Perils of Ediscovery for Mobile Devices: SMS, Emojis and BYOD, oh my!
Why discovery for mobile devices is more complex than meets the eye
Mobile devices are hardly a new kid on the block when it comes to inclusion in ESI requests and creating discovery headaches. In fact, even my earliest cases involved BlackBerrys, Nokias, and Palm Pilots! When the smartphone hit the stage, the nuance and complexity around mobile data in the ediscovery process was substantially amplified because the devices themselves went from a discrete and somewhat self-contained data source to a huge repository of potentially relevant information.
Early cases involving mobile data centered around call logs, voicemail, and occasionally text messages. Today, the types of potentially relevant ESI and methods necessary to capture it are drastically different than the previous decade. This article unpacks the new mobile ESI sources, best practices to defensibly manage ESI, and the pitfalls to watch out for along the way.
Better, cheaper, faster
The evolution of mobile devices has come at a breakneck pace. The industry leapt from 2-pound, brick-like monstrosities that cost $4,000 in 1983 to Star Trek-inspired flip phones in the mid-nineties. In half that time, we leapt again from clamshell phones with T9 texting to the interactive touch screens of the iPhone in 2007.
Cell phones have not only gotten significantly sexier over the decades, they have also become much more sophisticated and powerful. This has impacted everything from the number and types of applications a phone can support to the cost for things from text messages to internet. The last several years have seen a sharp decline in overall phone bills and movement into unlimited plans for users, while the use of text messaging has steadily increased. SMS messaging surpassed phone calls in 2007 and has ballooned to a 2 trillion message per year behemoth. New short form communication applications like WhatsApp and WeChat are beginning to cut into the dominance of SMS/text messaging, but for 77% of people texting is still the preferred method.
How does this mobile revolution impact ediscovery?
Increasingly, people have moved from traditional communication methods like email and phone calls to a more mobile-forward approach in their personal and professional lives. Key information related to business transactions, product development, and nefarious behavior is often found buried in mobile data, and the work-from-home revolution of the last several months has only amplified this. What does this mean for ediscovery practitioners?
Getting the data in the first place
Because there are multiple layers of authentication required to access all potentially relevant information on a mobile device, physical possession alone is not sufficient to access everything. For iPhones in particular, you will want to ensure that you not only have the device passcode and necessary information for two-factor authentication, but also login credentials for iCloud to access material stored off the device.
New phone, who dis?
As a result of the rapid innovation around mobile devices and the variety of devices on the market, it is extremely important to ensure you or your forensic partner are using the right tech to access the data on the specific model and version of device(s) you are faced with. The type of mobile device you’re dealing with (BlackBerry, Android, iPhone, etc.) as well as the device model impact what technology can forensically and defensibly image from a device. Be sure to discuss this with your forensic provider to ensure you get usable data from collection efforts.
Making ugly mobile data pretty
Texting remains the dominant communication style of mobile device users, with over 23 billion messages sent every day. Unfortunately, the data directly exported from collection tools like Cellebrite is challenging to understand and quickly review. It is important to work with a technology that can render the text messages in an easy-to-understand manner to accelerate time to insight. Not all tech is created equally on this front, so be sure to ask for an example of text data in any review tool you are evaluating for a matter that will be SMS-heavy.
Managing emoji overload
If you have ever sent or received a text message, there is an extremely high likelihood you have come across an emoji. Those little pictures are added as punctuation or can have an entire meaning in the context of SMS or other short form communication. Increasingly they are showing up in courtrooms, which has given rise to some challenges.
Differing phones depict emojis differently, interpretation is highly subjective, and not all review platforms are equipped to support rendering emojis in anything like the native format. Does the money bag imply bribery or good luck? Is the eggplant a message about dinner or sexual harassment? As with text messaging generally, I recommend asking for an emoji exemplar if you anticipate a text message- or collaboration tool-heavy review.
Knowing where to look
Cell phones are not a data source monolith — there are a variety of data types and locations that may be relevant in mobile data discovery. Data may reside on the physical device, in a cloud-based backup, and in third-party applications. In the event you are dealing with international matters and/or data in a chat app like WhatsApp or WeChat, global data privacy concerns may be implicated depending on where the third party application hosts the relevant data.
The proliferation of bring your own device (BYOD) policies that allow employees to use personal devices as their business smartphone further complicates the mobile data conundrum. From increasing the variety of potential device types and models to commingling of personal and business related data, these policies add nuance to data preservation and collection. Additionally, BYOD policies may limit an enterprise’s control over what applications an employee adds to the device and what remote collection and wiping capability the device has. Dig into what sort of device policy your client has early in the preservation discussion to uncover these issues.
But wait there’s more!
There is an increasingly wide array of data types that may be relevant in evaluating ESI from mobile sources. Traditionals sources like calendars, call logs, text, and device-based email are always a great place to start. Today, it is also important to consider whether collaboration tools like Slack and Teams or short form communication like WhatsApp and WeChat are in scope.
Photos and device geolocation (from GPS or photo metadata) can also be extremely impactful in investigations and litigation where a key actor’s whereabouts are relevant to the issues of the case (just ask John Macafee!). Contacts, social media posts, and messaging and even the notepad application have all been relevant in certain cases. Be sure to understand the data types you want to extract from a device before you determine the preservation plan because there may have to be additional steps taken to ensure you capture all the data you need from mobile devices.
At the end of the day…
Mobile data continues to be on an upward trajectory in our everyday lives and shows no signs of abating. To ensure that you capture the behavior of key actors in your cases, understanding what type of data you want to extract from a mobile device should be a first step in determining your preservation plan and ESI posture. New applications are popping up every day and impacting how we interact, work and play. The supercomputer in everyone’s hand is a wealth of potentially relevant information and the right tech and advisors can help you navigate the complexities of extracting this evidence.