Slack, Zoom, Google Hangouts: Are Your Remote Work Apps Spying on You?

It’s time to double-check your settings

Illustration: Vinnie Neuberg

InIn response to Covid-19, many organizations have allowed or even required employees to work remotely. This means workers can practice social distancing without falling behind on work and while still collecting a paycheck.

It’s no secret that connecting with co-workers and management through tools like Slack, Zoom, and Google Hangouts is just not the same as going into the office. But technical glitches aren’t the only area of concern as meetings are relegated to bits and bytes. User privacy is, as well.

“As we move more of our everyday lives onto these platforms, we’re going to be looking at new and different and maybe even greater privacy risks in terms of corporate surveillance and employer surveillance,” said Gennie Gebhart, associate director of research for the Electronic Frontier Foundation, a leading nonprofit digital rights group. (Disclosure: I’ve previously written for the EFF, most recently in early 2019.)

Transitioning to being on these tools the entire day while employees work from home may give some employers a new opportunity to see what workers are doing. You should be aware that, depending on the software your company uses and the policies it has in place, there may be some privacy concerns.

Your boss may be able to read your Slack DMs

Many people have used Slack at work already, but if everyone’s working from home, it’s only natural to move watercooler conversations that would’ve happened in person to the platform instead. That isn’t always a good idea.

“What many workers in a company Slack may not know is that your DMs (direct messages) to another user, while seemingly private, may be just as visible to your boss and human resources department as anything you post in a channel to other users,” said Tarah Wheeler, a cybersecurity policy fellow at New America, a think tank focused on technology and media.

“Corporate export for all messages” is only available for organizations that have a paid Plus or Enterprise Grid account, rather than the Free or Standard accounts, and Slack states that workspace owners need to have appropriate employment agreements and corporate policies in place to use the feature. Companies also must follow any applicable laws. Even so, direct messages only offer a veneer of privacy.

“If you wouldn’t want something read out loud during an all-hands meeting, don’t put it on Slack—not even in a direct message,” Gebhart advises.

You can review team settings for your Slack groups at to figure out who the administrators are, what retention policies and export settings are implemented for your group (including whether message exporting is switched on) as well as the retention settings for your public and private channels, direct messages, and files.

Pay attention to screen-sharing in Zoom

While you might expect a presenter to notice if you looked down for a minute during an in-person meeting, you might not expect the same when video chatting from the comfort of your own home. Turns out that Zoom has an attention-tracking feature that can alert hosts if you look away.

If enabled by an account administrator, “attention tracking” allows (or can even require) meeting hosts who are sharing their screen to see if the participant’s Zoom app is out of focus (not open and active on their screen) for 30 seconds. There is no notification feature for attendees.

“It’s important to note the feature only tracks if the Zoom video window is open. It does not track any aspects of the audio or video content. The feature also does not track any other applications on your window,” a Zoom spokesperson said in an email.

What happens in the conference room…

Services like Zoom, Google, and Slack all have acceptable use or reasonable use policies. That’s to make sure you’re following rules about the sharing of copyrighted materials, nudity and sexual activity, and so forth. But it also means that — unless you’re using Zoom’s encrypted video chat feature — these companies have the ability to know what you’re doing on their platforms.

“At any moment, anybody who runs these services… could just dial into a room or look through the stored video of these feeds,” said Sean O’Brien, a lecturer at Yale Law School and founder of Yale Privacy Lab. Organizations say they’re doing so to provide technical and operational support and to improve their services, but their ability to eavesdrop still gives people pause. “There’s a creepiness factor there, and as we’ve seen in the past [with other companies that have similar capabilities], there’s a lot of employee misconduct,” O’Brien said. For example, in 2018, a Facebook engineer stalked women using data he had privileged access to. And in 2019, Snapchat employees spied on users with an internal tool called SnapLion.

Slack retains data — even when you can’t see it

Free Slack workspaces do not allow workspace owners to set data retention limits. They also limit visibility to just 10,000 messages, requiring a paid plan for users to see messages past that limit. But just because you can’t access your previous messages doesn’t mean they’re gone forever.

“What I think a lot of people might not understand immediately is that Slack does still have all those old messages,” said Gebhart. “You don’t have the ability to delete them or edit them, but they’re still hanging around on Slack servers.”

That content that’s inaccessible to you is accessible to Slack, to law enforcement requests, and susceptible to hacks or leaks. “People using a free account have no control over data retention. You’re very much at Slack’s mercy,” she said.

Information leakage

Email notifications are turned on by default in Slack, meaning that messages and @ replies can find their way into your inbox unless you make changes to your notification settings.

“That might be an unpleasant surprise for some people, especially if they signed up with a personal email address,” said Gebhart. In effect, this means that even if messages are scrubbed from Slack, they could remain accessible via your inbox.

And Google Hangouts requires the use of a Google account (whether you use a Gmail address specifically or link another email address to your account). This can lead people to initiate chats using their personal Gmail addresses, rather than their work accounts. Giving out a personal email address to co-workers can reveal information you’d prefer to keep private.

Beyond that, different accounts online with the same phone number or email address can get strung together in unexpected ways, linking different aspects of your activities into a single identity. “You can imagine union organizing activities, different kinds of activism, sex work, all of that could be accidentally exposed by linking accounts in unexpected ways,” Gebhart said.

A Google spokesperson pointed out that the Hangouts support page provides details about how information is stored on the service, and how to change those settings. Keep in mind that your G Suite admin controls these settings for your workplace.

I’m an investigative reporter covering technology, online privacy and security, hacking and digital freedom.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store