Ephemeral messaging: Don’t assume the details are in the documents
Both businesses and their lawyers should be wary of the implications arising from the use of software which employs ephemeral messaging functionality. When it comes to ephemeral messaging, simply gone doesn’t necessarily mean forgotten, and the consequences can be severe.
What is ephemeral messaging?
Ephemeral messaging, also known as self-destructing messaging, refers broadly to any messaging software that automatically erases conversation history between users (whether by default or through settings). Popular applications include SnapChat, Instagram’s disappearing photo and message feature, Signal, and Telegram, among others. Different applications use different terminology to describe the disappearance or deletion of the content, but the result is the same: the message is either deleted permanently, no longer exists, or can no longer be accessed, read, or otherwise preserved, screenshotted, or shared by the sender or the recipient. Often, outside of the assistance of a forensic expert (and in some cases, even an expert may not be able to obtain messages exchanged with ephemeral messaging applications, either), the only way to “save” messages sent with an ephemeral messaging application is to take a contemporaneous screenshot (if the program allows it; some do not, while others include an alert feature for messages which have been subjected to a screenshot, and in some instances, a third party application may be required) or to take a photo of the message with another device before it disappears. Ephemeral messaging is not to be confused with encrypted messaging applications, such as Apple’s iMessage or WhatsApp, which provide users with end-to-end encryption for mobile messages and implements certain steps intended to prevent third parties from monitoring conversations (although some applications offer both ephemeral and encrypted messaging).
Ephemeral messaging software offers users a variety of practical benefits, including increased security, anonymity, and data protection. For example, many journalists rely on ephemeral messaging when travelling abroad and dealing with security concerns; organizations such as Reporters Without Borders recommend the use of such technology. However, the use of ephemeral messaging also invites complications and risks. The Government of Canada has warned against cybersecurity threats stemming from the use of this technology by foreign actors. The Communications Security Establishment of Canada also linked the use of this technology to the spread of misinformation and organized crime. For businesses, the use ephemeral messaging could create a greater risk when it comes to various regulatory violations and present litigation challenges related to discovery and document preservation.
In a growing number of matters, those with more nefarious intentions who are participating in unlawful or illegal activities make use of ephemeral messaging in engaging in criminal and civil misconduct, with the benefit to the users being that there is no documentary trail to later be produced in litigation that can be used against them.
Potential for regulatory problems
The use of ephemeral messaging software inherently contradicts data retention requirements and destruction parameters imposed on certain corporate entities by regulators, and may also violate various internal records retention policies at a wide variety of organizations. Simply put, the mere use of ephemeral messaging software carries with it a variety of risks when it comes to the rules created by regulators. Although regulators in Canada have not yet scrutinized this technology, reactions from regulators in other jurisdictions, like the United States, offer insights into how Canadian regulators are likely to address challenges arising from the increased use and growing popularity of ephemeral messaging software.
In the United States, various regulators and government agencies have already scrutinized the use of ephemeral messaging in regulatory proceedings. For example, the Securities and Exchange Commission (SEC) has provided comments on how the use of ephemeral messaging violates SEC rules, including specifically noting that the use of “apps and other technologies that can be readily misused by allowing an employee to send messages or otherwise communicate anonymously, allowing for automatic destruction of messages, or prohibiting third-party viewing or back-up” is “specifically prohibit[ed]. In 2021, the Director of the SEC’s Division of Enforcement gave a speech in which he noted that entities “… need to be actively thinking about and addressing the many compliance issues raised by the increased use of personal devices, new communications channels, and other technological developments like ephemeral apps.”
Shortly after the October 6, 2021 speech, a variety of entities discovered that a failure to abide by the requirements for document preservation can have serious consequences. SEC Rule 17a-4(b)(4) requires that certain security dealers retain originals of communications for a minimum of three years. In September of 2022, the SEC announced that it had charged 15 brokers and one affiliated investment adviser which had admitted to wrongdoing for their failure to preserve electronic communications in circumstances where the individuals text messaging applications on their personal devices to communicate about business matters. The firms acknowledged their violation of the SEC's recordkeeping provisions and agreed to pay combined penalties of more than USD$1.1 billion.
For more information about the SEC’s enforcement action and details about guidance from the United Sates Department of Justice, please review DLA Piper’s previously published legal update here.
Legal issues in litigation
The use of ephemeral messaging also raises important considerations for lawyers and their clients when it comes to documentary discovery and disclosure in litigation. According to the Third Edition of the Sedona Canada Principles Addressing Electronic Discovery, published in 2022, the use of ephemeral messaging technology creates additional issues regarding discovery and expectations of privacy. The Sedona Principles also note that, to date, there is little case law and guidance in Canada on these issues.
The courts in the United States have begun to address the issue of these (intentionally) deleted documents. For instance, some cases suggest that juries can draw negative inferences from a lack of evidence, when the lack of evidence is caused by the use of ephemeral messaging. Other case law from the United States offers guidance on the interaction of documentary discovery and ephemeral messaging. For example, the United States Federal Court has found that a plaintiff who used Signal (a popular messaging application with ephemeral messaging features), despite an order to produce certain text communication, was acting in bad faith and intentionally hiding communications from the defendant. These findings can have considerable weight on the outcome of a trial.
Ephemeral messaging is likely here to stay; its use will only continue to grow. However, recent case law from the United States and scrutiny by regulators like the SEC highlights the need for caution when using this technology. Given the limited case law in Canada and the lack of further guidance at this time from provincial and federal regulators, businesses and litigants should err on the side of caution and avoid the use of ephemeral messaging if at all possible.
Importantly, any business which implements the use of ephemeral messaging should consider a risk assessment to ensure that its use does not inadvertently violate regulatory requirements in Canada. This is particularly true for any business that must adhere to regulatory reporting or recording-keeping requirements. Companies relying on or allowing the use of ephemeral messaging applications should consider adopting, at minimum, the following practices as part of a more comprehensive policy to address the use of messaging applications, including ephemeral messaging:
- Conducting a cost-benefit analysis of the use of ephemeral messaging compared to its foreseeable risks;
- Developing an internal program/policy that identifies which employees can use ephemeral messaging, for what particular purposes, why the use is necessary, and what information can be communicated through ephemeral messaging;
- Maintaining a record of employees or agents who are authorized to use ephemeral messaging in the course of business and the scope of the use;
- Providing training on the use of ephemeral messaging and the associated risks; and,
- Consulting with experts in the field on best practices when using ephemeral messaging for business purposes.
Additionally, businesses and individuals engaged in litigation or those facing a risk of litigation must also consider applicable disclosure obligations in the jurisdiction in which litigation may occur. For example, in Ontario, the Rules of Civil Procedure provide for a broad documentary discovery process and regime for relevance for documents to be produced in the course of litigation. This is a positive obligation which requires a litigant to take steps to ensure that relevant information, data, and documents in the power, possession, or control of an individual or entity are not deleted, lost, or otherwise unrecoverable. In the case of ephemeral messaging, while there is limited guidance at this time, obligations in respect of ephemeral messaging likely includes adjusting settings on applications with automated message deletion functions to ensure that any and all records of messages and documents exchanged are retained. A failure to preserve all relevant documents when litigation is reasonably anticipated can have serious consequences in a civil litigation matter, including costs awards and measures up to and including dismissing a Plaintiff’s case or strike out a Defendant’s defence.
Ephemeral messaging is a prime example of the expression “gone, but not forgotten.” Don’t let disappearing messages come back from the dead to haunt your business or litigation matter at a later date. Contact a member of DLA Piper (Canada) LLP’s Corporate Crime, Compliance and Investigations group on the best way to manage and reduce risk from ephemeral messaging use.