US agencies warn companies: Don’t delete Slack or Signal chats(news.bloomberglaw.com)
news.bloomberglaw.com
US agencies warn companies: Don’t delete Slack or Signal chats
https://news.bloomberglaw.com/antitrust/dont-delete-slack-or-signal-chats-us-agencies-warn-companies
136 comments
It's still bizarre to me that this has become the industry standard in the US.
Sure, it's all legal and perfectly reasonable at the micro level considering that every stored email increases the legal fees (due to making discovery more expensive during any hypothetical future lawsuit), but at a macro level, the outcome "companies legally delete all written communications as soon as feasible" seems baffling.
At the opposite end of the spectrum is the financial industry, where regulators effectively require recording every single bit of business communication (by taking a very liberal interpretation of some quite old law, as far as I understand), written or spoken (unless it was in person, of course), and under threat of massive fines.
It seems to me like there should be some pragmatic middle ground somewhere between these two extremes?
Sure, it's all legal and perfectly reasonable at the micro level considering that every stored email increases the legal fees (due to making discovery more expensive during any hypothetical future lawsuit), but at a macro level, the outcome "companies legally delete all written communications as soon as feasible" seems baffling.
At the opposite end of the spectrum is the financial industry, where regulators effectively require recording every single bit of business communication (by taking a very liberal interpretation of some quite old law, as far as I understand), written or spoken (unless it was in person, of course), and under threat of massive fines.
It seems to me like there should be some pragmatic middle ground somewhere between these two extremes?
The "companies legally delete all written communications as soon as feasible" outcome isn't (mostly) because companies are trying to hide illegal shit. It's because when you get sued for whatever, and your email/chat/whatever get subpoenaed, there's going to be who-knows-how-much embarrassing personal gossip in there, too and that just makes folks look bad. The easiest way to avoid that (and other forms of embarrassment) is to just not keep that stuff around.
If it's policy, it's legal. You can't go around and delete the stuff after the fact.
If it's policy, it's legal. You can't go around and delete the stuff after the fact.
Not only that, conversations can be misunderstood. People can have offline conversations, which then continue online, but missing all the context. People can use industry buzzwords to describe something in an inaccurate way.
All of that is pure gold to an attorney looking to put a company in as bad a light as possible.
All of that is pure gold to an attorney looking to put a company in as bad a light as possible.
It's also just a massive time/money sink to have your own legal team review all of that stuff. You don't want to send anything to another party before you have reviewed it. In addition, there are often conflicting rules there, where there is private information of unrelated parties in the messages, so the review process just becomes unmanageable if it is an archive over a long period of time.
Meanwhile, we now have people putting stuff into their own personal information management systems, training various models on the data, etc. When the company ceases to be a valuable library of the information necessary to do your job, people start specifically archiving things that might be useful at some point in the future, and the discovery process becomes unbounded.
Meanwhile, we now have people putting stuff into their own personal information management systems, training various models on the data, etc. When the company ceases to be a valuable library of the information necessary to do your job, people start specifically archiving things that might be useful at some point in the future, and the discovery process becomes unbounded.
This is what got a company I worked at several years ago. It cost hundreds of thousands of dollars just to have everything reviewed to be sent off to the government agency investigating us. We ended up settling for about a quarter of what it would have cost us to fight them in an actual court trial just because we were a large pile of money in before we even got near a trial and they abused their position and knowing our cash position to low ball us on settlement and force us into a settlement so they could save some face. The whole experience made it pretty obvious most of these agencies should be mostly gutted and rebuilt.
Yup this one is it, right here.
It's absolutely about discovery costs. Document review is typically like a quarter of all litigation cost, and that's assuming the problem of "get all the docs" is solved already.
It's absolutely about discovery costs. Document review is typically like a quarter of all litigation cost, and that's assuming the problem of "get all the docs" is solved already.
People write candid stuff on internal channels all the time that are not official company statements. And it's mostly not about illegal shit they did. It's things like $COMPANYA is eating our lunch because our sales processes are so screwed up. So when you file a lawsuit against $COMPANYA claiming that some questionable action caused you to lose business, their lawyers can cite the fact that you were already messed up for totally different reasons. [Corrected confused who is who :-)]
(Very loose retelling of just a few of the sorts of things I saw when writing an expert witness report years ago.)
(Very loose retelling of just a few of the sorts of things I saw when writing an expert witness report years ago.)
It's also stochastically increases privacy and security. Restricts any adversary from obtaining your data outside of certain windows. Which can be important in dynamic environments where allies can become adversaries (be that prior employees, foreign governments, or whatever). This seems to have a huge advantage considering it means any adversary must make more noise and use longer term action to cause damage (i.e. hard to "smash and grab").
This is why when I saw the Signal Forum discussions on deleting chats that I was really surprised that that community was extremely against it (strongly in favor of immutable texts). All arguments against privacy were dismissed with claims that one can screenshot and arguments for immutable texts were bad analogies to mail and assertions about "my device, my data." The Signal Forums are a weird place and I think Signal's reliance on them contributes to their slow progress, adoption, and why they get weirdly sidetracked about things no one cares about.
This is why when I saw the Signal Forum discussions on deleting chats that I was really surprised that that community was extremely against it (strongly in favor of immutable texts). All arguments against privacy were dismissed with claims that one can screenshot and arguments for immutable texts were bad analogies to mail and assertions about "my device, my data." The Signal Forums are a weird place and I think Signal's reliance on them contributes to their slow progress, adoption, and why they get weirdly sidetracked about things no one cares about.
Software that can delete your copy of a text is fine. Software that can delete somebody else's copy of a text is not going to satisfy the somebody else, and is also not going to work because if they don't like it there are several other ways they can copy it, which in turn means you have no guarantees that they've deleted it and shouldn't expect any.
I appreciate the comment but I feel it fails to address mine.
> is also not going to work because if they don't like it there are several other ways they can copy it
>> All arguments against privacy were dismissed with claims that one can screenshot
> you have no guarantees
>> stochastically increases privacy and security
I'm not sure why we have to frame privacy and security with strict guarantees. If we need strict guarantees then we should abandon all efforts because guarantees do not exist (my preemptive response to what you are thinking is "implementation.") Fundamentally it is always stochastic as statistics is a way to capture error and uncertainty.
Everyone that advocates for deletion is well aware that one can screenshot, copy, or even write down information. It is a weird assumption to make, because it implies an exceptional level of stupidity to the person you respond to. Every 12 year old knows that you can screenshot Snapchats and they know it can be done without Snapchat warning the other person. So forgive me, because while I know you are acting in good intent (we've had enough conversations that I have that respect for you), I think I need to point out that it is easy to read such a response as indicating you did not bother to read my comment (so why comment?) or that you imply I am incredibly naive. I say this because this topic is often heated so stating this can help reduce the inference gap. I know you are not trying to do such a thing, but not all others will have that shared history to give benefit of the doubt.
There's nuance necessary beyond the existence of copy methods. People with positions similar to mine understand that the act of copying requires time and energy. That someone needs to either preemptively implement a system of record keeping or that such an action is responsive. In the latter case, having the ability to delete acts as a windowing operation. You do not know your adversaries a priori nor do all adversaries begin as adversaries. So if you can delete the information before a log is created, you have succeeded. Yes, this is stochastic. But I'd rather have a 1% of protection than a 0%, because an immutable history just means the adversary has unlimited time to strike. Basically, you are doing your adversary's job for them. tldr: the game has a temporal component and it is not turn based.
I will understand arguments about communication, of how some may assume stronger protection than received, but I'd also respond that this is a fairly universal claim and we do not apply it to many other domains as we still find utility.
I'll also add that this stochastic protection is why companies will remotely wipe your devices if they are reported lost or stolen. You wipe for protection but operate under assumption that the data was copied. This is fairly standard practice.
> is also not going to work because if they don't like it there are several other ways they can copy it
>> All arguments against privacy were dismissed with claims that one can screenshot
> you have no guarantees
>> stochastically increases privacy and security
I'm not sure why we have to frame privacy and security with strict guarantees. If we need strict guarantees then we should abandon all efforts because guarantees do not exist (my preemptive response to what you are thinking is "implementation.") Fundamentally it is always stochastic as statistics is a way to capture error and uncertainty.
Everyone that advocates for deletion is well aware that one can screenshot, copy, or even write down information. It is a weird assumption to make, because it implies an exceptional level of stupidity to the person you respond to. Every 12 year old knows that you can screenshot Snapchats and they know it can be done without Snapchat warning the other person. So forgive me, because while I know you are acting in good intent (we've had enough conversations that I have that respect for you), I think I need to point out that it is easy to read such a response as indicating you did not bother to read my comment (so why comment?) or that you imply I am incredibly naive. I say this because this topic is often heated so stating this can help reduce the inference gap. I know you are not trying to do such a thing, but not all others will have that shared history to give benefit of the doubt.
There's nuance necessary beyond the existence of copy methods. People with positions similar to mine understand that the act of copying requires time and energy. That someone needs to either preemptively implement a system of record keeping or that such an action is responsive. In the latter case, having the ability to delete acts as a windowing operation. You do not know your adversaries a priori nor do all adversaries begin as adversaries. So if you can delete the information before a log is created, you have succeeded. Yes, this is stochastic. But I'd rather have a 1% of protection than a 0%, because an immutable history just means the adversary has unlimited time to strike. Basically, you are doing your adversary's job for them. tldr: the game has a temporal component and it is not turn based.
I will understand arguments about communication, of how some may assume stronger protection than received, but I'd also respond that this is a fairly universal claim and we do not apply it to many other domains as we still find utility.
I'll also add that this stochastic protection is why companies will remotely wipe your devices if they are reported lost or stolen. You wipe for protection but operate under assumption that the data was copied. This is fairly standard practice.
> It is a weird assumption to make, because it implies an exceptional level of stupidity to the person you respond to.
Part of this is that the rest of the argument is often implied and then you say something expecting the other person to fill in the rest without actually writing the words.
> stochastically increases privacy and security
The question is, whose security? If you can delete the message from the recipient's device then they can't use it against you, or otherwise use it to their advantage even if their use doesn't negatively affect you (e.g. so they can refresh their recollection of what was said or confirm your assertion that you did say that). Which means it's a trade off, but also means that the other user often has the incentive to take action to defeat this, because their device is acting against their interests in favor of yours.
This is how you get forks of the client, which is one of the things Signal doesn't like.
> If we need strict guarantees then we should abandon all efforts because guarantees do not exist (my preemptive response to what you are thinking is "implementation.") Fundamentally it is always stochastic as statistics is a way to capture error and uncertainty.
Yes and no. Everything is always stochastic because there is a 1 in 2^256 chance they could guess your AES key by random chance on the first try, but even if that's true in theory it need not be in practice. In many cases you can regard something as having a strong guarantee when the chances are low enough to be disregarded, even if they're not low enough to be literally zero in a theoretical sense.
Whereas the ability of someone to screenshot a message you don't want them to be able to retain is within the capability of ordinary users, so the amount of practical protection it provides is minor and is only worth doing if it isn't a trade off against something non-trivial. And then you have the trade offs against the desire of the recipient to not have their messages deleted against their will and the desire of the foundation to not give those users an incentive to fork the client to reduce their inconvenience in retaining them.
There is also the potential to mislead a naive user into relying on the feature not contemplating how easily it could be bypassed and then they give someone a permanent copy of something they only intended to provide access to temporarily.
What you could do is make support for the feature optional. The sender requests deletion and then the recipient can configure their client to respect it or not. This was always within the recipient's power, the sender couldn't have enforced it anyway, but now the message can be automatically deleted if the sender and the recipient both want it to be, and no one is given a false understanding of how the system works or an incentive to try to defeat it because they're in possession of a device which is acting against their wishes.
Part of this is that the rest of the argument is often implied and then you say something expecting the other person to fill in the rest without actually writing the words.
> stochastically increases privacy and security
The question is, whose security? If you can delete the message from the recipient's device then they can't use it against you, or otherwise use it to their advantage even if their use doesn't negatively affect you (e.g. so they can refresh their recollection of what was said or confirm your assertion that you did say that). Which means it's a trade off, but also means that the other user often has the incentive to take action to defeat this, because their device is acting against their interests in favor of yours.
This is how you get forks of the client, which is one of the things Signal doesn't like.
> If we need strict guarantees then we should abandon all efforts because guarantees do not exist (my preemptive response to what you are thinking is "implementation.") Fundamentally it is always stochastic as statistics is a way to capture error and uncertainty.
Yes and no. Everything is always stochastic because there is a 1 in 2^256 chance they could guess your AES key by random chance on the first try, but even if that's true in theory it need not be in practice. In many cases you can regard something as having a strong guarantee when the chances are low enough to be disregarded, even if they're not low enough to be literally zero in a theoretical sense.
Whereas the ability of someone to screenshot a message you don't want them to be able to retain is within the capability of ordinary users, so the amount of practical protection it provides is minor and is only worth doing if it isn't a trade off against something non-trivial. And then you have the trade offs against the desire of the recipient to not have their messages deleted against their will and the desire of the foundation to not give those users an incentive to fork the client to reduce their inconvenience in retaining them.
There is also the potential to mislead a naive user into relying on the feature not contemplating how easily it could be bypassed and then they give someone a permanent copy of something they only intended to provide access to temporarily.
What you could do is make support for the feature optional. The sender requests deletion and then the recipient can configure their client to respect it or not. This was always within the recipient's power, the sender couldn't have enforced it anyway, but now the message can be automatically deleted if the sender and the recipient both want it to be, and no one is given a false understanding of how the system works or an incentive to try to defeat it because they're in possession of a device which is acting against their wishes.
> Part of this is that the rest of the argument is often implied
To be fair, there is a lot of compression in language. I am often accused of being overly verbose but I only object to the adverb. We're both verbose here and inference is still necessary. I believe there was the necessary information to make the inference jump. Screenshot was an explicit illustrative example where I think you can sufficiently assume that I'm aware of mechanisms to copy the data or at least could infer that the existence of such mechanisms would be unconvincing. I will still stand by the stronger claim that we can assume that an average person is aware of screenshots or some copy mechanism as usage is quite prolific.
> The question is, whose security?
This, is a great question and the one I'd rather have. There is certainly arguments for both sides. I think the argument you are trying to make is about protection. Such as if someone sent you something that constitutes harassment but then deletes it prior to you using this as evidence against their abuse. I agree that that is of concern. But I am a firm believer in Blackstone's Ratio and subsequently my preferred mode of failure for the judicial system is to bias towards failing to prosecute criminals (false negatives) rather than biasing towards prosecuting law-abiding citizens (false positives).
> the other user often has the incentive to take action to defeat this, because their device is acting against their interests in favor of yours.
I do not buy this claim. I have no incentive to make or use a Signal fork when friends default to disappearing messages. The incentive only exists if I am suspicious of an adversarial reasoning for their data retention policy. In fact, in today's age, one could argue that this policy could imply reason to trust over reason to suspect as it implies that they are operating in an environment where they are unable to leverage my data against me (such as creating a LLM that speaks like me). I think there is a lot of nuance here that can't be easily dismissed. I think, like the former issue, that position is going to be more dependent on one's preferred mode of failure rather than preference of normal operation (which is likely not severely affected). I'll mention that we can use Reddit as a natural experiment, where users have actually a large incentive to edit their comments to make the person they're arguing with look foolish or naive. In practice, we see editing being used at far higher rates for resolving types/grammar or means of increasing clarity (like adding links), and often volunteering what content was modified. There's sufficient evidence for me to believe, on average, people value their own integrity over incentives to manipulate the conversation.
> Everything is always stochastic because there is a 1 in 2^256 chance
My preemptive response was more about that you must not just account for the brute force calculation, but the implementation. This is why I mentioned how statistics captures uncertainty. The tool is quite powerful in even fully deterministic frameworks because infinite resolution does not exist. We're both on HN so I think it is fair to assume we are both familiar with many examples where highly encrypted data was accessed and when implementation was performed by experts or those we'd expect to be experts. Something something weakest link.
I will claim that all security is stochastic and there are no (epsilon = 0) guarantees and I will make an additional claim about the former being unobjectionable (self-referential stochasticism intended)
> Whereas the ability of someone to screenshot
This may be where we've speaking past one another. I think we have different conditioning in how we're optimizing here. I place little weighting to the desired condition. I am more concerned with utility focused conditions. While I recognize that the search function is used (and even use it myself), generally we're just hoarders. The vast majority of text, pictures, and other data we generate serves little utility beyond a small temporal window. FWIW, I do advocate for Signal implementing an archival/favoriting mechanism (currently I forward messages to Notes To Self, which is analogous to a screenshot ;). Maybe I am jumping the gun here though and we will find future utility in that data. I could in fact want to train a LLM to act as me. Or maybe I want to build a classifier to search the internet and locate all posts that have a high likelihood of being written by me regardless of the username I used. But I think the bias should be to act conservatively and collect minimal information. Without a doubt that information does represent a avenue for abuse, so without an intended usage it does not warrant archiving. If we're going to get into legality, data often belongs to the person that generated it. As an example, a photographer can take a picture of Taylor Swift and because she is a public icon she can be sued for posting the photo on her instagram (I'm sure this would change if she was not a public icon).
So to be explicit on the conditioning: I do not see that allowing one to delete or even nuke chats would result in a meaningful difference in a standard setting. I do recognize there are special circumstances where this can be abused and used against you. But I also recognize that there are special circumstances where this can be used in your favor (e.g. suppose you are a political dissident in an authoritarian regime. Your friend sees you picked up by police. Your friend can nuke your chat, which can serve to protect both of you, as it is clear that authorities will be unable to copy the phone's contents at time of arrest). So the optimization objective is different. I do not believe my optimization objectives (which consider threat models not faced by a typical American or even likely typical human) would meaningfully decrease conversational utility. I want to stress that I am only proposing the capacity to destroy information, not any specific data retention policy. My concerns are about being able to adapt to the dynamic environment as I do not have sufficient a priori knowledge to predict who may be a future adversary nor what type of data makes me vulnerable and the potential damage. "First they came for..." is of concern as we do not need technology to change for vulnerabilities to rapidly change.
> There is also the potential to mislead a naive user
I agree and actually acknowledged this point. The acceptable level of users misunderstanding features is non-zero. I believe a warning contained in the deletion dialogue is sufficient to met an acceptable threshold. Do you disagree?
And I must be clear, I do not believe there are many people that would put in the effort to fork, log, or screenshot messages were there a standard policy of auto-deletion. While it isn't hard to screenshot, the task is tedious in the environment. I am sure you do not log HN, Reddit, or other forums that you may chat on. I'm sure there are many methods of communication where logging is trivial but you do not implement it. Certainly this is true for all code we write hahaha
> What you could do is make support for the feature optional.
I do actually advocate for that position despite actually believing the capacity to disable does substantially decrease utility. The proposal was rejected by the Signal community while there was strong support from other users on my side. But it is a concession I am willing to make for the same reasons I request the feature in the first place: something is better than nothing. I'd strongly advocate for the feature to be enabled by default (referencing aforementioned low rates of abuse), and that the mechanism needs to be configured beforehand. I would oppose a system that requires confirmation from the non-issuing side as this undermines the main utility that the functionality provides. I assume default applies to any new chat, configuration can happen at a per chat level (with consent), and again the default falls to enabled as this is what I believe provides the higher level of security and privacy.
So if you want to convince me, I'd say you would need to focus your argument on topics such as how the feature provides little to no utility, not to just the average user (who I expect to never use it) but to those most vulnerable. Or address why I may have poor assumptions about rates of abuse. Or if you can provide some strong convincing examples of how no capacity to delete provides a higher rate of security and/or privacy (of course, weighed against counterexamples (everything is stochastic to me, you can use that in your favor), since I think we're both intelligent enough to recognize that there are examples for both directions and singular non-generalizable examples are insufficient. I will do my best to read examples as illustrative and attempt to infer additional scenarios that are similar). I am very open to being wrong and am certain there are aspects that I have not considered, but I do think I have strong evidence for my current position.
And lastly, I do appreciate the more nuanced discussion. I think more of these need to happen as I think many topics are much more complex than we like to think.
To be fair, there is a lot of compression in language. I am often accused of being overly verbose but I only object to the adverb. We're both verbose here and inference is still necessary. I believe there was the necessary information to make the inference jump. Screenshot was an explicit illustrative example where I think you can sufficiently assume that I'm aware of mechanisms to copy the data or at least could infer that the existence of such mechanisms would be unconvincing. I will still stand by the stronger claim that we can assume that an average person is aware of screenshots or some copy mechanism as usage is quite prolific.
> The question is, whose security?
This, is a great question and the one I'd rather have. There is certainly arguments for both sides. I think the argument you are trying to make is about protection. Such as if someone sent you something that constitutes harassment but then deletes it prior to you using this as evidence against their abuse. I agree that that is of concern. But I am a firm believer in Blackstone's Ratio and subsequently my preferred mode of failure for the judicial system is to bias towards failing to prosecute criminals (false negatives) rather than biasing towards prosecuting law-abiding citizens (false positives).
> the other user often has the incentive to take action to defeat this, because their device is acting against their interests in favor of yours.
I do not buy this claim. I have no incentive to make or use a Signal fork when friends default to disappearing messages. The incentive only exists if I am suspicious of an adversarial reasoning for their data retention policy. In fact, in today's age, one could argue that this policy could imply reason to trust over reason to suspect as it implies that they are operating in an environment where they are unable to leverage my data against me (such as creating a LLM that speaks like me). I think there is a lot of nuance here that can't be easily dismissed. I think, like the former issue, that position is going to be more dependent on one's preferred mode of failure rather than preference of normal operation (which is likely not severely affected). I'll mention that we can use Reddit as a natural experiment, where users have actually a large incentive to edit their comments to make the person they're arguing with look foolish or naive. In practice, we see editing being used at far higher rates for resolving types/grammar or means of increasing clarity (like adding links), and often volunteering what content was modified. There's sufficient evidence for me to believe, on average, people value their own integrity over incentives to manipulate the conversation.
> Everything is always stochastic because there is a 1 in 2^256 chance
My preemptive response was more about that you must not just account for the brute force calculation, but the implementation. This is why I mentioned how statistics captures uncertainty. The tool is quite powerful in even fully deterministic frameworks because infinite resolution does not exist. We're both on HN so I think it is fair to assume we are both familiar with many examples where highly encrypted data was accessed and when implementation was performed by experts or those we'd expect to be experts. Something something weakest link.
I will claim that all security is stochastic and there are no (epsilon = 0) guarantees and I will make an additional claim about the former being unobjectionable (self-referential stochasticism intended)
> Whereas the ability of someone to screenshot
This may be where we've speaking past one another. I think we have different conditioning in how we're optimizing here. I place little weighting to the desired condition. I am more concerned with utility focused conditions. While I recognize that the search function is used (and even use it myself), generally we're just hoarders. The vast majority of text, pictures, and other data we generate serves little utility beyond a small temporal window. FWIW, I do advocate for Signal implementing an archival/favoriting mechanism (currently I forward messages to Notes To Self, which is analogous to a screenshot ;). Maybe I am jumping the gun here though and we will find future utility in that data. I could in fact want to train a LLM to act as me. Or maybe I want to build a classifier to search the internet and locate all posts that have a high likelihood of being written by me regardless of the username I used. But I think the bias should be to act conservatively and collect minimal information. Without a doubt that information does represent a avenue for abuse, so without an intended usage it does not warrant archiving. If we're going to get into legality, data often belongs to the person that generated it. As an example, a photographer can take a picture of Taylor Swift and because she is a public icon she can be sued for posting the photo on her instagram (I'm sure this would change if she was not a public icon).
So to be explicit on the conditioning: I do not see that allowing one to delete or even nuke chats would result in a meaningful difference in a standard setting. I do recognize there are special circumstances where this can be abused and used against you. But I also recognize that there are special circumstances where this can be used in your favor (e.g. suppose you are a political dissident in an authoritarian regime. Your friend sees you picked up by police. Your friend can nuke your chat, which can serve to protect both of you, as it is clear that authorities will be unable to copy the phone's contents at time of arrest). So the optimization objective is different. I do not believe my optimization objectives (which consider threat models not faced by a typical American or even likely typical human) would meaningfully decrease conversational utility. I want to stress that I am only proposing the capacity to destroy information, not any specific data retention policy. My concerns are about being able to adapt to the dynamic environment as I do not have sufficient a priori knowledge to predict who may be a future adversary nor what type of data makes me vulnerable and the potential damage. "First they came for..." is of concern as we do not need technology to change for vulnerabilities to rapidly change.
> There is also the potential to mislead a naive user
I agree and actually acknowledged this point. The acceptable level of users misunderstanding features is non-zero. I believe a warning contained in the deletion dialogue is sufficient to met an acceptable threshold. Do you disagree?
And I must be clear, I do not believe there are many people that would put in the effort to fork, log, or screenshot messages were there a standard policy of auto-deletion. While it isn't hard to screenshot, the task is tedious in the environment. I am sure you do not log HN, Reddit, or other forums that you may chat on. I'm sure there are many methods of communication where logging is trivial but you do not implement it. Certainly this is true for all code we write hahaha
> What you could do is make support for the feature optional.
I do actually advocate for that position despite actually believing the capacity to disable does substantially decrease utility. The proposal was rejected by the Signal community while there was strong support from other users on my side. But it is a concession I am willing to make for the same reasons I request the feature in the first place: something is better than nothing. I'd strongly advocate for the feature to be enabled by default (referencing aforementioned low rates of abuse), and that the mechanism needs to be configured beforehand. I would oppose a system that requires confirmation from the non-issuing side as this undermines the main utility that the functionality provides. I assume default applies to any new chat, configuration can happen at a per chat level (with consent), and again the default falls to enabled as this is what I believe provides the higher level of security and privacy.
So if you want to convince me, I'd say you would need to focus your argument on topics such as how the feature provides little to no utility, not to just the average user (who I expect to never use it) but to those most vulnerable. Or address why I may have poor assumptions about rates of abuse. Or if you can provide some strong convincing examples of how no capacity to delete provides a higher rate of security and/or privacy (of course, weighed against counterexamples (everything is stochastic to me, you can use that in your favor), since I think we're both intelligent enough to recognize that there are examples for both directions and singular non-generalizable examples are insufficient. I will do my best to read examples as illustrative and attempt to infer additional scenarios that are similar). I am very open to being wrong and am certain there are aspects that I have not considered, but I do think I have strong evidence for my current position.
And lastly, I do appreciate the more nuanced discussion. I think more of these need to happen as I think many topics are much more complex than we like to think.
[deleted]
> If it's policy, it's legal.
I don't disagree that it's legal and mentioned that in my comment. What I'm claiming is that the way in which the legal system has evolved has incentivized problematic behaviors.
> there's going to be who-knows-how-much embarrassing personal gossip in there, too and that just makes folks look bad
That's what I was referring to by "making discovery more expensive during any hypothetical future lawsuit". Part of that cost is due to legal fees for discovery, but the other part is reputational harm:
The problem here again isn't courts and parties to the lawsuit having access to that data, but rather that it's being explicitly published for the entire world to see and share.
Personal gossip has absolutely no reason to be published as part of a lawsuit, in my view. If it's relevant to the case, make it available to its parties, read it out during the (usually public but non-broadcast) trial etc., but don't put it on an online case filing platform. Get rid of that, and the incentive to delete literally anything that's not legally required to be archived goes away too.
I don't disagree that it's legal and mentioned that in my comment. What I'm claiming is that the way in which the legal system has evolved has incentivized problematic behaviors.
> there's going to be who-knows-how-much embarrassing personal gossip in there, too and that just makes folks look bad
That's what I was referring to by "making discovery more expensive during any hypothetical future lawsuit". Part of that cost is due to legal fees for discovery, but the other part is reputational harm:
The problem here again isn't courts and parties to the lawsuit having access to that data, but rather that it's being explicitly published for the entire world to see and share.
Personal gossip has absolutely no reason to be published as part of a lawsuit, in my view. If it's relevant to the case, make it available to its parties, read it out during the (usually public but non-broadcast) trial etc., but don't put it on an online case filing platform. Get rid of that, and the incentive to delete literally anything that's not legally required to be archived goes away too.
> Get rid of that, and the incentive to delete literally anything that's not legally required to be archived goes away too.
Not exactly.
One of the reasons companies do this is that random employees don't know how laws and courts work. They'll say things without knowing that the words they're using are a term of art with a different meaning in the law than it has the way they're using it, and then write something which would be damning if it was what they actually meant, but it wasn't what they actually meant. Or that sounds damning if taken out of context. Also, sometimes they really are breaking the law without knowing it and not having the evidence of that sitting around isn't really to the company's advantage either.
The only real way to prevent companies from wanting to delete it would be to make it so it couldn't be used against them if they kept it.
Not exactly.
One of the reasons companies do this is that random employees don't know how laws and courts work. They'll say things without knowing that the words they're using are a term of art with a different meaning in the law than it has the way they're using it, and then write something which would be damning if it was what they actually meant, but it wasn't what they actually meant. Or that sounds damning if taken out of context. Also, sometimes they really are breaking the law without knowing it and not having the evidence of that sitting around isn't really to the company's advantage either.
The only real way to prevent companies from wanting to delete it would be to make it so it couldn't be used against them if they kept it.
> They'll say things without knowing that the words they're using are a term of art with a different meaning in the law than it has the way they're using
And this is what we need to change. We need a presumption that when a non-lawyer says “we should form a cartel with our competitors” that they aren’t implying anything illegal, even though cartels are illegal.
And this is what we need to change. We need a presumption that when a non-lawyer says “we should form a cartel with our competitors” that they aren’t implying anything illegal, even though cartels are illegal.
...Except the core problem is we've let legal language elevate itself in such a way as to become doublespeak.
If you saying ”we should form a cartel with our competitors" somehow magically maps to a different sense than the form that'd be illegal, you've turned it into nonsense.
Not to mention that I could say "Boop bop bleep zorp skippidy do da", and if every time I do, me and the chums go off and form a cartel; then it doesn't matter the words I'm using to describe it, it matters what I'm doing.
If you can't put it in writing for fear of eDiscovery; you probably shouldn't be doing it.
If you saying ”we should form a cartel with our competitors" somehow magically maps to a different sense than the form that'd be illegal, you've turned it into nonsense.
Not to mention that I could say "Boop bop bleep zorp skippidy do da", and if every time I do, me and the chums go off and form a cartel; then it doesn't matter the words I'm using to describe it, it matters what I'm doing.
If you can't put it in writing for fear of eDiscovery; you probably shouldn't be doing it.
This is what the purpose of a trial is, hence the evidence gathering, and rebuttal in court. The best evidence against you is no evidence.
Lets jump from civil to criminal law, where you do have the presumption of innocence.
Let's say you send a message that says "I'm going to kill Jon with kindness" to someone else on your team . Then the next day Jon ends up violently murdered. Even though the content of your message is one that does not condone any particular violent act, you should 100% expect to be a target of the investigation.
This is reasonable. In civil trials where it's not beyond a reasonable doubt, but a preponderance of evidence, these little things could tip the balance out of your favor.
Lets jump from civil to criminal law, where you do have the presumption of innocence.
Let's say you send a message that says "I'm going to kill Jon with kindness" to someone else on your team . Then the next day Jon ends up violently murdered. Even though the content of your message is one that does not condone any particular violent act, you should 100% expect to be a target of the investigation.
This is reasonable. In civil trials where it's not beyond a reasonable doubt, but a preponderance of evidence, these little things could tip the balance out of your favor.
The issue is that sure you can fight that out in court-- at great cost and expense and risk of being unsuccessful for reasons of pure chance.
Or you could just not retain the record and instantly avoid what is potentially hundreds of thousands of dollars in cost for review and argument and millions of dollars of "loss in the expectation". A 1% chance of failing the win in your argument and taking a $100m loss as a result is a million dollar loss in the expectation, and even a darn good legal position will still often have a more than 1% chance of being lost.
> these little things could tip the balance out of your favor.
Yes, and out of the direction of justice... and certainly at a disproportional cost.
Or you could just not retain the record and instantly avoid what is potentially hundreds of thousands of dollars in cost for review and argument and millions of dollars of "loss in the expectation". A 1% chance of failing the win in your argument and taking a $100m loss as a result is a million dollar loss in the expectation, and even a darn good legal position will still often have a more than 1% chance of being lost.
> these little things could tip the balance out of your favor.
Yes, and out of the direction of justice... and certainly at a disproportional cost.
> Personal gossip has absolutely no reason to be published as part of a lawsuit, in my view. If it's relevant to the case, make it available to its parties, read it out during the (usually public but non-broadcast) trial etc., but don't put it on an online case filing platform. Get rid of that, and the incentive to delete literally anything that's not legally required to be archived goes away too.
The sentence "This seems like a really shitty way to treat our customers," is going to both look bad and be relevant to lots of lawsuits. On the other hand, if a company doesn't have a communications channel in which people can freely say this, they're going to end up treating their customers in shitty ways a lot more.
The sentence "This seems like a really shitty way to treat our customers," is going to both look bad and be relevant to lots of lawsuits. On the other hand, if a company doesn't have a communications channel in which people can freely say this, they're going to end up treating their customers in shitty ways a lot more.
[deleted]
It is very mich be ause companies are trying to hide illegal shit. Cause, companies that font do not have "delete in 7 days" policies. And yes they do exist and have layers.
It is not about gossip, it is very much about management knowing about illegal shit, wanting to keep it and wanting to hide it.
It is not about gossip, it is very much about management knowing about illegal shit, wanting to keep it and wanting to hide it.
It's not simply deleted for legal reasons - hacks and other data breaches can turn excessive retention policies into massive liabilities.
It should be personal policy too, the costs of dealing with it in discovery are all the more ruinous personally.
Although you'll get in trouble if you make that a policy after being told to keep stuff: https://www.fastcompany.com/90955785/google-deleted-chats-in...
"...at a macro level, the outcome 'companies legally delete all written communications as soon as feasible' seems baffling."
That leads us to directly to "2028 – A Dystopian Story" By Jack Ganssle:
http://www.ganssle.com/articles/2028adystopianstory.htm
That explains why no records are to be kept, and this is the real law:
Known as ’The Rule of 26’, which is sometimes given as a reason NOT to keep engineering notebooks etc. By Federal Rule 26 you are guilty if you did not volunteer the records before they are requested. Including any backups.
From Cornel Law:
LII Federal Rules of Civil Procedure Rule 26. Duty to Disclose; General Provisions Governing Discovery
Rule 26. Duty to Disclose; General Provisions Governing Discovery
(a) Required Disclosures.
(1) Initial Disclosure.
(A) In General. Except as exempted by Rule 26(a)(1)(B) or as otherwise stipulated or ordered by the court, a party must, without awaiting a discovery request, provide to the other parties:
(i) the name and, if known, the address and telephone number of each individual likely to have discoverable information—along with the subjects of that information—that the disclosing party may use to support its claims or defenses, unless the use would be solely for impeachment;
(ii) a copy—or a description by category and location—of all documents, electronically stored information, and tangible things that the disclosing party has in its possession, custody, or control and may use to support its claims or defenses, unless the use would be solely for impeachment; …
https://www.law.cornell.edu/rules/frcp/rule_26
That leads us to directly to "2028 – A Dystopian Story" By Jack Ganssle:
http://www.ganssle.com/articles/2028adystopianstory.htm
That explains why no records are to be kept, and this is the real law:
Known as ’The Rule of 26’, which is sometimes given as a reason NOT to keep engineering notebooks etc. By Federal Rule 26 you are guilty if you did not volunteer the records before they are requested. Including any backups.
From Cornel Law:
LII Federal Rules of Civil Procedure Rule 26. Duty to Disclose; General Provisions Governing Discovery
Rule 26. Duty to Disclose; General Provisions Governing Discovery
(a) Required Disclosures.
(1) Initial Disclosure.
(A) In General. Except as exempted by Rule 26(a)(1)(B) or as otherwise stipulated or ordered by the court, a party must, without awaiting a discovery request, provide to the other parties:
(i) the name and, if known, the address and telephone number of each individual likely to have discoverable information—along with the subjects of that information—that the disclosing party may use to support its claims or defenses, unless the use would be solely for impeachment;
(ii) a copy—or a description by category and location—of all documents, electronically stored information, and tangible things that the disclosing party has in its possession, custody, or control and may use to support its claims or defenses, unless the use would be solely for impeachment; …
https://www.law.cornell.edu/rules/frcp/rule_26
> sometimes given as a reason NOT to keep engineering notebooks etc.
Don't we see this in practice? I mean I'm not talking about engineering logs or documenting code (we all know that doesn't happen, but it is due to laziness), but how there are some people who have strong preferences to conversations happening via phone conversations or in person. Since those prevent official records and there are stronger protections around those media.
Don't we see this in practice? I mean I'm not talking about engineering logs or documenting code (we all know that doesn't happen, but it is due to laziness), but how there are some people who have strong preferences to conversations happening via phone conversations or in person. Since those prevent official records and there are stronger protections around those media.
But that is exactly how corporations work. When I worked at Microsoft more than 10 years ago, they set everyone's exchange storage to a small amount and they auto-deleted old email, but the storage per person was too small, with lots of messages with embedded docs, etc. So every developer was wasting time deleting messages, trying to get under the storage limit so you could send and receive new email. And they were auto-deleting chats after a time. I was in some random group of people that were supposed to preserve material for a lawsuit, but they wouldn't give me more storage, I think what I did was store appropriate emails locally on my desk top.
In later jobs we were using slack and they auto-deleted them after a week or two. We were allowed to create persistent slack channels that were private. This whole area is a waste of time, where the lawyers reduced the legal risk of the company from lawsuits, they transferred the cost to their dev teams wasting time managing this. At this company "our developers are our most important resource" but we weren't that important. I told my manager that all the devs were wasting time with this, probably a few hours a week figuring out if they should "preserve something" to remember decisions that were made. He agree it was a huge waste of time.
In later jobs we were using slack and they auto-deleted them after a week or two. We were allowed to create persistent slack channels that were private. This whole area is a waste of time, where the lawyers reduced the legal risk of the company from lawsuits, they transferred the cost to their dev teams wasting time managing this. At this company "our developers are our most important resource" but we weren't that important. I told my manager that all the devs were wasting time with this, probably a few hours a week figuring out if they should "preserve something" to remember decisions that were made. He agree it was a huge waste of time.
> When I worked at Microsoft more than 10 years ago, they set everyone's exchange storage to a small amount and they auto-deleted old email, but the storage per person was too small, with lots of messages with embedded docs, etc. So every developer was wasting time deleting messages, trying to get under the storage limit so you could send and receive new email.
I think Amazon also follows that practice. It assigns something like 2GB of email storage for everyone, and also has a policy in place to ask to increment storage by 250MB bumps. At each request, users are gently nudged to just delete emails.
I think Amazon also follows that practice. It assigns something like 2GB of email storage for everyone, and also has a policy in place to ask to increment storage by 250MB bumps. At each request, users are gently nudged to just delete emails.
It's right there in the name, Searchable Log of All Company Knowledge.
Saved for the next junior pm, who tries to add Slack to the stack.
Searchable Log of All Communication and Knowledge, actually.
now that's a good backronym
It was the original origin of the name Slack, actually
> I know what you're thinking, "Slack is our project archive." If that's actually true, .gov investigations are the LEAST of your problems.
I'm thinking Slack is my conversation archive.
I'm thinking Slack is my conversation archive.
We must not have the same employer. Our private message retention rate must be 30 days. It's fucking infuriating but I also believe it's directly correlated to TFA.
Why do you have a "conversation archive"?
Wouldn't you consider it really fucking weird if every time you had an informal, in-person discussion with a friend, or maybe a partner, or even a co-worker, that they insisted on writing everything both of you said in a notebook to keep a permanent record of it, in case they wanted to call you out on something you kind of blurted out without too much thought ten years from now, or to be able to turn it over to the authorities if they ever (incorrectly?) thought you might be implicated in something dodgy? Or for it to be available for someone to steal and/or make copies of?
They can never just have a chat with you? Shoot the shit and put the world to rights, without you keeping meticulous records of every goddamn word they said off the cuff?
You don't think that, maybe, the more our real lives move online, the more that that kind of friendly, informal, ephemeral conversation ought to be able to move online?
Wouldn't you consider it really fucking weird if every time you had an informal, in-person discussion with a friend, or maybe a partner, or even a co-worker, that they insisted on writing everything both of you said in a notebook to keep a permanent record of it, in case they wanted to call you out on something you kind of blurted out without too much thought ten years from now, or to be able to turn it over to the authorities if they ever (incorrectly?) thought you might be implicated in something dodgy? Or for it to be available for someone to steal and/or make copies of?
They can never just have a chat with you? Shoot the shit and put the world to rights, without you keeping meticulous records of every goddamn word they said off the cuff?
You don't think that, maybe, the more our real lives move online, the more that that kind of friendly, informal, ephemeral conversation ought to be able to move online?
These are not informal conversations though. Maybe a small percentage is informal on slack, but even that is "SFW" communication that no would would care if it is logged.
It's script snippets, customer support information, links, design decisions etc.
Of course this stuff should be preserved in knowledgebases, tickets, commit messages etc, and it is, but sometimes people forget or something doesn't seem worth documenting. That's slacks main selling point for me, the ease of finding some technical conversation from 6 months ago.
It's script snippets, customer support information, links, design decisions etc.
Of course this stuff should be preserved in knowledgebases, tickets, commit messages etc, and it is, but sometimes people forget or something doesn't seem worth documenting. That's slacks main selling point for me, the ease of finding some technical conversation from 6 months ago.
It's supposed to be SFW but the endless series of articles and lawsuits about info found in slack shows it's not really sfw across the business world. And yeah its true for all other texting systems.
it sounds weird, but there is a reason why i prefer written over spoken communication. it helps me remember what we talked about. very often i need to find some detail that i remember me and my wife discussed. if we did in in text chat, i can often find it. if it was a phone call it is lost forever (audio recordings are useless until the tech has evolved to make them searchable)
yes, it is a tradeoff. most things don't need to be recorded. but what we like to record and what not varies from person to person. many chat apps allow you to temporarily turn on automatic deletion of messages, and some allow you to delete old messages. it would actually be good to do from time to time to weed out the actually irrelevant stuff but it takes effort to do that.
the key feature though for me is that recording messages helps me resume an interrupted conversation. and when you get older and start loosing friends as they pass away, these are also memories of the good times that you have had together.
what we need is better laws to protect our privacy, that say don't allow old messages to be used regardless if they are stored or not, so that we don't run into the current situation that those who were so dumb to not delete the messages are at a disadvantage.
yes, it is a tradeoff. most things don't need to be recorded. but what we like to record and what not varies from person to person. many chat apps allow you to temporarily turn on automatic deletion of messages, and some allow you to delete old messages. it would actually be good to do from time to time to weed out the actually irrelevant stuff but it takes effort to do that.
the key feature though for me is that recording messages helps me resume an interrupted conversation. and when you get older and start loosing friends as they pass away, these are also memories of the good times that you have had together.
what we need is better laws to protect our privacy, that say don't allow old messages to be used regardless if they are stored or not, so that we don't run into the current situation that those who were so dumb to not delete the messages are at a disadvantage.
> they insisted on writing everything both of you said in a notebook
Like....my emails? My SMS messages?
Like....my emails? My SMS messages?
Tools are see up to log by default.
Apps exist for the ephemeral conversation you desire. Like Snapchat. Where one of the features is conversations disappear.
I don't think everything is so gloom and doom like you make it out to be.
Apps exist for the ephemeral conversation you desire. Like Snapchat. Where one of the features is conversations disappear.
I don't think everything is so gloom and doom like you make it out to be.
As perf evals become more thunderdome in this environment, this issue is going to get worse, not better.
> What sensible people do is have a retention policy of not keeping chats longer than, say seven days.
Maybe that's good from a company perspective, but from an employee perspective not being able to search old conversations is abysmal.
Maybe that's good from a company perspective, but from an employee perspective not being able to search old conversations is abysmal.
Most tech companies shut down or slow down for 1-2weeks around Christmas. Imagine coming back to an empty Slack.
Sounds wonderful :)
That is what unethical people do. Sensible people have a retention policy that balances storage cost with need to look at the archives, rather than "we have to make sure we don't get caught doing illegal shit".
It’s often not that anyone is doing illegal shit or not, it’s that archives can be mined for out of context quotes that will ruin the company or people involved regardless.
And large archives also dramatically increase costs of complying with civil discovery, which already can make the most ridiculous lawsuit costs millions just to ‘deal with’.
And large archives also dramatically increase costs of complying with civil discovery, which already can make the most ridiculous lawsuit costs millions just to ‘deal with’.
For example (1998)
https://www.wired.com/1998/09/microsoft-subpoenas-bad-attitu...
(not linking to jwz's own recollection of the event, due to HN referral trap)
https://www.wired.com/1998/09/microsoft-subpoenas-bad-attitu...
(not linking to jwz's own recollection of the event, due to HN referral trap)
(why not link? it's not like we don't know how to circumvent that)
https://www.jwz.org/gruntle/rbarip.html
about that list, i am sorry, but i don't feel that badmouthing anyone is healthy ever. doing that in a group is not catharsis but it is reinforcing bad attitudes, discontent or even hatred. that is not something i want in my company.
if any of my employees set up such a list or forum, i would tell them to stop that immediately, under threat of being fired if they didn't comply. not because of the risks involved, but because i do not want anyone to think that doing that is ok. it isn't!
Perhaps its best to just never say anything that you wouldn't want published.
https://www.jwz.org/gruntle/rbarip.html
about that list, i am sorry, but i don't feel that badmouthing anyone is healthy ever. doing that in a group is not catharsis but it is reinforcing bad attitudes, discontent or even hatred. that is not something i want in my company.
if any of my employees set up such a list or forum, i would tell them to stop that immediately, under threat of being fired if they didn't comply. not because of the risks involved, but because i do not want anyone to think that doing that is ok. it isn't!
Perhaps its best to just never say anything that you wouldn't want published.
Sure, but that doesn’t mean people don’t do it all the time.
some people maybe.
but that is not an excuse.
and it's not healthy to encourage others either.
but that is not an excuse.
and it's not healthy to encourage others either.
Who was encouraging anyone?
Noting people murder each other too doesn’t encourage it.
If one would prefer to not have folks murdering each other near them, if anything it can help them keep an eye out better.
Noting people murder each other too doesn’t encourage it.
If one would prefer to not have folks murdering each other near them, if anything it can help them keep an eye out better.
creating a list/forum to mouth off is encouragement. in one case to join you has to mouth off really bad. and leaders thanking the existence of the list...
I think we’re talking about vastly different things.
apparently we are now. the thread from the beginning was about spaces where people can badmouth others without reprisal. i read your question in that context. some people doing this all the time, is not an excuse, and the existence of such spaces encourages that kind of behavior. no more no less.
regarding murder, lynch mobs did exist, and they were also encouraged by allowing them to gather and normalizing that behavior. it's not talking about murder that encourages it, it's talking about it in a positive way that does.
groups that tolerate bad behavior generally tend to end up encouraging it if they don't put a stop to it. there are plenty of examples for that out there. just think about protests go out of hand. one person breaks a window, sets a trash can on fire, steals something from a shop and more people join in.
the only way to stop that is to keep ourselves in check and not allow such behavior but stop it when it happens. allowing those lists to be created did the opposite.
if you need to badmouth something, find a therapist.
regarding murder, lynch mobs did exist, and they were also encouraged by allowing them to gather and normalizing that behavior. it's not talking about murder that encourages it, it's talking about it in a positive way that does.
groups that tolerate bad behavior generally tend to end up encouraging it if they don't put a stop to it. there are plenty of examples for that out there. just think about protests go out of hand. one person breaks a window, sets a trash can on fire, steals something from a shop and more people join in.
the only way to stop that is to keep ourselves in check and not allow such behavior but stop it when it happens. allowing those lists to be created did the opposite.
if you need to badmouth something, find a therapist.
I think we're saying the same thing, you're just angrier about it - and seem to be pointing at me. Which seems impolite.
Don’t think illegal, think ammunition for the opposition.
Retaining messages for no longer than a week or two would act as a forcing function to keep project management and comms sane.
True in theory.
In practice, I’ve never seen a “more-correct” system actually replace the value of long-lived chat channels and a culture of discussing things out in the open on those channels.
Long-lived chats don’t replace documentation and project management, but I’ve yet to see those replace the value of long-lived chats.
Now, it probably could be replaced by companies putting project management in a non-hellish tool that’s close to the code and has a pleasant chatting-about-issues experience and low structure so you don’t feel like you’re knocking over some PM’s sand castle if you mess with it (so NOT jira, asana, et c) but I’ve never experienced a company that does that. Communicating in the PM tools is always terrible.
In practice, I’ve never seen a “more-correct” system actually replace the value of long-lived chat channels and a culture of discussing things out in the open on those channels.
Long-lived chats don’t replace documentation and project management, but I’ve yet to see those replace the value of long-lived chats.
Now, it probably could be replaced by companies putting project management in a non-hellish tool that’s close to the code and has a pleasant chatting-about-issues experience and low structure so you don’t feel like you’re knocking over some PM’s sand castle if you mess with it (so NOT jira, asana, et c) but I’ve never experienced a company that does that. Communicating in the PM tools is always terrible.
Even though I commented up thread that not having logs for more than 7 days would be horrible for an employee, I don't necessarily disagree fully with this statement.
It would ideally force employees to take notes and keep comms/project management sane, however I'm more likely to believe people would just get used to finding an easier workaround or guessing.
It would ideally force employees to take notes and keep comms/project management sane, however I'm more likely to believe people would just get used to finding an easier workaround or guessing.
The thing Google got chastised for is having a short retention policy.
This goes without saying, but those in the financial industry should be aware that there are stringent record keeping requirements that apply to things like text messaging, Slack, etc. Quite recently a set of firms were fined $1.1 billion for not retaining text messages, for instance.
Seven is almost certainly too short of a timeline for this? I'd expect the retention policy to be at least months, if not longer. Certainly for top level employees.
> What sensible people do is have a retention policy of not keeping chats longer than, say seven days.
or seven years if the SEC is watching over you.
or seven years if the SEC is watching over you.
It’s not after an investigation begins, it’s the moment that it’s likely or foreseeable that an legal action may come. Basically, if you think you might be in trouble and you delete stuff, you definitely are.
Edit: illegal -> a legal
Edit: illegal -> a legal
Wouldn't any chance to retention policies be a bit of a possible canary trap?
Not really an issue. When you're in a situation where you need to retain data for legal reasons, You TELL people that, so they don't inadvertently destroy the data. It's the opposite of a secret.
And, there is software for it that automates sending and getting confirmation the notification has been received and understood.
One example: https://www.exterro.com/e-discovery-software/legal-hold
One example: https://www.exterro.com/e-discovery-software/legal-hold
There are already companies in this space that specialize in archival tools for old messages - Smarsh or Global Relay.
Matt Levine has written about this a lot - back in the day when these rules were made, the only writing that were meant to be preserved were handwritten letters and memos. Today, regulators have a treasure trove of communication on which to build a case - their only limitation is the ability to process it.
It's funny to me how many of these cases end up getting built on an email that turns up in a search where someone says "gee - I really think we are doing a crime here! Are we doing a crime? I really hope we aren't doing a crime."
Like, the person might have had the most innocent intentions, but they end up manifesting the charges they are complicit in. Meanwhile, companies who do some real evil stuff get off scot-free because no one had the moral thought to have their doubts in writing.
Matt Levine has written about this a lot - back in the day when these rules were made, the only writing that were meant to be preserved were handwritten letters and memos. Today, regulators have a treasure trove of communication on which to build a case - their only limitation is the ability to process it.
It's funny to me how many of these cases end up getting built on an email that turns up in a search where someone says "gee - I really think we are doing a crime here! Are we doing a crime? I really hope we aren't doing a crime."
Like, the person might have had the most innocent intentions, but they end up manifesting the charges they are complicit in. Meanwhile, companies who do some real evil stuff get off scot-free because no one had the moral thought to have their doubts in writing.
> Meanwhile, companies who do some real evil stuff get off scot-free because no one had the moral thought to have their doubts in writing.
No, belief or doubts has absolutely nothing to do with whether you committed a crime or not.
It has to do with whether it was with malice/intention.
No, belief or doubts has absolutely nothing to do with whether you committed a crime or not.
It has to do with whether it was with malice/intention.
So, it seems like you don't understand mens rea versus actus reus
Your speaking with too much absolutism. It doesn't matter whether you committed a crime or not, it matters if you can be convicted. That distinction illuminates the ambiguity and uncertainty that is it inherent in the justice system.
Intent is a required element in many crimes (mens rea), and proving so is often hard. Unless someone writes one of these emails, like they noted.
Fraud, for instance. Or murder vs manslaughter vs ‘an accident’.
Smoking gun emails can totally sink a case or get people convicted.
Fraud, for instance. Or murder vs manslaughter vs ‘an accident’.
Smoking gun emails can totally sink a case or get people convicted.
Intent is relevant to the severity.
Murder is a crime, manslaughter is a crime.
Criminal fraud requires intent, civil fraud does not.
Lacking intent does not make it "scot-free."
Murder is a crime, manslaughter is a crime.
Criminal fraud requires intent, civil fraud does not.
Lacking intent does not make it "scot-free."
The difference between murder, manslaughter, an accident, or even justifiable homicide is exactly one of intent/knowledge. 2 of those 4 are crimes. 2 are not.
Criminal fraud and civil fraud both require knowledge (or a reasonable belief that it was likely) that one was lying - which is intent, if one moves forward.
Thinking you are telling the truth (actually!) means no fraud.
There are many crimes that do not exist without intent.
There are also many crimes that exist regardless of intent, like possession of controlled substances, statutory rape, etc.
Now damn near anything can be a tort of course, but while those can produce large damages in a civil suit - they aren’t crimes per se. You’d need a criminal violation for that.
Criminal fraud and civil fraud both require knowledge (or a reasonable belief that it was likely) that one was lying - which is intent, if one moves forward.
Thinking you are telling the truth (actually!) means no fraud.
There are many crimes that do not exist without intent.
There are also many crimes that exist regardless of intent, like possession of controlled substances, statutory rape, etc.
Now damn near anything can be a tort of course, but while those can produce large damages in a civil suit - they aren’t crimes per se. You’d need a criminal violation for that.
This is not surprising. When an investigation gets underway, the company being investigated will notify employees that any assets relating to the subject of the investigation should be retained. Typically, this covers all physical and digital documents and communications.
Which some employees may interpret as wink wink destroy everything...
They might, but HR will (or at least should) fire anyone who does that - that is guards escort you from your desk to the door. Then to add insult to your bad day, you get summoned to court for your contempt of court hearing. It is to the companies advantage to turn in anyone who attempts to destroy everything - it shows the court they are serious about saving everything which might be useful if they need to claim something was an oversight. Of course if you are the subject of that wink wink thing - assume they are trying to make you take the blame for the company.
Not that they are likely to be able to do much. My company first presses the button in exchange to lock everything electronic I have so I cannot delete it, before they let me know that I need to save everything (or so they claim...). Thus I cannot really delete anything. I might be able to shred something, but who keeps paper records of anything (and if by chance I do have one, odds are it is a printout of something where there is still an electronic copy). While I don't know what company you work for, it they have any size at all they should have similar processes in place so there is nothing you can delete - but the act of attempting it will be noted and brought to court.
Not that they are likely to be able to do much. My company first presses the button in exchange to lock everything electronic I have so I cannot delete it, before they let me know that I need to save everything (or so they claim...). Thus I cannot really delete anything. I might be able to shred something, but who keeps paper records of anything (and if by chance I do have one, odds are it is a printout of something where there is still an electronic copy). While I don't know what company you work for, it they have any size at all they should have similar processes in place so there is nothing you can delete - but the act of attempting it will be noted and brought to court.
Very good points!
Reviewing the actual FTC announcement:
"Companies that allow or provide applications with ephemeral messaging capabilities must continue to retain all relevant documents during government investigations and enforcement actions."[1]
Looks like this is only (especially) applicable once the company in question has been officially notified of an active ongoing government investigation.
[1] https://www.ftc.gov/enforcement/competition-matters/2024/01/...
Looks like this is only (especially) applicable once the company in question has been officially notified of an active ongoing government investigation.
[1] https://www.ftc.gov/enforcement/competition-matters/2024/01/...
Good thing that it's not (easily) possible to back up Signal chats. Lose the devices and the history is gone.
I was about to question this statement, but then I remembered that it's actually a few steps you need to go through. Enabling backup, remember to transfer the backup file regularly, and keep track of the passphrase. I wouldn't say it's hard though. A bit cumbersome, but not hard.
I think it depends on the platform. On iOS I'm not sure if it's even possible to get to the messages without a jailbreak.
Enjoy your bankruptcy and/or jail time when they decide you lost it on purpose.
If only that were true. Jenny Durkan would be in jail right now.
(Background: https://www.seattletimes.com/seattle-news/law-justice/no-cha...)
(Background: https://www.seattletimes.com/seattle-news/law-justice/no-cha...)
A previous employer who shall not be named had a policy that all Slack DMs older than 2 weeks were immediately deleted. Can't find any smoking guns if the gun has been incinerated.
We did this at a previous startup and it had nothing to do with smoking guns. We were in healthcare and, although we had a strict policy against posting any PHI in slack, we still purged history in the off chance that it did end up somewhere. It’s just another layer to privacy protections.
It also had the nice benefit of forcing people to store actual knowledge in Notion where it could be organized and more easily discoverable.
Anyway, all this to say - there are many reasons to purge slack history that aren’t nefarious (even if the practice is ill advised by some)
It also had the nice benefit of forcing people to store actual knowledge in Notion where it could be organized and more easily discoverable.
Anyway, all this to say - there are many reasons to purge slack history that aren’t nefarious (even if the practice is ill advised by some)
A small side question: what if Slack or Signal do delete or alter them instead? Not necessarily the parent company, just some rogue employee inside them. Oh, that's MIGHT happen with emails as well IF they are left on someone else server or some internal admin decide to do nasty things, but emails can be stored locally on ANY system, it should be used grabbing messages with the classic fetchmail and keep them locally, shared maildirs as well, just mirrored. A local approach to locally work and sync against the remote.
Instead we keep choosing a SPOF after another with some that even state "that's for safety"...
Try to imaging why we chose for instance to switch from classic cvs/svn systems to dCVS ones. Try to realize how simple is design desktops that works like desktops, of course you do not sync a copy of a multi-TB database locally but most stuff, docs, sources, mails and so can perfectly be local+sync issueless. Of course on a FDE storage.
Why keeping modern desktops used as dumb terminals since they are far more capable than a classic dumb terminal and they cost as well because of that?
Instead we keep choosing a SPOF after another with some that even state "that's for safety"...
Try to imaging why we chose for instance to switch from classic cvs/svn systems to dCVS ones. Try to realize how simple is design desktops that works like desktops, of course you do not sync a copy of a multi-TB database locally but most stuff, docs, sources, mails and so can perfectly be local+sync issueless. Of course on a FDE storage.
Why keeping modern desktops used as dumb terminals since they are far more capable than a classic dumb terminal and they cost as well because of that?
[deleted]
For Slack, this seems like it should be a checkbox you set somewhere that causes Slack to archive everything instead of deleting it. And if you want to be ISO 9001 (or whatever) compliant you have to set the checkbox.
IIRC, slack archive by default, you don't have access to previous messages after a certain point unless you pay for the service.
Messages older than 90 days are only hidden in the free plan, not deleted: https://slack.com/help/articles/7050776459923-Pricing-change...
As soon as you start/resume paying, you can access them again.
As soon as you start/resume paying, you can access them again.
Companies really shouldn’t be required to keep messages unless they are legally bound to do so. It’s very intrusive and very costly to keep.
I don’t really have an issue with bezos using it unless he was under investigation.
If they want to get access maybe they should try some sort of wiretap law to get access to messages before they are deleted ? Place bugs in the board rooms ? Maybe there needs to be a modern way to capture the crime in progress the same way they bugged gotti?
I don’t really have an issue with bezos using it unless he was under investigation.
If they want to get access maybe they should try some sort of wiretap law to get access to messages before they are deleted ? Place bugs in the board rooms ? Maybe there needs to be a modern way to capture the crime in progress the same way they bugged gotti?
Ah this. Meanwhile, a face to face meeting is ultimately much more secure and avoids any ability of investigators to get a neat, clean transcript without bugging a cafe table with a mic. I routinely collect signal messages for my job. Not LE either! So be wary of what you trust. The capabilities of your adversary probably exceeds yours.
I suspect this will almost certainly lead to more companies that have policies against these tools. I'm also assuming data retention policies would be the same as email? Such that you can delete them, but it has to be a stated policy with legally applicable timelines.
This doesn't seem much different than what companies must do with E-mail when they are under investigation or getting sued. Surely these chat applications have a configuration to allow for messages to not be deleted when under "litigation hold". No company that I know of has a policy against E-mail.
Most policies regarding email are that some topics are off limits for email. Certainly speculative business conversations should not be done on email, largely because context matters a lot for those discussions.
Though, you are right that most places ignore email until you get going pretty well, and then by that point the cat is out of the bag. It used to be that only official communications where important. And that was largely managed by you only kept official communications archived. Now that we can archive anything, it is getting kind of silly.
Though, you are right that most places ignore email until you get going pretty well, and then by that point the cat is out of the bag. It used to be that only official communications where important. And that was largely managed by you only kept official communications archived. Now that we can archive anything, it is getting kind of silly.
The fact that these tools do not have the default setting of keeping chat messages for no more than 30 days is ridiculous. On each and every conversation I can, I'm always changing (where possible) to not leave the digital stench eternally.
I worked at a company that changed the retention policy for email and other communication to 12 months. I instantly lost tons of old notes. I started saving important emails to Google Docs so I could still reference. It was very annoying.
For Slack specifically, the US agencies could probably also ask Slack themselves to enforce the "don't delete stuff for company XYZ".
Signal though would be a different matter entirely.
Signal though would be a different matter entirely.
When this interesting is when they start requiring any LLMs trained on your internal data be handed over for interrogation.
This will encourage RTO. If off-site workers can't engage in illegal and anticompetitive behavior without it being documented, then they'll be shut out of the important roles.
Unlikely. Video and phone calls aren’t recorded. I’ve used them tons of times to discuss things with coworkers I don’t want seen by management.
That's a throwback to a time when it wasn't possible or practical to record them.
There's no technical reason that lets you keep Slack, chat, or email and prevents keeping phone calls and video. It's all just digital data.
I'd expect we'll see the requirements change to include these.
There's no technical reason that lets you keep Slack, chat, or email and prevents keeping phone calls and video. It's all just digital data.
I'd expect we'll see the requirements change to include these.
Sure, it could change in the future. It's not the reality now, so data retention rules on chat programs isn't likely to cause a return to office.
Management have been using phones to bypass record keeping for well over half a century.
Management have been using phones to bypass record keeping for well over half a century.
Its just a matter of time before some LLM will transcribe them and log your calls though. It might allready be happening.
Recording laws get in the way of this. You’ll start seeing/hearing a warning every time you start a call if they begin doing this.
The live-captions tool in Teams is already better at understanding some of my colleagues than I am. The tech’s there, and probably already was good-enough before LLMs.
The live-captions tool in Teams is already better at understanding some of my colleagues than I am. The tech’s there, and probably already was good-enough before LLMs.
Almost every corp phone line already can be (and often are) recorded. People sign away those rights when they sign their companies info processing rules (the ‘company equipment belongs to the company and can be monitored at any time’ stuff).
Folks outside the company often join calls and video meetings. Some orgs may have their shit together-enough to exempt only those, perfectly, so they never violate recording laws, but I’d expect most would just notify on all calls/meetings if they started doing this.
Or just record and expect no one to attempt to prosecute (most likely), since it was ‘by accident’ (no mens rea).
Generally recording phone calls is only a crime if there is an expectation of privacy, which would also be hard to say existed on a group phone call or video chat, especially if one of the parties knew for sure it could be recorded (and consented to it by continuing to work for the company).
Federal law would make it legal to record such a call, for instance.
California might make it illegal, might not - all the parties would have to expect it to be a non confidential call.
Which a group call? Hard to argue that’s confidential.
Calling a random person in a company, where you don’t know if it is being recorded or not? Ehhhh.
Also, in California there is an exemption to these recording laws - you can use illegal recordings to defend yourself against perjury, or in the prosecution/defense of certain heinous crimes like extortion, kidnapping, murder, etc. (633.5 CPC) [https://leginfo.legislature.ca.gov/faces/codes_displaySectio....]
It’s a shame Justia doesn’t link to that, as it’s quite important in some situations.
[https://www.justia.com/50-state-surveys/recording-phone-call...]
“Under California law, it is a crime punishable by fine and/or imprisonment to record a confidential conversation without the consent of all parties, or without a notification of the recording to the parties via an audible beep at specific intervals. The California Supreme Court has defined a confidential conversation as one in which the parties have a reasonable expectation that no one is listening in or eavesdropping. In addition to criminal penalties, illegal recording can also give rise to civil damages.
CA Penal Code § 632 (definition & penalty), § 637.2 (civil damages), Flanagan v. Flanagan, 41 P.3d 575 (Cal. 2002), Cal. Pub. Util. Code Gen. Order 107-B(II)(A)”
Generally recording phone calls is only a crime if there is an expectation of privacy, which would also be hard to say existed on a group phone call or video chat, especially if one of the parties knew for sure it could be recorded (and consented to it by continuing to work for the company).
Federal law would make it legal to record such a call, for instance.
California might make it illegal, might not - all the parties would have to expect it to be a non confidential call.
Which a group call? Hard to argue that’s confidential.
Calling a random person in a company, where you don’t know if it is being recorded or not? Ehhhh.
Also, in California there is an exemption to these recording laws - you can use illegal recordings to defend yourself against perjury, or in the prosecution/defense of certain heinous crimes like extortion, kidnapping, murder, etc. (633.5 CPC) [https://leginfo.legislature.ca.gov/faces/codes_displaySectio....]
It’s a shame Justia doesn’t link to that, as it’s quite important in some situations.
[https://www.justia.com/50-state-surveys/recording-phone-call...]
“Under California law, it is a crime punishable by fine and/or imprisonment to record a confidential conversation without the consent of all parties, or without a notification of the recording to the parties via an audible beep at specific intervals. The California Supreme Court has defined a confidential conversation as one in which the parties have a reasonable expectation that no one is listening in or eavesdropping. In addition to criminal penalties, illegal recording can also give rise to civil damages.
CA Penal Code § 632 (definition & penalty), § 637.2 (civil damages), Flanagan v. Flanagan, 41 P.3d 575 (Cal. 2002), Cal. Pub. Util. Code Gen. Order 107-B(II)(A)”
Its already an optional feature of a lot of chat platforms.
https://support.microsoft.com/en-us/office/view-live-transcr...
https://www.microsoft.com/en-us/microsoft-365-life-hacks/org....
https://support.microsoft.com/en-us/office/view-live-transcr...
https://www.microsoft.com/en-us/microsoft-365-life-hacks/org....
Oh ...
Well I wonder when "Facebook-scale" can do untargeted spying? Like, record and transcribe your Whatsapp calls without knowing that you are a high value product or dissident. I guess it would be to expansive to do right now, compute wise?
I am seriously thinking about making my own VOIP app for the phone to try to mitigate these kinds of attacks.
Well I wonder when "Facebook-scale" can do untargeted spying? Like, record and transcribe your Whatsapp calls without knowing that you are a high value product or dissident. I guess it would be to expansive to do right now, compute wise?
I am seriously thinking about making my own VOIP app for the phone to try to mitigate these kinds of attacks.
Pgphone was a thing in the nineties. https://en.wikipedia.org/wiki/PGPfone
Technological infeasibility is not necessarily an excuse for skipping record-keeping. I've heard that financial organizations, which often have strong compliance requirements, do in fact record phone calls and video chats - possibly even face-to-face meetings. And they will actively discourage you from using a line not controlled by the company, because otherwise they could have compliance violations.
And such organizations would already not be deleting slack messages and therefore their stance on return to office isn't likely to change. :)
I mean, they say that, but if I have incriminating messages I’m fairly certain I’m better off deleting them and being dinged for obstruction of justice (assuming the main charge doesn’t stick).
So creepy
I know what you're thinking, "Slack is our project archive." If that's actually true, .gov investigations are the LEAST of your problems.