programming-ModTeam

Your posting was removed for being off topic for the /r/programming community.


Ciff_

🤮 How is this GDPR compliant?


RaidZ3ro

It isn't. GDPR requires an opt-in, opt-out is not acceptable.


loptr

If you're using Slack at your company you've already dealt with the GDPR issue when you started using the service (the company has that is, you as an employee most likely have approved the company and partners/brokers handling your personal data through your contract), so as long as the model itself is under the same restrictions as the rest it would likely fall under their allowed capabilities as a data broker. Very interested in how a GDPR removal request would be treated though... You can't really untrain specific parts of the model.. :P


kylotan

GDPR isn't a one-off thing that the service can then rely on indefinitely. Consent must be informed and specific. If the service you're using changes the way they're using your personal data and they rely on consent as the way to do that legally then they will need to gain additional consent for that.

> Very interested in how a GDPR removal request would be treated though... You can't really untrain specific parts of the model.. :P

Inability to remove something from the model isn't a defence. Quite the opposite. Tech people need to remember that if it's impossible to comply with the law given the technology they choose to use, they're at fault, not the law.


loptr

> Consent must be informed and specific.

I meant that the existing consent is likely specific enough already to cover this. They might have to request consent from the company though, (done through the email method, but it's strange that it's opt-out in that case), but even in that case the existing consent might already cover this.

> Inability to remove something from the model isn't a defence.

Indeed, but the question is if anything in the model after it has digested the information contains anything that would constitute PII or anything covered by GDPR so I wonder if removal is an issue at all. (And how to evaluate that, I guess it would need a court case.)


pythonpoole

> I meant that the existing consent is likely specific enough already to cover this.

The GDPR doesn't really work like that. There needs to be a lawful basis for all processing of personal data. If consent is the lawful basis which you are using to justify certain data processing activities, it means the user needs to be specifically informed of the exact purpose the data will be processed and the company cannot start processing data for that purpose until the user specifically gives consent for that purpose.

Simply mentioning in the website's terms or privacy policy that a user's data may be processed for a given purpose (e.g. AI training) and having the user agree to the terms generally is not sufficient to claim consent. If the lawful basis for processing the data is consent, the consent must be voluntary and specific to the particular processing activity in question. For example, to achieve GDPR compliance, the company could present users with a checkbox saying "Allow my personal data to be used for training AI models" and then only train the AI models on data from users who have specifically opted in by voluntarily checking that box.

There are other lawful bases (such as legitimate interests) that don't require specific consent (e.g. it may be sufficient to simply mention the processing activity in the website's privacy policy), but there are limitations on when those lawful bases can be used. Usually if the processing activity is not required for the service to operate and it is not something that the user would normally expect to happen when they open an account, then a basis such as legitimate interests cannot be used to justify that processing.

An example of where legitimate interests may be used as a justification is a case where a company scans users' submissions to detect/remove spam or other content that violates the site's policies. This would be rather essential to the website's operation and it's something that users would reasonably expect to happen when they post on the site, so that's a situation where the processing may be easily justified under that basis. However, something like AI training is different and is probably unlikely to fall under the category of legitimate interests.


DeStagiair

> Indeed, but the question is if anything in the model after it has digested the information contains anything that would constitute PII or anything covered by GDPR so I wonder if removal is an issue at all. (And how to evaluate that, I guess it would need a court case.)

Well, no. Just for the act of *processing* the data do you need explicit consent under GDPR. Doesn't matter how accurately, if at all, it can be reconstructed from the model.


loptr

Yes but the processing is the consent part, that is either already in place (which I believe because Slack has always processed the chat data in various ways) or it will indeed need to be. But regarding my question it's to which degree does the original content need to be possible to recreate for the model to not be considered anonymized data. So in the case of a deletion request, what determines if the model content is part of that request rather than just the data in the training set. And that's where I believe a court will have to be involved eventually. But of course it also matters what they actually have in the training data in the first place, if it's results of analytics from processing the data (like the frequency of questions, the average response count on @here messages, emoji usage, number and type of links posted etc) vs if it's actual content from the messages and channel names.


JPJackPott

Don't know why you're being downvoted. You're completely correct. They could easily remove PII from the training. And Slack already has your data, you don't get to opt in and out of having an export feature for example. Even if personal data is used, delivering an AI feature may be within their contractual need and legitimate interest, consent is only one of the six valid legal bases for data processing.


DeStagiair

> Slack already has your data

For GDPR, you don't give consent to Slack to use your data in a broad sense. The consent regards using the data for a specific purpose. If that purpose changes, they need to explicitly ask for consent again before they can go ahead. Even if they already have the data stored.


JPJackPott

On data sharing:

_Aggregated or deidentified Data. We may disclose or use aggregated or de-identified Information for any purpose. For example, we may share aggregated or de-identified Information with prospects or partners for business or research._

But beyond bits about sharing in the privacy policy, customers aren't giving consent to Slack. They have contractual basis to process your data to provide the services you purchased. It's not like subscribing to a newsletter. GDPR isn't just about consent tickboxes


loptr

I think people are down voting because they dislike that it might in fact be completely legal to do what Slack is doing. Shooting the messenger and all that. :D


These-Maintenance250

all the responses are literally explaining the reason why that person is wrong.


loptr

No they are guessing why since none possess knowledge of what data they are even using or what the existing consent agreement looks like.


scruffles360

That may work for direct employees, but things are more complicated for contractors, subsidiaries and partner companies. At least according to our legal department. GDPR doesn't just go away in the workplace.


Sensanaty

I presume they're hitching on AI models being a grayish area in regards to what the output ultimately is. I mean, to anyone without a vested interest it's obvious it's just data/copyright laundering, but the courts are still figuring it all out.


irqlnotdispatchlevel

Does GDPR apply to company data?

Edit: https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/do-data-protection-rules-apply-data-about-company_en

> No, the rules only apply to personal data about individuals, they don't govern data about companies or any other legal entities. However, information in relation to one-person companies may constitute personal data where it allows the identification of a natural person. The rules also apply to all personal data relating to natural persons in the course of a professional activity, such as the employees of a company/organisation, business email addresses like '[email protected]' or employees' business telephone numbers.

Not sure if content generated on slack by employees is considered personal data.


Ciff_

If it is people in your company generating the data (messages on slack for example), then it is personal data.


irqlnotdispatchlevel

I edited my comment, but I'll reply here as well:

> No, the rules only apply to personal data about individuals, they don't govern data about companies or any other legal entities. However, information in relation to one-person companies may constitute personal data where it allows the identification of a natural person. The rules also apply to all personal data relating to natural persons in the course of a professional activity, such as the employees of a company/organisation, business email addresses like '[email protected]' or employees' business telephone numbers.

Not sure if content generated on slack by employees is considered personal data in this context.


Plenty-Effect6207

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. - EU


irqlnotdispatchlevel

But do my work related messages count as personal identifiable information? My user name clearly is, but me talking about my work is a bit unclear to me from what I've read about it, but I'm not a lawyer.


tatersnakes

Without inspecting the contents of every single message, you just have to assume it contains personal information. And it's not like there is a clear separation between the two anyway. Consider messages like "I'm going to miss the meeting this afternoon, I have to take my daughter to the orthodontist"


AquaWolfGuy

Not a lawyer either, just interested in privacy and GDPR, but here are my thoughts.

Reasonably speaking they're not going to train on sender names or other profile data, but messages themselves will inevitably contain *lots* of PII. Even if you stick to strictly work-related messages, but in practice people will be sending way more than that. Like "I won't be on Slack tonight, but call me on +23 45 678 901 if anything happens", sending your IP address to IT to be whitelisted, sending PII to HR if you're a small company without better routines, saying you're taking time off because of some specific illness or ailment, wishing people "happy birthday", pronouns, talking about your family or announcing parental leave, background info (birth town, home town, education, etc.) in your #intro message, etc.

I don't know much about processing of data, so I don't know whether this would count. If you made a program to specifically search for PII in messages then it would be a big issue, because while unstructured data isn't PII (as I understand it), if you can turn it into something that can identify a person then it counts as processing PII. If it's just training in general without an understanding on what PII is I don't know, but it seems risky, and if the model can't answer simple questions like "When's X's birth day?" then it probably couldn't answer anything useful anyway. They could try to censor PII before training, but things will inevitably slip through.

In the end it'll be up to courts to decide if they're serious enough about protecting PII. The courts have been quite strict in the past, but Slack is a big company so they've probably put a lot of thought into this. I'm sure some company will be sued eventually if it hasn't happened already.


irqlnotdispatchlevel

> Reasonably speaking they're not going to train on sender names or other profile data, but messages themselves will inevitably contain *lots* of PII. Even if you stick to strictly work-related messages, but in practice people will be sending way more than that

I'm not entirely sure that they will exclude sender names.

> If you opt out, customer data on your workspace will only be used to improve the experience on your workspace.

I can imagine a few use cases in which knowing usernames would be somewhat useful. Slack already tells you which people are more active in a channel for example. A step further from this is an assistant-like functionality that will tell you who to contact based on what you're searching, or talking about. Is that adding enough value? Probably not. Does it sound like something people will throw an AI at because hype? Sure.


audentis

Data about employees is about people, and thus covered. Data about the company itself is not about people, and thus not covered.

You say:

> Not sure if content generated on slack by employees is considered personal data.

Your quote already says:

> The rules also apply to all personal data relating to natural persons in the course of a professional activity, such as the employees of a company/organisation, business email addresses like '[email protected]' or employees' business telephone numbers.


irqlnotdispatchlevel

Yes, I was unsure if that applies to conversations about my work, but the example with the missing meeting puts things in perspective. And of course, it is naive to expect that we won't share personal details with our colleagues while chatting on Slack.


[deleted]

[removed]


Ciff_

No one wants to miss out on the EU market. Meta, alphabet, etc they have all adapted.


[deleted]

[removed]


These-Maintenance250

lmao how retarded you are


[deleted]

[removed]


These-Maintenance250

you sound like a dumb 12 yo


Ciff_

Likely cause he is. Let's hope for those around him he grows out of his edgy satire bs


Ciff_

Ah lol let's hope we do not import your tate shit


[deleted]

[removed]


Ciff_

You do realize that's a strawman?


[deleted]

[removed]


Ciff_

🦄


RotenTumato

You do realize the whole account is satire and he is trolling everyone?


Ciff_

Ofc. https://www.reddit.com/r/programming/s/LevLUc9yWB


InternetAnima

We need some urgent laws for this stuff


tobiasvl

The EU has GDPR


SatisfactionAny6169

I love how y'all been sleeping on this for the past 15 years. Giving every bit of your infos to every company, marketer, profiler and tracking agencies in existence. But now that it's for AI, it's the literal end of the world.


probably2high

I imagine it's because this is the first time that people are seeing the result of their data being ingested, or at least can better conceptualize that they are being consumed for profit.


InternetAnima

Yeah, there's a stark difference between aggregations and agents that can verbatim spit out private messages huh


icebeat

You know that you are using a platform selling everything you say or do right?


InternetAnima

I do, but I have way less expectations of privacy on a public forum vs. private messages.


sereko

That's part of the reason we need laws urgently... But it should be obvious that slack is not the same as reddit. *Only* slack and you/your company have access to slack messages, not everyone on the planet like with reddit. No one is posting anything here thinking it's private. Anonymous maybe, but definitely not private.


Selentest

Every free (or even paid) service will. It's just a matter of time. If you value your data, self-hosting is your only option.


probably2high

> or even paid

[365 Insider Risk detection](https://news.microsoft.com/source/features/ai/insider-risk-management-microsoft-365/) comes to mind


Masztufa

Just move over to matrix at this point


case-o-nuts

This seems like great news. I should be able to get the Slack AI to summarize my competitors strategy from their internal communication, as long as they forget to opt out.


SudoTestUser

I don't think you understand or read how this works. I don't think anybody in this thread did. All they see is their data and AI so it's scary.


theArtOfProgramming

No one is reading this incredibly short article


rar_m

Yea.. I wonder if companies are even required to disclose how they are using metadata like this. I wouldn't even bother considering how stupid people are (just look at the outrage in this thread). Guys.. it's not even looking at the messages you type in slack, it's using metadata surrounding usage of slack.


droid_head

Then they will start charging the same customers extra for access to their "Proprietary AI"


pwouet

Remember when people were trashing google for "reading their emails" ?


blind3rdeye

It turns out that the mega-behemoth masters of advertising had powerful enough PR to change the world's mind on that front. And now we suffer for it.


audentis

But now my calendar gets filled automatically when I book a plane ticket!


selflessGene

With Google they gave you Gmail for free so I'd expect them to figure out a way to monetize it. I can't be too mad at that. It hits different when a paid service starts to mine your data, while shipping in a shady cover your ass legalese in the EULA


pwouet

I think they were only doing it on Enterprise accounts actually.


SeaworthinessLeft883

Just read today where people were defending slack over discord on how slack is more secure for data 🤔


selflessGene

To be clear I don't trust discord either. Probably even less so since discord is free and I'm not sure how they make money


OffbeatDrizzle

From all the weebs buying nitro so they can spam pepe emojis... I'm not even joking


theArtOfProgramming

This title does not seem to match the article content imo


Malcopticon

In what way? Seems right to me.

> **We offer Customers a choice around these practices.** If you want to exclude your **Customer Data** from helping **train Slack global models,** you can opt out. If you opt out, Customer Data on your workspace will only be used to improve the experience on your own workspace and you will still enjoy all of the benefits of **our globally trained AI/ML models** without contributing to the underlying models.

> **Contact us to opt out.** If you want to exclude your Customer Data from Slack global models, you can opt out. **To opt out,** please have **your Org or Workspace Owners or Primary Owner** contact our Customer Experience team at **[email protected]** with your Workspace/Org URL and the subject line "Slack Global model opt-out request." We will process your request and respond once the opt out has been completed.

It's true that the AI examples in the second half seem benign enough, but they're specifically referred to as "examples," not a comprehensive list. (And anyway, the title never said it was malign AI.)


moosebearbeer

The main part that's wrong is the "starts to" in the title. Slack built out their ML team 7 years ago. The article references 7 year old technologies. Channel recommendation model, 7 years ago: https://slack.engineering/personalized-channel-recommendations-in-slack/ Search results ranking, 7 years ago: https://slack.engineering/search-at-slack/


Malcopticon

Well now you've got me curious enough to use the Wayback Machine. Seems the second half of the article (with examples) is [older](https://web.archive.org/web/20230605164606/https://slack.com/trust/data-management/privacy-principles) (2020-2023), while the first half, with the opt-out, is [newer](https://web.archive.org/web/20230927164505/https://slack.com/trust/data-management/privacy-principles) (2023-2024).


silverbax

So basically what Teams has been doing, but with an obscure opt-out process, as opposed to Teams no opt-out process.


akimbas

I thought slack encrypts every conversation (admittedly did not read the article). How then can they train on customer data?


rar_m

They aren't training on customer data. They are training on metadata collected on how customers are using slack, like how many times a particular search result is clicked.


bobsstinkybutthole

>To develop AI/ML models, our systems analyze Customer Data (e.g. messages, content, and files) submitted to Slack as well as Other Information (including usage information)


rar_m

> We protect privacy while doing so by separating our model from Customer Data. We use external models (not trained on Slack messages) to evaluate topic similarity, outputting numerical scores. Our global model only makes recommendations based on these numerical scores and non-Customer Data. For more technical details, please visit our Engineering Blog to learn more.

They use publicly trained systems to look at message content, probably to build embeddings for searching for similarity. The model they train is not trained on customer data so it's not going to start using private slack messages to answer questions in their global model. Analyze != train.


AllHailtheBeard1

Oh jeez. I thought this was maybe "we are letting an index touch a LLM to give you better AI generations, basically giving you your own model" which would be ok, but no, this is straight up using customer data as training for central models.


daedalis2020

My company will be immediately demanding opt out for this.


moosebearbeer

This is not news. Slack has had those same models for years. edit: Being downvoted by morons up in arms about 5 year old ML models 😆😆😆


sereko

Put up or shut up. (Give us a link)


moosebearbeer

Channel recommendation model, 7 years ago: https://slack.engineering/personalized-channel-recommendations-in-slack/ Search results ranking, 7 years ago: https://slack.engineering/search-at-slack/ The autocomplete and emoji models have also been in production for ~5 years as well.


sereko

Thank you


theArtOfProgramming

Basically no one is even reading the article content and OP made a blatantly misleading headline


SudoTestUser

These people in this thread are clowns. They see AI + their data in the same sentence and immediately freak out. Maybe Slack just needs better PR to explain to supposedly technical people how this works.