You may have recently noticed that many of your casual work conversations, which previously occurred face-to-face, have moved to digital apps in your evolving working environment. But beware: Your messages to your colleagues may not be as private as you think.
Before we delve into the topic, I’d like to remind you that the Help Desk is here to help you with your biggest questions and qualms. We also want to know what’s happening at your workplace. Are there workplace technologies you are concerned about? Are certain policies changing the way you work? How is the future of work playing out at your employer? Tell us about it, and we will do our best to dig into your biggest issues.
Now, back to your workplace privacy. We spoke to several privacy experts to understand how workers should think about their digital workplace communications and the services they use. Here’s what they had to say.
Q: Can my employer see my private messages at work?
A: Privacy experts agree that there are two things workers should think about when they send a message to a colleague. First, is the service you’re using provided by your employer? Second, are you having the conversation on a device provided by your employer?
If the answer to either of these questions is yes, be aware there’s a chance your employer could see or retrieve your messages. Additionally, even if you’re using your own device and your own personal account on a digital service, your messages still may be at risk if you have workplace software installed.
“The reality of what’s happening is a lot is changing very quickly,” said Alan Butler, executive director and president of the research organization Electronic Privacy Information Center. “Devices, software and different things are being used … and the onus is on the individual [to understand it all].”
The general rule of thumb is to assume that if your workplace is providing you a tool or device, they can and will see what you do on it, Butler said. In some cases, that might mean using administrative privileges to read direct messages or private channels on the company’s Slack workspace. It could mean retrieving emails, messages on Microsoft Teams or texts on your company-provided mobile devices. Or, it could mean screenshots of a person’s messages on other services like Facebook, Twitter or Apple’s iMessage that come from the company’s monitoring software.
The matter can get particularly consequential if workers are using messaging apps to unite against unfair working conditions or policies, said Cynthia Khoo, senior associate at Georgetown University Law’s Center on Privacy and Technology.
“There’s a standard level of monitoring that’s been on the rise,” she said. “But there’s an additional level of monitoring that’s out to squash labor organizing and activism.”
Even if employers can’t retrieve messages on your device, they may be able to get metadata that will help them map out which employees may have been part of the same conversation, said Daniel Kahn Gillmor, senior staff technologist at the American Civil Liberties Union’s Speech, Privacy, and Technology Project. They also may ask you to provide your private messages off your private device related to a workplace conversation in an internal investigation, said Edgar Ndjatou, executive director of the nonprofit organization Workplace Fairness.
“You can decide whether you want to honor [the request], but you may potentially be fired for not honoring it,” he said. “It is fair game.”
So what can workers do?
First, if you want to have a private conversation with a colleague, it’s best to do that on your own device using your services, experts note. Also, look for services that provide end-to-end encryption versus just encrypted messages, Khoo said. End-to-end encryption means that your message will be encrypted the moment before it leaves your device until it arrives at the receiving device. Anything less than that means it could be decrypted somewhere in transmission.
She also suggests looking for services that offer ephemeral messaging so that messages disappear within a certain amount of time. Several experts agree that one of the gold standard services for private messages is Signal. WhatsApp is also a popular alternative, though Khoo points out users should be aware that it’s owned by Facebook-parent Meta, which is widely known for massive data collection.
Gillmor says to think about your digital conversations as in-person conversations, during which the location of where those discussions happen matters.
“You wouldn’t go have a conversation outside of your boss’s door,” he said. “You would find a more discreet way to do that — maybe when you’re out for drinks or near heavy machinery on a factory floor.”
It may be best to establish what service workers collectively will use in-person before moving online, experts say. That way there’s no record of the consensus.
But even with the best software, “nothing is foolproof,” said Butler of EPIC. While Signal allows users to disable screenshots of their conversations, the message receiver could always use a second mobile phone to take a photo of a message on the phone where the message was received, he added. And your privacy also depends on the person with whom you’re talking as they could ultimately hand over any private messages despite the service or device, Gillmor said.
That said, sometimes workers need to hold truth to power and that may need to happen on company channels. “It’d be a shame if everyone only toed the line,” he said.
And some conversations are protected by law. So if someone is talking to colleagues about poor workplace conditions and pushing them to collectively respond or act, employers would be breaking labor laws if they retaliated against that, Ndjatou said.
Ndjatou says in general the best advice for workplace messages, regardless of their level of privacy, is to know your audience and use common sense. Anything you say can always be used against you and if a conversation is particularly sensitive, it might be best to fall back on the old-fashioned way of communicating.
“If it’s possible, just meet in person and not digitally at all,” said Khoo.