By Robert W. Wilkins
According to Merriam-Webster’s dictionary, ephemeral means “lasting a very short time.” A number of messaging apps are designed for this very purpose—to allow messages and photos to self-destruct. Snapchat, Confide, Telegram, Hash, Signal, Wickr and an ever-growing number of similar messaging apps promote themselves based on both the power of their end-to-end encryption and the ability of their messages to disappear without a trace. For example, Confide is a self-destructing messaging app that deletes messages immediately upon opening. Confide promotes its app as “encrypted, ephemeral and screenshot proof.” It was the ephemeral messaging app of choice used by White House employees to cover their tracks during the hunt for “leakers.” Signal, which NSA whistleblower Edward Snowden once said he uses every day, allows disappearing messages to be managed by anyone in the conversation thread, and a timer can be set to determine how long the message remains once opened.
Not all of the disappearing claims are true. Signal warns users that its app is “not for situations where your contact is your adversary” since the recipient could always use another camera to take a photo of the screen before the message disappears. Snapchat’s “disappearing” messages claim was deemed false or misleading by the FTC, resulting in a Consent Order being entered against it.
Regardless of which messaging app is used, the essential purpose remains the same—to send and receive encrypted messages and avoid the preservation of the message and its content. While these apps are a great form of social media, they can be problematic in litigation.
Legitimate Business Purposes with Potential Consequences
There are legitimate business reasons for using ephemeral messaging apps. In particular, confidential communications between employees working on the development of new products or other highly sensitive issues often are encrypted and ephemeral to limit the risks of exposure. In addition, businesses generally don’t want to keep data any longer than necessary or required by law or regulation. And, email remains the most vulnerable point of entry for data breaches. However, even legitimate business reasons for using encrypted disappearing messaging apps can be problematic in litigation.
In Waymo, LLC v. Uber Technologies, Inc., which involved alleged misappropriation of trade secrets, Uber employees’ use of ephemeral messaging became an issue in the litigation. Uber claimed that its employees used ephemeral communications like Wickr and Telegram because the ephemerality and end-to-end encryption make them a more secure means of communication. Uber also asserted that ephemeral communication is a best practice because it results in less data for the company to secure. However, the mere use of ephemeral messaging by Uber’s employees resulted in allegations that its use must have been for purposes of thwarting discovery in reasonably foreseeable litigation.
In Waymo, the plaintiff alleged Uber’s use of ephemeral messaging was the reason for gaps in Waymo’s proof that Uber misappropriated trade secrets. After an enormous amount of discovery and motion practice, the court ruled “Uber’s use of ephemeral communications is also relevant as a possible explanation for why Waymo has failed to turn up more evidence of misappropriation...” The result was that Waymo was permitted to present evidence and argument on that issue to the jury, and Uber would be allowed to present its own evidence and argument that its use of ephemeral messaging showed no wrongdoing. Obviously, having to present this issue to the jury distracts from the merits issue and raises the risk of an adverse ruling due to the use of ephemeral messaging apps.
Waymo is a classic example of the tail wagging the dog. The merits issue—whether trade secrets were stolen—became secondary to the fight to win on discovery issues caused by the use of ephemeral messaging apps. While there were a lot of other issues related to alleged discovery abuses in Waymo, the takeaway is that attorneys need to counsel their clients so they understand the potential problems and risks associated with even the legitimate use of ephemeral messaging apps. At a minimum, clients must have a defensible and effective electronic records retention policy that covers the use of ephemeral messaging apps and that limits their employees’ use to legitimate business purposes and to a need-to-know basis. Clients should further ensure that their employees are trained in the appropriate use of the technology for business purposes and that their litigation hold software or practices have the capability to suspend the use of ephemeral messaging.
Potential Preservation Problems
By now, the common-law duty to preserve information when litigation is reasonably foreseeable is well-established in Federal law and, more recently, in Florida law. In League of Women Voters of Florida v. Dentzer, the Florida Supreme Court recognized the duty to preserve evidence “when a party should reasonably foresee litigation.” The Dentzer court cites to American Hospitality Management Co. of Minnesota v. Hettiger, which held that a defendant can be charged with a duty to preserve evidence “where it could reasonably have foreseen the claim.” However, “reasonably foreseeable” is an objective standard and fact-specific. If you or the client guess wrong, and data is lost, you potentially face serious consequences. When the lost information is emails or other electronically stored information, a good forensic expert can usually recover the data. But, even the best forensic experts can’t recover encrypted ephemeral messages that should have been preserved but no longer exist.
A Potential Safe Harbor When Using Ephemeral Messaging Apps
Fla. R. Civ. P. 1.380(e) provides that “[a]bsent exceptional circumstances, a court may not impose sanctions...on a party for failing to provide electronically stored information lost as a result of the routine, good faith operation of an electronic information system.” A recent search found no Florida cases interpreting this rule. A detailed analysis of whether the use of ephemeral messaging is “routine” and being used in “good faith” is beyond the scope of this article. However, Rule 1.380(e) potentially provides a safe harbor if your client has implemented a defensible electronic records retention policy that covers the use of ephemeral messaging apps.
The takeaway is to counsel clients on how they can effectively document, implement and monitor policies addressing the use of ephemeral messaging and to advise them of the risks and benefits of using that technology, including the consequences if litigation arises. To effectively counsel clients, you must have “an understanding of the benefits and risks associated with the use of technology” (in this case, ephemeral messaging apps), or you need to retain someone who does. The Duty of Competence is non-delegable and, while third-party vendors may know the technology, they don’t know the law.