Last year, instant messages from Gawker staffers were cited as evidence in the defamation lawsuit filed by professional wrestler Hulk Hogan.
What they revealed wasn't pretty: tasteless jokes about the former pro-wrestler’s sexual trysts and his genitals, snide remarks that weren't meant for publication.
The transcripts quickly became a cautionary tale for journalists who might exchange sensitive information via instant message (and the companies that host them).
Newsroom instant messaging apps have only gained momentum since then, with Slack among the vanguard thanks to its ease of use and its cool-kid factor.
Though Slack doesn’t release specific client demographic data, industry sites report that newsrooms are adopting Slack more than ever before, in efforts to move away from email and give journalists an edge in communicating with each other.
It’s easy to see its appeal: team members can chat in real-time, exchange files and connect with third-party apps and services. Signing up is very easy, and a news organization can have the application running in just a few minutes.
But what writers and editors say inside an instant messaging channel can come back to haunt them in a lawsuit, and chat logs are also fair game for law enforcement agencies investigating criminal cases. Those requests go directly to the company, not necessarily the IT department of a news organization.
Third-party apps like Slack are adding a new level of complexity to criminal cases, such as the Microsoft Ireland case, where the Second Circuit Court of Appeals ruled that Microsoft did not have to turn over email records found in a cloud backup stored outside of the U.S. in Ireland. (However, if those records are stored in U.S. servers, Microsoft would need to comply with the warrant).
Slack clearly spells out its data retention policies and security practices in plain and simple language on its website. The policy boils down to this: After an admin inside a newsrooms’ Slack deletes chats, Slack deletes those records within the next 24 hours. Slack keeps a backup after 14 days, then destroys them.
However, they do keep certain metadata, such as the names of the channels, as well as search terms embedded in URLS, which could still be used in court. This deletion and retention policy is only available for administrators.
Email retention practices for newsrooms vary widely, though they may be less tidy than Slack’s. If an IT manager doesn’t follow diligent practices to retain email records, it’s possible that retrieving them may take a lot longer.
Journalists should exercise more caution when it comes to digital tools like Slack, said Wolfgang Goerlich, director of cyber security strategy at CBI, a risk management firm that provides security solutions for companies.
“As no chat system is immune to being misconfigured or misused, my advise is to limit any information over such channels," Goerlich said. "Meeting in person for conversations remains the gold standard for the highest level of privacy.”
Some organizations may try to back off from Slack for privacy reasons, but these transitions aren't exactly easy. Motherboard, the science and technology site from VICE, tried unplugging from Slack to avoid wasting time with the product.
They returned to Slack after about four weeks because they found they still needed its features.
“We unplugged because we disliked expectation that people need to pay attention to Slack,” said Derek Mead, Motherboard’s editor in chief. “And during our break we made up a new game plan for how to use Slack.”
Motherboard’s new plan was to stop using Slack as a real-time chat app, Mead said. Editors eliminated all but four chat channels: a main room for discussion, one for staff announcement (in which there is no conversation), one for story assignments and one free-for-all channel. Their new Slack guidelines were aimed at better productivity and making sure that very sensitive conversations stay out of Slack.
“What we tell staff is that everything they email or Slack is public,” Mead says. “If we get hacked or subpoenaed, or sued, all those chats can be discoverable. Our Slack install erases (chats) after three days. These are passive steps to make sure we don’t have anything too embarrassing come out. We try to be as protective of our (editorial staff) as possible.”
The newsroom of Ars Technica, Conde Nast’s tech news site, was an early adopter of remote communication for journalists. For many years, writers and editors used a combination of instant messaging (AOL or gchat) with Internet Relay Chat (IRC), which the newsroom managed and operated directly. Ars Technica’s remote staff spread out all over the U.S. and the UK.
“Many of us are former system administrators, or developers, or IT people,” said Lee Hutchinson, senior technology editor at Ars Technica. “We have in the past had employees who have had a very hard time dealing with the fact that we only really interact with each other in person once a year at our all-hands. But (remote chat) affords us a flexibility that other sites don’t have. Plus, man, the overhead savings for not having physical office space in NYC is massive.”
Ars Technica switched earlier this year from IRC to Slack because some staffers were reluctant or unable to use IRC. The transition from IRC into Slack also comes at the expense of having full control over the data that is shared inside company chats.
“You have to trust that no nosy power-tripping Slack admin is whiling away his evening hours flipping through your private communications,” Hutchinson said. “Slack confirms that some employees can see all Slack chats, public and private. Those fun emojis and gifs come at a high cost.”
The process of lowering risk is not simple, nor neat, Hutchinson said.
“If you wake up tomorrow and decide that you want your newsroom to operate in a manner that’s more secure and less vulnerable to being targeted by a punitive lawsuit or other discovery…you’re screwed,” he said, “Because changing how you do things today doesn’t help with what you were doing yesterday, or the day before. Don’t debate policy or legal stuff in Slack channels, because everything you say is being recorded and can be used against you.”
Goerlich’s advice for newsrooms is to select communication apps wisely, assume all exchanges are potentially public information and protect individual accounts of employees with good privacy and security measures.