Ephemeral messaging – pros, cons and obstructing justice
January 2025 | FEATURE | RISK MANAGEMENT
Financier Worldwide Magazine
January 2025 Issue
Ephemeral, third-party messaging applications offer parties impermanent forms of communication in a variety of ways. Some automatically delete messages after the recipient has read them. Some store messages for a set period of time and then delete them. And some enable users to delete messages manually but otherwise continue to store messages by default.
These apps can, however, be a double-edged sword.
From a security perspective there are obvious benefits. Messages that are automatically deleted when read are ideal for private information intended solely for conversation participants. Security professionals often tout the benefits of ephemeral messaging for sensitive communications because it leaves nothing on servers or devices for hackers or other unwanted guests to appropriate. Other benefits include reduced exposure to data breaches and lower data storage costs.
Regulatory scrutiny
However, there are risks when using ephemeral messaging – particularly related to regulatory compliance and evidence preservation.
The EU’s General Data Protection Regulation (GDPR), the US Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act (CCPA), for example, require certain data retention practices to ensure accountability, transparency and protection of personal information. Ephemeral messaging may automatically erase data which legally should be preserved for regulatory compliance, legal holds or evidence in litigation.
This area has attracted heightened regulatory scrutiny in recent years. In the US, for example, the US Securities and Exchange Commission and Commodity Futures Trading Commission issued fines totalling more than $2.5bn in 2022 and 2023 to companies for violations of record-keeping requirements stemming from use of third-party messaging applications.
In January 2024, the US Department of Justice (DOJ) and Federal Trade Commission (FTC) revised their Evaluation of Corporate Compliance Programs guidelines, setting out new data retention expectations for personal devices and, specifically, ephemeral messages. This included updating the language in their “standard preservation letters and specifications for all second requests, voluntary access letters, and compulsory legal process, including grand jury subpoenas, to address the increased use of collaboration tools and ephemeral messaging platforms”.
The guidance “reinforces parties’ preservation obligations for collaboration tools and ephemeral messaging”, reflecting how widely these platforms are now used in the modern workplace.
“Companies and individuals have a legal responsibility to preserve documents when involved in government investigations or litigation in order to promote efficient and effective enforcement that protects the American public,” said Henry Liu, director of the FTC’s Bureau of Competition. “Today’s update reinforces that this preservation responsibility applies to new methods of collaboration and information sharing tools, even including tools that allow for messages to disappear via ephemeral messaging capabilities.”
“The Antitrust Division and the Federal Trade Commission expect that opposing counsel will preserve and produce any and all responsive documents, including data from ephemeral messaging applications,” stated Manish Kumar, deputy assistant attorney general at the DOJ’s Antitrust Division.
Policies and training
This heightened focus on ephemeral messaging requires organisations to put into place policies and best practices which ensure they remain on the right side of compliance. The DOJ has made it clear that it will be checking whether firms have robust policies that are clear, easy to follow, readily accessible and proactively communicated to all affected staff.
By establishing clear policies to govern the use of ephemeral messaging, companies can balance the advantages of reduced data storage with the need to uphold their legal obligations.
Training sessions must be provided to staff. These sessions should set out what is expected of individuals and the consequences if they fail to adhere – in this instance, criminal liability may be at stake. Training should be engaging, offering real-life examples and context as to why the policy exists.
Technology solutions
Beyond manual policies and training, technological solutions are available to help mitigate compliance risks. For example, technology can be implemented to limit access to ephemeral messaging. Mobile device management tools can remotely enable or disable ephemeral messaging features within apps.
Some enterprise ephemeral communications solutions enable IT staff to save one copy of all communications to designated firewalled storage, making them compatible with certain compliance obligations.
Similarly, compliant communication platforms like the Global Relay App allow employees to use services such as WhatsApp or SMS while disabling disappearing message options. This ensures all communications are captured and archived automatically, making them available if needed for future investigations.
Efforts can also be made to capture communications from ephemeral messaging apps. Data connectors integrate communication data from various sources into a compliant archive, ensuring complete data retention. They capture messages at the source, including those sent via ephemeral messaging apps, before they disappear. This enables organisations to retain critical communications across all channels for compliance purposes.
Ephemeral messaging is a complex issue, requiring companies to identify tailored solutions. As the technology continues to evolve, companies will need to consider whether additional steps should be taken to limit future liability, particularly as regulatory scrutiny intensifies.
© Financier Worldwide
By Richard Summerfield