questionable action caused you
| to lose business, their lawyers can cite the fact that you
| were already messed up for totally different reasons.
| [Corrected confused who is who :-)]
|
| (Very loose retelling of just a few of the sorts of things
| I saw when writing an expert witness report years ago.)
| godelski wrote:
| It also stochastically increases privacy and security.
| Restricts any adversary from obtaining your data outside of
| certain windows. Which can be important in dynamic
| environments where allies can become adversaries (be that
| prior employees, foreign governments, or whatever). This
| seems to have a huge advantage considering it means any
| adversary must make more noise and use longer term action
| to cause damage (i.e. hard to "smash and grab").
|
| This is why when I saw the Signal Forum discussions on
| deleting chats that I was really surprised that that
| community was extremely against it (strongly in favor of
| immutable texts). All arguments against privacy were
| dismissed with claims that one can screenshot and arguments
| for immutable texts were bad analogies to mail and
| assertions about "my device, my data." The Signal Forums
| are a weird place and I think Signal's reliance on them
| contributes to their slow progress, adoption, and why they
| get weirdly sidetracked about things no one cares about.
| AnthonyMouse wrote:
| Software that can delete your copy of a text is fine.
| Software that can delete somebody else's copy of a text
| is not going to satisfy the somebody else, and is also
| not going to work because if they don't like it there are
| several other ways they can copy it, which in turn means
| you have no guarantees that they've deleted it and
| shouldn't expect any.
| godelski wrote:
| I appreciate the comment but I feel it fails to address
| mine.
|
| > is also not going to work because if they don't like it
| there are several other ways they can copy it
|
| >> All arguments against privacy were dismissed with
| claims that one can screenshot
|
| > you have no guarantees
|
| >> stochastically increases privacy and security
|
| I'm not sure why we have to frame privacy and security
| with strict guarantees. If we need strict guarantees then
| we should abandon all efforts because guarantees do not
| exist (my preemptive response to what you are thinking is
| "implementation.") Fundamentally it is always stochastic
| as statistics is a way to capture error and uncertainty.
|
| Everyone that advocates for deletion is well aware that
| one can screenshot, copy, or even write down information.
| It is a weird assumption to make, because it implies an
| exceptional level of stupidity to the person you respond
| to. Every 12 year old knows that you can screenshot
| Snapchats and they know it can be done without Snapchat
| warning the other person. So forgive me, because while I
| know you are acting in good intent (we've had enough
| conversations that I have that respect for you), I think
| I need to point out that it is easy to read such a
| response as indicating you did not bother to read my
| comment (so why comment?) or that you imply I am
| incredibly naive. I say this because this topic is often
| heated so stating this can help reduce the inference gap.
| I know you are not trying to do such a thing, but not all
| others will have that shared history to give benefit of
| the doubt.
|
| There's nuance necessary beyond the existence of copy
| methods. People with positions similar to mine understand
| that the act of copying requires time and energy. That
| someone needs to either preemptively implement a system
| of record keeping or that such an action is responsive.
| In the latter case, having the ability to delete acts as
| a windowing operation. You do not know your adversaries a
| priori nor do all adversaries begin as adversaries. So if
| you can delete the information before a log is created,
| you have succeeded. Yes, this is stochastic. But I'd
| rather have a 1% of protection than a 0%, because an
| immutable history just means the adversary has unlimited
| time to strike. Basically, you are doing your adversary's
| job for them. tldr: the game has a temporal component and
| it is not turn based.
|
| I will understand arguments about communication, of how
| some may assume stronger protection than received, but
| I'd also respond that this is a fairly universal claim
| and we do not apply it to many other domains as we still
| find utility.
|
| I'll also add that this stochastic protection is why
| companies will remotely wipe your devices if they are
| reported lost or stolen. You wipe for protection but
| operate under assumption that the data was copied. This
| is fairly standard practice.
| lxgr wrote:
| > If it's policy, it's legal.
|
| I don't disagree that it's legal and mentioned that in my
| comment. What I'm claiming is that the way in which the
| legal system has evolved has incentivized problematic
| behaviors.
|
| > there's going to be who-knows-how-much embarrassing
| personal gossip in there, too and that just makes folks
| look bad
|
| That's what I was referring to by "making discovery more
| expensive during any hypothetical future lawsuit". Part of
| that cost is due to legal fees for discovery, but the other
| part is reputational harm:
|
| The problem here again isn't courts and parties to the
| lawsuit having access to that data, but rather that it's
| being explicitly published for the entire world to see and
| share.
|
| Personal gossip has absolutely no reason to be published as
| part of a lawsuit, in my view. If it's relevant to the
| case, make it available to its parties, read it out during
| the (usually public but non-broadcast) trial etc., but
| don't put it on an online case filing platform. Get rid of
| that, and the incentive to delete literally anything that's
| not legally required to be archived goes away too.
| AnthonyMouse wrote:
| > Get rid of that, and the incentive to delete literally
| anything that's not legally required to be archived goes
| away too.
|
| Not exactly.
|
| One of the reasons companies do this is that random
| employees don't know how laws and courts work. They'll
| say things without knowing that the words they're using
| are a term of art with a different meaning in the law
| than it has the way they're using it, and then write
| something which would be damning if it was what they
| actually meant, but it wasn't what they actually meant.
| Or that sounds damning if taken out of context. Also,
| sometimes they really are breaking the law without
| knowing it and not having the evidence of that sitting
| around isn't really to the company's advantage either.
|
| The only real way to prevent companies from wanting to
| delete it would be to make it so it couldn't be used
| against them if they kept it.
| lalaithion wrote:
| > They'll say things without knowing that the words
| they're using are a term of art with a different meaning
| in the law than it has the way they're using
|
| And this is what we need to change. We need a presumption
| that when a non-lawyer says "we should form a cartel with
| our competitors" that they aren't implying anything
| illegal, even though cartels are illegal.
| pixl97 wrote:
| This is what the purpose of a trial is, hence the
| evidence gathering, and rebuttal in court. The best
| evidence against you is no evidence.
|
| Let's jump from civil to criminal law, where you do have
| the presumption of innocence.
|
| Let's say you send a message that says "I'm going to kill
| Jon with kindness" to someone else on your team. Then
| the next day Jon ends up violently murdered. Even though
| the content of your message is one that does not condone
| any particular violent act, you should 100% expect to be
| a target of the investigation.
|
| This is reasonable. In civil trials where it's not beyond
| a reasonable doubt, but a preponderance of evidence,
| these little things could tip the balance out of your
| favor.
| aidenn0 wrote:
| > Personal gossip has absolutely no reason to be
| published as part of a lawsuit, in my view. If it's
| relevant to the case, make it available to its parties,
| read it out during the (usually public but non-broadcast)
| trial etc., but don't put it on an online case filing
| platform. Get rid of that, and the incentive to delete
| literally anything that's not legally required to be
| archived goes away too.
|
| The sentence "This seems like a really shitty way to
| treat our customers," is going to both look bad and be
| relevant to lots of lawsuits. On the other hand, if a
| company doesn't have a communications channel in which
| people can freely say this, they're going to end up
| treating their customers in shitty ways a lot more.
| watwut wrote:
| It is very much because companies are trying to hide
| illegal shit. Cause, companies that don't do not have
| "delete in 7 days" policies. And yes they do exist and have
| layers.
|
| It is not about gossip, it is very much about management
| knowing about illegal shit, wanting to keep it and wanting
| to hide it.
| judge2020 wrote:
| Although you'll get in trouble if you make that a policy
| after being told to keep stuff:
| https://www.fastcompany.com/90955785/google-deleted-chats-
| in...
| rpaddock wrote:
| "...at a macro level, the outcome 'companies legally delete
| all written communications as soon as feasible' seems
| baffling."
|
| That leads us directly to "2028 - A Dystopian Story" By
| Jack Ganssle:
|
| http://www.ganssle.com/articles/2028adystopianstory.htm
|
| That explains why no records are to be kept, and this is the
| real law:
|
| Known as 'The Rule of 26', which is sometimes given as a
| reason _NOT_ to keep engineering notebooks etc. By Federal
| Rule 26 you are guilty if you did not volunteer the records
| before they are requested. Including any backups.
|
| From Cornell Law:
|
| LII Federal Rules of Civil Procedure Rule 26. Duty to
| Disclose; General Provisions Governing Discovery
|
| Rule 26. Duty to Disclose; General Provisions Governing
| Discovery
|
| (a) Required Disclosures.
|
| (1) Initial Disclosure.
|
| (A) In General. Except as exempted by Rule 26(a)(1)(B) or as
| otherwise stipulated or ordered by the court, a party must,
| without awaiting a discovery request, provide to the other
| parties:
|
| (i) the name and, if known, the address and telephone number
| of each individual likely to have discoverable information--
| along with the subjects of that information--that the
| disclosing party may use to support its claims or defenses,
| unless the use would be solely for impeachment;
|
| (ii) a copy--or a description by category and location--of
| all documents, electronically stored information, and
| tangible things that the disclosing party has in its
| possession, custody, or control and may use to support its
| claims or defenses, unless the use would be solely for
| impeachment; ...
|
| https://www.law.cornell.edu/rules/frcp/rule_26
| godelski wrote:
| > sometimes given as a reason NOT to keep engineering
| notebooks etc.
|
| Don't we see this in practice? I mean I'm not talking about
| engineering logs or documenting code (we all know that
| doesn't happen, but it is due to laziness), but how there
| are some people who have strong preferences to
| conversations happening via phone conversations or in
| person. Since those prevent official records and there are
| stronger protections around those media.
| paulddraper wrote:
| > I know what you're thinking, "Slack is our project archive."
| If that's actually true, .gov investigations are the LEAST of
| your problems.
|
| I'm thinking Slack is my conversation archive.
| scruple wrote:
| We must not have the same employer. Our private message
| retention rate must be 30 days. It's _fucking infuriating_
| but I also believe it's directly correlated to TFA.
| Karellen wrote:
| Why do you have a "conversation archive"?
|
| Wouldn't you consider it _really fucking weird_ if every time
| you had an informal, in-person discussion with a friend, or
| maybe a partner, or even a co-worker, that they insisted on
| writing everything both of you said in a notebook to keep a
| permanent record of it, in case they wanted to call you out
| on something you kind of blurted out without too much thought
| ten years from now, or to be able to turn it over to the
| authorities if they ever (incorrectly?) thought you might be
| implicated in something dodgy? Or for it to be available for
| someone to steal and/or make copies of?
|
| They can never just _have a chat_ with you? Shoot the shit
| and put the world to rights, without you keeping meticulous
| records of every goddamn word they said off the cuff?
|
| You don't think that, maybe, the more our real lives move
| online, the more that that kind of friendly, informal,
| _ephemeral_ conversation ought to be able to move online?
| xxpor wrote:
| As perf evals become more thunderdome in this environment,
| this issue is going to get worse, not better.
| pests wrote:
| Tools are set up to log by default.
|
| Apps exist for the ephemeral conversation you desire. Like
| Snapchat. Where one of the features is conversations
| disappear.
|
| I don't think everything is so gloom and doom like you make
| it out to be.
| jcul wrote:
| These are not informal conversations though. Maybe a small
| percentage is informal on slack, but even that is "SFW"
| communication that no one would care if it is logged.
|
| It's script snippets, customer support information, links,
| design decisions etc.
|
| Of course this stuff should be preserved in knowledgebases,
| tickets, commit messages etc, and it is, but sometimes
| people forget or something doesn't seem worth documenting.
| That's Slack's main selling point for me, the ease of
| finding some technical conversation from 6 months ago.
| NotSammyHagar wrote:
| It's supposed to be SFW but the endless series of
| articles and lawsuits about info found in slack shows
| it's not really sfw across the business world. And yeah
| it's true for all other texting systems.
| em-bee wrote:
| it sounds weird, but there is a reason why i prefer written
| over spoken communication. it helps me remember what we
| talked about. very often i need to find some detail that i
| remember me and my wife discussed. if we did it in text
| chat, i can often find it. if it was a phone call it is
| lost forever (audio recordings are useless until the tech
| has evolved to make them searchable)
|
| yes, it is a tradeoff. most things don't need to be
| recorded. but what we like to record and what not varies
| from person to person. many chat apps allow you to
| temporarily turn on automatic deletion of messages, and
| some allow you to delete old messages. it would actually be
| good to do from time to time to weed out the actually
| irrelevant stuff but it takes effort to do that.
|
| the key feature though for me is that recording messages
| helps me resume an interrupted conversation. and when you
| get older and start losing friends as they pass away,
| these are also memories of the good times that you have had
| together.
|
| what we need is better laws to protect our privacy, that
| say don't allow old messages to be used regardless if they
| are stored or not, so that we don't run into the current
| situation that those who were so dumb to not delete the
| messages are at a disadvantage.
| paulddraper wrote:
| > they insisted on writing everything both of you said in a
| notebook
|
| Like....my emails? My SMS messages?
| bigstrat2003 wrote:
| That is what unethical people do. Sensible people have a
| retention policy that balances storage cost with need to look
| at the archives, rather than "we have to make sure we don't get
| caught doing illegal shit".
| lazide wrote:
| It's often not that anyone is doing illegal shit or not, it's
| that archives can be mined for out of context quotes that
| will ruin the company or people involved _regardless_.
|
| And large archives also dramatically increase costs of
| complying with civil discovery, which already can make the
| most ridiculous lawsuit cost millions just to 'deal with'.
| AceJohnny2 wrote:
| For example (1998)
|
| https://www.wired.com/1998/09/microsoft-subpoenas-bad-
| attitu...
|
| (not linking to jwz's own recollection of the event, due to
| HN referral trap)
| em-bee wrote:
| (why not link? it's not like we don't know how to
| circumvent that)
|
| https://www.jwz.org/gruntle/rbarip.html
|
| about that list, i am sorry, but i don't feel that
| badmouthing anyone is healthy ever. doing that in a group
| is not catharsis but it is reinforcing bad attitudes,
| discontent or even hatred. that is not something i want
| in my company.
|
| if any of my employees set up such a list or forum, i
| would tell them to stop that immediately, under threat of
| being fired if they didn't comply. not because of the
| risks involved, but because i do not want anyone to think
| that doing that is ok. it isn't!
|
| _Perhaps it's best to just never say anything that you
| wouldn't want published._
| lazide wrote:
| Sure, but that doesn't mean people don't do it all the
| time.
| em-bee wrote:
| some people maybe.
|
| but that is not an excuse.
|
| and it's not healthy to encourage others either.
| williamcotton wrote:
| Don't think illegal, think ammunition for the opposition.
| deciduously wrote:
| It's right there in the name, Searchable Log of All Company
| Knowledge.
| kevindamm wrote:
| now that's a good backronym
| csallen wrote:
| It was the original origin of the name Slack, actually
| bsimpson wrote:
| The thing Google got chastised for is having a short retention
| policy.
| ParetoOptimal wrote:
| > What sensible people do is have a retention policy of not
| keeping chats longer than, say seven days.
|
| Maybe that's good from a company perspective, but from an
| employee perspective not being able to search old conversations
| is abysmal.
| bitmasher9 wrote:
| Most tech companies shut down or slow down for 1-2 weeks
| around Christmas. Imagine coming back to an empty Slack.
| nickstinemates wrote:
| Sounds amazing.
| popcalc wrote:
| I owe you a soda.
| popcalc wrote:
| Sounds wonderful :)
| taeric wrote:
| Seven is almost certainly too short of a timeline for this? I'd
| expect the retention policy to be at least months, if not
| longer. Certainly for top level employees.
| NotSammyHagar wrote:
| But that is exactly how corporations work. When I worked at
| Microsoft more than 10 years ago, they set everyone's exchange
| storage to a small amount and they auto-deleted old email, but
| the storage per person was too small, with lots of messages
| with embedded docs, etc. So every developer was wasting time
| deleting messages, trying to get under the storage limit so you
| could send and receive new email. And they were auto-deleting
| chats after a time. I was in some random group of people that
| were supposed to preserve material for a lawsuit, but they
| wouldn't give me more storage, I think what I did was store
| appropriate emails locally on my desktop.
|
| In later jobs we were using slack and they auto-deleted them
| after a week or two. We were allowed to create persistent slack
| channels that were private. This whole area is a waste of time,
| where the lawyers reduced the legal risk of the company from
| lawsuits, they transferred the cost to their dev teams wasting
| time managing this. At this company "our developers are our
| most important resource" but we weren't that important. I told
| my manager that all the devs were wasting time with this,
| probably a few hours a week figuring out if they should
| "preserve something" to remember decisions that were made. He
| agreed it was a huge waste of time.
| foofie wrote:
| > When I worked at Microsoft more than 10 years ago, they set
| everyone's exchange storage to a small amount and they auto-
| deleted old email, but the storage per person was too small,
| with lots of messages with embedded docs, etc. So every
| developer was wasting time deleting messages, trying to get
| under the storage limit so you could send and receive new
| email.
|
| I think Amazon also follows that practice. It assigns
| something like 2GB of email storage for everyone, and also
| has a policy in place to ask to increment storage by 250MB
| bumps. At each request, users are gently nudged to just
| delete emails.
| llm_nerd wrote:
| This goes without saying, but those in the financial industry
| should be aware that there are stringent record keeping
| requirements that apply to things like text messaging, Slack,
| etc. Quite recently a set of firms were fined $1.1 billion for
| not retaining text messages, for instance.
| mlhpdx wrote:
| It's not after an investigation begins, it's the moment that
| it's likely or foreseeable that a legal action may come.
| Basically, if you think you might be in trouble and you delete
| stuff, you definitely are.
|
| Edit: illegal -> a legal
| cpersona wrote:
| This is not surprising. When an investigation gets underway, the
| company being investigated will notify employees that any assets
| relating to the subject of the investigation should be retained.
| Typically, this covers all physical and digital documents and
| communications.
| varispeed wrote:
| Which some employees may interpret as wink wink destroy
| everything...
| bluGill wrote:
| They might, but HR will (or at least should) fire anyone who
| does that - that is guards escort you from your desk to the
| door. Then to add insult to your bad day, you get summoned to
| court for your contempt of court hearing. It is to the
| company's advantage to turn in anyone who attempts to destroy
| everything - it shows the court they are serious about saving
| everything which might be useful if they need to claim
| something was an oversight. Of course if you are the subject
| of that wink wink thing - assume they are trying to make you
| take the blame for the company.
|
| Not that they are likely to be able to do much. My company
| first presses the button in exchange to lock everything
| electronic I have so I cannot delete it, before they let me
| know that I need to save everything (or so they claim...).
| Thus I cannot really delete anything. I might be able to
| shred something, but who keeps paper records of anything (and
| if by chance I do have one, odds are it is a printout of
| something where there is still an electronic copy). While I
| don't know what company you work for, if they have any size
| at all they should have similar processes in place so there
| is nothing you can delete - but the act of attempting it will
| be noted and brought to court.
| legitster wrote:
| There are already companies in this space that specialize in
| archival tools for old messages - Smarsh or Global Relay.
|
| Matt Levine has written about this a lot - back in the day when
| these rules were made, the only writings that were meant to be
| preserved were handwritten letters and memos. Today, regulators
| have a treasure trove of communication on which to build a case -
| their only limitation is the ability to process it.
|
| It's funny to me how many of these cases end up getting built on
| an email that turns up in a search where someone says _"gee - I
| really think we are doing a crime here! Are we doing a crime? I
| really hope we aren't doing a crime."_
|
| Like, the person might have had the most innocent intentions, but
| they end up manifesting the charges they are complicit in.
| Meanwhile, companies who do some real evil stuff get off scot-
| free because no one had the moral thought to have their doubts in
| writing.
| paulddraper wrote:
| > Meanwhile, companies who do some real evil stuff get off
| scot-free because no one had the moral thought to have their
| doubts in writing.
|
| No, belief or doubts have absolutely nothing to do with whether
| you committed a crime or not.
|
| It has to do with whether it was with malice/intention.
| nightowl_games wrote:
| You're speaking with too much absolutism. It doesn't matter
| whether you committed a crime or not, it matters if you can
| be convicted. That distinction illuminates the ambiguity and
| uncertainty that is inherent in the justice system.
| lazide wrote:
| Intent _is_ a required element in many crimes (mens rea), and
| proving so is often hard. Unless someone writes one of these
| emails, like they noted.
|
| Fraud, for instance. Or murder vs manslaughter vs 'an
| accident'.
|
| Smoking gun emails can totally sink a case or get people
| convicted.
| paulddraper wrote:
| Intent is relevant to the severity.
|
| Murder is a crime, manslaughter is a crime.
|
| Criminal fraud requires intent, civil fraud does not.
|
| Lacking intent does not make it "scot-free."
| pixl97 wrote:
| So, it seems like you don't understand mens rea versus actus
| reus
| andix wrote:
| Good thing that it's not (easily) possible to back up Signal
| chats. Lose the devices and the history is gone.
| Kon-Peki wrote:
| Enjoy your bankruptcy and/or jail time when they decide you
| lost it on purpose.
| xxpor wrote:
| If only that were true. Jenny Durkan would be in jail right
| now.
|
| (Background: https://www.seattletimes.com/seattle-news/law-
| justice/no-cha...)
| olejorgenb wrote:
| I was about to question this statement, but then I remembered
| that it's actually a few steps you need to go through. Enabling
| backup, remember to transfer the backup file regularly, and
| keep track of the passphrase. I wouldn't say it's _hard_
| though. A bit cumbersome, but not hard.
| andix wrote:
| I think it depends on the platform. On iOS I'm not sure if
| it's even possible to get to the messages without a
| jailbreak.
| lanstin wrote:
| Enterprise signal lets you enforce retention times /s
| andix wrote:
| Is that some kind of fork of the open source client big
| companies use?
| kkfx wrote:
| A small side question: what if Slack or Signal do delete or alter
| them instead? Not necessarily the parent company, just some rogue
| employee inside them. Oh, that MIGHT happen with emails as well
| IF they are left on someone else's server or some internal admin
| decides to do nasty things, but emails can be stored locally on
| ANY system, it should be used grabbing messages with the classic
| fetchmail and keep them locally, shared maildirs as well, just
| mirrored. A local approach to locally work and sync against the
| remote.
|
| Instead we keep choosing a SPOF after another with some that even
| state "that's for safety"...
|
| Try to imagine why we chose for instance to switch from classic
| cvs/svn systems to dCVS ones. Try to realize how simple it is to
| design desktops that work like desktops, of course you do not sync a
| copy of a multi-TB database locally but most stuff, docs,
| sources, mails and so can perfectly be local+sync issueless. Of
| course on a FDE storage.
|
| Why keep modern desktops used as dumb terminals since they are
| far more capable than a classic dumb terminal and they cost as
| well because of that?
| siliconc0w wrote:
| When this gets interesting is when they start requiring any LLMs
| trained on your internal data be handed over for interrogation.
| justinclift wrote:
| For Slack specifically, the US agencies could probably also ask
| Slack themselves to enforce the "don't delete stuff for company
| XYZ".
|
| Signal though would be a different matter entirely.
___________________________________________________________________
(page generated 2024-01-26 23:01 UTC)