Disappearing messages: updating best practices
Tuesday 13 September 2022
Tanya Ganguli
Panag & Babu, Delhi
tanya.ganguli@pblawoffices.com
Nilesh Sanwalka
Panag & Babu, Delhi
nilesh.sanwalka@pblawoffices.com
Introduction
Remote working has blurred the line between personal and company-owned data, particularly on mobile phones, with employees increasingly using personal communication channels such as WhatsApp, Telegram and iMessage to conduct business. While this is convenient for employees in reducing communication latency, and potentially benefits companies and employers from a data storage or confidentiality perspective, it could seriously affect an employer’s responsibility to preserve business-related records when such communications take place on unapproved or unidentifiable platforms.
The advent of instant messaging technologies that retain data only for a short period of time (usually ‘self-destructing’ on review by the receiver or within up to 24 hours of the message being delivered, and referred to as ‘ephemeral messaging platforms’) means that managing communication records is becoming increasingly difficult for organisations and employers. This is consequently troubling law enforcement agencies and regulators across jurisdictions, who may be interested in reviewing such information and collecting evidence for internal investigations or when initiating enforcement action.[1]
With the advancement in instant messaging platforms and ever-increasing regulator expectations, this article aims to analyse whether data transmitted over ephemeral messaging platforms can be recovered or preserved for the purposes of investigations, and to consider the updating of best practices for preserving data in line with regulatory expectations.
Recovery of ephemeral data
The premise of ephemeral communication apps is the instant deletion or disappearance of data after a short period of time, making data recovery increasingly difficult, if at all possible.[2] Advancements in data recovery procedures, however, appear to show a promising trend.
According to a study conducted in the United Kingdom,[3] the team performing the experiment recovered certain portions of the ephemeral data (including log files containing vocal communications, account data, contacts etc). While this is far from ideal retrieval from the perspective of investigations, the results are intriguing.
An ideal approach, therefore, could be that the company or employer takes appropriate measures by engaging forensic advisers in an attempt to preserve ephemeral data to the extent feasible.
Regulatory expectations
While regulators are attempting to strike a balance between access to all company records (for the purposes of investigations) and privacy, reliance can be placed on proactive regulators such as the US Department of Justice (DoJ), which currently provides an insight into what could be the global norm for managing ephemeral messaging platforms during conduct of investigations and enforcement actions.
Waymo v Uber Technologies[4] contextualised the above idea in part and brought out the issues pertaining to ephemeral messaging. In particular, Waymo (Google’s autonomous vehicle unit) claimed that Uber stole Waymo’s trade secrets pertaining to self-driving technology and that the evidence was destroyed, as the alleged improper communications occurred over ephemeral messaging platforms. While the parties settled shortly after the commencement of the trial, this case raises serious issues regarding preservation of data over ephemeral messaging apps.[5]
While references to ephemeral messaging are not a recent issue, what is interesting to note is how the DoJ has passively done away with its discouragement regarding use of ephemeral messaging, recognising it as a legitimate communication platform which could be used by businesses, provided adequate controls are in place.[6] To this end, in the part of the 2019 Corporate Enforcement Policy[7] that discusses credits to companies for timely remediation, the DoJ did away with the 2017 phrasing of the Corporate Enforcement Policy, which seemingly banned the use of technologies that do not allow record retention. A comparison of the phrasing is provided in Table 1 below (emphasis added).
| 2017 Corporate Enforcement Policy (Section 3) | 2019 Corporate Enforcement Policy (Section 3 (c)) |
| --- | --- |
| ‘appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications’ | ‘appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations’ |
Table 1: changes in DoJ Corporate Enforcement Policy phrasing
Updating best practices
The revised 2019 phrasing has highlighted some guidance to companies regarding the use of ephemeral messaging tools. However, it has created increased expectations on employers and companies to put adequate controls in place to retain business records or communications, especially for correspondence over such ephemeral messaging apps. While the regulatory expectation in this regard can be debatable, it appears that regulators do not seek to put a blanket ban on use of ephemeral messaging platforms and render all such communications illegal or bar companies from taking advantage of relevant cooperation credit. It rather ensures that employers and companies put appropriate measures in place to ensure data retention in such cases.
This places importance on what could be reasonably expected from organisations anticipating internal investigations, litigation or facing enforcement actions in terms of data preservation:[8]
- Organisations should be able to demonstrate that they have an electronic records/IT policy in place which specifically defines and explains in detail the permitted use and management of ephemeral messaging platforms.
- Organisations must identify, determine and conduct an outreach with third parties to assess to what extent third parties can be permitted to use ephemeral messaging tools to conduct business with the organisation. Clauses defining the expected conduct of such third parties in managing correspondence through such ephemeral messaging platforms with such organisations must also form part of their contractual agreements.
- Closely monitor and undertake appropriate disciplinary measures against employees who breach in-house norms pertaining to permitted use of ephemeral messaging tools.
- To the extent possible, devise central (company owned and monitored) infrastructures with capabilities which not only monitor automatic deletion, but also prevent it in the event of a ‘litigation hold’ or ‘document retention hold’.
- Equip employees with designated company-provided devices having ephemeral communication capabilities, if need be.
- In an event that requires document retention (such as an anticipated litigation or an impending investigation – internal or otherwise), the document hold notices issued by companies should include wording instructing employees to turn off or stop the use of ephemeral communications.
- Periodically test whether the policies adopted are actually being followed to the letter across all organisational levels.
Conclusion
There is only so much that employers and companies can do to prevent employees from using preferred channels of communication. However, adoption of central systems that define permitted use of ‘self-destructing’ messages could effectively allow companies to mitigate risks accruing from e-discovery related compliance obligations. The commercial merits of ephemeral messaging notwithstanding (ie, data storage efficiency, confidentiality, privacy etc), communications outside business-approved channels using such technologies could be used to ‘hide’ something, which is more often than not illegal or improper, and may raise significant compliance issues for the employer or business.
The argument regarding upholding employees’ privacy in the use of ephemeral messaging platforms may not hold merit. This is because all communications in the conduct of business, ordinarily, remain company records, which are required to be preserved.
[3] M A Hannan Bin Azhar, Rhys Cox and Aimee Chamberlain, ‘Forensic Investigations of Popular Ephemeral Messaging Applications on Android and iOS Platforms’ (2020) 13 (1&2) International Journal on Advances in Security, www.iariajournals.org/security/sec_v13_n12_2020_paged.pdf, accessed 31 August 2022.
[4] 252 F Supp 3d 934 (N D Cal 2017).