Ephemeral messaging is a form of digital communication available for only a limited time and is deleted. Popular ephemeral messaging apps include Snapchat, Signal, and Telegram. Because of the growing use of ephemeral messaging, especially in the business context, The Sedona Conference recently released a commentary aiming to provide a comprehensive overview of legal and regulatory issues presented by this type of messaging and also to provide a basic policy framework for both businesses and courts.
The Commentary notes there are two key characteristics of ephemeral messaging distinguishing it from other electronic communications: (1) the automated disposition (deletion) of message content for both the sender and the receiver and (2) end-to-end encryption.
As ephemeral messages are intended to be short-lived, the applications used to generate the messages are designed to automatically delete the messages. However, as discussed later, the extent of the disposition varies between applications.
The second distinguishing factor of ephemeral messaging, encryption, involves the use of cryptography to transform plain text into code that cannot be read without a security key. The coded text is in a way, scrambled, and makes no sense to humans until it is decoded by the messaging app. End-to-end encryption enhances privacy by making it more difficult for hackers and others to read the encrypted data while it is in transition between devices.
As also explained in the Sedona Commentary, there are varying degrees of ephemerality in the messaging applications: pure, quasi, and non-ephemeral.
Purely ephemeral messaging involves the deliberate, permanent, and automated deletion of messages. It also involves an unchangeable deletion trigger, meaning that messaging deletion features may not be altered. Pure ephemeral messaging cannot be archived or stored (although capturing screenshots of the messages is possible).
Quasi ephemeral messaging permits preservation of messages in certain circumstances permitting users to change message deletion as a default setting. However, even then, message metadata may be preserved on certain applications.
Finally, for non-ephemeral messaging, the option for deliberate and permanent deletion is not built into the application. This means that deletion of a message, photo, or video does not delete the content from other sources (such as servers). Also, there is no end-to-end encryption, meaning third parties have the ability to access messages.
The Commentary notes that ephemeral messaging provides several benefits including information governance, legal compliance, privacy by design, and data security.
The massive growth in data requires organizations to adopt information governance policies to manage data life cycles. The Sedona Commentary notes that “[r]esponsible usage of ephemeral messaging tools can offer significant economies in data storage and records management.”
In practice, enforcing systematic data deletion is quite challenging because it is often difficult to determine what data is valuable and should be preserved and what is not. Ephemeral messaging can assist with this by eliminating data with limited ongoing business value. However, as discussed below, businesses must be careful with this approach.
The use of ephemeral messaging may also help organizations comply with data privacy laws such as Europe’s GDPR and the California Consumer Privacy Act.
Automated deletion of messaging by ephemeral messaging apps can help meet data privacy regulation minimization and storage limitation requirements. Ephemeral messaging may also minimize the effort required to respond to data subject deletion or access requests because the data is erased. Additionally, encryption and the automatic deletion of personal data through ephemeral messaging reduces exposure if a data breach occurs.
Privacy by design
Privacy by design is an information management approach that includes privacy and security protection as fundamental goals in the design of information technology systems and business practices. Privacy by design is proactive and generally requires end-to-end data security directing users to keep privacy as the default mode. Obviously, the use of ephemeral messaging complies with such an approach.
Organizations bringing a new product to market or otherwise handling sensitive IP information may rely on ephemeral messaging to better ensure the communications are secure. Therefore, ephemeral messaging tools can minimize the amount of data vulnerable to compromise by hackers. Even if a mobile device is lost, the automatic deletion of data will protect against hackers or other unwanted entities.
Despite its benefits, the Sedona Commentary also notes there are risks associated with ephemeral messaging both regulatory and legal.
In some regulated industries, operational data and communications must be preserved for extended time periods. Accordingly, certain governmental agencies and regulators discourage the use of ephemeral messaging. For instance, the SEC (Securities and Exchange Commission) National Office of Compliance Inspection advises regulated entities to prohibit “business use of apps and other technologies that can be readily misused, allowing for the automatic destruction of messages.” With this in mind, companies opting to use ephemeral messaging apps must be mindful of industry data retention requirements.
One of the main legal risks of ephemeral messaging is compliance with legal hold obligations. Generally, parties must preserve relevant information when litigation is “reasonably anticipated.” As a result, the Sedona Commentary notes that “[o]rganizations may need to have policies and procedures to allow for the suspension of the use of ephemeral messaging for affected custodians or disable the ephemerality function as to affected custodians until a preservation obligation has been satisfied.”
With these benefits and risks in mind, the Commentary offers Five Guidelines regarding best practices for the use of ephemeral messaging applications.
In its first Guideline, the Sedona Conference encourages regulators and courts to acknowledge that ephemeral messaging applications may provide a valuable part of an information governance program. One of the main values ephemeral messaging brings includes confidentiality and security. Another benefit involves data minimization, which limits the retention of corporate data with no business value.
Second, the Sedona Conference Guidelines note that companies must in turn acknowledge that ephemeral communications may be favored by those engaging in a secretive activity. As a result, they must carefully select and evaluate the use and implementation of ephemeral messaging applications. The second guideline notes that legal hold policies may need to be amended to account for and capture ephemeral messaging, but also points out that having such policies may be looked upon favorably by regulators. See e.g. Federal Trade Commission v. Noland, et al., Case No. CV-20-00047-PHX-DWL (D. Arizona 2021)(sanctioning defendants for installing and using ephemeral messaging after learning they were investigation targets).
Third, organizations must determine which ephemeral messaging applications best addresses their regulatory, litigation, and business needs. There should be a structured approach to doing this, which should be clearly and concisely outlined in an ephemeral messaging policy. The policy should also be augmented with employee education and training and periodic auditing of use and to ensure compliance.
Fourth, conflicts with regulations may arise when ephemeral messaging meets requirements in one jurisdiction while simultaneously conflicting with other jurisdictions. To address these issues, regulators, courts, and organizations may use the notions of comity, balance interests, and other accommodations.
Finally, the Sedona Conference points out, as with all electronic discovery and ESI policies, reasonableness and proportionality should govern discovery obligations relating to ephemeral messaging. Guideline five notes that courts should not presume organizations using ephemeral messaging are doing so to avoid preservation obligations. Instead, courts should examine the nature and use of ephemeral messaging within each organization on a case-by-case basis.
Litigation Hold Triggers and the Duty to Preserve Evidence
Attorneys’ Duty to Implement Legal Hold Does Not End After Hitting Send