
Ephemeral Messaging Data in Ediscovery


Various types of chat apps have become hugely popular in recent years. But a growing number of users have also turned to secure communications known as ephemeral messaging. Ephemeral messaging apps appeal because the messages are designed to automatically vanish after viewing. 

This chapter discusses ephemeral messaging data, regulatory and data preservation requirements, common challenges teams face, and best practices for handling this type of data in ediscovery.

What Is Ephemeral Messaging, and Why Is It Important in Ediscovery?

The term ephemeral originates from the Greek word ephemeros, meaning “lasting only one day,” which highlights the temporary nature of these messages.

Ephemeral messaging apps are communication applications that support the sending and receiving of temporary messages. These apps typically include features such as self-destructing messages, end-to-end encryption, and screenshot protection to ensure privacy and security. 

Thanks to their short-lived nature, ephemeral messages in the corporate context pose special challenges for ediscovery. One obvious problem is how to preserve something that’s designed to self-destruct – and leave no trace. Another is the fact that employees can use ephemeral messaging apps without the knowledge of IT or the legal team. And even when the organization is aware, there’s no way to preserve ephemeral data without notifying the custodian first – if you know who it is – making it harder to preserve communications before they’re lost.

Popular ephemeral messaging apps include the following:

  • Snapchat, which allows users to send photos and videos that automatically disappear – either after being viewed or after 24 hours.

Figure: Snapchat deletion settings dialog.

  • Signal, a privacy-focused messaging app, offers end-to-end encryption and an optional disappearing messages feature. Users can set a timer for messages to be deleted after a specified duration, ranging from a few seconds to a week.

  • Wickr, a secure messaging app, provides end-to-end encryption and self-destructing messages. Users can set a timer for messages, photos, and videos to be deleted automatically after they have been viewed.

  • Telegram, a messaging app, offers end-to-end encryption in its “secret chats” feature. In secret chats, users can send messages, photos, and videos that will self-destruct after a set period.

Figure: Telegram auto-delete settings dialog.

  • DingTalk, an enterprise communication and collaboration platform founded in 2014, was one of the world’s largest professional communication and management mobile apps in China by 2018, with over 100 million users.

New apps enter the market regularly, and legal professionals need to stay up to date with their capabilities and impact on ediscovery.

The Sedona Conference, in its Commentary on Ephemeral Messaging (published in 2021), outlined three categories of messaging apps:

  1. Purely ephemeral messaging. These apps provide for the deliberate, permanent, and automated deletion of messages with an unchangeable deletion trigger, which means that messaging deletion features may not be altered. Messages from purely ephemeral messaging apps cannot be archived or stored (although capturing screenshots of the messages is possible).

  2. Quasi-ephemeral messaging. These apps permit preservation of messages in certain circumstances, allowing users to change message deletion as a default setting. Message metadata is retained, however.

  3. Non-ephemeral messaging. For these apps, the option for deliberate and permanent deletion is not built into the application. As a result, deletion of a message, photo, or video does not delete the content from other sources (such as servers). There is no end-to-end encryption, meaning third parties can access messages.

All messaging apps fit into one of these three Sedona Conference categories, which impacts how messaging data will be handled in ediscovery. In this chapter, the discussion will focus on the first two categories and the potential for automatic deletion of messages.

How Can Ephemeral Messaging Impact Litigation and Investigations?

Ephemeral messaging can significantly complicate the ediscovery process and pose challenges for legal and regulatory compliance, not least of which is the increased risk of spoliation. Litigation and investigations challenges associated with ephemeral messaging data include the following:

  • Preservation and collection challenges. Due to the temporary nature of ephemeral messages, preserving and collecting relevant communications can be difficult. The self-destructing messages may be deleted before they can be properly preserved, potentially leading to spoliation of critical evidence. If a party fails to preserve relevant communications in ephemeral messaging apps, they may face sanctions, which could be severe if there is intent to deprive.

  • Obstruction of justice allegations. The use of ephemeral messaging apps during ongoing criminal litigation or investigations may raise suspicions of attempting to conceal or destroy evidence, leading to allegations of obstruction of justice.

  • Incomplete conversations. Conversations involving ephemeral messages can be tricky to understand without proper context, as messages within the conversation may have been automatically deleted. This lack of context can make it difficult to accurately interpret the content and relevance of the remaining messages.

To be prepared to address these challenges, legal teams must be proactive in establishing and enforcing policies regarding the use of ephemeral messaging apps within the organization, including guidelines for preservation and data retention, especially once litigation is anticipated or an investigation begins.

The Sedona Conference Guidelines on Ephemeral Messaging

  1. Regulators and courts should recognize that ephemeral messaging may advance key business objectives.

  2. Organizations should take affirmative steps to manage ephemeral messaging risks.

  3. Organizations should make informed choices and develop comprehensive use policies for ephemeral messaging applications.

  4. Regulators, courts, and organizations should consider practical approaches, including comity and interest balancing, to resolve cross-jurisdictional conflicts over ephemeral messaging.

  5. Reasonableness and proportionality should govern discovery obligations relating to ephemeral messaging data in U.S. litigation.


Ephemeral Messaging and Data Preservation Requirements

An ephemeral messaging preservation requirement is typically triggered by anticipated litigation, investigations, or other events.


General Practice

Even in the absence of active legal matters, organizations may still face general data preservation requirements for ephemeral messages. These are typically driven by industry-specific regulations, legal compliance, and internal policies and may vary depending on the organization’s jurisdiction, industry, and the nature of the data involved. Some general data preservation requirements are as follows:

  • Regulatory compliance. Companies in certain industries, such as financial institutions and healthcare organizations, are subject to specific data retention regulations. Organizations must comply with these regulations by preserving relevant records, including ephemeral messages, for the required duration.

  • Audits and monitoring. As part of their compliance efforts, organizations may be subject to periodic audits or monitoring by regulatory authorities. To meet these requirements, organizations should ensure that they can provide relevant ephemeral messages as part of their recordkeeping practices.

  • Data security and privacy. Organizations should consider data security and privacy requirements when establishing ephemeral message retention policies. Doing so may involve implementing appropriate encryption measures, access controls, and data disposal procedures to protect sensitive information.

  • Disaster recovery and business continuity. Organizations should also consider disaster recovery and business continuity plan requirements as part of a retention policy that includes ephemeral messages. Preserving these messages can help ensure the availability of critical communications data in the event of a system failure, data loss, or other disruptions.


Regulatory Guidance

The Department of Justice, or DOJ, in March 2023 released its updated Evaluation of Corporate Compliance Programs, which included new guidance on ephemeral messaging platforms. The DOJ acknowledged the value of ephemeral messaging platforms to businesses, consistent with its evolution on these and other matters involving technology and technological advances in the workplace. The DOJ expects companies to address accessibility and preservation of business-related electronic data and communications (including those made by third-party vendors and other agents of the company).

Regardless of the business use case, organizations should establish and enforce internal data retention policies and procedures that include the preservation of ephemeral messages. These policies should outline the types of data to be preserved, the duration of retention, and the procedures for data management.

Regulated Industries

Strict regulatory requirements apply to certain industries that impact management and preservation of ephemeral messages. 

Financial Institutions

Financial institutions are subject to various regulatory requirements from federal agencies, such as the Securities and Exchange Commission, or SEC, and the Financial Industry Regulatory Authority, or FINRA, and laws that impact their use of ephemeral messaging apps. While specific regulations may vary depending on the jurisdiction, some of the key regulatory requirements applicable to financial institutions in the United States include the following:

  • SEC Rules 17a-3 and 17a-4. The SEC imposes recordkeeping requirements on broker-dealers, including the preservation of electronic communications related to their business activities. These rules specify the types of records to be retained, the format of the records, and the duration of the retention period. Ephemeral messages, if used for business communications, would fall under these requirements. In September 2022, the SEC issued over $1.1 billion in fines to 15 broker-dealers and one affiliated investment adviser for widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications for their use of messaging apps.

  • FINRA Rule 4511. FINRA requires its member firms to preserve electronic communications related to their business activities in a non-rewritable, non-erasable format for a period of at least three years. This rule covers various communication channels, including ephemeral messaging apps if used for business purposes.

  • FINRA Regulatory Notice 17-18. This notice provides guidance on the use of social media and digital communication channels by FINRA member firms. It emphasizes the requirement to retain records of all business-related communications, regardless of the medium used. If financial institutions use ephemeral messaging apps for business purposes, they must ensure that relevant communications are preserved in accordance with applicable regulatory requirements.

  • Dodd-Frank Act. The Dodd-Frank Wall Street Reform and Consumer Protection Act requires certain financial institutions to maintain records of communications, including electronic messages, related to swap transactions. If ephemeral messaging apps are used in this context, financial institutions must ensure that they comply with the recordkeeping requirements imposed by the Dodd-Frank Act.

Healthcare Organizations

Healthcare organizations are subject to various regulatory requirements that impact their use of ephemeral messaging apps, including the Health Insurance Portability and Accountability Act, or HIPAA; the Health Information Technology for Economic and Clinical Health, or HITECH, Act; and state privacy laws. While specific regulations may vary depending on the jurisdiction, some of the key regulatory requirements applicable to healthcare organizations in the United States include the following:

  • HIPAA. This law sets forth privacy and security standards for the protection of protected health information, or PHI, in both electronic and non-electronic formats. Under HIPAA’s privacy rule, healthcare organizations must implement safeguards to ensure the confidentiality, integrity, and availability of PHI. If ephemeral messaging apps are used to transmit or store PHI, healthcare organizations must ensure that these apps comply with HIPAA’s privacy and security requirements.

  • HIPAA Security Rule. This rule specifically addresses the security of electronic protected health information, or ePHI. Healthcare organizations must implement appropriate administrative, physical, and technical safeguards to protect ePHI, including encryption and access controls. If ephemeral messaging apps are used to transmit or store ePHI, they must meet the security requirements established by the Security Rule.

  • HITECH Act. The HITECH Act expands upon HIPAA’s requirements and introduces additional provisions for healthcare organizations regarding the protection of electronic health records, or EHRs, and the use of health information technology. If ephemeral messaging apps are used within the context of EHRs or health IT, healthcare organizations must ensure compliance with the HITECH Act.

  • State privacy laws. Healthcare organizations may also be subject to state-specific privacy laws that impose additional requirements for the protection of personal health information. These laws may impact the use of ephemeral messaging apps, depending on the jurisdiction and the nature of the data involved.

Federal Government Agencies

Federal government agencies in the United States are subject to various regulatory requirements that impact their use of ephemeral messaging apps, including under the Federal Records Act, or FRA; the Freedom of Information Act, or FOIA; and the Federal Information Security Modernization Act of 2014, or FISMA 2014. Some of the key regulatory requirements applicable to federal government agencies include the following:

  • FRA. This law establishes the framework for records management in federal agencies, requiring the preservation of records that document the activities, policies, and decisions of the federal government. If ephemeral messaging apps are used for official government communications, agencies must ensure that relevant records are captured, managed, and preserved in accordance with the FRA.

  • National Archives and Records Administration, or NARA. The nation’s record keeper provides guidance and regulations for federal records management, including the use of electronic messaging apps. NARA Bulletin 2015-02, for instance, addresses the management of electronic messages and requires federal agencies to manage and preserve electronic messages that qualify as federal records.

  • FOIA. This law grants the public the right to access government records, subject to certain exemptions. Federal agencies must ensure that records, including those created or stored using ephemeral messaging apps, are managed and preserved in a manner that allows for proper processing and response to FOIA requests.

  • Privacy Act of 1974. This legislation establishes requirements for the protection of personal information held by federal agencies. If ephemeral messaging apps are used to transmit or store personal information, agencies must ensure that these apps comply with the Privacy Act’s requirements, including safeguarding the information and providing appropriate access controls.

  • FISMA 2014. This law updates the Federal Information Security Management Act, or FISMA, and requires federal agencies to implement information security programs to protect their information systems, including the data they process, store, and transmit. If ephemeral messaging apps are used by federal agencies, they must comply with FISMA’s security requirements.

Ephemeral Messaging in the EU and UK

The European Union and the United Kingdom have passed strict regulatory requirements that impact the use of ephemeral messaging apps, particularly in the areas of privacy, data protection, and recordkeeping. New harmonized rules for electronic communications are in the works. Some of the existing regulatory requirements include the following:

  • General Data Protection Regulation, or GDPR. The GDPR is a comprehensive data protection regulation that applies to organizations operating within the EU and, in certain cases, to organizations outside the EU that process the personal data of EU citizens. The GDPR imposes strict requirements on the processing, storage, and transfer of personal data. If ephemeral messaging apps are used to handle personal data, organizations must ensure compliance with GDPR requirements, such as obtaining valid consent, implementing appropriate security measures, and adhering to data retention policies.

  • ePrivacy Directive and ePrivacy Regulation. The ePrivacy Directive, also known as the EU Cookie Law, focuses on the protection of privacy and confidentiality in electronic communications. It sets forth rules regarding the use of cookies, tracking technologies, and direct marketing. The ePrivacy Regulation, which, as of this writing, is under development, is expected to replace the ePrivacy Directive and provide updated, harmonized rules for electronic communications, including messaging apps. Organizations using ephemeral messaging apps must ensure compliance with the ePrivacy Directive and be prepared for the upcoming ePrivacy Regulation.

  • Markets in Financial Instruments Directive II, or MiFID II. MiFID II is a legislative framework that governs the provision of investment services and activities within the European Economic Area, or EEA. It imposes recordkeeping requirements for communications related to investment services, including electronic messages. Financial institutions using ephemeral messaging apps must ensure that relevant communications are captured, retained, and managed in accordance with MiFID II requirements.

  • UK Data Protection Act 2018. The UK Data Protection Act 2018 is the UK’s implementation of the GDPR and provides additional rules for the processing of personal data within the UK. Organizations using ephemeral messaging apps to handle personal data in the UK must ensure compliance with both the GDPR and the Data Protection Act 2018.

When a Preservation Requirement Is Triggered

As stated in Zubulake v. UBS Warburg, “Once a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a ‘litigation hold’ to ensure preservation of relevant documents.”

With that in mind, once a preservation requirement is triggered, continuing to use messaging apps that are purely ephemeral can be challenging, since doing so would potentially lead to the destruction of relevant evidence. This could expose the organization to sanctions or negative consequences in litigation. Unless the organization can limit the use of purely ephemeral messaging apps to specific, non-critical communication purposes that are unlikely to be subject to litigation, their use may need to be suspended.

Organizations can continue to use quasi-ephemeral messaging apps; however, settings on them should be changed to suspend auto-deletion of messages – just as you would on email or any other ESI source set for automatic deletion.

Challenges with Ephemeral Messaging in Discovery, Investigations, and Litigation

There are several challenges associated with ephemeral messaging as it relates to discovery, investigations, and litigation:

  • Auto-deletion of messages. The most well-known problem associated with ephemeral messaging apps is the fact that many of them are set to automatically delete messages after a defined period of time. This makes it imperative not only to include notification for custodians to suspend auto-deletion in the ephemeral messaging apps they use, but also to proactively follow up to minimize the possibility that relevant data will be spoliated.

  • Proliferation of apps. Another challenge is the growing use of ephemeral messaging apps. Each requires a plan for instructing custodians how to suspend auto-deletion, and each may have unique considerations when it comes to collecting data for litigation and investigations.

  • No “secret hold” capabilities. Unlike enterprise solutions within the organization that may support the ability to place the data for a custodian being investigated on “secret hold” (i.e., preservation of their data without notifying the custodian), access to data from ephemeral messaging apps often requires the custodian’s cooperation. Unless the investigation team can quickly identify parties with whom the custodian being investigated is communicating, it may be difficult to identify and preserve communications before they are lost.

  • Shadow IT. Often, ephemeral messaging apps are being used by potential custodians without IT involvement or approval. Identifying these shadow IT uses quickly is paramount; otherwise, the data may have been automatically deleted by the time usage of the apps is discovered.

  • Presentation of conversations for review. As noted above, there’s a danger that relevant messages may already be deleted by the time a hold is issued – even if auto-deletion is suspended promptly – resulting in incomplete conversations. Unlike emails – for which each message in a conversation provides a thread of the entire conversation up to that point – messages automatically deleted in a chat conversation are likely gone forever.

How to Preserve and Collect Ephemeral Messaging

The transient nature of ephemeral messages makes the preservation and collection of that data challenging. That said, it is crucial for organizations to comply with legal obligations related to ESI preservation and discovery. Some best practices to consider are as follows:

  • Limit the use of purely ephemeral messaging apps. To the extent possible, restrict the use of these apps to non-critical or non-sensitive communications to minimize the risk of losing relevant information. For critical or sensitive communications, use quasi-ephemeral (with auto-deletion suspended once litigation is anticipated) or non-ephemeral messaging apps.

  • Include ephemeral messaging data in your legal hold process. In the event of litigation, have a well-defined legal hold process in place to ensure the preservation of relevant data from all sources, including ephemeral messaging apps. This may involve notifying users to suspend the deletion of messages, collecting data using available tools, or working with the app provider to obtain the necessary information, if possible.

  • Conduct custodian interviews promptly. With potential shadow IT uses of ephemeral messaging apps, time is of the essence to identify those uses and instruct custodians to suspend auto-deletion within quasi-ephemeral messaging apps or suspend altogether the use of purely ephemeral messaging apps.

  • Leverage technical solutions. To the extent possible, implement technical solutions that enable the archiving or backup of messages from ephemeral messaging apps in a legally compliant manner, while adhering to the app’s terms of service and privacy policies. Organizations can use three types of solutions for the collection of messages from ephemeral messaging apps:

    1. Enterprise versions of ephemeral messaging apps. Some popular ephemeral messaging apps, such as Slack and Microsoft Teams, offer enterprise versions that come with built-in features for archiving, monitoring, and managing messages.

    2. Third-party ediscovery and archiving tools. Third-party tools, like Smarsh and Global Relay, are available to help organizations collect, archive, and manage messages from ephemeral messaging apps. Some of these tools integrate directly with messaging apps, while others provide a separate platform for archiving messages.

    3. Digital forensics and mobile device management, or MDM, tools. Digital forensics tools and MDM solutions, like Cellebrite and Oxygen Forensics, can help organizations collect data from mobile devices, including messages from ephemeral messaging apps. These tools can create forensically sound copies of mobile devices, allowing investigators to extract and analyze messages and other data.

Figure: Telegram messages in the Cellebrite UFED Physical Analyzer.

  • Document your processes. Keep a detailed record of your organization’s processes to preserve and collect data from ephemeral messaging apps, including the policies, guidelines, technical measures, and any challenges faced during the process. This documentation may be critical in demonstrating your organization’s good faith efforts to comply with legal obligations during litigation.

Key Case Law Rulings to Know on Ephemeral Messaging Data

Every year, courts issue important case law rulings regarding the discovery of ephemeral messaging data. Here are some of the most notable rulings on ephemeral messaging data in ediscovery over the past several years:

Waymo v. Uber Tech. (N.D. Cal. January 30, 2018)

In this trade secret misappropriation dispute over autonomous vehicle technology, Waymo argued that its competitor Uber used the ephemeral messaging app Wickr to delete key information about stealing its trade secrets while a litigation hold was in place. The court ruled that Waymo would be permitted to present evidence and argument on this subject at trial but that Uber would also be allowed to present its own evidence and argue that its use of ephemeral messaging shows no wrongdoing, including by pointing out Waymo’s own use of ephemeral messaging. The case settled before the parties were able to present their evidence at trial.

Herzig v. Arkansas Foundation for Medical Care, Inc. (W.D. Ark. July 3, 2019)

In this age discrimination case, the plaintiffs started using the ephemeral messaging platform Signal after receiving preservation orders. Based on earlier communications between the plaintiffs, the Court determined that communications using Signal were responsive, and because the plaintiffs had manually configured Signal to delete communications, the deletion was intentional. As a result, the case was dismissed with prejudice.

WeRide v. Huang et al. (N.D. Cal. April 24, 2020)

The defendants in this trade secret misappropriation case, brought against former employees of the plaintiff, began communicating via DingTalk’s ephemeral messaging feature after the preliminary injunction was issued (among other instances of spoliation). The court issued terminating sanctions against many of the defendants in the case.

Doe v. Purdue, et al. (N.D. Ind. July 2, 2021)

The plaintiff in this case produced a Snapchat download (to replace one with expired links) that was missing 11 Snapchat videos and images. The plaintiff claimed he deleted them from his cell phone to free up space, not realizing that they would also be deleted from his Snapchat account and Snapchat servers entirely. The court sanctioned the plaintiff to pay the defendants’ attorneys’ fees and costs associated with litigating the motion and also permitted the parties to present evidence to the jury concerning the loss of the Snapchat data.

FTC v. Noland (D. Ariz. August 30, 2021)

When the defendants realized they were being investigated by the FTC, they started using Signal and encrypted email platform ProtonMail the very next day. They also failed to disclose use of those platforms in the deposition and deleted the Signal app from their phones before turning them over, making it impossible to recover any of the Signal messages. The court sanctioned the defendants with an adverse inference instruction for their intent to deprive the FTC of that evidence.

Fast v. GoDaddy.com (D. Ariz. February 3, 2022)

The court issued several sanctions (including adverse inference sanctions and costs and fees) for the spoliation of various data sources by the plaintiff, including Telegram messages, where the plaintiff was found to have “tried to conceal the existence of Telegram Messenger communications from Defendants” and to have unsent her messages sent through Telegram so that the defendants couldn’t request them from other parties.

In re Google Play Store Antitrust Litig. (N.D. Cal. March 28, 2023)

In this matter, the court sanctioned Google for Google Chat spoliation, ordering Google to cover the plaintiffs’ attorneys’ fees and costs in bringing the Rule 37 motion – with additional sanctions possible “at the end of fact discovery.” Google had not suspended auto-deletion of Google Chat messages after the litigation began, instead choosing to let employees make their own personal choices about preserving chats.


Conclusion

Ephemeral messages are created to vanish. These short-lived communications pose special obstacles for ediscovery professionals, including around preservation and collection, which can lead to incomplete context for the content of conversation threads, and even potential allegations of obstruction of justice regarding missing evidence.

Though ephemeral messaging can seem anathema to successful ediscovery, there are specific steps teams can take to protect their companies. It’s crucial to understand how ephemeral communications work and where the pitfalls are. It’s also important to develop comprehensive use policies for ephemeral messaging apps. Professionals in certain regulated industries, such as healthcare and the financial sector, need to be familiar with the regulatory requirements their companies are subject to. Finally, legal teams need to use the right ediscovery technologies to ensure success in litigation and investigations.

Regulators and courts recognize that ephemeral messaging may be important to businesses – and they put the onus on organizations to manage the risks associated with this type of communication.