An interesting article by William Semins, Daniel Miller and Hugh McKeegan from K&L Gates LLP looking into some of the workplace changes occurring due to Covid-19 and the impact that this will have on compliance and discovery. They focus on messaging applications of all shapes and sizes, but no focus on ephemeral messaging systems - something that is becoming more common place!
These are very differently structured applications, where data is not centrally resident and in fact, true ephemeral data is data that is not maintained as a matter of course (i.e. has an expiration) and is only stored for as long as it is valid, at which point it becomes non-accessible (i.e. it self-deletes). On top of these two characteristics, it is often common for ephemeral data to be encrypted throughout its transmission and storage. Some common applications that operate in this way would include: Slack, Wickr, Signal, WhatsApp and Telegram.
Not all of those are truly ephemeral data systems. A true ephemeral data system would have functionality that deliberately deletes messages after a specific trigger (e.g. a period of time), have no archiving capability and full end-to-end encryption. Most systems therefore are quasi-ephemeral where only some of the characteristics described above are present in full. This allows for preservation of messages and metadata under specific circumstances.
These data systems have specific relevance to eDiscovery and investigation cases where the parties concerned are using them (sometimes legitimately, sometimes not) for communications, and where those communications would normally be disclosable or accessible to the investigation team. A classic example is Waymo vs Uber where Waymo accused Uber of instructing their employees to use Wickr after legal hold notices had been issued. This case was settled before a final ruling, but a preliminary ruling set out that Waymo could cite Uber’s use of Wickr as a negative inference.
Dealing with these systems is going to become more and more prevalent as they encroach on everyday and business life – therefore, organisations need to be prepared to deal with them in an investigation, regulatory or litigation context when they introduce them to their workplace. This means they need to build in sufficient controls and mechanisms to allow for data to be collected and analysed, if legally required to do so.
If you’d like to know more about how to deal with the challenges of ephemeral data, please contact myself or my colleague Rob DeCicco.
Indeed, while developers tout ephemeral messages as the functional equivalent of off-the-record phone calls, courts and law enforcement often do not share this view. Instead, they often adopt the position that, like email, ephemeral messages are business records that, depending on content, should be subject to retention and preservation requirements. Thus, it is now more important than ever for companies to implement data retention policies that address ephemeral messaging platforms, their functionalities, their approved uses and their attendant risks.