Ephemeral messaging technologies, which retain messages for a limited period of time before automatically destroying them, have been around for years. But these technologies are just starting to capture the attention of the legal community, as lawyers grapple with ephemeral messaging’s implications on document retention requirements in regulated industries and preservation obligations when litigation is pending.
Today, there is an ever-growing number of increasingly popular ephemeral messaging services available. Snapchat, perhaps the first widely popular ephemeral messaging app, boasts 37 million active users, for example. For the security minded, services like Wickr, Signal, and Confide combine both advanced encryption and self-destructing messaging. Such apps have been adopted by journalists, activists, “the Davos class,” and others concerned with the exposure of valuable secrets.
Now, the trade secrets litigation between Uber and Waymo could force courts to start confronting the legal implications of ephemeral messaging, after an eleventh-hour revelation of previously undisclosed documents derailed the suit just days before trial. Those documents, from an ex-Uber employee, claim that Uber engaged in a campaign of illicit information gathering against competitors and employed a three-part strategy to avoid a paper trail that could be discovered during litigation. That alleged scheme involved a combination of non-attributable hardware, over-designation of attorney-client communications, and the ephemeral messaging app Wickr.
Logikcull recently sat down with Jennifer DeTrani, general counsel and associate-founder at Wickr, to discuss ephemeral messaging, the likely precedent-setting implications of the Uber suit, and why she is pleased that courts are now addressing this technology. A transcript of that conversation, lightly edited for concision and clarity, follows.
Logikcull: Let’s start with the basics. What is Wickr? Can you walk us through the technology, how it works, and how it compares to similar services out there?
Jennifer DeTrani: Wickr is a secure communications platform where you can message, share files and hold end-to-end encrypted conference calls. It is built on proprietary encryption algorithms that ensure privacy and security when sharing critical data. Other areas that I would point to for differentiation include regular independent audits of our platform, the EFF all-star rating for privacy and transparency, and the pretty unique lineup of our backers and advisers who really comprise the checks and balances on the company.
We’ve chosen to go about creating the best-in-class messaging and communication platform in a very unique way. From the get-go, Wickr is founded on a desire to provide privacy to high-value communications – from sources and journalists trying to protect the privacy of their communication, to dissidents, and high net-worth individuals making critical decisions. Now Wickr is going into the enterprise market in a very deliberate fashion, providing a full suite of communication tools including messaging and encrypted voice & video, all built on that same security architecture and privacy values.
Logikcull: How has the transition into enterprise been? Have you seen businesses adopt these technologies?
DeTrani: We are seeing a great interest in ephemeral and encrypted communication among teams across industries. This comes down to teams and organizations understanding the information risks associated with leaving communications unprotected. The use cases we see vary – from the incident response teams triaging a breach to boards of directors making critical decisions or communicating in hostile environments or teams that have an obligation to protect the attorney-client privilege. How can you best ensure that?
It's been interesting pivoting into the enterprise because you're really seeing companies think about how their IT department can effectively combat threats from both state and non-state actors, which is not something an average business was used to in the past. There is a plethora of other threats that are imminent within many organizations, like phishing and social engineering. How do you ensure that your finance department isn't going to click on a [fraudulent] invoice and make sure that the servers are still operational?
Those kinds of mistakes Wickr is designed to nullify by becoming a go-to communication platform for sensitive conversations in those scenarios.
Logikcull: You’ve also been making a push for the legal market. You’ve spoken, for example, at LegalTech West, and recently published a blog about ephemeral messaging for attorney-client communications. Are lawyers responsive to this? How have their reactions been?
DeTrani: The reaction has been positive and very thoughtful. As I'm sure you can imagine, lawyers are creatures of habit. They get very comfortable with using specific tools. Just like journalists who understood that they needed to find something more secure because a source can be exposed, lawyers know they have an obligation to protect client information against breaches and public exposure. We’ve seen firms like DLA Piper suffer significant incidents.
But lawyers also understand risk. Here, where you’ve got constant parades of cyber-breaches in the daily headlines, we all are looking to try to reduce risk for our own communications and also for our clients’ communications. So, we've had a lot of positive response from legal teams who are seeking out a tool to ensure attorney-client privilege or to ensure that, after a data breach, their clients are turning to the right tool to get operations back up and running.
Logikcull: Speaking of attorneys being risk-motivated, in the discovery space, attorneys are often motivated by the fear of sanctions for spoliation or something similar. The big spoliation cases have been the catalyst for a lot of changes in the industry.
So, I wanted to talk about the discovery implications of the ephemeral messaging. Would messages sent through Wickr be ESI that is required to be preserved if litigation is pending? Then, if so, there's obviously a risk that the messages might not exist at that point or that they might be spoliated later on. How does Wickr address that—or does it?
DeTrani: The question whether ephemeral messages are ESI is very interesting. I expect that we'll see it debated in the near future. I do think there is a strong argument to be made that ephemeral communications are closer to voice than email communications given that by nature messages are never stored on a server nor are they accessible to anyone except the parties to the conversation. And there’s some interesting case law that supports that.
While it is unclear how the court is going to view that yet, it is certainly clear that, absent any litigation holds or compliance requirements mandating retention, enterprises can and should consider data minimization as an effective tool for data protection.
I think it's an interesting question on how to get lawyers thinking more strategically about retention. That's something that I myself had to go through when I started using Wickr as my primary communication tool as a lawyer to realize that there's a treasure trove of data that we create that doesn't belong anywhere and serves no legal or business purpose. Take all the back-and-forth between lawyers on the team culminating in something final—it’s that final piece that is really important.
Again, to those of us who like to keep all of our drafts, we have to look at the numbers: almost 70 percent of data does not have any legal or compliance purpose, $4 million is the average cost of a data breach. When you think about the amount of proprietary, confidential information that lawyers are sitting on top of, you realize that our habits could damage a client or an entity itself. Then it really does make you want to change your practices quite a bit.
Data storage is like your family garage. You've just got more and more junk that you're putting in there, and none of it is going out.
What data minimization and ephemerality do is force people and entities to be deliberate in their choice of what to retain, where to put it, how long to keep it, to understand who they're sharing it with. And of course, it helps you become compliant because you now know exactly what you have when it's time to preserve information.
Logikcull: If I’m a GC and my employees are using Wickr, how would I institute a legal hold? Would I tell them to stop using Wickr, or is there something in the application itself?
DeTrani: Wickr Enterprise allows for continued use of the encrypted ephemeral platform even during a litigation hold. In other words, preservation is a part of that product. It is important for us that our customers know that Wickr and compliance go hand-in-hand. We have specifically built the platform to enable preservation during litigation holds so that there are no more excuses for leaving valuable information unprotected.
For law firms, the financial sector, or government, if a retention requirement is there, Wickr Enterprise is the go-to tool to ensure data security at the device level, and enforce a retention policy on the back end for specific team members under lit hold to make sure that their communications are retained for compliance needs.
Logikcull: Speaking of, let’s talk about the Waymo-Uber lawsuit. As I’m sure you're aware, the trial was set to begin earlier this month but that was thrown off track by revelations that a former Uber employee had accused the company of trying to evade both regulatory requirements and its discovery obligations through a variety of means—one of which was the use of ephemeral messaging. What do you feel the impacts of this on the adoption of ephemeral messaging and technologies like Wickr might be?
DeTrani: We definitely welcome the public conversation on ephemeral communications in the enterprise. The interesting part is we actually are seeing a pretty significant increase in sign-ups for our platform.
Lawyers and the business community are really now looking into ways to deploy this tool responsibly. The case has brought up some good questions that come up when any new technology enters the stage.
I do believe that ephemerality is here to stay. When you look at the case and all the different issues that are going on there, you've got video conferencing tool Zoom, Wickr, and other tech brought up. The question becomes do we ban the use of all technology in business settings to avoid any ambiguity while compromising data security, or should we rather come together to develop a responsible information governance approach to the use of any technology in business settings?
This conversation is definitely bigger than any one company. Whether it is Uber or anyone else, the tools are here to help us get the work done and protect information, they are agnostic. We can’t be condemning companies failing to protect our data like in the Equifax case, while at the same time stigmatizing those who do take a proactive approach to security like many organizations in today’s risk environment.
Logikcull: When the Jacobs Letter was first revealed, at the initial hearing, Judge Alsup, who is the judge in the Waymo-Uber case, described ephemeral messaging and the other strategies that Uber was supposedly implementing as a “shadow system” and said that, “any company that was set up that kind of system is suspicious as can be.” How do you respond to that characterization or even the idea that ephemeral messaging is inherently suspicious?
DeTrani: I think that it’s a viewpoint not that widespread, at least not in the circles where teams are dealing with information security risks facing legal and corporations. I think it is okay to see some confusion in response to change, most technologies started out as somewhat suspicious—think computers, email, fax and e-signatures. There's always a learning curve when it comes to a new tool.
The Center for Democracy and Technology [has argued] that data-minimization should be something that society is strongly considering at this point, given all of the data breaches and risks that are posed by not implementing something that reduces the risk of having too much “bounty” out there for bad guys. Most companies that we talk to and most people within security are familiar with that.
That is where a robust information governance policy is a critical piece to any security strategy. When courts see that an organization has an ongoing 30-day data retention policy for emails, which is what many responsible organizations now do, judges would have no issue with ephemerality being a routine business practice enforced for cost-effectiveness or security. But if it appears that you only start using a particular tool to avoid discovery, then it becomes an issue. It comes down to taking a proactive and responsible approach to data management.
Logikcull: Let's say that I am a company who's now learning about Wickr because of this case or related publicity. What things should I keep in mind when considering whether or not to move to a product like Wickr? How would those considerations vary if I was a current user facing pending litigation?
DeTrani: What we do is we tell all of our customers, future and present, that they need to obviously bring the technology in house pursuant to a reasoned information governance policy. There are two pretty seminal cases that establish that if the information is discarded under an IG policy that is reasoned, there is no inference of bad faith.
Likewise, we want people to think about the duty to preserve. That duty to preserve only really arises if you are in a regulated industry, if you’ve contractually obligated yourself to retain something, or if there's a litigation hold. So, when any of those issues arise, it's a different playing field and that is why we built Wickr Enterprise. Just like with any tool, such as Microsoft Office for example, you’d want to be very deliberate in thinking through what makes sense for your organization. We've seen most law firms now move over to a 30-day retention period for emails. So, ephemerality is not that farfetched for companies. That makes the conversation very easy for IT and information management departments that are considering a tool like Wickr.
Ultimately, it's a matter of risk tolerance. That risk tolerance extends to both sides of the pendulum. There's the risk tolerance of having an insecure infrastructure and there is risk tolerance of having an infrastructure that's more private but that's using a more cutting-edge tool. And we built the platform to ensure that there can be no more reasons to leave your data unprotected because Wickr enables both data privacy and compliance.
Logikcull: The Waymo-Uber litigation is probably going to be precedent-setting around ephemeral messaging. What factors do you think that the court should focus on in terms of addressing the use of ephemeral messaging and when that usage might cross a line from permissible to impermissible?
DeTrani: I have a lot of faith that the court will diligently apply the Federal Rules of Civil Procedure to examining the IG policies, the cyber risks and the intent of the parties. With more and more information being generated by companies every minute, organizations large and small have to come up with ways to protect their customers and employees. Storing every piece of communication is certainly a losing game. You simply become the target. So we have to engage everyone, including courts, in developing a responsible approach to data protection.
Stigmatizing proactive security strategies and communications tools will only result in weaker security for all, and I’m sure the judge won’t see that as an acceptable outcome in this case.
This post was authored by Casey C. Sullivan, who leads education and awareness efforts at Logikcull. You can reach him at firstname.lastname@example.org or on Twitter at @caseycsull.