This Message Will Self-Destruct in Five Seconds: eDiscovery and Ephemeral Messaging

Once squarely the domain of James Bond movies, the concept of self-destructing messages has gone from spy trope to mainstream in record time. You no longer must be an international man (or woman) of mystery to reap the benefits of sending a message that leaves no lasting trace. And that spells a big headache for those of us who have made a career out of preserving and discovering electronically stored information (ESI).

The use of self-destructing (or Ephemeral) social media and messaging applications has gone from primarily personal and potentially less than legal use to wide adoption even within global fortune 500 organizations. The use of ephemeral messaging applications like Wickr, Telegram and even snapchat is already generating case law and adverse inferences for the unlucky few who have discovered that not only are these messages potentially relevant and discoverable, but that failure to apply adequate retention practices to these ephemeral messaging apps can open them to a whole host of sanctions for spoliation.

The ephemeral messaging headache for legal professionals and eDiscovery practitioners is a complex one that is most certainly far from self-destructing any time soon.

What the Heck is Ephemeral Messaging?

So, What the heck are ephemeral messages and why should legal and eDiscovery experts care? At the most basic level, ephemeral messaging is a type of communication that allows a user to set up auto delete or encryption of messages after a specified period. Initially mostly in the realm of tweenagers using the video sharing social media platform Snapchat or people looking to have super-secret possibly less than legal text like exchanges on Telegram or Signal, usage of these apps has exploded in the last few years. And it has also crossed over from primarily personal communication and often includes communication for business purposes today.

Additionally major legacy social media and short format communication platforms like Facebook, WhatsApp and most recently Apple Text messages have all added ephemeral deletion functionality. Clearly ephemeral is moving out of the shadows onto the main stage. WhatsApp alone boast over 100 Billion messages sent a day, any of which can have ephemeral auto delete settings turned on.

The ephemeral nature of these messages is achieved through end-to-end encryption combined with automated deletion triggered either by an action like opening a message or with a preset timer.  Many of the ephemeral messaging platforms prevent copy and paste function and some even go so far as to block screen shots of the communication to further ensure destruction of the communication.

Trouble in Ephemeral Messaging Paradise

For many of us that have spent the last decade or two wading through a veritable tsunami of ESI, the prospect of self-destructing messaging may be an enticing one. But... as with anything that seems too good to be true there are draw backs to deploying ephemeral messaging platforms for business use. Many of these ephemeral messaging platforms are being procured through shadow IT that is not within the document retention policies and supervision of the information governance professionals in an organization. This makes data identification, data retention and complying with preservation obligations extremely challenging.

And yet, ephemeral data is no less subject to the Federal Rules of Civil Procedure and the people using it no less liable to be sanction for spoliation if potentially relevant ESI is autodeleted by an ephemeral messaging platform. Even if spoliation is not due to bad faith, a judge may still apply sanctions or an adverse inference because the organization or individuals used a technology that thwarts litigation holds and discovery obligations by default.

Use at Your Own Risk

The bench and regulators alike have issued guidance, sanctions and rulings that reflect a less than cozy view with users of Ephemeral Messaging platforms. Law firms and corporations alike should take a close look at the potential benefits of confidentiality weighted against a high profile adverse inference like in the Uber v. Waymo case. Facing discovery obligations with ephemeral data without a backup can pose quite the sticky wicket for legal professionals.

The SEC’s National Office of Compliance Inspections and Examinations stated that investment advisers should prohibit business use of ephemeral messaging technologies because they can readily be misused by “allowing an employee to . . . communicate anonymously” or “allowing for automatic destruction of messages or prohibiting third-party viewing or back-up.” The U.S. Department of Justice (DOJ) has also urged caution around the use of ephemeral messaging. Issuing Guidance for investigations, requiring “appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications.”

Don't Self-Destruct Your eDiscovery Process

Ephemeral messaging platforms were not built with eDiscovery in mind, in fact it was quite the opposite. As Facebook CEO Mark Zuckerberg Noted, “ Facebook CEO, Mark Zuckerberg, noted that,”[P]eople are more cautious of having a permanent record of what they’ve shared” and when the court dictates that you must preserve precisely that conflict is bound to arise. Ensuring that you or your client does not run afoul of preservation obligations when self-destructing messages are potentially relevant is critically important.

• Training: Educate your team on the risks and limitations of each tool covered in the policy and revise this often as new platforms are springing up frequently.
• Define Why: Articulate a clear business justification for any standard policy of using ephemeral messaging and short retention periods and employ this consistently.
• Build Policy Guardrails: Clearly define permissible use, authorization, and communication policies for any ephemeral application. Revise this often.
• Get Personal: Ephemeral messaging platforms often reside on mobile devices and the apps may be used for business or personal use. Ensure you have a way to collect the relevant devices and app data even if it is a BYOD or personal device.
• Say NO: Clearly outline any legal prohibitions on using ephemeral communication.
• Hold up: Once legal hold obligation is triggered, disable the automatic deletion of ephemeral messaging and relevant documents and evidence. Explicitly call out the ephemeral messaging platforms in any legal hold notifications sent to potential custodians.
• Trust but Verify: Audit the ephemeral messaging platforms and messages for data security and compliance with the above policies across your organization.
• Give the Policy Teeth: Penalize bad actors misusing the technology.

Hundreds of BILLIONS of ephemeral messages, videos and chats are being sent daily, playing ostrich is not a viable solution. Ensure that your internal policies, training, and employee obligations clearly address ephemeral messaging. Pretending employees are not using this type of communication will only set an organization up for big data retention headaches down the road. If you are a serial litigant or law firm, explicitly prohibiting use of ephemeral messaging applications or at minimum instituting mandatory legal hold policies that discontinue auto deletion upon reasonable anticipation of litigation is a critical first step.