Not All Messaging Apps Are Ephemeral

April 5, 2023
39:42 minutes

In this final part of a special podcast series unpacking recent DOJ policy updates, There Has to Be a Better Way? hosts Hui Chen and Zach Coseglia check in with Ropes & Gray’s global head of e-discovery, Shannon Kirk, to better understand how companies should think about non-email electronic communications. Shannon explains why using more precise language when talking about different forms of communication is important in order to manage them appropriately, and offers some options for meeting DOJ’s expectations for preserving data.


Zach Coseglia: Welcome back to the Better Way? podcast brought to you by R&G Insights Lab. This is the podcast where we are on a curiosity-driven hunt for good ideas and better ways of tackling long-standing organizational challenges. I’m Zach Coseglia, and I’m joined by my friend and co-host, as always, Hui Chen. Hui, how’s it going?

Hui Chen: Good. Hello, everyone—welcome back.

Zach Coseglia: We are still on a bit of a detour from our regularly scheduled programming to continue this discussion about the recent Department of Justice announcements about corporate compliance and related revisions to the “Evaluation of Corporate Compliance Programs” (ECCP) document/guidance. Today, we’re talking about document retention, acceptable use of corporate devices, and the use of so-called ephemeral messaging and related applications. And we are very lucky to be joined by Ropes & Gray’s own Shannon Kirk. Shannon, say hi to everybody. Thanks for joining us.

Shannon Kirk: Hi, everyone.

Zach Coseglia: Shannon is the global head of e-discovery, discovery strategies & data analytics, here at Ropes & Gray. She’s also literally one of my favorite colleagues and is the leading voice on the challenges companies are facing and the compliance initiatives that they’re developing to better manage all of this that we’re going to be talking about today. Shannon, why don’t you tell our listeners a little bit more about you?

Shannon Kirk: Sure. Thanks for having me—and I share the same about you, Zach. I am, as Zach said, the global head of e-discovery (long title truncated) at Ropes & Gray—I’ve been in this position at Ropes for 15 years. Prior to that, I was litigation counsel at a mid-sized firm in Chicago, Ungaretti & Harris, and I started their e-discovery committee. And so, I’ve been doing e-discovery now since around 2006 and full-time since 2008, and happy to be here.

Zach Coseglia: Awesome. I wonder if maybe the best place to start is to define some key terms, because I gave an intro and you very well may have even been cringing in the way in which I was introducing this topic. So, Shannon, what are some of the key words that are part of this discussion around the use of ephemeral messaging applications and modern communications that people use, maybe misuse, or that we should all just know?

Shannon Kirk: It’s almost like I paid you to present the question in that way, because let’s talk terminology—it matters. It matters substantively and technologically. You used the word “ephemeral,” and a lot of people do. In fact, I believe even the regulators, plaintiff’s counsel, defense counsel, and everybody in corporate America uses this word “ephemeral.” It’s not true and it’s not accurate, and that matters. “Ephemeral” means fleeting or not existing for a long time—we just use that as a Band-Aid word when we’re talking about electronic communications that aren’t email. It’s sort of this blanket term, but we need to stop using the word “ephemeral” because it puts in the minds of some folks—and I know this in talking with clients over the years—that it is not capable of being preserved because it’s not saved. That’s what ephemeral means, and some people take that literally, and therefore, for years, some folks have thought they could not do anything about it. That’s not everybody, but that’s one example of how terminology matters.

What we’re talking about here is generally about non-email electronic communications—we are talking about generally two buckets of communication. I’m going to keep out of this conversation all of the forms of communication that can happen within social media, such as direct messaging in Facebook or Twitter—I’m not talking about that. I’m talking about text messaging and app-based communications—two buckets. Again, that division matters because it matters what you put into your paper policy, and it matters what technological solutions exist for both, in terms of preservation and monitoring. When I say “text messaging,” that’s another thing that folks will do—they’ll use “text” as a Band-Aid word, a blanket word, to mean all non-email communications. So, one trap people do is they’ll either call it “ephemeral” or they’ll call it “texting,” but when we start putting pen to paper on a policy and technological solutions, we really need to be precise here because there’s differences. When I say “texting,” I mean your traditional SMS texting that comes and you use traditionally on your phone, it comes with your phone number. Note, I did not include in there iMessage.

Zach Coseglia: Yes, explain the difference to folks.

Shannon Kirk: iMessage is really just another form of app-based communication, and it is not the same as SMS texting, even though the user experience is the same. It’s the same because those messages are coming within the same container, the SMS and the iMessage. Why do you care? You care because technological solutions around text messaging, SMS or iMessage, will react differently. Some of them will not capture and preserve iMessage, whereas some will, so we want to be precise there. When I talk about app-based communications, I mean literally apps that allow you to communicate. Examples include (and the more typical ones in the United States would be things like), WhatsApp. In China, the predominant one is WeChat, but folks in the U.S. use that, as well. Latin America is predominantly WhatsApp. Japan is Line. There’s also Telegram, which is pretty popular. There’s a number of them, but those are the main ones that we get concerned about. The ones that I just mentioned, almost all of them are not ephemeral, or they could be if your settings were such that you set them up to disappear after you log out or something, but for the most part, you can have settings that retain that information for who knows how long. For example, when we do internal investigations and we collect phone data, we often have WhatsApp data going back a long time, or sometimes we don’t—it depends on the user’s settings, etc.—but to just call it all ephemeral, again, it’s not accurate. So, that’s what we’re talking about in terms of the communications terminology.

Zach Coseglia: We just did a podcast recently that came out with our data analytics guy, where he talked about how his journey as a data journalist was really about precision journalism and how what we are trying to do is precision compliance or precision diversity, equity & inclusion, and so, I like the theme here of the importance of being precise around these terms. Given the importance of precision and differentiating between all forms of communication, and specifically distinguishing between app-based communications and text messaging, helps us just underscore why the difference between text messaging and app-based communications matters.

Shannon Kirk: Sure. It matters, again, for two buckets. It matters for what your paper policy is going to say, and whatever your paper policy says, under that, is, “How are you going to train your people? How are you going to enforce? How are you going to monitor?”, etc. So, when we’re talking about text versus app, what is your paper policy going to tell your people is allowed and is not allowed? At this stage, given what we’re seeing with the SEC, the DOJ, and civil litigation, if your paper policy says, “You are permitted to use text for business purposes,” but what you really mean is they’re only allowed to use SMS texting but not app-based communications, then your paper policy is not in line with your intent. Then, I can almost guarantee it’s not in line with whatever technological solutions led you to say, “We will allow you to use text messaging.”

Zach Coseglia: Got it. So, it’s important to be precise in the language that you use in the policy so that it’s clear that your intent is reflected accurately in the policy around what is allowed and what is not. But, then, it almost more importantly matters because the technological solution that you’re going to use to retain those messages as part of your risk mitigation plan is going to be different depending on which types of communications we’re talking about.

Shannon Kirk: Precisely, right. A lot of organizations right now are doing exactly this: getting a little more precise and simple. Precision doesn’t mean more complicated—it actually means it’s easier to digest. We’re writing for people who often do not live in this legal, techno-whatever world. They’re on the road making sales. They’re conducting business. They have to comply with policies that they can easily read, digest, understand, and follow. So, when I talk about technology and terminology being precise, I mean just be really clear about it and making sure that your policy is written in a way that is reflecting your intent with clear language.

Hui Chen: I just want to say amen to that because I think a lot of times, we see people struggling with policy language that is not precise, not clear, or not meant for non-legal people to read, so I do think that’s the very first step to anything, not just on this subject. So, thank you so much for saying that. We very much embrace precision, simplicity, and clarity.

Zach Coseglia: Let’s talk about some of the other terms: personally owned, BYOD. Talk to us about the other key terms that we need to know.

Shannon Kirk: Another area of terminology that really matters for, again, paper policy writing and technological solutions is understanding that what we’re talking about here for a corporate environment is typically three buckets of devices. Corporate-issued or corporate-owned: the company buys your iPhone—that’s bucket one. Bucket two is BYOD—this is when the employee buys the device but enrolls in some formal BYOD program (we’ll talk about that). The third bucket then is personal: a straight-up personal phone. We need to talk about them in those three buckets, and be clear in our paper policy and our technological solutions which one we’re talking about and what treatment applies to each. When folks out there now who are dealing with, addressing, and reacting to what the SEC is doing in the sweeps and the DOJ’s latest statement and they refer to it all as “personal devices,” you can see how they’re doing a disservice to themselves. When you dig into it and you ask, “What do you mean by personal devices,” and they say, “I mean their iPhones and stuff—you know, whatever they’re using,” and then I say, “Did you issue that to them? Did you give them and buy them the iPhone?” “Yes, we did.” That has a different meaning in the law and in terms of information governance requirements, because if what you really meant was, “People out there are using their own phones doing X, Y, Z and we have no MDM policy on it, we have no technological solutions on it,” that’s also a different context, and so, let’s deal with it.

Hui Chen: I have a question about the BYOD. When you say a BYOD program is where an employee buys the device and enrolls it in a program, when you say “employee buys” in that sense, is the employee actually paying for that device? Is that correct?

Shannon Kirk: It’s going to be different in every organization. Typically, the employee buys their own phone. Some programs or some organizations then reimburse that person…

Hui Chen: For the cost of the phone itself or also for the subscription to use wireless services?

Shannon Kirk: It could be all of it, could be some of it—it’s all over the place. Also, within some organizations, depending on if it’s a global organization with multiple different units, it could be different within an organization. It could be different because this business unit has X, Y, Z budget for tech and they’ve chosen to use it in this way on BYOD, so it is a mixture.

Hui Chen: The reason I ask that question is I like to understand how that affects the corporation’s ability to have access and control over the communications that occur—so, to me, different scenarios, even under BYOD. One is—and I’m not even going to use the word “buy” because buy, to me, is an act of purchasing (that doesn’t actually tell me who actually pays for the phone)—if I go out and spend my money but I get reimbursed for it, I just made the purchasing decision. I didn’t actually pay for the phone—the phone’s actually paid for by the company, and they just paid me later. So, I’m going to say the company has some sort of ownership interest in the phone, in the physical phone itself. The second bucket is after you own the phone, you’ve got to pay for some kind of connecting service provider, so there’s a cost associated with that. To the extent that the company pays for the phone and/or the subscription services, does that impact the company’s ability to access and control what happens on that phone and through those services?

Shannon Kirk: My favorite question. When we have a BYOD or corporate-issued device, most of the time, both of those phones get installed on them what’s called mobile device management (MDM) software. MDM can help to restrict certain apps that are allowed to be downloaded within the container of MDM on the phone, whether it’s BYOD or corporate-issued, and it can also allow for access to company-supplied data sources, etc. So, that’s one way of control on BYOD. The issue of ownership of the actual device, when we’re talking BYOD, is only a factor under consideration, because what we’re really talking about here is the data and the information. Most companies have some form of policy language somewhere that says, “By the way, we own our information. We own our IP. If you are conducting business, that business information belongs to the company.” When you talk to regulators or you talk to your opposing counsel in litigation, the focus is more on the information, and the possession, custody, and control argument. There’s several cases now in the United States that would say, “What we’re talking about here is not the device itself and who paid the money for it, but who has possession, custody, and control of the information and the data, wherever it is?”

Hui Chen: For employees who join a company that says, “We have a BYOD. You can bring your own phone, whatever phone you have and give it to us to enroll in our program. We’re going to basically install some kind of management device,” so, I’m the employee, I’m thinking, “What? I’m going to bring my phone and because I use it for work now, you’re going to be able to dip your hand into my phone, and potentially read everything that I have on my phone? I send a message to my family, or I send a message to my butcher—all this is going to be captured by you?” I’m going to say, “No, thank you. If you don’t give me a phone, then I’m just not going to work with a phone, thank you very much. So, if you don’t give me a device that you allow me to use for my work that’s completely separate from my personal life, then you’re just going to have to accept that I’m not going to use a phone in connection with this job,” which is almost impossible for many jobs. Are you seeing this kind of sentiment at all? Or any reaction from you from the scenario that I just presented?

Shannon Kirk: Absolutely a reaction. And absolutely there are people out there, rightfully, who don’t want their employer to see everything they do on their phone. Now, there’s a few things, though, that I should clarify when we’re talking about mobile device management software being put on a BYOD device or a corporate-issued one. What that technology is doing is not necessarily giving the company the ability to see the content of everything on your phone—it might, depending on the configuration or what tools you’re using—but most of the time, your typical MDM is not going to allow the company, without more, to see the content within WhatsApp. It will know you have it. It might even restrict it from being able to be downloaded on your phone. And so, a lot of companies now are looking into that: “What can we block, by using MDM or another technological solution, from even ever being downloaded on the phone?” To actually get to the content, you have to have other technological solutions and configurations put into place, and that is exactly where you are seeing folks now in the wake of the SEC sweep and other industry groups looking. They’re looking at technological solutions—it’s called middleware. There’s a couple of top ones out there right now. I think of it in the most laywoman’s way as a bear hug: This is middleware that lives on the phone that essentially bear hugs that content and captures it (the WhatsApp communications), so that corporations could ultimately fix their paper policies to say, “We know our people want to use WhatsApp, so let’s add on this middleware that would bear hug that data. We know we’re preserving it, so we’re complying with whatever reg requires us to monitor or preserve it. And then, the bear hug of all of that gets thrown into an archive.” So, it’s a long way of saying just simply because you allow BYOD or just simply because you give somebody a corporate-issued phone, without more, doesn’t necessarily mean that the company sees all the content.

Zach Coseglia: That’s super helpful. Let’s continue—let’s switch gears just a little bit. I do want us to obviously get to the recent DOJ statements and the revisions to the ECCP, but before we get there, I think you can provide some really important context for our listeners—some context for the attention that the Department is putting on the use of these applications, because it’s not as though the Department of Justice just woke up in March of 2023 and decided that this was an important question or that this was an important issue. There’s been quite a lot of regulatory and law enforcement attention on the use of these modern communication channels. See, I already changed my language in response to the education that you’ve just provided me. So, talk to us a little bit about what’s been going on. You’ve already mentioned SEC sweeps a couple of times and the broader enforcement environment that’s really focused in large part on financial services.

Shannon Kirk: There’s obviously been a number of headlines about what the SEC is doing. They’ve been looking at the financial industry for several months now and pressing on the question of: What are folks doing with respect to these app-based communications, text, etc.? Headlines have been out there about the (I think it might be up to) $2 billion in fines (at this point, the last time I checked) across the board, so there’s that. And there, the SEC is arguing that under their regs, certain communications must be preserved. If you are not preserving WhatsApp, WeChat, etc., the SEC would argue that that is not in compliance with X, Y, Z regs. Now, of course, there’s defenses to that and arguments to that, but that’s what’s going on there. The DOJ has also recently come out and just boiled it all the way up. They’ve made statements in the past that are similar—it’s not any new concept, from my perspective at least, from the DOJ, but essentially, what they’re saying is, “We do expect companies to be thinking about (and we will be asking questions about), how far they have looked into app-based communications, etc., and what their policies are around that.” And they’ve just said that now—they’ve said, “No, we will be asking those questions.”

Zach Coseglia: Yes, let’s talk about that. At the recent ABA conference, which we’ve referenced a couple of times, Assistant Attorney General Ken Polite introduced changes to the “Evaluation of Corporate Compliance Programs” document/guidance. They’ve actually added an entire section on messaging applications under the broader heading within the ECCP of how companies investigate misconduct. I’m going to share a couple of excerpts from the ECCP as it exists now. The ECCP now says, “In evaluating a corporation’s policies and mechanisms for identifying, reporting, investigating, and remediating potential misconduct and violations of law, prosecutors should consider a corporation’s policies and procedures governing the use of personal devices, communication platforms, and messaging applications, including ephemeral messaging applications.” Side note, I think folks just like the word “ephemeral”—I think there’s something

that folks just like about the way it rolls off the tongue. Then, the ECCP continues with, “Policies governing such applications should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company.” So, Shannon, what was your reaction when you heard about these revisions, these updates to the ECCP?

Shannon Kirk: Zach, where I’ve sat for years (15 years), all I do every day, day in and day out, is deal with corporate data sources and communications. My perspective is so laser-focused on this issue all the time that when the DOJ came out, for me, I just thought, “This is just another evolution of what the DOJ has been saying,” in some ways, a little bit more precise because now they’re making a specific section on app-based communications. They’re still using the word “ephemeral,” which is just one category of app-based communications, because there are some apps that are truly ephemeral. I don’t mean to be too pedantic, but there we are with that terminology again. So, my reaction is I’m not so surprised, especially since everybody has been reading the headlines of what’s coming out of the SEC. You would almost expect other regulators to give some clarification on the issue, as well.

Zach Coseglia: Hui, I want to come to you now, because there’s been quite a few announcements from the Department of Justice over the course of the past year, year and a half-plus, and each time those announcements have come out, I feel like your reaction has largely been, “This isn’t a big surprise. This wasn’t a massive change in policy. This wasn’t a massive shift from where things were.” And yet, we’ve seen the compliance community get really excited about these changes. So, I’d love your reaction to this because I suspect that you had a similar reaction to Shannon and not thinking that this was so fundamental.

Hui Chen: For as long as I can remember, it’s been the case. I remember still being in the Fraud Section as the compliance counsel, and the whole compliance world just got all excited about the Yates Memo, and we’re like, “The Yates Memo is exactly how we’ve been operating all these years.” It’s interesting—it’s like all of these things are out there, and suddenly, one day, somebody puts a spotlight on something and everybody reacts as if this is a whole new thing that they had never thought of before. I think it’s just because maybe there’s just so much out there, people are not, understandably, paying attention to every little bit, so something gets highlighted and they perhaps truly feel like this is something new. I also think, sometimes, to recognize the sense that when the Justice Department, SEC, or someone chooses to highlight a certain component of their existing practice, people read it as, “Now there’s new emphasis on this.”

Shannon Kirk: I think that’s exactly right. I think you hit the nail on the head, that everybody would recognize we all know what we’re doing to communicate. When the DOJ puts an emphasis on something, and that’s probably it, that’s what people are probably reacting to, which is, “The DOJ’s putting an emphasis on this now, and that’s important.” I think that that’s really probably exactly what’s happening.

Zach Coseglia: The ECCP asks questions—it doesn’t exactly provide answers. This was actually something that we talked about in our last episode, or the episode before that in this series. But, Shannon, what do you think the DOJ expects? Are they saying that these messaging applications shouldn’t be used, that they can be used but you need to retain the messages, or that if they’re not allowed or if they are allowed, companies should monitor to see whether people are using them? What do we think the expectations are?

Shannon Kirk: We went through this a few years ago with the DOJ, where they came out with a statement that I think did use ephemeral messaging….

Zach Coseglia: Yes, I think that’s right.

Shannon Kirk: There was this uproar in a sense because people interpreted that as the DOJ saying, “You’re not allowed to use these messaging tools.” And then, the DOJ came out shortly after and made a clarification—essentially, my read of it was, “We’re not saying you can’t. We just need to make sure you have some controls around it.” Now, my interpretation of the DOJ’s latest statement is essentially the same—it’s essentially saying, “We’re going to ask questions about your policy around messaging apps. And we’re going to want to know if there’s been thought around if certain messaging apps are permitted: What controls do you have around that? Do you have the ability to preserve it?” To me, they are, again, not dictating what a corporation can and cannot use for communication tools—they are saying, “We’re going to ask questions about the policy and the technological controls around it, and we would expect you to be able to answer those questions.”

Zach Coseglia: Hui, I wanted to ask you what your thinking is about what the DOJ expects, especially having been there when the original ECCP was being developed?

Hui Chen: I agree with Shannon. Certainly, from the perspective of how ECCP was initially developed was just to ask questions. I remember a lot of people after the initial ECCP had come out came up to me and said, “That is a great document. It’s just too bad you don’t provide answers.” And I thought it was hilarious because that is precisely the point—the answer we want is your thinking. We want to know that you’re thinking about these issues in a way that is thoughtful, human-centered, and looks to the outcome that you’re trying to achieve.

Zach Coseglia: And that recognizes that every company is different, has a different risk profile, operates in different places, and has a different business model, all of which actually impact the answers to these questions rather than having a monolithic approach.

Hui Chen: Absolutely. It’s also about, “We encourage you to experiment, even. If you’re thinking through this issue and you decide to approach it a certain way, we want to see you gather evidence and data to support (to validate), your assumptions. And if it’s wrong, we expect you to keep tweaking your program until you get it to a place where you feel like it’s responding to the need to have that program in the first place.” So, really the desire is to get people thinking, experimenting, and looking for something that works. This is something that goes on forever, which is why you also cannot provide an answer because the answer today, in this space, in particular, is going to be invalid in 30 days, probably.

Zach Coseglia: That’s right.

Hui Chen: Let me ask you a question, Shannon, because some of it is making me nervous, putting myself in the shoes as an employee. Conceptually, what we’re talking about here is we now have all of these tools, and the companies have the ability to monitor those tools, so there’s an expectation that they use some sort of ability to do some kind of monitoring, preserving, whatnot. One of the tools that we’re constantly using since the pandemic for everyone, including right now, is Zoom. Zoom has recording capacities. How far are we going to push this? Is there going to be an expectation that companies say, “Whenever you get on a Zoom meeting, you must record it. We’re going to archive it somewhere, and someday, we’re going to look at it if we feel like you might be misusing it.” Lawyers like to talk about the slippery slope, so that’s the direction of the slippery slope that I’m seeing, and it makes me nervous.

Shannon Kirk: The recording issue is completely different and here’s why. In the normal course of business, we are getting on Zooms. They should not be recorded—they are the same as an in-person meeting, and they should be thought of that way. They are just the same as going to the office, sitting in a conference room, and having a meeting—it’s just virtual. We had to do more of it because of COVID, and now, because we have a hybrid work environment. I emphasis this to clients—clients really should be thinking hard about whether they allow recording of Zoom meetings or any kind of virtual meeting. It shouldn’t be reflexive, because, why? They should be asking themselves, “Why am I allowing recording?” That has nothing to do with what we’re talking about here, e-com policies—I’m going to get to that and the tools for monitoring that because there’s something you said, Hui, that I want to hit. But, when we’re talking about just allowing this unfettered, uncontrolled recording that employees might probably be doing just for whatever reason, companies really should be giving long and hard thought about that because there should be restrictions on that. Why, from an information governance standpoint, do you want to allow that? Are people actually really using all of these recordings later in time? What’s the point? Now, once they are recorded, once they are there and it is a unit, if the company is under a duty to preserve, then now you’ve got to preserve it. But, in the normal course of business, if there’s no need to record, a company should be asking, “Why am I allowing this?” So, that’s different.

When we’re talking about, as you said, “Now we have all this ability to monitor,” there is one thing I do want to clarify there because it’s important. There are tools. I mentioned the bear hug middleware that allows for that captured content, but it doesn’t necessarily mean that it’s going to be a good solution for your organization. Every organization has to do their own due diligence: Is it really going to work for them? The implementation of these takes a long time—it’s not an easy push-the-button. To the extent regulators, opposing counsel, etc., think that “It’s just out there and you’re just not using it, and you’re irresponsible,” that’s not true. There’s a long lead line on implementation, due diligence, and testing that it works in your environment, on training, etc. So, I did just want to make sure that that was clear, because it is not the case that I can just go down to Staples for my company and buy some technological solution, slap it on, and everything’s fine.

Zach Coseglia: Shannon, this has been an incredible conversation. We could surely go for another 30 minutes—I’m sure we could go for another several hours. And you know what? We should. We would love to have you back on the podcast, and when we do, you will get to experience the Proust questionnaire, the James Lipton questionnaire, the Vanity Fair questionnaire so that everyone can get to know you a little bit better. But, until then, any just final thoughts for our listeners?

Shannon Kirk: I guess play back my terminology portion of this segment and let’s all start using the same words. It’s really not hard—it’s not above anybody’s pay grade or technological aptitude to use these words. I really do think that it would improve all of us on all sides if we can all just get around these basic fundamental terms.

Zach Coseglia: Terrific. Thank you, Shannon. It’s funny, on some of our previous podcasts, we’ve landed on Better Ways like “think” and “listen”—these are not terribly innovative concepts. Today, I think we have “be precise.” Hui, as always, it’s been fun. And, Shannon, we really appreciate it. For more information about this or anything else that’s happening with R&G Insights Lab, please visit our website at You can also subscribe to the series wherever you regularly listen to podcasts, including on Apple and Spotify. And, if you have thoughts about what we talked about today, the work the Lab does, or just have ideas for better ways we should explore, please don’t hesitate to reach out—we’d love to hear from you. Thanks again for listening.


Zachary N. Coseglia
Managing Principal and Head of Innovation of R&G Insights Lab
See Bio
Subscribe to There Has to Be a Better Way? Podcast