Messaging platforms with automatic sunset capabilities – ephemeral apps like Snapchat, Wickr, Signal, Telegram, and Dust – are slowly creeping into the business world. These apps offer end-to-end encryption and automatic deletion after a certain period of time, or even deletion immediately upon opening.  The benefits of such apps are obvious in a world  increasingly concerned with data security, and where doing business in insecure environments and in countries with broad search and seizure capabilities and authority renders trade secrets and confidential information vulnerable.

What is the current state regarding the use of such platforms in a business or government context? Federal and local laws provide record retention requirements for public officials. While they vary by jurisdiction, they usually require records created or received in connection with public business be maintained for a certain period of time. Recently in 2018, an independent investigation of the Long Beach police department’s use of TigerText, an ephemeral messaging app that deleted messages after five days, was launched to determine if this was a violation of the state records laws. The investigation concluded it did not violate the California Public Records Act because it was mainly used for operational planning and compared the use of the app to making a telephone call. Additionally, the investigation established that Long Beach had similar capability with its prior BlackBerry system which allowed for a three-day deletion of messages [1].

During discovery in 2017 in Waymo v. Uber , a case involving the trade secrets of the self-driving programs at each, Waymo learned that Uber used Wickr, an app that sends encrypted messages that self-destruct, even after the implementation of a legal hold. Waymo argued spoliation, but Judge William Alsup ruled that while Waymo could mention the use of the app “as a possible explanation for why Waymo has failed to turn up more evidence of misappropriation in this case,” it was not permitted to use that evidence to “the extent that it becomes cumulative, invites improper speculation, vilifies Uber without proving much else, or threatens to overwhelm the trial and distract from the merits of the case. (Waymo LLC v. Uber Technologies, Inc., et al., Omnibus Order on Extent to Which Accusations re Uber’s Litigation Misconduct May Feature at Trial, No. C 17-00939 WHA, N.D. Cal. [2]) In other words, Judge Alsop did not rule that the use of Wickr itself was necessarily spoliation of evidence. The parties settled several days into trial, so the question was left there.

Recently, the Department of Justice (DOJ) relaxed its stance on the use of ephemeral messaging in connection with its Corporate Enforcement Policy of the Federal Corrupt Practices Act (FCPA). In the 2017 policy, the DOJ provided for declination if the company under investigation satisfied record retention requirements that prohibited “the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications.” Dep’t of Justice, U.S. Attorney’s Manual § 9-47.120 (Nov. 2017). This appeared to directly prohibit ephemeral messaging. However, in March 2019 the DOJ removed this condition. The revised policy requires “[a]ppropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.” Dep’t of Justice, U.S. Attorney’s Manual § 9-47.120(3)(c) (Mar. 2019), [3].

In the March 2019 Report on the Investigation into Russian Interference in the 2016 Presidential Election, Special Counsel Robert S. Mueller, III appears to disapprove of ephemeral messaging. He stated on page 10, “Further, the Office learned that some of the individuals we interviewed or whose conduct we investigated — including some associated with the Trump Campaign — deleted relevant communications or communicated during the relevant period using applications that feature encryption or that do not provide for long-term retention of data or communications records. In such cases, the Office was not able to corroborate witness statements through comparison to contemporaneous communications or fully question witnesses about statements that appeared inconsistent with other known facts.” [4]

It’s clear that the legal acceptability of ephemeral messaging turns a great deal on company policies, compliance programs, and the purpose for the use of such messaging. Business and governmental use of ephemeral messaging is increasing and will likely continue to do so for the reasons noted above – security and protection of information. Certainly, going forward, it will be prudent to weigh the benefits of ephemeral messaging against the legal risks, and to develop appropriate policies, procedures, and training in the implementation of their use.