When you first hear about “auto-deleting” or “ephemeral” messaging, you may think of nefarious techniques to hide evidence of wrongdoing. In fact, ephemeral messages – which are typically end-to-end encrypted and set for deletion shortly after they are sent and/or read – in various forms are routinely used for business and other relevant communications. That means that they must be considered for preservation and potential disclosure, raising all sorts of legal, technical, and optical considerations. This came up recently in Federal Trade Commission v. Noland, No. CV-20-00047-PHX-DWL, 2021 WL 3857413 (D. Ariz. Aug. 30, 2021), where the court considered the use of ephemeral messages in the context of an investigation by the Federal Trade Commission (FTC) of the company Success By Health (SBH) and its officers for a potential pyramid scheme. The day after learning of the inquiry, the officers switched from their existing communication means (WhatsApp and iOS messages) to other encrypted mobile messaging apps including Signal, which they set to “auto-delete” all messages on reading. Company leaders exchanged thousands of such messages over many months, despite the FTC’s instruction to preserve documents and suspend ordinary-course document destruction. Further, defendants colluded to remove all traces of the apps and messages from their phones right before turning them over for inspection. The truth came out when the FTC received anonymous information alerting it to the undisclosed use of the apps. On the FTC’s motion against defendants for sanctions, District Court Judge Lanza found defendants had intentionally deprived the FTC of relevant documents, and sanctioned them under Fed. R. Civ. P. 37(e)(2) with an adverse inference that the spoliated evidence was unfavorable to the individual defendants.
Examples of Ephemeral Platforms
There are many different communications software and applications (apps) with ephemeral capabilities, deployed at the business enterprise level as well as by individual users. Some examples are SnapChat, WhatsApp, Wickr, Confide, Signal, and Telegram. The sender of an ephemeral message generally controls when it must be deleted from both the sender’s device and the recipient’s device. Most ephemeral messaging programs employ end-to-end communication encryption, which secures data in transit, and require credentials to view the message when received. Providers boast that, when carefully chosen and integrated with a company’s information technology and information management policies and appropriately used, such message platforms can safeguard secure content, decrease corporate data storage, effectuate information retention and destruction policies, and minimize data breach risks. Some platforms even enable a company to effectuate a “legal hold” to prevent the destruction of required messages. See generally The Sedona Conference, Commentary on Ephemeral Messaging (July 2021).
Complications of Using Ephemeral Message Platforms
The very qualities that make transient messaging attractive for efficiency, security, and data management purposes, however, may also lend it to covert behavior or that perception. Courts, regulators, and government officials have expressed alarm and quickly issued guidance steering organizations away from using ephemeral messaging for covered communications, to promote appropriate recordkeeping and compliance measures, and avoid spoliation of evidence.
For example, commentators suggest that ephemeral messaging risks non-compliance with the U.S. Securities Exchange Commission (SEC) “books and records” rule. The SEC’s National Office of Compliance Inspections and Examinations declared that investment advisers should prohibit business use of technologies that can be readily misused by “allowing an employee to . . . communicate anonymously” or “allowing for automatic destruction of messages, or prohibiting third-party viewing or back-up.” And FINRA has issued guidance that recordkeeping rules specifically apply to text messaging apps and chat services, which would include ephemeral messaging apps.
The U.S. Department of Justice (DOJ) has also historically urged caution around the use of ephemeral messaging. In November 2017, the DOJ issued guidance in connection with Foreign Corrupt Practices Act investigations, requiring “appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications.” However, in 2018 it revised that guidance and took a more tolerant stance. The guidance now states that appropriate retention of business records “including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms” could satisfy its standards – although how that may satisfactorily be accomplished is left to the user to determine.
As we have seen in FTC v. Noland, the use of ephemeral messaging must also be squared with parties’ preservation and disclosure obligations. To avoid being pulled into a compliance or spoliation debate, companies should not only have, but train on and enforce, clear policies and procedures at the personnel and IT level regarding proper use and management of all means of corporate communications, and to preserve relevant messages in whatever medium in required situations such as regulatory and legal hold purposes. Where ephemeral messaging is desired, companies should consider a platform that centrally controls preservation periods and allows deletion to be suspended when required. Companies also should consider permitted use policies that specify the channels through which business communications may be sent and/or preserved, and provide training on recordkeeping and preservation obligations. By showing that it has taken reasonable steps to comply with retention/preservation obligations, a company may avoid the harshest of sanctions if relevant messages nevertheless are destroyed. Outside counsel, too, must appropriately educate themselves about their clients’ communication platforms and information management practices in order to meet ethical and professional obligations.