Messaging apps have become a ubiquitous form of communication, with billions of users worldwide. They have changed the way we communicate and share information with others in our personal lives and business, such that employees now routinely use messaging apps to conduct business. As the use of messaging apps has grown, so too has the need to collect data from these apps in a forensically sound manner from corporate-managed systems, as well as mobile devices for legal or investigatory reasons.
In this post we will discuss several challenges associated with collecting data from messaging apps, we will provide an overview of related data types, and also touch upon new developments impacting data retention approaches and policies.
Challenges Collecting Data from Third Party Messaging Apps
Most employees nowadays use messaging apps and mobile devices to conduct business. This includes company required devices, which many businesses still provide due to considerations linked with enforcing effective BYOD policies, which we also covered in a prior blog (BYOD Policy Considerations); however, depending on the type of investigation, personal devices may be within scope of the inquiry and require collection. Either way, the use of messaging apps and mobile devices, in general, creates more risk for companies since they have less control or access to business-related communications. The challenges that companies currently face in managing the use and collection of this data can be compartmentalized into two general areas: (1) Mobile Forensics and (2) Ephemeral & Quasi-Ephemeral Messaging Apps.
Mobile forensics is the process of accessing, recovering, and analyzing digital evidence from mobile devices using a court accepted methodology. The biggest challenge in mobile forensics is keeping up with the rapid pace of version changes, such as the newest version of Apple iOS that provides the ability to edit and unsend messages, and recover recently deleted messages – thereby making it challenging to have tools available that can access all data on devices during time-sensitive investigations. New devices and operating systems are constantly being released, each with its unique file system and data storage methods, which makes it tough for mobile forensics experts to stay current with the latest changes.
It is critical that your forensic analysis provider have a deep understanding of mobile operating systems, how data is stored on mobile devices, and the forensic artifacts available on a device that relate to the various apps contained within to help explain user activity with a high level of detail and certainty. For example, forensic practitioners must understand if data is stored within the application on the device or in the cloud, and whether it’s encrypted; they must also be able to understand information automatically parsed by forensic tools to help tell the story of user activity.
Ephemeral messaging apps allow users to automatically delete messages within an application. Unlike traditional messaging software, which allows a user to delete content within their own account but not on the recipient’s device, ephemeral messaging gives the user the ability to control the history of content for both the sender and the recipient. Quasi-ephemeral messaging refers to communications for which some defining features of ephemeral messaging can be altered. The most common ephemeral messaging systems are quasi-ephemeral in that administrators can adjust retention settings and frequently do so at the enterprise level. Examples of quasi-ephemeral messaging applications include Microsoft Teams and Slack.
There are strong business rationales for companies to consider messaging apps such as the following:
Increases efficiency and cost savings.
Compliance with data minimization requirements in many privacy statutes and regulations.
Minimizes data breach exposure.
Facilitates privacy by design.
Below are three issues that organizations commonly face when collecting data from messaging apps:
Encryption – Many messaging apps use end-to-end encryption, which means that the messages are encrypted on the sender's device and can only be decrypted by the recipient's device.
Lack of Standards – Unlike traditional communication methods such as email and SMS/text, there are no established standards for collecting data from messaging apps. This means that forensic teams must often rely on proprietary tools and techniques to extract data from specific apps, which can be difficult to scale and create inefficiencies during extraction or intake by receiving parties.
Sheer Volume of Available Apps – There are many messaging apps available, each with their own unique features and user base. This makes it difficult for forensic analysts and organizations to keep up with the latest apps. Furthermore, new apps are constantly being developed and released, which means forensic practitioners must stay up-to-date with the latest technologies and be able to adapt quickly to new apps as they become available.
Other Messaging Apps and General Considerations
We have so far discussed general challenges with ephemeral and quasi-ephemeral messaging tools, but it is also important to accept the reality that app developers will continue to innovate and leverage new technologies as they become available, which will present new challenges with data preservation and collection. For example, during Legalweek in New York this past March, we had the opportunity to join a session in which panelists were lamenting about the current difficulties and complexity involved with collecting data from relatively new messaging apps, Signal and Discord.
Looking ahead, we should plan to prepare for future data types – new and existing – that may require novel solutions to forensically preserve and collect data, such as Blockchain, which is also known as Bitcoin or crypto; another example may be Salesforce’s new solution called Einstein GPT, which is ChatGPT-based and expected to integrate with Slack upon release.
There is no question that eDiscovery stakeholders will rise to future challenges created by messaging app innovations, as has been done in the past; however, given that significant government and regulatory focus is currently on “off-platform” or “off-channel” communications, which include text messages, instant messages, and communications via third-party messaging apps such as WhatsApp or other ephemeral chat services discussed in this post, legal teams must stay vigilant and prepare to deal with new communication solutions.
Data Retention Policy Trends
For decades, companies were focused on data retention because this was required by industry-specific regulations and statutes. Now, companies are grappling with contradictory legal regimes that encourage or require routine purging of data. For example, the European Union’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) require companies to practice data minimization and storage limitation by securely and permanently discarding data that no longer has a business purpose or is no longer subject to a retention obligation. However, in recent years there has been a trend towards increased data retention requirements for messaging apps, driven by concerns over national security, law enforcement, and privacy. Agencies that have prohibited, limited, or cautioned against the use of ephemeral messaging include:
The Department of Justice (DOJ). The DOJ initially prohibited organizations being investigated in FCPA matters from using ephemeral messaging in 2017 but loosened the prohibition in 2019, allowing ephemeral messaging use where there is “appropriate guidance and controls” and where it does not undermine “the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations” (DOJ Justice Manual, FCPA Corporate Enforcement Policy § 9-47.120(3)(c), available at justice.gov).
The Securities and Exchange Commission (SEC). The SEC continues to recommend that investment advisers prohibit “business use of apps and other technologies that can be readily misused by allowing an employee to send messages or otherwise communicate anonymously, allowing for automatic destruction of messages, or prohibiting third-party viewing or back up”.
The use of ephemeral messaging software inherently contradicts data retention requirements and destruction parameters imposed by regulators, and may also violate internal records retention policies at a wide variety of organizations.
In the United States, in 2021, the Director of the SEC’s Division of Enforcement gave a speech in which he noted that entities “… need to be actively thinking about and addressing the many compliance issues raised by the increased use of personal devices, new communications channels, and other technological developments like ephemeral apps.” Shortly after the October 6th speech, a variety of entities discovered that a failure to abide by the requirements for document preservation can have serious consequences.
In September of 2022, the SEC announced it had charged 15 brokers and one affiliated investment adviser for their failure to preserve electronic communications for individuals using messaging apps to communicate about business matters on personal devices. The firms acknowledged their violation of the SEC's recordkeeping provisions and agreed to pay combined penalties of more than USD$1.1 billion.
The Department of Justice (DOJ) also increased focus on this type of activity expressing concern over corporations’ usage of personal devices and third-party applications, and the ability to monitor for misconduct and recover relevant data during investigations. The DOJ stated”…prosecutors should consider whether the corporation has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved.”
Additionally, it is important to note that courts in the United States have begun to address the issue of (intentionally) deleted documents. For instance, there have been cases in which juries were allowed to draw negative inferences from a lack of evidence, when the lack of evidence is caused by the use of ephemeral messaging.
Data Retention Policy Considerations
Previously, documents would be stored in a shared company drive along with specifically approved apps, but as applications such as Slack and Sharepoint have become more integral to the business tech stack, the means of tracking, storing, and sharing documents has become more complex.
When developing, reviewing and enforcing retention policies, companies need to invest time in determining which platforms employees actually use for business communication so corresponding records can be correctly preserved. Depending on the industry, companies may want to consider implementing a policy that prohibits sending substantive information over certain messaging platforms. Another approach towards gathering usage information could involve instituting a program to gather insights into the nature of communication that employees exchange in applications, so you can have actual details regarding the data that is generated across the organization.
Once you have gathered the necessary usage details, one prudent approach, if a clear records retention policy currently exists, could be to simply extend existing retention requirements to apply to all new and existing messaging apps data that employees generate to conduct business.
All of the issues, risks, and challenges raised in this article may seem overwhelming, but rest assured that the eDiscovery/Legal industry has faced similar challenges in the past, such as when SMS/text and Bloomberg chats were the newest chat capabilities 15 or so years ago and required new forensic solutions. The eDiscovery community includes savvy, experienced legal professionals who recognize that the environment for data preservation and collection is very reactionary with respect to scalable solutions for new communication technologies. As long as companies establish policies that include monitoring and periodically reviewing how the workforce is engaging technology to communicate, and aim to keep close ties with trusted eDiscovery service providers or forensic firms, organizations will be well prepared to overcome future challenges as advances in messaging apps introduce new ways of interacting and collaborating in business.