- Special thanks to Emily Donaldson, Alicia Kapolis and Primrose Mungwari for helping prepare these materials.
- ENCRYPTED TEXT MESSAGING PLATFORMS
Recovering evidence becomes more complex and difficult when dealing with ephemeral data. Applications such as Vaporstream, Wickr, Confide and the like present attorneys with extensive discovery and authentication problems.
Vaporstream is a mobile application capable of sending electronic communications that are encrypted in transit and are not stored in the carrier’s infrastructure, the sender’s device, or the recipient’s device. Once a message is read, it is deleted and no longer exists. These messages cannot be copied, printed, or forwarded.
Wickr is an instant messaging application that allows users to exchange end-to-end encrypted and content-expiring messages, including photos, videos, and file attachments. This application uses military-grade encryption for communications, and it automatically shreds any and all digital evidence or trace that the communication existed.
Confide is another encrypted message application similar to Vaporstream and Wickr. The alleged use of Confide by former Missouri Governor Eric Greitens and his staff has come under heavy criticism. For example, according to an article in the Kansas City Star by the Editorial Board:
The app – called Confide – allowed Greitens and his staff to exchange text messages that were erased immediately after they were read. That meant texts involving significant government business might have automatically disappeared, in violation of the state’s record retention policies.
According to Attorney General Josh Hawley back in 2017:
Nonetheless the Governor and his aides were given a “clean bill of health” because there was no proof that official business was conducted through Confide. Others, like Senator Gina Mitten, in response had floated the idea of proposing legislation to prohibit lawmakers and state employees from downloading and using Confide or similar apps.
HB2523 was eventually proposed by Republican Representative David Gregory to deal with this issue. HB2523’s summary is as follows:
HB2059 was also proposed by Democratic Representative Mark Ellebach to address this issue. The summary of the purpose of the bill is stated as this:
Discovery techniques for programs like Vaporstream, Wickr and Confide are extremely burdensome, costly, and in most cases, it is almost impossible to discover the communication or data. At this point in time, there is a lack of technology and procedure that makes preservation of this ephemeral data possible.
b. INSTAGRAM, SNAPCHAT, & OTHER PHOTO & VIDEO SHARING APPS
- EVIDENCE SPOLIATION: CAN YOU RETRIEVE DELETED CONTENT?
There are additional methods of preserving videos. For example, recipients can simply take a screenshot of the message, although this will notify the sender. Alternatively, recipients can take a picture of their phone, thereby circumventing the screenshot notification. Even then, a more complicated approach exists. Snapchat saves [videos] on the phone’s local memory, on some phone models, which you can then recall by installing a file browser, and plugging the phone into a computer. You then search through the file browser, copy and save the content to a computer, and you’re done. Indeed, a May 9, 2013, Forbes article detailed that one forensic firm was able to pull many Snapchat photos from a phone long after they were supposedly deleted. Also, Snapchat has stated that if a file is not viewed it will remain on their servers for 30 days.
Instagram, now owned by Facebook, is another online photo-sharing and social networking service that enables its users to take a picture, apply a digital filter to it and share it on a variety of social networking services, including Facebook. Unlike Snapchat, however, the data is stored on Facebook’s servers and is not automatically deleted a few seconds after viewing. Access to the device should provide access, and materials that are deleted are likely recoverable by a forensic analyst. Further, one could subpoena Instagram, but one would likely face the same challenges one experiences when subpoenaing Facebook.
- CLOUD STORAGE
While over the past decade courts have to some extent learned to cope with electronic discovery from computers, cell phones, and extra storage drives, cloud services present a few new challenges. The National Institute of Science and Technology defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Essentially, the cloud allows internet-based services to provide users with remote access to software, resources, and information stored elsewhere. The computer systems and servers storing the data or applications are often operated by a third party, not the person or company using the resources.
Cloud computing has its advantages for users, and disadvantages for litigants. Cloud computing is growing rapidly for good reason. It substantially minimizes information technology (IT) costs, offers potentially limitless storage capacity, does not require self-management, can be tailored to individual needs and provides instant mobile access. It is the limitless capacity and lack of self-management that poses the challenges for litigants. While computer hard drives now contain vastly more data than ever before, creating even more items of evidence to sort through, cloud storage only exacerbates that difficulty. The particularly interesting aspect is the lack of direct control the cloud user typically has over his or her stored data.
Traditionally, companies stored and owned their own data located at specifically constructed data centers. Even if the company or individual leased the space, they at least owned the hardware and data itself. Cloud services change this to where the user no longer owns the hardware they operate. Cloud services follow three basic service models. The most general model is the Software as a Service (SaaS) model where an individual pays only for existing applications in the cloud. The user has no control over how data is stored or altered within the system. For lawyers, a familiar example of this is Westlaw or LexisNexis. The second model is the Platform as a Service (PaaS) model, which gives the user the ability to install and tailor their own software applications in the cloud. The user still, though, has no control over the servers or storage provided. Finally, the Infrastructure as a Service (IaaS) model offers clients the most control. There the user rents access to the cloud’s servers and hardware, but may use its own operating system and software that enables the cloud to work for the user. Importantly, the service provider may still re-locate data from one physical location to another.
The ability of the cloud provider to re-locate data becomes important in looking at Fed. R. Civ. P. 34(a), which defines discoverable information as “in the responding party’s possession, custody, or control.” Federal courts have held data in the possession of a third party to be within Rule 34(a) so long as the party “has the right, authority, or practical ability to obtain the documents from a non-party to the action.” The problem that generally arises, though, is locating and preserving the data for pending litigation. Third party control, through a cloud, may leave the user subject to sanctions when the data has been moved, altered, or is otherwise inaccessible.
In discovery, the responding party has the burden to preserve, identify, and collect ESI stored in the cloud. The comments to Fed. R. Civ. P. 37(e) state: “A preservation obligation may arise from many sources, including common law, statutes, regulations, or a court order in the case,” and they also state that the duty to preserve evidence attaches when the party reasonably anticipates litigation. For those operating under any cloud model but the IaaS model, a responding litigant will not be able to prevent any auto-delete functions associated with the cloud. Important data may also be lost if the service provider chooses to terminate cloud services provided to the user. For instance, Amazon’s 2012 service agreement provided that termination of the agreement terminated all rights to any of the data stored in the cloud.
This inability to retrieve ESI from the cloud may trigger sanctions for the responding party. Courts may impose sanctions for spoliation under Rule 37 when they deem it just. The standard seems to vary by circuit, as some will grant a sanction if the responding party is culpable in any way, that is, if they have any responsibility or control. Other courts require a showing of bad faith.
Under either standard, it is important that you know the cloud structure and operating methods that your client employs. Having a basic knowledge of your provider will help you negotiate the service agreement to begin with, locate data when the time arises, and ensure that the data is unaltered when it comes time to produce. Moreover, it will enable you to create a prospective litigation plan that may save you time and money in the future.
If you are the party requesting data from the cloud, a basic idea of how the cloud operates will also be useful. It may inform you that the targeted party does have significant control over their data as they are employing an IaaS cloud model or that the documents or the meta-data contained in the documents you have received may have been altered in the cloud. It may even tip you off that other documents may have been deleted, perhaps innocently, while contained in the cloud. Either way, a rudimentary knowledge of the opposition’s system will only help your discovery efforts.
d. TOP STRATEGIES FOR UNCOVERING DISAPPEARING EVIDENCE
If you know that you have deleted relevant data, or you suspect the opposing party has done so, you have several options. First, if you own the device or account in question, you may be able to personally contact the provider without the need for a subpoena. It is important to do this quickly before the service provider deletes the information from its servers. The same goes if you suspect the opposing party has deleted information, although in this case you will likely need a subpoena, but you can attempt to gain consent from the opposing party.
Additionally, and likely your best bet, is to hire a computer forensic expert. As discussed above, they may be able to uncover data believed to have been deleted long ago, or they may uncover data that was merely hidden from the common user. They may also be able to provide insight as to the meaning of metadata discovered on various files.
Finally, do not underestimate the ability to locate information elsewhere. People often sync any number of devices to each other. For this reason, a home computer may be a better source of information than you might initially suspect. Also, beyond other devices consider other people. In the process of jubilant celebration or angry venting, people often write, forward, or post about their recent endeavors. You might discover that the photos you forwarded to a friend are still on their device or that text messages to a mistress deleted from the husband’s phone are still located on the mistress’ devices. In today’s day and age, it is rare that a piece of ESI is truly gone forever. Just be prepared for any additional authentication issues you may have when locating data from an alternative source.
Discovery techniques for programs like Vaporstream and Wickr are extremely burdensome, costly, and in most cases, it is almost impossible to discover the communication or data. At this point in time, there is a lack of technology and procedure that makes preservation of this ephemeral data possible.
One possible way to preserve the data of these ephemeral programs is to petition for preservation orders. There is a three-part balancing test that assesses the applicability of the preservation orders in the hope that the evidence can be retained. The court first looks at the level of concern for the disappearing communication’s existence and maintenance of the evidence without a preservation order. The court also looks to whether irreparable harm is likely to result from the destruction of evidence, and the capability of the party to maintain the evidence sought to be preserved. “Preservation obligations for ephemeral data should not impose heroic or unduly burdensome requirements.”
Other courts have found that the ephemeral ESI is too fleeting to be reasonable to preserve. In Healthcare Advocates v. Harding, Early, Follmer & Frailey, the plaintiffs alleged that defendants were liable for not preserving information that was stored in cache files. The court disagreed, because the plaintiffs made no active efforts to destroy or get rid of any evidence.
Snapchat users won’t have very much success with an argument against the preservation order. They have the ability to screenshot, save the snaps they send prior to delivery, and the ability to save the stories they post through the 24-hour life of the story – i.e. it is not unduly burdensome. As previously mentioned, there has been success with forensic experts and recovery of snaps.
Programs like Vaporstream prove more burdensome because the name of the sender is never on the same page as the message itself; therefore, a screenshot would not provide the evidence sought.
A deposition under Rule 27(a)(3) of the Federal Rules of Civil Procedure prior to filing the suit can be used to determine the extent and nature of ephemeral data that may fall within the scope of potential discovery, and to lay the groundwork for its timely preservation.
e. EPHEMERAL DATA
An agreement at the outset of litigation that states that both parties will retain any ephemeral data relevant to the matter can also provide attorneys with the sought-after evidence they need. Additionally, a special data conference prior to commencing litigation under Fed. R. Civ. P. 16(a) could prove beneficial for attorneys. This would help to avoid spoliation sanctions for both parties, and could help prevent the loss of ephemeral data from the outset. The overall effect is that it would significantly reduce the cost and time invested in the process if an issue were to arise over ESI.
Sanctions for spoliation of evidence are governed by Fed. R. Civ. P. 37. A duty to preserve must have been attached prior to the destruction of evidence; the accused party must have acted with the culpable state of mind; and the other party must have been prejudiced by the destruction of evidence. There is an exception for failure to provide evidence under Fed. R. Civ. P. 37(e). “Absent additional circumstances, a court may not impose sanctions on a party failing to provide electronically stored information as a result of the routine good-faith operation of an electronic information system.” Questions about what steps the party took to preserve the data, and whether the party acted affirmatively in destroying or altering data, should be raised and answered in order to impose sanctions under this rule.
Another potential tool to combat the elusiveness of ephemeral data is the litigation hold. This triggers the duty to preserve the information in light of litigation. Holds can be used to establish the first element discussed under Fed. R. Civ. P. 37 that we mentioned earlier (the duty to preserve must have been attached prior to the destruction of evidence). Once an attorney sends out a litigation hold, that duty is attached to the party. More generally, the duty to preserve is triggered when litigation is reasonably anticipated.
There are many issues and topics within ESI and ephemeral data that the courts have yet to address. Does the use of applications like Snapchat, Vaporstream, and Wickr meet the culpable state of mind for spoliation? The argument tends to follow the logic that the individual intentionally chose the application for the ephemeral nature of communicating that it advertises.
A potential clue we have to the future of ESI and ephemeral data is Gatto v. United Air Lines, Inc., a personal injury suit. The respondent asked for access to Gatto’s Facebook. Gatto saw that an unknown party was hacking his account, so he deactivated it. Normally, 14 days after one deactivates their Facebook account, the information is permanently deleted. Gatto was found by the court to have been subject to spoliation sanctions because he intentionally used the deactivation feature.
Metadata can be vital to a discovery process. It can reveal information such as who created a document, when they created it, what edits they made, and so much more. This is important to keep in mind when addressing authenticity issues.
Cell towers, GPS, and Wi-Fi all serve to create geolocation data. Geolocation data can provide substantial and compelling evidence of devices and persons being present at certain locations. Furthermore, most GPS-enabled camera phones also embed the longitude and latitude at which photos were taken. This data is most commonly referred to as Exchangeable Image File Format (Exif) metadata. This data is typically not stripped when the image is e-mailed or uploaded. This allows for the verification of photos and videos without even having access to the devices that captured the image. Courts have held that system metadata does not involve a statement by a declarant, making it immune to the hearsay objection.
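How the embedded coordinates described above are stored and read, as an added example that is not part of the original materials: a Python sketch that walks the TIFF-format Exif block of a photo, follows the GPS directory pointer, and converts the degree/minute/second values to signed decimal degrees. The sample block, its coordinates, and all function names are constructed for illustration.

```python
import struct

GPS_IFD_POINTER = 0x8825                      # IFD0 tag that points at the GPS directory
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # BYTE, ASCII, SHORT, LONG, RATIONAL

def read_ifd(tiff, offset, endian):
    """Return {tag: raw value bytes} for one TIFF directory."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(count):
        pos = offset + 2 + 12 * i             # each directory entry is 12 bytes
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, pos)
        size = TYPE_SIZES.get(typ, 0) * n
        if size == 0:
            continue                          # a type this sketch does not handle
        start = pos + 8                       # values of 4 bytes or fewer sit inline
        if size > 4:                          # larger values are stored at an offset
            (start,) = struct.unpack_from(endian + "I", tiff, pos + 8)
        if start + size > len(tiff):
            raise ValueError("entry points outside the Exif block")
        entries[tag] = tiff[start:start + size]
    return entries

def to_decimal(raw, ref, endian):
    """Convert three RATIONALs (degrees, minutes, seconds) to signed decimal degrees."""
    nums = struct.unpack(endian + "6I", raw)
    if 0 in nums[1::2]:
        raise ValueError("zero denominator in GPS rational")
    deg, minutes, sec = (nums[i] / nums[i + 1] for i in (0, 2, 4))
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in (b"S", b"W") else value   # south and west are negative

def gps_from_exif(tiff):
    """Return (latitude, longitude) from a TIFF-format Exif block, or None if absent."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack_from(endian + "H", tiff, 2)[0] != 42:
        raise ValueError("not a TIFF-format Exif block")
    (ifd0_offset,) = struct.unpack_from(endian + "I", tiff, 4)
    ifd0 = read_ifd(tiff, ifd0_offset, endian)
    if GPS_IFD_POINTER not in ifd0:
        return None                           # photo carries no GPS directory
    (gps_offset,) = struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER])
    gps = read_ifd(tiff, gps_offset, endian)
    if not all(tag in gps for tag in (1, 2, 3, 4)):
        return None                           # latitude/longitude tags incomplete
    return (to_decimal(gps[2], gps[1][:1], endian),
            to_decimal(gps[4], gps[3][:1], endian))

def build_sample():
    """Constructed little-endian Exif block: 38 deg 34' 36" N, 92 deg 10' 24" W."""
    lat = struct.pack("<6I", 38, 1, 34, 1, 36, 1)
    lon = struct.pack("<6I", 92, 1, 10, 1, 24, 1)
    header = b"II" + struct.pack("<HI", 42, 8)
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)
    gps = (struct.pack("<H", 4)
           + struct.pack("<HHI4s", 1, 2, 2, b"N\x00")   # GPSLatitudeRef
           + struct.pack("<HHII", 2, 5, 3, 80)          # GPSLatitude at offset 80
           + struct.pack("<HHI4s", 3, 2, 2, b"W\x00")   # GPSLongitudeRef
           + struct.pack("<HHII", 4, 5, 3, 104)         # GPSLongitude at offset 104
           + struct.pack("<I", 0))
    return header + ifd0 + gps + lat + lon

if __name__ == "__main__":
    print(gps_from_exif(build_sample()))
```

In a JPEG file this block is the content of the APP1 segment that follows the `Exif\0\0` marker; a truncated or altered block raises an error instead of returning a guessed position.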
Metadata, or information about information, includes the information embedded in a routine computer file reflecting the file creation date, when it was last accessed or edited, by whom, and sometimes previous versions or editorial changes. Lawyers should also look to system data, which records creation or deletion of files, maintenance functions, and access to and from other computers. Files that are purposely deleted from a computer by the user can be discovered through metadata requests. Residual data also exists on the hard drive, and is most simply analogous to crumpled up newspapers used to pack boxes when one is moving. Expertise in metadata recovery is most likely required to discover this type of information.
The categories of metadata above are in order of cost and difficulty in discovering from least difficult to most difficult to acquire or discover. Attorneys should try to precisely and narrowly tailor their requests for metadata to avoid sweeping and unduly burdensome requests. The metadata information received from the precise and narrowly tailored requests will often reveal more sources of information that can be used to further a successful discovery process.
In White v. Graceland College Center for Professional Development & Lifelong Learning, Inc., an employee who brought a Family Medical Leave Act (FMLA) claim against her employer was entitled to compel her employer to reproduce in native format e-mails and attachments at issue. The creation date of the e-mails and attachments was disputed by the parties, the employee’s computer expert noted discrepancies in the metadata as to the creation dates, and the employer did not adequately explain the discrepancies.
In exceptional circumstances, substantive review of metadata, among other things, can lead to dismissal of claims. In Rosenthal Collins Group, LLC v. Trading Technologies Intern, the defendant’s forensic expert compared one of the plaintiff’s original zip drives containing the source code with zip drives produced by the plaintiff in 2006. The comparison showed that the plaintiff’s expert changed the source code and manipulated last-modified fields and the computer time clock. The court dismissed the plaintiff’s claims.
g. DRAFTING A PERFECT PRESERVATION LETTER
When an attorney suspects the contents of the opposing party’s social media accounts might be needed for discovery, the first step is to send out a preservation-of-evidence letter to the opposing counsel as soon as possible, says Peter LaSorsa, a Mapleton-based practitioner. You can use a standard lawyerly letter for other attorneys, but if you’re sending one to an unrepresented party, make sure you’re crystal clear.
“Make it in language that later on, they can’t go into court and say, ‘I didn’t understand it. I don’t know what preservation of evidence is,'” he says. “Spell it out so a high-schooler can understand it. It’s the old [saying], ‘Know your audience.'”
Sharon Nelson, president of Virginia-based digital forensics and information security firm Sensei Enterprises, recommends that attorneys download a guidebook called “The Perfect Preservation Letter” written by Craig Ball, a computer forensic analyst and former trial lawyer.
In the guidebook, Ball notes that preservation letters are intended to remind opponents to preserve evidence but also to serve as “the linchpin of a subsequent claim for spoliation, helping to establish bad faith and conscious disregard of the duty to preserve relevant evidence.”
Missouri House of Representatives, HB2059, https://house.mo.gov/bill.aspx?bill=HB2059&year=2018&code=R (last accessed September 20, 2018)
Ganzenmuller, Ryan G., Snap and Destroy: Preservation Issues for Ephemeral Communications, 62 Buff. L. Rev. 1239, 1260 (2014) (see The Sedona Conference, Best Practices Recommendations & Principles for Addressing Electronic Document Production 95-96 (2d. Ed. 2007)).