Many of us use end-to-end encrypted messaging or ephemeral messaging apps every day or at least have some familiarity with popular apps like WhatsApp, Signal, and Snapchat. Users enjoy the privacy that end-to-end encryption provides because the information remains secure against threats of third-party access. Ephemeral messaging allows a message to exist for a short period and then automatically expire, making the data potentially irrecoverable. While these messaging methods are increasingly omnipresent in our daily lives and useful for keeping personal conversations private, their use within the business sphere poses serious compliance and litigation concerns.
Substantial legal repercussions may arise when bankers and members of the financial service industry use ephemeral messaging or end-to-end-encryption apps in the context of securities trading. For example, in September 2022, the SEC announced charges against fifteen different broker-dealers and one investment adviser for violating provisions of 17(a) of the Securities Exchange Act of 1934, resulting in more than $1.1 billion in collective penalties. 17(a) requires broker-dealers to keep records for the protection of investors and for the public interest. Employees at the firms charged with the highest penalties had been using their personal devices to communicate internally and externally via WhatsApp. Use of such apps remove the paper trail necessary to ensure compliance with laws protecting investors and market integrity, and raise issues of cybersecurity.
Related to these concerns, in March 2023 the Department of Justice published a document titled Evaluation of Corporate Compliance Programs, acknowledging the growing ubiquity of messaging platforms in the business-sphere and advising that “prosecutors should consider a corporation’s policies and procedures governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications.” Firms are advised to make sure electronic data and communications are accessible and preservable. Further, prosecutors should consider the rationale behind a certain firm’s communication channels and preservation policies, and whether they are being enforced. Additionally, one attempt at regulation has been sponsored by Senator Lindsay Graham through the introduction of a bill called the Lawful Access to Encrypted Data Act, which would require platform providers to assist law enforcement agencies in decrypting remotely stored electronic information. Critics suggest this would effectively be an “outright ban on end-to-end encryption.”
Consequences from businesses’ use of ephemeral messaging and end-to-end encryption may arise not just in the day-to-day communications, but particularly in the context of a firm anticipating or engaged in litigation. Firms that fail to preserve communications pertinent to litigation by using ephemeral messaging apps may face spoliation of evidence allegations. Where messaging apps allow a user to disable the auto-delete feature, litigants may have a duty to preserve messages that are pertinent to the legal action, particularly if the firm is under a litigation hold order to preserve electronically stored information (ESI).
For example, in We Ride Corp. v. Huang, a suit concerning trade secret misappropriation of WeRide’s autonomous car source code, sanctions were issued against Huang and his firm AllRide for use of the ephemeral messaging app DingTalk. Huang and other employees started using DingTalk after a preliminary injunction had been issued enjoining it from destroying or altering all documentation, including ESI related to WeRide’s confidential information and AllRide’s source code. While AllRide had also deleted several employee email accounts and wiped their computers after WeRide’s complaint was filed, the court considered the evidence that AllRide started using DingTalk after the issuance of the injunction in its decision to issue sanctions. The court reasoned that AllRide’s decision to have employees start using the ephemeral messaging app only after the injunction issued showed that AllRide knowingly engaged in spoliation.
The issue of spoliation through ephemeral messaging has arisen in another misappropriation of trade secrets case, Waymo LLC v. Uber Technologies, LLC, and in the case of Herzig v. Arkansas Foundation for Medical Care, Inc. concerning the plaintiff’s download and use of the Signal app after being placed under a litigation hold. A uniform framework for how courts might analyze these issues has yet to develop, though this type of spoliation may be analyzed under Federal Rule of Civil Procedure 37. Rule 37(e) provides:
[i]f electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery, the court (1) upon finding prejudice to another party from loss of the information, may order measures no greater than necessary to cure the prejudice; or (2) only upon finding that the party acted with the intent to deprive another party of the information’s use in the litigation may: (A) presume that the lost information was unfavorable to the party; (B) instruct the jury that it may or must presume the information was unfavorable to the party; or (C) dismiss the action or enter a default judgment.
To avoid these sanctions, businesses should use caution when implementing the use of encrypted messaging in anticipation of or during pending litigation. Businesses may preemptively implement and review practices for using such messaging systems, like disabling the auto-delete feature, or refraining from using the feature in apps like Signal which require manual configuration of auto-deletion.
While policies to comprehensively address end-to-end encrypted messaging among highly regulated industries, like finance and securities trading, are continually developing, and ephemeral messaging discovery processes remain fairly uncharted, the law surrounding these technologies will increase as widespread use of these messaging apps increase in the workplace. Businesses should attempt to remain ahead of the curve by considering what preservation policies and best practices they should have in place.
Victoria R. Surati is a 2L at Wake Forest University School of Law. Prior to law school she received her B.A. at the University of North Carolina at Chapel Hill. She is interested in the intersection of technology and the law and plans to practice civil litigation upon graduation.
LinkedIn: www.linkedin.com/in/victoria-surati
Email: [email protected]