The self-destructing message is a classic spy movie trope, used in everything from cheeky classics like Get Smart to more straightforward action films like the James Bond series and Mission Impossible. Once squarely in the domain of Hollywood’s international men (and women) of mystery, self-destructing messages are now within reach of businesses and individuals, who have access to a whole host of applications whose messages disappear or are automatically encrypted upon reading.
As always, should you or any of your IM force be caught or killed, the Secretary will disavow any knowledge of your actions. This tape will self-destruct in five seconds. Good luck, Jim.
— Mission Briefing tape, Mission: Impossible
Increasingly, people from all walks of life are relying on self-destructing messaging applications (also known as ephemeral messaging) to communicate without leaving a digital trail. Engineering departments for billion-dollar Fortune 500 companies and protesters across the globe are communicating and coordinating via this new technology with increasing frequency.
What does this deluge of self-destructing messaging mean for data preservation and ediscovery, and should people be wary of this too-good-to-be-true innovation?
What the heck is ephemeral messaging?
Ephemeral messaging, as the name implies, is a form of digital communication that lasts a very short time. Generally, the genre consists of applications for short-form communication on mobile devices in which a message disappears from the recipient's screen after it has been viewed. This self-destruct function is deployed in several ways, including a programmatic self-destruct function, a specific trigger event (e.g. opening or closing a message), or the expiration of a pre-defined time frame. Deletion happens concurrently on the receiver's device, the sender's device, and on the system servers. Any lasting records are eradicated.
The applications can further obfuscate data with functions that preclude screenshots, limit distribution, auto-encrypt messages, remove messages from recipient devices, and make messaging untraceable.
Ephemeral communication has been around forever, literally since the dawn of speech. In-the-moment communication without a lasting record was the norm from prehistory until the advent of the written word. Even then, the vast majority of communication remained transient and ephemeral in nature until written and digital communication began to outpace phone and in-person communication as the primary means of communication.
Today the ratio of ephemeral to permanent is the inverse of the historical norm (when was the last time you answered a call instead of just sending a text?). Ephemeral methods of communication are shifting the balance back toward the norm, and legal practitioners are scrambling to catch up.
The OG of ephemeral: the telephone
While ephemeral messaging applications are new to the dataverse, the concept of ephemeral communication is not. Calls are consumed in real time, and barring having your wires tapped by the FBI, there is no lasting record once you hang up the phone. Much of the innovation around ephemeral applications is an attempt to move away from the permanent record afforded by current digital communication tools and back to the ephemeral nature of the phone call.
Two ends of the spectrum: Dust & Snapchat
Early forays into the ephemeral communication sphere came from opposite ends of the communication spectrum but with similarly prurient aims. On one hand, teens and tweens flooded Snapchat starting in 2011 because the self-destructing videos and images let them send naughty pics without fear of them resurfacing and getting them in trouble down the road (apparently nobody thought about screenshots).
At the other end of the spectrum, Mark Cuban co-founded Dust (originally Cyber Dust) in 2014 as a business application following a sweep by the SEC of all his social media postings in an effort to uncover insider trading. Speaking about his SEC experience, Cuban noted “when you hit ‘send’ on a text, you lose ownership of that. Not only do you lose ownership, you retain responsibility for that text.” In contrast to Snapchat, Cuban’s application had the explicit business purpose of mitigating discovery in litigation, as he explained, “if you are in a business with a lot of lawsuits, you save a lot of time and money because nothing sent or received on here is discoverable.”
Signal, Wickr, and Telegram, oh my!
Initially, neither Snapchat’s legions of tweenagers nor the half a million more business-minded users of Dust made much of a splash in ediscovery. The former were not generally sending material that was relevant to litigation and the latter constituted such a small number of users that the likelihood of impact on a case was nominal. Snapchat’s massive $50 billion valuation and an increasing distrust of email and more permanent messaging platforms led to an explosion of new ephemeral applications. Now numbering in the dozens, ephemeral applications have outpaced more permanent forms of communication in many organizations and, in countries like India and China, may have fully replaced email.
A single ephemeral application, Telegram, boasts a user count of over 400 million monthly active users according to the SEC, with 100M users added in just the last 12 months. The app adds about 1.5 million users each day and is the most downloaded social media app in over 20 nations. If you have not yet come across it in ediscovery scoping, you likely will soon.
The big boys join the fray
While the astronomical growth of Telegram and other members of the class of ephemeral messaging apps is impressive, that is not the largest factor in the deluge of ephemeral messaging data to come. The biggest, baddest tech platforms are now introducing their own ephemeral settings to traditional digital communication solutions. Google added a Snapchat-inspired confidential mode in April 2018 that allows users to predetermine on a message-by-message basis how long a message will last and whether the recipient can email, copy, or forward the contents.
Facebook has announced a Vanish Mode in its Messenger application and Instagram as part of the large September redesign. This new offering allows users to send texts, photos, voice messages, emoji, and stickers that disappear immediately once they’re viewed. This new addition augments the existing Messenger Secret conversation mode and takes it a step further, replacing the end-to-end encryption that could be saved locally with a function that is designed to delete anything sent forever once it’s been viewed.
A final arrow in the quiver of ephemeral going mainstream was the November announcement of WhatsApp messages self-destructing seven days after sending. With over 2 billion users sending 100 billion messages a day, many of which are business-related especially for international users, this shift will have a profound impact on digital evidence.
From fad to trend, ephemeral goes mainstream
The release of ephemeral functionality on the top communication platforms opens up self-destructing communication to the entire Facebook ecosystem of 2.5 billion users (across 5.5 billion accounts) and the 1.5 billion Gmail users. More than half of the humans on the planet now have the ability to communicate without leaving a digital footprint. This means that as legal practitioners, we cannot simply write off these applications as an anomaly or irrelevant data source and must face the unique challenges they pose head on if we want to uncover key evidence for our clients.
The shift to a virtual workforce as a result of COVID-19 has also accelerated the adoption of video conferencing, ephemeral platforms, and collaboration tools at an unprecedented rate and driven up the adoption of tools that have a more transient digital footprint. And yet, preservation requirements and spoliation sanctions have not lessened as a result.
While there are actually many legitimate business reasons to deploy ephemeral messaging in a business context (including lower storage costs, better compliance with data privacy regulations, confidential and encrypted communications), the risks remain substantial. Use of the applications complicates meeting discovery and preservation obligations substantially and may open up an organization to large spoliation sanctions or, as was the case in Uber v. Waymo, the court may determine that the use of such applications alone is grounds for an adverse inference.
The context of ephemeral messaging use plays a role in whether sanctions are levied as does timing. In the case of WeRide Corp. v. Huang, a directive by executive leadership to use ephemeral messaging following the litigation filing to mitigate discoverable data led to sanctions.
In the case of government investigations, the regulators expect that data loss from ephemeral messaging is mitigated. The SEC has issued guidance “[s]pecifically prohibiting business use of apps and other technologies that can be readily misused by allowing an employee to send messages or otherwise communicate anonymously, allowing for automatic destruction of messages, or prohibiting third-party viewing or back-up.” And while the DOJ has loosened their prior prohibition of ephemeral messaging slightly, the guidance remains that the agency “prohibits the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of…ephemeral messaging platforms.”
The DOJ offered further guidance on mitigating risk when using ephemeral messaging as an enterprise this summer in its update to Evaluation Of Corporate Compliance Programs. Specifically, if a company adopts a short retention period or adopts an ephemeral messaging tool, it should generate a thoughtful, advanced business justification statement that (1) shows how the company weighed the risks when setting its policy and (2) serves as a record that could later be used to explain why the company took this approach.
From the bench to regulators, the message is clear: employ ephemeral messaging in a business context at your own risk. And the onus is on you to demonstrate a business need, appropriate preservation protocols, and spoliation mitigation efforts on penalty of sanctions, adverse inference, and loss of remediation credits.
Best practices to manage ephemeral data
Billions of people are using ephemeral messaging at an increasing rate in business and personal communication. Be sure that your data governance and communication policies cover this new category. Ensure that you have a clear business justification, protocols to meet discovery obligations and a method to extract potentially relevant ESI from whatever ephemeral application is being used in your organization.
While I would not recommend relying on ephemeral messaging in a business context to anyone, there are some steps practitioners can take to protect themselves and their organizations. Navigating ephemeral evidence in terms of preservation obligations and avoiding spoliation sanctions or adverse inferences is a veritable minefield, but there are some best practices to proactively mitigate future discovery headaches.
- Ensure your team understands the risks and limitations of each tool covered in the policy and that employees are trained on this.
- Construct a clear business justification for any standard policy of using ephemeral communication and short retention periods and ensure it is employed consistently.
- Clearly outline permissible use, authorization, and communication protocols for any ephemeral application.
- Clearly outline any legal prohibitions on using ephemeral communication.
- Once on reasonable notice of potential litigation, disable the automatic deletion of ephemeral communications and institute a “litigation hold” to preserve relevant documents and evidence.
- Audit the ephemeral applications for data security and use across your organization.
- Penalize bad actors misusing the technology.
As with all atypical data types, ensure that you are asking questions during custodial interviews and preliminary ediscovery scoping about whether and in what manner any ephemeral applications are being used, as well as what the preservation protocol is for your organization and the data retention settings on each ephemeral application. Depending on both, you may have to move preservation of ephemeral data to a top priority to avoid spoliation. I recommend seeing an example of how each application is rendered in any review tool you work with. Like mobile and Slack, the data format is challenging to render in a readily reviewable way and this can impact review speeds significantly.
Messages may self-destruct, but legal obligations persist
As with email before, ephemeral messaging is subject to all the obligations set out in the Federal Rules of Civil Procedure for data preservation and discovery and is likewise subject to all of the penalties for spoliation of data. The messages and images may self-destruct, but poorly managing ephemeral data sources can have a lasting impact on your ediscovery matters and organization as a whole.