I will say, however, that I don't use my personal phone to host any employer apps. It is my phone, not theirs. I pay the service fee.
So conversations I have on my phone are mine. My coworkers all operate the same way.
[1]: https://www.microsoft.com/en-us/microsoft-viva/insights
Could someone head over to MS HQ and slap some sense into whoever thought blessing the world with this is a win?
How good the AI is depends on the flood of false positives the current system generates. If MS is true to form, getting anything useful comes at great expense.
The #1 thing they search for is notably missing from the list.
As a part "of being sold company", when I wanted to interview at the new company, my future to-be manager sent me his phone number, and advised not to use Teams for any sensitive conversation.
What even is this site? It looks like grade A content rehashing from various MS sites...
Unless you’re too valuable for them to care.
How should companies defend themselves from insider threats?
Have you never worked for a bank or financial company? Never had to take a drug test for your programming job?
US Federal law and the hundreds of billions of dollars spent on audit, insider trading, cyber security, exfiltration tools STRONGLY point to a corporate culture that is obsessed with defending against internal threats, because that’s the highest source of risk.
But seriously, I always found it amusing that once you step into a corporate you can get food, drinks & other amnesties for free.. almost like it's a socialist society.. But when said employees step outside, they are the first in-line for the capitalist agenda..
The government won’t save you from efforts like this. The government represents the interests of the capital owning class.
The demonization of unions is one of the most successful cases of propaganda in the last century. It’s gone so far as people who will die on the hill of Jeff Bezos paying slightly more taxes because everyone seems to think they’ll be Jeff Bezos one day.
I see that phrase thrown around a lot. It's a variant of "you're never going to be a billionaire (so you shouldn't be against X)." Why do people assume that you have to think you'll be a billionaire to be against something that would affect billionaires negatively? Is something only wrong if you think you'll find yourself in that position one day?
For example I often hear "The richest 1% pay 80% of the taxes" (or whatever the correct values are). The person makes this argument against the idea of raising taxes, however they aren't explaining why it shouldn't be done.
Since they don't offer an explanation the assumption is they are either already rich or think they'll be rich.
Because there is a group who struggles to reconcile what looks like a contradiction - another group who appears to advocate for policies which harm themselves. The quote and its derivatives attempt to explain this apparent contradiction.
Many people think Jeff Bezos should exist and have his wealth because he got there by playing the game better than everyone else, and that this game is just the way things are. He earned it. Attempts to change the game will just make everything worse and people won't get what they deserve, and thus these attempts are unethical. Equal societies are an absurd liberal fantasy.
My attempts to advocate that Jeff Bezos shouldn't have the money he does are actually just selfish attempts to cheat at the game and stuff my own pockets with money and get something I haven't earned. The real issue here is a lack of discipline.
Watch the rest of the videos. People who think like this largely can't be argued with.
I don’t expect I would become a billionaire (…anymore). I imagine that I would be a benevolent one, but fear the gravity pull of such wealth would collapse any good intentions. Capital demands such rigor. I would think that if some policy or popular uprising made wealth distribution flatter, the billionaires of the world could exhale. The burden to care becomes much lighter when borne by many hands.
> “John Steinbeck once said that socialism never took root in America because the poor see themselves not as an exploited proletariat but as temporarily embarrassed millionaires.”
There's plenty of circumstantial evidence to back this up. The 2000 election is a good example although I can't find a good quote for this. Gore famously daemonized the "top 1%". An illuminating poll in 2000 revealed that 19% of Americans thought they were the "top 1%" and another 20% thought they would be someday. So 39% of the population thought of themselves as the "top 1%".
Americans also love the slippery slope fallacy. The idea, that you allude to, is that people will defend Jeff Bezos's taxes being raised because the next step is apparently them coming for the working class.
This too is propaganda. B does not necessarily follow from A. But political leaders and plutocrats are happy to use this argument to their own benefit. It's the sort of argument people make when they have no argument.
It's a byproduct of American exceptionalism [2].
[1]: https://www.goodreads.com/quotes/328134-john-steinbeck-once-...
Obviously cappies (meaning people who support capitalism, who are not necessarily actual capitalists--most aren't) don't walk around believing they personally have a greater than 50% chance of being billionaires. It's hyperbole. That said, they do overestimate their future earning potential while severely underestimating the number of ways in which preexisting social class will block them. This is evidently true; behavior and preferences reveal beliefs, and no one supports capitalism and its extreme inequities unless they harbor a belief--perhaps an underexamined and irrational one--that they'll one day be invited to join the capitalist class, since there's literally nothing to justify the system but "It's good if you're one of them."
It is possible to see unions as both the source of some and solution to other forms of abuse.
What people are saying is workers need a say in how the workplace is run and companies spending millions convincing folk otherwise should be forced to stop.
Unfortunately unions will not represent my interests in a huge swath of other areas (meritocracy, politics, etc). So choosing a union just trades one set of shitty things for another. For all but unskilled workers, the benefits are basically an illusion imo
Ever notice how unions are somehow all the same entity, and seem to have to answer for things completely different unions in completely different industries did?
Nobody treats corporations this way, even though (if you look at interlocking BoD membership) there's a more reasonable case to be made for collusion in some industries...
Oh yes they do. "All corporations are evil exploitive money-grubbing polluting anti-democratic anti-worker..." I've seen it, here on HN, on the regular. I don't recall if I've seen it today, but I see it a lot.
> ... even though (if you look at interlocking BoD membership) there's a more reasonable case to be made for collusion in some industries...
The AFL-CIO looks (or at least looked) like the same thing, but for unions.
>The government won’t save you from efforts like this. The government represents the interests of the capital owning class.
You realize that the power/existence of "labor organization, i.e. unionization" is dependent on the government? Without government protection, labor unions don't stand a chance.
Like if a manager learns something and takes action because of it?
Or learning about employee behavior and sentiment and using that information to suppress promotions…
Or being informed of employee misbehavior and not taking action against it…
You just installed it locally off a disc and it just worked when you needed it. You didn’t even need internet.
So I won't think about it.
Mine doesn't. I know that because I am the 365 admin.
For now. Remember MS can literally run these tools on your communications and if/when something gets flagged... raise it out-of-band to a senior business person at your company for follow up.
They likely have the contact details for senior business people at your company already. ;)
Trust is all well and good, but trust ain't gonna pass an audit or get you out of trouble if shit hits the fan.
Even if it doesn't work right - having it at all is going to result in all sorts of bullshit for employees where this is enabled.
Someone digging through your emails because you happened to mention some vaguely related keywords... yeah, no.
Office suites were a mistake. Return to text editor.
With this premise, the author doesn't even identify the argument that while members of the hierarchy have relative positions, the wealth creation resulting from the hierarchy ensures everyone's absolute position increases. A side effect of this is how a country can have poor people who are wealthier than other countries' middle classes.
Destroying that hierarchy without a design to replace that progress mechanism means everyone's absolute position would not continue to move primarily up. If conservativism was just "a hierarchy where everyone stays in their absolute positions, but they may move around relatively sometimes," it would be a lot less appealing. The whole point is that it is the most effective driver of overall progress.
"Except for the field organizers of strikes, who were pretty tough monkeys and devoted, most of the so-called Communists I met were middle-class, middle-aged people playing a game of dreams. I remember a woman in easy circumstances saying to another even more affluent: 'After the revolution even we will have more, won't we, dear?' Then there was another lover of proletarians who used to raise hell with Sunday picknickers on her property. I guess the trouble was that we didn't have any self-admitted proletarians. Everyone was a temporarily embarrassed capitalist. Maybe the Communists so closely questioned by the investigation committees were a danger to America, but the ones I knew — at least they claimed to be Communists — couldn't have disrupted a Sunday-school picnic. Besides they were too busy fighting among themselves." (source: https://en.m.wikiquote.org/wiki/John_Steinbeck)
Ronald Wright somehow turned this into a quip about Gramscian false consciousness, in the great global game of telephone we're all playing with each others' words.
Top 1% earns 21% of income, pays ~40% of taxes (has ~34% of wealth): https://www.heritage.org/taxes/commentary/1-chart-how-much-t...
Principled makes sense though.
Many workforces in Australia are highly unionised. Unions have been largely effective - even in recent years - at using their collective bargaining power for the good of the worker. Hell, our ruling political party is literally called the Labor party. It has strong union ties and a history of passing pro-worker legislation. Union corruption exists as it exists in all areas where power can be had, but in Australia’s case you’d truly be throwing the baby out with the bathwater by saying “unions are bad!”, even in industries like tech where we’ve never really sought collective bargaining on a large scale, the universal protections ushered in by the union movement benefit all workers here. It sounds like you’ve fallen for the same propaganda as everyone else but you particularly think that you have “smarter” reasons. You don’t.
What's not to like? Common functions are one click away, and others are two clicks away. Are you saying lengthy drop-down menus were better? I don't see how.
You can nutpick to find people saying anything, of course.
Show me someone in a position of power saying that. I think the closest you'll find is someone like AOC, who has gone nowhere near that.
> The AFL-CIO looks (or at least looked) like the same thing, but for unions.
The AFL-CIO has been in decline for several decades. If you want to tar, say, the Amazon efforts with things the AFL-CIO did in the 60s, you're just making my point for me.
I don't know whether that was a typo or deliberate, but it's beautiful. I'm stealing it.
Yes, you absolutely can find a nut who will say anything - even several nuts. Absolutely. But in this case, I think it's a bit stronger than that. I see it too often. It could be just a few loudmouths saying the same thing over and over, but to me it feels more like, say, 5% of HN users actually believe that. True, that's far less than the number who believe "all unions are evil", but it still seems to me to be enough people to be significant.
> If you want to tar, say, the Amazon efforts with things the AFL-CIO did in the 60s, you're just making my point for me.
Well, I didn't want to do that, so don't put that on me. All I wanted to say is that, as corporations can collude (or at least appear to), so can unions, and we have historical examples of it happening - and, unlike corporate collusion, happening formally and in the open.
But there were laws allowing freedom of association, so something like unions were default allowed, in the absence of any other laws.
There are many examples of this including Solidarity [1] and the Peasants' Revolt of 1381 [2] following attempts to freeze wages following the Black Death where demand suddenly exceeded supply and pushed up wages.
And this isn't even counting the cases where peasant and worker uprisings led to revolutions.
The concept of a general strike is a relatively modern one but an extremely powerful one regardless of any legalities.
[1]: https://en.wikipedia.org/wiki/Solidarity_(Polish_trade_union...
So that group of billionaires who think the government can use their money more efficiently than they can in order to advance American society are absolutely free to do so! Go them! They don't need the government to compel them. They can form their own Philgubernatorial group -set their own donation rules and taxation (donation) bands and percentages and come tax season give it to the feds.
These same people likely also donate a huge amount of money to charities and etc. On an individual basis it's easier to draw a line between funds donated and outcomes.
> They don't need the government to compel them.
Do they? Do you? Why not just make the government a charity then.
> It's like they only want it to happen if it's forced on everyone
Well if we take a law to mean "forced on everyone" that's really the definition of "it to happen".
Does that bother you at all?
Not just about the employees you’re doing this to, but about being part of the system that normalises this kind of surveillance generally?
Is this really the kind of world you want to live in?
But in the business realm, you have no privacy whilst you're at work on work devices; the company owns that data, not you. Want to send a message privately about something not work related? Fine, but use your own device. Man, I spent like the first decade of my working career in all forms of laboring being exposed to OH&S violations of epic proportion which were unable to be prevented or retrospectively acted upon because no data was captured that proved it happened. Think stuff like bosses bypassing fire suppression systems that prevented machine operation on drill rigs punching holes in ground littered with methane gas pockets just in order to keep the rig running at risk of all employees running it.
I'm sick of companies getting away with abuse of customers and employees. Most of this can be prevented or at least discouraged via tech based monitoring. If you want privacy.....keep it for your private life.
This is really the problem in a nutshell.
Would you let the company install cameras in the bathroom to film you using the toilet? I am guessing probably not.
So why do you think you "have no privacy whilst at work"? This is a fiction. Privacy is a human right if you're at work or not.
Only because some people decided that should be so, and other people worked to ensure it happened. You state it like it's an immutable law of the universe, but it's a choice we collectively make, and a policy we enact. Or, a choice we passively allowed others to make for us, and a policy we allowed others to enact upon us.
How the free market will I get internet?
A software company running a Microsoft-based email/etc system is also a red flag in this context. I mean, why...
How do you think reality works?
At my present workplace, we have cameras with microphones. They also have installed spyware on laptops and desktops, to be able to see the screens of employees. They also go through mails and have a list of all web traffic done by employees.
Which is one of the reasons I handed in my resignation a few days ago.
So my rule of thumb for workplace is: expect no privacy.
If you want to use work-provided email, slack, etc to discuss things which you'd be very uncomfortable discussing in your office in the open, especially in the presence of your bosses, don't. Find a different venue.
E2EE doesn't mean anything if you have the same entity controlling the server as is controlling the endpoints.
If you control both ends of an E2EE communication and they are closed then you gain nothing over normal TLS encryption, you still trust the authority. (WhatsApp is obviously closed and yes, Signal can be considered effectively closed as their client is not reliably or reproducibly built from public sources and has hidden their agendas before[0]; and even depends on binary blobs from Google..)
I know your favourite closed/walled messenger platform is basically religion at this point: but for heaven's sake; please understand that unless you're auditing your clients or you can run trustable third-party clients; then end-to-end doesn't mean anything at all.
It's just marketing buzzwords.
WhatsApp/Signal may not be perfectly private, but it’s plenty private enough to hide trivial things like job offers from your employer.
- Everyone's understanding of this issue is different. It's hard enough to convince technical people to use Matrix/Element vs Signal, vs whatever they already have installed. Non-technical people will either just ignore you or trust you entirely, I'm not sure which is worse.
- When something goes wrong I have to fix it myself. Now I'm 24/7 on call.
- Even if I have knowledge enough to run the infrastructure myself, to compile clients and servers myself, to register domains etc., I can't understand the source code to identify every possible untrustworthy thing. Even if I could, system security is not just about the code... what is a trusted architecture to run it on?
It just isn't in any way, by any stretch of the imagination, feasible to self host any messaging service myself, that I want to use with the aim of talking to a wide range of people, from all parts of my life.. When I just want to chat with my work colleagues and arrange to go to drinks, or about their break up, or some other company or whatever..
I’m kind of surprised so many people are shocked by this. I know of one company where dozens of people were fired because their email was scanned for external job interviews and the CIO had a report, which he used to prematurely cut staff when he needed to save budget.
The only difference now is that the tech is smarter and cheaper so that you don’t need to pay as many people to spy on their coworkers.
Your defence against this is to find a job where you’re too valuable for them to do anything. As with any jurisdiction where there is at will employment.
Once I discovered that every school-issued machine had a VNC server running on it I assumed that the contents of my screen were being recorded at every moment. Turns out I was half right, as I caught up with the IT guy afterwards and the principal (a paranoid sociopath who shouldn't be anywhere near kids) wanted the ability to catch kids when she thought they were looking at non-school related things.
It's fundamental safety in a society with these sorts of companies to assume: company infra = logged until you die. Once your company has come under a subpoena for information or under some kind of long term discovery, you write emails under the assumption they're going to be in court for everyone and your mother to see.
they're free people who somehow are getting to oppress and censor individual humans (otherwise the corporation is who is being oppressed), but let's pretend that we can punish them by "taking our dollars elsewhere" such that it's our own fault
IMO, tracing this towards the root, I find along the way the grand system of royalties and other kinds of rent schemes. Nobody cares cuz we prefer the promise (for the majority is a promise) that we can come up with something great to make it BIG and then get to live from rent or other kinds of royalty payments
The proper place to include that sort of interpretation is by adding it in a comment in the thread. Then your interpretation is on a level playing field with everyone else's (https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...). Also, a comment gives you room to actually substantiate your interpretation.
On the other hand, a thread like this probably wouldn't have gotten attention without the sensational title in the first place, so this kind of submission is a borderline case and at worst a venial sin. (We still change the title once it does make the frontpage though.)
https://docs.microsoft.com/en-us/microsoft-365/compliance/co...
So I think if Microsoft existed in the world of 1984, they would easily be the preferred tech vendor for IngSoc.
Side note, do you think this would also detect the money laundering and bribery going on within Microsoft itself?
https://www.theverge.com/2022/3/25/22995144/microsoft-foreig...
Side-side note, I think the reason why that is allowed to still keep going on given that the SEC knows about it and that there's ample evidence has to do with national security reasons.
It's extremely troubling that given all this corporate authoritarian AI tech they built that Microsoft is still trying to be the voice of reason about the dangers of AI.
A) Be accurate
B) Work across multiple contexts
C) Run efficiently on billions of messages
This will just result in many false positives, and unnecessary eavesdropping on employees' personal conversations.
Once it's revealed an organization is using this, people will quickly move all conversations to another platform, even if policy forbids that. Resulting in an even greater security risk potentially.
And as per usual, if Microsoft gets someone fired (e.g. comes in looking for money laundering, finds out the staff member is making fun of their boss), there will be no repercussions.
If you accidentally fire 10% of good people you still have 90% of them left, and if that lets you fire 80% of the staff that are committing thought-crime it's probably a win.
Because of this, one might feel like the same standard applies to other one-on-one and small group communication avenues, but it’s actually completely the opposite.
Anyone using Teams is already a red flag.
- Zulip - https://zulip.com
- Mattermost - https://mattermost.com
- Rocket chat - https://rocket.chat
- Matrix - https://matrix.org
Why is this exactly newsworthy? Any communication through official channels is the property of the employer anyway. To collude, leave & other stuff use personal channels maybe.
I don't know why jumping to the most far-reaching evil option is the default in threads like this.
> This kind of software is Zyklon B for the 21st century
is a bit of an over-the-top comparison
We have come a long way now that we have these advanced classifiers. You would be surprised how low tech the initial product was, by low tech I mean devoid of any ML/AI. We went GA at the end of 2019.
Saw a lot of interesting use cases too, e.g. Japanese enterprises wanting to detect cases like suicide or intent to suicide, that is why we have multiple types of classifiers.
I worked on the Infra side (not ML). That too was “low-tech” or the more apt term would be “not the latest tech”. Core parts of the app were part of a monolith (think Exchange). Then we were using a really old .NET Framework version for our MVC app. A lot of the storage technologies we used were very MS specific as well. AFAIK, all of this is still valid today.
(I kid, VS Code is great for many, but it's not my cup of tea).
EDIT: apparently these 2 are just jokes, sorry for not checking my sources!
> Negative emotions: Expressions of sadness, unhappiness, discontent, anger, rage, anguish, or existential ennui, as these may negatively affect team cohesion.
> Joy: Language suggesting hopefulness, optimism, anticipation of a brighter future, faith in humankind and/or in a loving and benevolent creator, as these may imply that the user is thinking about topics other than the best interests of the organization.
From https://old.reddit.com/r/sysadmin/comments/v3b2mn/microsoft_...
Is this still accurate? Are there any features in the pipeline planning to change this?
Microsoft offering "communications compliance" within the same product is certainly chilling enough as it is. The reality where people lose their job as a result of previously-protected casual [voice] chat doesn't seem so crazy now. All it takes is missing a quietly-introduced feature update by a week before the organization flips the switch and doesn't tell anyone.
Pissing people off does incur a cost, though. Perhaps you're right.
Remember the famous "will the atom bomb test ignite the atmosphere" gentleman's bet those scientists had? Nobody actually thought it would but they discussed it semi-seriously. Today discussing some fanciful bad outcome like that (be it the mundane failure to deliver a product or something more interesting) is a liability when it's sitting in your company email servers. Even if that bad thing isn't what winds up happening or the people speculating aren't in a position to have accurate info the other side's lawyer or the regulator will try and construe it as proof that the company should have known ahead of time.
Or, more likely, say there's some sexual harassment or adultery kerfuffle between employees. It's way better for the company if none of that happened on company provided communications tools.
From the company's perspective it's avoidable risk to have work communication tools be used for informal BSing between employees. But they can't realistically prevent that so they introduce Skynet in order to make people watch their mouths and move those sensitive conversations elsewhere.
I don't know what I found funnier, the idea that some poor fool at a Soviet embassy had to listen to our conversation because a key word hit caused the recording to be saved, or the idea that the author even proposed that the idea would work.
Your comment implies this isn't potentially an enormous difference. The difference is between having to pay people to spy on their coworkers, and having computers that do it passively, invisibly, continuously, in real time?
The law won’t help (they want more surveillance). Democracy won’t help (most people want more surveillance on their neighbors). Exploit the system.
On a related note, if you were a Microsoft employee, how comfortable would you be talking with recruiters on LinkedIn?
Even MS's own recruiters will use LinkedIn to contact current MS employees for internal positions.
Tech is a double sided coin. Things like this have the power to be abused, even easily at times, but that doesn't mean they always will be.
Some people are weird like that. There’s also old people who only have work emails. Lots of different people in the world.
In your specific example, there could be a slightly more positive reason --- proof that you do actually have a job at where you claim to be working.
So Microsoft's cloud ecosystem generally owns your work email, and the site you use to find a job.
Honestly: I don't care what they say (because it'll be "we datamined LinkedIn, but don't worry we did it with only the public APIs and just bypassed rate limiting so technically...to add data to our "employee leaving" filter...) - Microsoft and LinkedIn, specifically, need to be forcibly broken up with this sort of control over the full employee lifecycle.
* https://www.microsoft.com/en-my/microsoft-365/roadmap?filter...
The title "Microsoft Purview: Additional classifiers for Communication Compliance (preview)" sounds like nothing at all. It doesn't seem like exaggerating to say that the reality is literally Big Brother in a corporate context. Seems like your changing the title is just going to have the effect of reducing attention given to something that really needs to be exposed in clear terms.
I'm not saying the current title is the perfect outcome—I'm just not sure what the perfect outcome is. I do think that in this case, the dystopian title adds to the quality of the post (but only once it's on the front page).
It's impossible to cover the general case with a simple rule. Even a paragraph of rules wouldn't be enough—people would discover corner case after corner case and you'd eventually need a book. I think HN's guideline covers the domain as well as any single sentence could; and then we can cover all the exceptions ad hoc, and talk about them in the comments.
It's interesting that the HackerNews guideline makes no statement about whether a custom headline is sensational or reasonable. It is: "Please use the original title, unless it is misleading or linkbait; don't editorialize." They probably have a slightly different reason for this rule than many people first imagine. And that reflects in the actual wording of the rule being slightly different than many people would first phrase it themselves.
I tried to summarize the article in the title. Will follow the guidelines from now on.
Just speculating, but this phenomenon could either be explained by 1.) diverse internal opinion; the parts of Microsoft responsible for warning against AI are not the same parts pushing authoritarian AI software, or 2.) Moat-building/ladder-pulling; Microsoft is warning people of the danger of _other people's_ AI, but of course you can trust _their_ AI, because they're the ones warning you after all!
Everything in corporate email has always been subject to read by others, there is no expectation of privacy.
As we’ve seen from countless court cases, they range from boring nothingburgers, to evidence of actual crimes.
Hopefully it doesn't make it outside of the corporate world though.
An automated process that alerts whomever is chosen as overseers to all possible missteps and misdeeds.
One is a very targeted and conscious effort the other is automated and pervasive everywhere all the time.
Depends where you work? I expect my work emails to be private.
Why is there always this attitude of "it's a private business, they can do what they want". Why does the fact that they can do something distract from criticism of them doing it? The fact that this tech exists is horrifyingly dystopian on its own merits. But it also has widespread consequences in a country with so many employment monopolies and opportunities for outright wage slavery. Heavy-handed workplace surveillance and heuristics-based crap are becoming increasingly difficult to simply opt-out of.
Pretty clear one of the major things they're going for here is detecting "jobsite troublemakers", i.e. employees who are upset with job conditions/agitating for improvements/discussing salaries/etc, which is given specific legal protection. It is explicitly legal and protected for employees to discuss labor conditions, organizing, or salaries regardless of whether you do it "on company property" or "on company chat". Just because the company owns it doesn't mean you have no legal rights - just like a company can dismiss you for no reason but they can't dismiss you for any reason.
They are wrapping it up with "think of the children" justifications like "employees who are discussing salary might be considering leaving and they might take nefarious action if they do so" but that's the core of the situation here - these are tools to detect and fight against legally-protected activities by employees.
> Workplace collusion: The workplace collusion classifier detects messages referencing secretive actions such as concealing information or covering instances of a private conversation, interaction, or information.
> "The leavers classifier detects messages that explicitly express intent to leave the organization, which is an early signal that may put the organization at risk of malicious or inadvertent data exfiltration upon departure"
Hypothetically, do you think it would be a good idea for Microsoft to build a classifier and provide managers with a list of potential "religiously devout", eg based on correlated work/away periods, language patterns, etc? Sure, it's a legally protected classification, but there's an elevated risk of extremist activity, which surely presents a business risk, right? So why not?
Is this sentence meant descriptive or normative? Because there are definitely jurisdictions where it is not that easy (e.g. EU).
If it is meant normative then I wonder if you also think they "own" all conversations happening on corporate ground? Should they be allowed to record anywhere on corporate property, and use what they record in any way?
Your corporate comms are monitored and there is no privacy.
That's entirely intentional. You really don't want internal evidence of something that's going to be construed 10 years down the line as cancel-worthy, or worse, something that politicians/regulators are going to take out of context to attack you with.
Technology, like advanced weapons, doesn’t solve political problems for long, as the other side eventually gets their hands on it.
Be good cogs; don’t leave logs.
We already filter out people who aren’t smart enough to keep their mouth shut when necessary.
Scaling the problem is likely to increase the damage.
Although sending it to work is probably the most secure from a spouse.
15 years ago I worked at a place where there was an entire room of people who were hired to literally do nothing but read your internal mail all day. One of the deployment rules was to make sure they had unimpeded access to everything (except for executives of course). Please don't misinterpret me as suggesting I like the practice.
I can see why people are upset that this technology is being offered, I am too. But I can't see why people are suggesting it's a new low for corporations that have always been doing this.
The only solution that I can see: Exploit the system….
My view is this kind of thing is inevitable and pervasive because there’s a lot of internal risks that companies and governments are worried about. The only solution is to be so valuable that it doesn’t matter.
The other one is instigated and deliberate at the official request of legal and can take a lot of time.
It’s very different. It instills a climate of untrust. Everyone is “guilty”. In the other scenario everyone is innocent till a specific and circumscribed “matter” is started.
It's not just that they don't care: it's like they see some privacy-invasive thing and automatically use it because it's privacy invasive
Like whenever people not only use chrome, but are logged into their google account 24/7 while using chrome (I'm sorry if the reader does this...). I get it if there's some niche feature that requires it, but most of the people I know who do this aren't doing it for that reason (or any reason at all I guess)
2) https://signal.org/blog/reproducible-android/
> the Signal Android codebase includes some native shared libraries that we employ for voice calls (WebRTC, etc). At the time this native code was added, there was no Gradle NDK support yet, so the shared libraries aren’t compiled with the project build.
A good answer in my opinion, but it does mean that what you install from the play store is not reproducible and thus can never really be confirmed to be the same as public sources. There are also binary blobs needed for interacting with Google Play.
3) Signal is openly hostile to third party client implementations: https://github.com/LibreSignal/LibreSignal/issues/37 Meaning they have a near monopoly on all signal communications through their client.. and since it's not reproducible, I hope everyone is building from source.
2) Isn't WebRTC open source too?
3) Their code, their decisions.
I expect more of people on this forum honestly.
Taking the core of your argument: "Trust".
The point of E2EE is that we don't trust the network. We put all the trust in the client, something we control. Or at the very least we separate our concerns. (please refer to this lovely interactive "Tor" diagram by the EFF for what I mean by splitting out concerns: https://www.eff.org/pages/tor-and-https )
Not being able to run your own client is a pretty big problem. At the very least in that case you should expect to be able to run on another network.. Otherwise that's a lot of trust for one entity and it's not different than just using TLS with HPKP/CA pinning
To give a direct refutation to one of your points: "Isn't WebRTC open source too?"
It is, but they're using native libraries which are compiled. Like I said, it's a good argument, but the result is that they don't have reproducible builds.
> Their code, their decisions.
Extremely dismissive, almost to the point of insulting.
It is absolutely not true that they are above criticism because they built something. They've positioned their product as a security product. Thus it will be judged on those merits. There are many pro-signal zealots who will bend over backwards to defend it in all circumstances. It's intellectually dishonest to do so in the face of valid criticisms.
I will shut up when federation is supported, or you can run your own network, or you can bring third party clients.
You need this to be able to trust your client, because the point is to decouple some trust from a single entity.
that's what e2ee is!
> What's not trust worthy exactly?
to:
> Their code, their decisions.
It's okay to be a fanboy! Evangelism is needed for any great product/company/ideology. But on HN you'll get typically called out for disingenuous or bad-faith lines of rhetoric.
The person above gave you a perfectly reasonable answer to your original question of "What about Signal is not trustworthy?". It'd be kind to acknowledge that they at least have a single iota of merit.
My point is, you totally should. I am friendly with my coworkers too, if I want to have a non "work-friendly" talk with them, we talk in the kitchen or at the pub. It baffles me that people would use a work provided form of communication and _not_ assume it's auditable in some way.
edit: should clarify that my work is probably more calm than most and would probably not GAF about it regardless.. but it's just good opsec. Never write something down you wouldn't be comfortable having read out to you if it can be traced back to you.
If you say something to your colleague via Whatsapp, the only scenario it can be used against you is if you commit an actual crime with reasonable evidence, they subpoena the records, and FB will be willing to go on record to the entire world as lying about Whatsapp E2EE, all in the name of putting you behind bars.
(Also, maybe we can imagine that products actually do what they do and it is not normal to fear lies and nefarious agenda behind every offering?)
1) Signal and whatsapp are not 100% trustworthy
Maybe the implication is that it will leak info to your employer, but I think this is more like a general statement; one that is likely an attempt to discuss why we still put our conversations into the hands of large companies with potentially unknown motives; and the questionable state of using "end-to-end" where one entity controls the network, access to the network and both ends of the exchange.
2) Why not use something you can host yourself
to which a reasonable reply is: network effects; I already have signal/whatsapp/telegram and I do not worry about them sending information to my employer.
Unless your employer is facebook, then I think that's a perfectly legitimate rebuttal, but one nobody is making.
In fact, people would rather argue that signal/whatsapp is the best privacy platform in the universe due to e2ee!
Using signal is the same as using WhatsApp. Eventually Facebook will buy it.
It's weird how much people fight against their own interests though eh.
In addition to the theoretical benefits of E2E, I get actual noticeable behavior benefits. I've sent links to a family member on Facebook Messenger that it decided to censor and my messages didn't get sent. This happens to others as well[1]. There are reports of similar things happening with SMS[2]. That doesn't happen with WhatsApp or Signal.
>
> > What's not trust worthy exactly?
>
> to:
>
> > Their code, their decisions.
Two separate comments addressing two different points. One doesn't follow from the other. Stop arguing in such a dishonest manner.
That would be obvious in their source code, wouldn't it?
I would stop using them then.
That's not a refutation of my counterarguments at all. It just shows you're frustrated and talked yourself into a corner. We both know you don't audit your OS code, your drivers code, your hardware. All of them can be leaking your secret messages.
> Extremely dismissive, almost to the point of insulting.
Another non-refutation, another frustration, because you have no counterargument.
> It is absolutely not true that they are above criticism
Straw man logical fallacy. I never claimed they were above criticism. Criticize all you want. But expect your arguments disassembled.
> You need this to be able to trust your client, because the point is to decouple some trust from a single entity.
Without auditing your OS, your drivers and your hardware it's pointless. Any of them can leak your messages. Yet you're fine with it.
I'm typing this from my OpenBSD laptop, which, I assure you, I have audited extensively; but that's hardly relevant to this topic.. I just think it's funny that you would assume this of me. I'm also big on system-transparency[0] and micro systems like Oasis Linux[1] which attempt to limit things being able to hide.
Granted, nothing is perfectly secure.
But, again, beside the point entirely.
Your central thesis is that nothing is safe.
Why, then, should I not just use telegram? Or VK, or WeChat?
We have consensus in the HN community that those chat systems (especially telegram) are inherently insecure. Why?
Don't worry, I'll answer for you: Because they do not support E2EE except when specifically asked to, and because they used their own encryption.
This is enough for the security community to decide that Telegram is a bad product(tm).
I'm not arguing in defense of telegram, I'm just letting you know what happens to "secure messengers" under a microscope.
The same criticism has not been levied to Signal, despite them offering no more protection in real terms than HTTPS would. There are theoretical safety-nets but nothing you can concretely audit.
Your argument that "it's their code they can do what they like" holds as much water as an inverted plate, given the context that they've chosen to live under.
So, instead of attempting to talk me down with an Argument from fallacy[2] perhaps you can talk about this point.
[0]: https://www.system-transparency.org/
For which I call BS.
Did you audit your OS code, drivers code and your laptop's hardware? We both know you didn't. Why do you make such an obvious lie?
If it's magically not a lie, how exactly did you do it and how long did it take?
OpenBSD is a lot of code, sure, but far from insurmountable, the drivers are few and quite generalised.
I can’t really say how long it took me to read it because it was over a few years of getting curious and diving in, but it wasn’t much.
I’d say if you were to study the code for 8 hours a day it would probably take about 3-5 weeks.
That said: I’m not claiming that I did a full security audit and found all the bugs: I am stating outright that I have read every line of code in the source tree, and the majority of the code that I run from ports, it’s simple enough that you can do that.
And yes; I still get horrified at a lot of the ports; not everything is perfect.
Exceptions to my curious browsing include Chromium and firefox due to sheer complexity, (and I have had reason to dive into those: the tweaks file is fun); and I have read the majority of the GCC code too (which somehow is much less complex and is quite easy to wrap your head around once you’ve read the dragon book than the browsers).
But the OS. Like you claimed. Is not a binary blob, at least to me. I compile it myself, with a compiler I understand, and with code I have read and understand; this is not uncommon in OpenBSD users; the OS is literally designed in a way that is easy to read; because being easy to read means security bugs have less places to hide. (As per the OpenBSD philosophy).
All of the above notwithstanding, I’m writing this message from an iPhone so not everything in my life is so rigorously understood; I’m not a purist, just a curious tinkerer, like most Linux enthusiasts used to be before the ecosystem became a bit too complex to understand for any one person.
You could argue my phone can leak my chats, to which I say: your matter of “trust” comes back, and I don’t think I would trust my phone with my life to not leak my secrets (signal is asking people to trust them with their lives; journalists and dissidents). But I would trust my laptop.