Mastering Ephemeral Data for Ediscovery

Disappearing messages were once a staple of spy movies - and now are a daily part of the way in which people communicate, generating ephemeral data that savvy ediscovery professionals are beginning to mine for electronically stored information (ESI). 

People from all walks of life — including engineering departments for billion-dollar Fortune 500 companies (like the Wickr controversy at Uber in 2017) and protesters (like the widespread use of Signal in the 2020 Black Lives Matter protests in the U.S.) — are relying on self-destructing messaging applications, also known as ephemeral messaging, to communicate without leaving a digital trail. 

Larger technology players like Facebook, Google, and WhatsApp have also incorporated ephemeral settings, and, increasingly, other messaging services have options for “vanishing” mode. 

What it is: Messaging platforms that don’t leave a digital trace (e.g., Signal, Snapchat, Confide, Dust, and an increasing number of other tools that have messaging functions with “vanish” mode available)

How many users: 

• Snapchat has 406 million daily users 
• Telegram has 196 million daily users 

Challenges: Messages don’t leave behind data… or do they?

Generally, ephemeral messaging apps are short-form communications which disappear from the recipient’s screen after the message has been viewed.

This self-destruct function is deployed in several ways, including: 

• Programmatic self-destruct function
• Specific trigger event (e.g., opening or closing a message)
• Expiration of a pre-defined timeframe

Deletion happens concurrently on the receivers device, the senders device, and on the system servers. Any lasting records are eradicated. 

The applications can further obfuscate data with functions that preclude screen shots, limit distribution, auto-encrypt, and remove messages from recipient devices. 

‍

Considerations and best practices: ephemeral data

Internal? Make sure your company has proper policies on ephemeral messaging 

If this is internal (i.e., within your own organization), ensure your company has clearly defined retention and acceptable use policies that address ephemeral messaging and the use of ephemeral messaging tools. These are required per the Federal Trade Commission and Department of Justice.

You can find best practices on use of ephemeral communications channels in businesses explored in great detail following this section.

Proactively preserve ephemeral data

Consider the preservation of ephemeral data, potentially even before litigation commences, especially when such data can be foreseen as relevant to future disputes.

Suspend use of ephemeral messaging tools immediately

Per Perkins Coie, once a legal hold is issued, have the client cease all use of ephemeral communication channels. If they do not (or if they begin newly using channels where data cannot be preserved), there is a risk of sanctions or spoliation.

The department of Justuice has revised the language it uses in preservation letters to expressly state that documents created using collaboration tools and messaging applications are included in those requests. ‌The recent revisions make it clear that all forms of communication - whether through ephemeral or non-ephemeral messaging applications - are considered documents. Companies must take appropriate steps to retain relevant documents, including turning off automatic deletion and may even include stopping use of certain applications altogether. 

Prioritize collection of still-accessible data

Use tools or engage a partner that can collect any data that is still accessible or is backed up, and prioritize this collection. Unless you have appropriate native preservation capabilities, data that may still be accessible when a case is filed, may disappear during investigation or trial, and the failure to collect it may lead to sanctions.

(See: JP Morgan & Chase Co.’s $125 million fine paid to the SEC for failing to preserve messaging data. Google also got sanctioned for deleting thousands of unfavorable chats during litigation.)

Leverage a consistent custodian interview process to identify sources that may contain potentially relevant ephemeral data

Use the sample custodian questionnaire in the appendix of our “Ediscovery Expanded: Mastering Complex Data” guide to learn as much as possible about the nature of these communications, as well as collect screenshots or summaries.

Think practically about burden

It is critical to assess the nature and significance of ephemeral data on a case-specific basis, applying preservation, collection, and review methods that are justified by a proportionate cost-benefit analysis.

Are preservation and collection efforts of this data practicable and proportional to the needs of this case? If not, consider a motion to quash.

Considerations and caution for using ephemeral messaging in a business environment

While there are legitimate business reasons to deploy ephemeral messaging in a business context, including productivity gains, the risk of improper handling during litigation remains substantial.

Use of applications that have an automatic purge mechanism substantially complicates the ability to meet discovery and preservation obligations; without proper governance the use of these capabilities may open an organization to spoliation, sanctions or, as was the case in Uber v. Waymo, the court may determine that the use of such applications alone is grounds for adverse inference. 

The context of ephemeral messaging use, as well as the timing of implementation, both play a role in whether sanctions are levied. In the case of WeRide Corp. v. Huang, a directive by executive leadership to use ephemeral messaging following the litigation filing (in order to mitigate discoverable data) led to sanctions. 

The DOJ offered further guidance on mitigating risk when using ephemeral messaging as an enterprise in its update to Evaluation Of Corporate Compliance Programs. Specifically, if a company adopts a short retention period or adopts an ephemeral messaging tool, it should generate a thoughtful, advanced business justification statement that: 

1. Shows how the company weighed the risks when setting its policy and 
2. Serves as a record that could later explain why the company took this approach. 

From the bench to regulators, the message is clear: Use ephemeral messaging in a business context at your own risk. And the onus is on you to demonstrate a business need, appropriate preservation protocols, and spoliation mitigation efforts — on penalty of sanctions, adverse inference, and loss of remediation credits. 

Best practices for using ephemeral data in a business environment 

• Ensure your team understands the risks and limitations of each tool covered in the policy and that employees are trained on this. 
• Construct a clear business justification for any policy that allows or encourages the use of ephemeral communication and short retention periods, and ensure it is used consistently. 
• Clearly outline permissible use, authorization, and communication protocols for any ephemeral application. 
• Clearly outline any legal prohibitions on using ephemeral communication. 
• Once on reasonable notice of potential litigation, disable the automatic deletion of ephemeral communications and institute a “litigation hold” to preserve relevant documents and evidence. 
• Audit the ephemeral applications for data security and use across your organization. 
• Regularly review the use of ephemeral messaging within the organization to ensure compliance with policies and legal requirements.
• Regularly train employees on the legal implications of using ephemeral messaging, including the potential risks of evidence spoliation
• Penalize bad actors for misusing the technology. 

Depending on how ephemeral messaging apps are used in an organization, and what the preservation protocol is, you may have to make preservation of ephemeral data a top priority to avoid spoliation. 

Like messages sent on mobile devices and messaging applications like Slack and MS Teams, special care may need to be taken to ensure the data can be transformed into a format that is useful for review and production

Ediscovery Expanded: Mastering Complex Data from Slack to Signal and Beyond

Now that you’ve mastered ephemeral data, uncover the considerations and best practices for handling other complex data types in ediscovery, including:

• Mobile data
• Internet of things devices
• Social media platforms
• Virtual conferencing data

Download the complete guide here.

‍

And, if you’re ready to collect data from collaborative data sources with DISCO, request a demo to see what we can do for you.

‍