It isn't really about encryption, as the title implies, but about deleting communication records (whether encrypted or not).
> However, companies have an obligation to preserve records that may be reasonably seen as relevant to litigation or that fall under data retention rules set by industry regulators
There are numerous legitimate reasons for wanting to speak out loud for a conversation. But, if they said "let's do a call so that we can avoid putting possibly incriminating material to disk" then that would violate the rules, and is analogous to what is being alleged here.
IANAL, but the rule must be more subtle than that, because I lost the count of times I saw "Everyone please stop responding to this email. If anybody has a question please call us." while I was at $(huge SV company). Or something like "This conference will not be recorded due to the sensitivity of the topic."
(Not the exact wording, but the intent was clear. They even educated every employee on the importance of not writing down stuff that may be later quote-mined in a lawsuit.)
>(Not the exact wording, but the intent was clear. They even educated every employee on the importance of not writing down stuff that may be later quote-mined in a lawsuit.)
There's a MASSIVE difference between not writing stuff down because you have no idea if your competitors may use it against you in a future lawsuit, and not writing stuff down because you know what you're discussing is illegal.
Outside of the fact that's a ridiculous question because I could cite COUNTLESS things the every day man knows is illegal - it's not the point. The point is if you aren't writing stuff down because you BELIEVE what you're discussing is illegal, and it violates your own retention policies - if you aren't outright breaking a law in your state, you're actively engaging in a massive ethics violation.
Then you should from the start make a policy not to keep any logs. The only use of those logs is to prove that you are guilty so it makes no sense to keep them.
Even if you didn't do anything illegal, they can be used against you anyway.
That's the reasoning behind data retention policies. Lawyers don't see data older than N months. Even if you're not guilty lawyers can be costly when they need to analyze large amounts of data.
If your specific conduct is under investigation, sure.
This stuff is more about opposing counsel searching for keywords and finding something that adds supposed context to whatever they are suing about. If you send an inappropriate picture of a woman and make some crude comment, that can be used to bolster a harassment claim or establish a pattern of boorish behavior. If you make crude comments on the phone, that isn’t going to as easily reappear 5 years later.
I believe the difference is intent--a phone call self destructs by default. They are not meant to be recorded (we even have laws here that prohibit it without consent of both parts). Messaging apps have, traditionally, kept logs, in both ends and in the server.
Generally speaking you have latitude to do what you normally do within a medium. If you routinely delete mail every quarter, that’s ok. If you routinely record phone calls that’s ok. But there is no requirement to talk or write.
Once you reasonably suspect that you are in the scope of an investigation or litigation, you need to take steps to preserve relevant things. Guidance from counsel is a good idea.
Discovery is a double edged sword. Moving deliberative activity to phone calls or meetings doesn’t mean there is no record of the encounter. To the contrary, one or more parties are probably taking notes that align with their perceptions. (And self interest!) It all depends on the situation.
In most cases no, but the difference is only due to the greater challenge of recording conversations "in the field." There are plenty of cases where phone calls must be recorded.
The way this works is that the law (lawmakers, courts, police) take a dim view of loopholes, as it's a threat to their own power. So they sit down and decide whhether you were in compliance with the spirit of the law and write laws in a way to criminalize that to the extent possible. It's not code.
It depends how important your phonecall is from National Security point of view. If its a matter of bribery or even kidnapping, nothing can be done, but if its about some proven terrorist plot, ATT can recover your calls (so do probably all other vendors; we just don't know the details, aka black boxes)
The concept of spoliation of evidence is usually well-established. Is that the charge against Uber here?
Or is the charge that they in general did their communication on Wickr?
What happens if the service I am using has an inherent 24-hour window after which all data is erased? What if that window is 0 hour now? No data storage.
If FB deleted all data about a druglord (who used FB for some nefarious purposes) after she deleted his profile, will FB be considered guilty of deleting evidence that could have been used to incriminate her?
I think the big problem, in my opinion, is not that they had disappearing messages so much as it is that they started requiring disappearing messages specifically so they could avoid being caught for anything illegal.
In your example, I don't think FB would be at fault here any more than Wickr is at fault. The problem is with Uber (or the druglord), not the tool that happened to do the deleting.
> Richard Jacobs, a security analyst whom Uber fired in April and now consults for the company, testified Tuesday that up to dozens of employees were trained to used ephemeral messaging systems, including Wickr, to communicate so that their conversations would be clandestine and could not surface in any “anticipated litigation.”
Maybe he provided proof of that... maybe it was just his understanding?
Legal departments know it's impossible to be 100.00% legal (who has never trespassed a single law?), and they're tasked with avoiding any legal risk. To them, it's probably just risk mitigation to ask employees to avoid leaving unnecessary evidence.
There’s a line between managing risk and abetting. Uber likes to push or cross boundaries in many other areas, so it stands to reason that perhaps they did that here.
Except if they can be found guilty because of suppositions.
I guess it's just a case where the law makes no sense: you can't prove you've innocently suggested to use a secure communication tool for the right reasons, so there will always be a doubt about your sincerity.
It’s more like when you claim that you don’t remember anything, but the investigators find out that the email trail (which jogged your memory) mysteriously stops at a time when you are suspected to have engaged in illegal activity.
Then the investigators find that email stopped when you decided to use a “secure” messenger tool that automatically self-destructs messages.
Agree... Why not insinuate that people who use phone calls instead of emails are simply covering their tracks? And the worst, those who prefer face-to-face communication?
Even simple logic fails so often with law/justice/government.
Wickr: 'Secure Communications for Teams and Enterprises'... The law isn't OK with the concept of security I think (except security it can bypass of course).
Governments are supposed to be in service of the people. People's security should be their goal, not a hindrance. They shouldn't abuse the power we gave them to enslave us.
The more the world is upside down, the harder it is to respect the law for normal honest citizens.
When you are told you are under investigation you have an obligation to not delete anything, even if the automatic window expires.
My company has a policy that outlook will expire all messages in my inbox after 30 days (saved messages folders have a different policy). However when we get legal notice IT quickly changes a setting and now it is not possible for that person to delete any existing email. (eventually legal will review every email you have saved, they will then let you delete the ones that are not affected, but they err on the side of keeping anything) Even if you hit delete, the system will not let you delete the message. Our IM system makes it hard to save conversations, in part of make it hard for investigators to get access to conversations.
As for Facebook, that is complex, depending on which situation. If the "evil person" deleted his account with no knowledge that he was under investigation than Facebook is safe. However the evil person could be in trouble if he knew he was under investigation. If Facebook knew about the investigation they could not legally delete all his data, I presume they have something in place for this situation.
Of course in most cases evil people don't know they are under investigation. This mostly is a factor when a company is sued.
I wonder why should email be different (why should you change the expiration policy?) Is it explicitly called out in some law that it has to be treated differently? What about if you always use a service that auto-deletes communication every few hours (and it is well-known that this is what the service does and you have no control over it), will that be treated like you are using the phone service for communication?
I think the right question is, "Why should a phone call be different?" What intrinsic quality of a phone call makes it not subject to data retention, whereas an E-mail or a text message would be?
Not sure what you mean -- everyone knows that a phone call is not routinely recorded and there is no expectation that it be recorded when an investigation is on and businesses routinely use a mix of phone calls and emails (and other means) for communication. Why should there be a "by default" expectation that you would increase retention just because there is an investigation in progress (which is why I asked if there is some explicit law/requirement for emails).
And the answer boils down to: in a phone call you can blurt out shit such that, if it were written down in an edit window, you wouldn't click "Send".
Also: a phone call can capture surrounding audio not intended to be part of the phone call. That audio can either leak information itself, or reveal the originator's location.
These are post-facto justifications that are not sound because the same concerns don't hold for other mediums. You can write shit you would regret later in emails too.
And privacy should NOT be about just protecting you from shit that you might regret.
Suppose that instead of using e-mail or instant messaging you use BSD ntalk, where every keystroke you type is immediately seen by the other party; they can see you backspacing over everything, fixing typos, rewording. You are saying that you will not say less shit in ntalk than in an e-mail?
It's not a question of what medium will make me more likely to say shit. It's a question of whether my choice of that medium should be, de facto, considered incriminating. It's a question of whether a company can ask its employees to use ephemeral mediums to communicate.
See, if we get down to brass tacks, I personally would be willing to put my money on Uber being guilty as sin.
But that doesn't mean that I think a company should not be allowed to ask employees to prefer a confidential or ephemeral medium of communication.
a phone call can capture surrounding audio not intended to be part of the phone call. That audio can either leak information itself, or reveal the originator's location.
Most people delete their email messages as soon as they read it. This has been changing in the last few years as storage becomes cheap enough that it is possible to save everything, but most people are still subject some sort of maximum bytes in saved messages. (gmail was an early pioneer in the never delete space so some of you might be used to this)
Specific people. We have ~60,000 people. There are ~100 cases in progress at any giving time where someone has a legal no delete on their email. Doing this company wide would mean nothing gets destroyed ever.
The problem isn't how they communicated, and the article acknowledges this. Wickr and other "secret" apps are perfectly fine. But at the end of the day if the court asks you for records relevant to a case, you are obligated to hand them over. "Oops the app deleted them" might not work for a judge.
But what if those logs didn't exist to begin with? Surely you are not suggesting that literally every communication that takes place in a company (verbal, written, or via gestures) be recorded and retained?
It's not whether the logs exist, but whether the conversation was deliberately had using an ephemeral messaging service, in order to evade statutory data retention obligations.
That's the criminality — the evasion, itself; not which tool was used, but why.
So... if you're doing something illegal, and you know your phone is tapped by the police, it is MANDATORY to use this phone to discuss your illegal activities. Otherwise you'll be prosecuted for it.
I'm not the one "fixated" on the mechanism of communication. I've consistently talked about the motivation for using a given mechanism, and, when specific mechanisms have been raised, whether those mechanisms satisfy those motivations. I even specifically said, "not which tool was used, but why."
Please don't drag the actual point down into the weeds like that — particularly while accusing me of being the one to do so.
Does that hold if it’s company policy to do all communication over an ephemeral chat system?
I’m struggling to understand this. It seems to suggest a company cannot discuss anything potentially problematic unless there’s a log.
From the article:
>companies have an obligation to preserve records that may be reasonably seen as relevant to litigation or that fall under data retention rules set by industry regulators.
So, is that saying watercooler chat is ok over Snapchat but nothing serious?
If they were using an ephemeral messaging app to talk about the theft of trade secrets — a thing that is "black-letter" illegal — then the laws against destroying evidence of criminal behavior might be relevant?
Data retention laws are well-established and every major company I've worked for required training on what communications we are legally required to retain, how it should be retain and for how long.
Uber is not in a regulated industry. Taxi companies do not have any obligation to store email or any other communication for x number of years.
You can destroy whatever you want pre-lawsuit. Once the suit is filed, you are not allowed to destroy anything that is evidence, and most lawyers will caution you away from destroying anything at all at that point, since the most mundane things could be perceived as evidence under argument.
This is being painted as "Uber is being super slimy". Anyone who has sat through a trial having anything to do with electronic communications knows that it's a benefit to everybody if as little logging is done as possible.
> On December 18th, you responded "OK", but on December 19th you responded "Will Do" to the same request from another co-worker. Why was the second co-worker more deserving of a positive response?
Trials are littered with this kind of mundane exchange.
It's why Clinton, Bush, and I'm sure Obama and Trump all used alternative communications systems - because when every thought that is laid down will come under scrutiny, you lose productivity. How are we going to hold companies to standards that we don't expect our nations leaders to follow?
That's at best imprecise; the duty to preserve evidence is triggered when a lawsuit is threatened, filed, or reasonably anticipated.
> This is being painted as "Uber is being super slimy". Anyone who has sat through a trial having anything to do with electronic communications knows that it's a benefit to everybody if as little logging is done as possible.
That is entirely untrue. While records can be inconvenient, they can also be critical to the case of the party retaining them.
"We're going to be doing illegal stuff, so don't talk about it where the courts might hear"
Sounds like the underlying implication of an ethics class. I think reasonable anticipation would be at the point that Uber knew or should have known they were deriving development from stolen material.
Per the article, legal experts seem to agree that the above is not true:
However, companies have an obligation to preserve records that may be reasonably seen as relevant to litigation or that fall under data retention rules set by industry regulators. In Uber’s situation, chat logs that could help get to the bottom of the trade secrets case are now inaccessible. Uber also faces a criminal investigation over the alleged theft.
“It’s a knotty question for courts and lawyers on when the obligation arises” to preserve records, said Julia Brickell, general counsel at the legal discovery firm H5. But “if someone uses a communication device to specifically hide information from litigation because you knew it would result in litigation, that would be foul from the start.”
...
An app such as Wickr “could be a way for Levandowski to communicate ‘By the way, how did we do that back at Waymo?’ and all that vanishes in 30 seconds,” [Judge] Alsup said. “To me it’s plausible that it happened. And the evidence is gone now. Because it was an intentionally set up system to not leave a paper trail.”
Federal civil court guidelines enable judges to tell jurors that they can presume that information covered up by a litigant and now missing would have been negative for that party, Brickell said.
Such a declaration could hurt Uber, as its primary defense has been that Waymo has turned up no concrete evidence of the trade-secret theft. Now, Waymo can claim that such evidence was simply deleted.
“That they were so concerned about covering things up meant that they could have known what they were doing was a crime,” said Nick Akerman, a lawyer at Dorsey & Whitney and a former federal prosecutor in Manhattan. “To me, that’s very powerful evidence.”
> Richard Jacobs, a security analyst whom Uber fired in April and now consults for the company, testified Tuesday that up to dozens of employees were trained to used ephemeral messaging systems, including Wickr, to communicate so that their conversations would be clandestine and could not surface in any “anticipated litigation.”
Given two identical actions, the law can find one illegal and the other permissible based solely on intent.
Crimes generally involve a mens rea and actus reus — a guilty mind and a guilty act. For example, battery is the intentional touching of a person, either against their will or to cause them harm. If it weren’t like that, then every time one person bumped another in the street it would be a crime.
I'm surprised that this isn't turning into a conspiracy charge. That's basically what it amounts to, right? An agreement to commit illegal acts and actions taken to further the commission of those illegal acts? Honestly, this seems like exactly the kind of thing that the conspiracy laws were meant to deal with - you know that one of them did something illegal, but you can't tell who because they covered the details up well enough to prevent identification.
Give it time. The courts don't move fast, but they do move. Recall that this stuff came out because the judge in the Waymo case referred the situation to federal prosecutors.
How is this any different than in-person conversations that are not recorded? Should companies be required to record all conversations that happen face to face?
I, too, don't understand how this is a legal issue given that people can talk face-to-face, or over non-recorded voice services. If it's written communication, what if you're writing things on whiteboards?
How would this not set a legal precedent that essentially requires all communication be through Slack/etc?
Depending on the content of your communication, you might be legally required to commit it to writing, be in the presence of someone transcribing it, etc. This is not exactly unheard of, especially wherever lawyers tread, such as the world of business.
I feel that many of these legal arguments have not caught up with modern technology. If we had had the capabilities we have today 100 years ago, I am sure the lawyers would have pushed for maximum recording of all things. But face to face discussions are some how grandfathered in.
Ok so what if, by policy, the company uses an ephemeral messaging app with a 30 day log rotation? Can a court hold them in contempt for using that product or is it fine because it's a policy to have log rotation?
Business records are legally required to be retained for a period of time (which varies depending on its content). Failure to do so is a violation of the law, and is evidence against you in the event of a lawsuit.
I used to work in an industry where everyone from the local police all the way up tot he F.B.I. would routinely send us subpoenas. The corporate (big company - 30k employees around the world) policy was that we would delete all paper notes every seven days, and destroy anything recorded (especially videotapes) every 14 days. We were told this was specifically so we could dodge subpoenas, otherwise we'd drown in them.
That's fine. The company you worked for was apparently not legally required to store those documents for a certain period of time.
My viewpoint is not at all IT related. I work in a heavily regulated industry and am required to do training a few times a year on data retention policies because of how much we are legally required to keep.
I don't think they'd hold them in contempt. I think the encrypted messages being deleted is about adverse inference - where it can be assumed that the destroyed evidence negatively affects Uber.
Also, if anyone is interested in reading about it, I found this enjoyable article [1] about the topic.
Probably not, but again depends on the circumstances. If, say, the company normally used Slack but for a single project all communication was strictly off-the-record on something like Wickr. And that project just happened to be involved in an espionage lawsuit. And someone testified that they used the secret app specifically to avoid future litigation...
>“It’s a knotty question for courts and lawyers on when the obligation arises” to preserve records, said Julia Brickell, general counsel at the legal discovery firm H5.
Is it really knotty though? Even I know that communication related to running a business must follow data preservation rules. It may not be massively illegal, but at its base using encrypted messaging in this manner is contempt, especially since they knew it could be used in litigation.
Pretty much everyone here is missing the point, so i guess i'll try to make it more clearly.
Once you have reasonable anticipation of future litigation, you are required to preserve evidence.
This why most litigation holds companies place do not let you delete emails, for example.
The purpose of discovery is to get all relevant evidence out in the open in order to help resolve the case.
These two things are true regardless of medium.
IE If i am making phone calls that are relevant to litigation, and you otherwise would keep records or recordings of them, you must preserve them. I can be called to testify to them.
Use of mediums like this is a grey area, but that's irrelevant. You can argue till you are blue in the face that you have legitimate reasons to use self-destructing/encrypting mediums.
"Once a party has notice that litigation has been filed, courts uniformly impose a duty to preserve potentially relevant evidence on parties to the lawsuit. The duty “includes an obligation to identify, locate, and
maintain, information that is relevant to specific, predictable, and identifiable litigation.” The duty applies only to relevant data, documents and things."
Remember that at one point, email preservation and other things did not exist.
Courts forced companies to preserve that data:
"To be sure, as part of a litigation hold, a company may be required to cease deleting e-mails, and to disrupt its normal document destruction protocol."
So let's turn to here.
First, regardless of anything else, the use of anything with a specific goal of avoiding the duty to preserve evidence is going to be held against you.
Full stop. It does not matter what that is.
So regardless of the medium in use here, that's problem #1.
How far does anticipation of a lawsuit go?
In the oft-cited Zubalake decision, the court found that a company employer had a duty to preserve electronic records destroyed before an employee filed the charge of discrimination that triggered a government investigation because almost everyone with whom that employee worked anticipated she might bring a lawsuit. That is, the court held that duty to preserve attached at the time that litigation was “reasonably anticipated,” and that key company employees anticipated litigation months before the employee filed a charge of discrimination.
Boom. This case is pretty much already lost in those jurisdictions.
Problem #2 is what if the medium normally keeps no records.
Again, if you did it deliberately to avoid discoverability, you are already going to lose.
It's true that there is no general duty to preserve, but once that duty kicks in, the fact that the medium is ephemeral is irrelevant.
There is literally nothing that prevents preservation of evidence here other than desire. They could make records of conversations (screen grabs, what have you), they could record the ephemeral keys and data (they have physical access), and they could also tell people who they anticipate (above) to be involved in litigation to not use such mediums, and in fact, pretty easily force compliance.
You should also realize that if these forms of communication become incredibly common, the discovery rules will adapt.
They have adapted as texting and instant messaging became more common, they will adapt as self-destructing messages become more common. That adaptation is not going to be "self-destructing messages get a free pass", it's going to be "you may be required to preserve keys"
Honestly that makes no sense. Why should company management collect evidence against themselves? That sounds like something that only exists in dictatorship countries. Aren't you misunderstanding something?
And how are they supposed to record phone calls if they use "dumb" phones or personal smartphones?
At least if I received such an order I would stop using anything that can be saved (like email) and would discuss the problem only in person. Now go try to prove anything.
I understand that the court can order to preserve existing records. But this "reasonable anticipation" is clearly a gray area that can be interpreted any way and allows to make anyone guilty.
This is a civil, not criminal, proceeding. You will be required to collect evidence that may be against you. If you have done something criminal you can try to claim fifth amendment privilege but then you are certainly going to lose the civil lawsuit because that can be used against you there.
I understand the rules here quite well, being licensed in four states, many federal courts, etc.
"And how are they supposed to record phone calls if they use "dumb" phones or personal smartphones".
I said if they record, they would have to turn it over.
Otherwise, yes, I will subpoena the records, including any relevant records from personal phones, if the relevant people use personal phones for business.
I will then depose people as to the content of those calls if they are possibly relevant. Most will not lie. If they do it will go very badly for them.
Your plan of trying to hide stuff and lie in court is not going to go well for you.
You seem to desire a very adversarial civil system.
It is mostly existing to resolve disputes.
That requires getting all the evidence out on the table, partially in the hopes that both parties then decide to resolve it themselves. Which they mostly do.
Thank you for the detailed explanation. But I cannot say that I like the requirement that I have to keep the records that can be later misinterpreted and used against me.
This keeps going around but it's simply not true...
For snaps that are not saved, those are not retained on any server after their expiration.
Why would snap spend the money and/or hold the liability of keeping expired snaps stored... They know if it was all leaked they'd be done. And with the number of daily snaps, that would add up storage costs real fast or no reason.
> This keeps going around but it's simply not true
How do you know?
> Why would [...]
Because you can't think of a reason it must not be true? Or are you claiming internal knowledge or taking the company's word for it? I don't know for sure what's retained, and therefore I won't go around saying I know.
I'm half-joking here, but one reason we might know it isn't true is the "argument from cash flow": Snap is still hemorrhaging money, to the consternation of investors, mainly because they're paying astronomical sums to Google for GCE hosting. Given the amount of data that passes through Snapchat every day and the cost to host it, I can make a decent guess that they're not hanging on to it, or else their infrastructure costs would be even greater.
Their costs is already in the hundreds of million of dollars. They could hang on to all videos with no issue whatsoever. That's financially easily doable within their budget, and that's technically easily doable because google storage will take any amount of TB thrown at it.
The only fair assumption is that they store all videos. Remember that they are an ad business.
If it's too annoying, the wise decision would be to cut storage to only 1 month, or store only 1% of randomly selected videos. It will never be to stop storing videos.
choosing not to store the data is different than it being unencrypted in transit. nothing stops snapchat from building an internal "product" that captures, say, messages with certain geolocation, or comments, or, hell, based on some sort of image recognition system. Nothing stops the government from subpoening them asking for this functionality (see lavabit 1.0 https://en.wikipedia.org/wiki/Lavabit#Suspension_and_gag_ord... )
You'll see that when notable stories stop hitting the news so frequently. I think this complaint should be forwarded to Uber. Perhaps directly to the CEO since you might get a big payday out of that.
I dislike them quite a bit honestly due to the way things have been developing for a while, but it's getting tedious that every time I open HN all I see is Uber.
That's fair, but it doesn't mean it shouldn't be there. I think people feel that way about a lot of things right now, like Trump on the news daily, regardless of where you stand.
It's because Uber is a massive company which had a massive impact on transportation and employment while simultaneously being a complete inferno of unethical and illegal behavior internally and externally. It is simply a lot of news.
Did you say the same thing about Enron when they were in the news essentially every day from August until December 2001? It's a big corporate scandal with frequent new revelations; there's going to be lots of posts about it.
I recall a case where after a subpoena for records hard drives were wiped clean and mobile phones where smashed with a hammer. So what is it, OK to destroy or not as a legal precedent?
In the broader picture, this seems pretty unreasonable. What if you used iMessage in the context of your business, or if you communicated entirely over the phone verbally? Is it fair to assume if there is no evidence of problems that it was simply deleted, as the judge said? That's like trying to prove a negative, is that really legal?
For iMessage specifically (which is not ephemeral), the judge would just order you to unlock your phone and show the messages, or provide your iCloud password, and jail you for contempt if you refused.
Sarbanes-Oxley requires corporate record-keeping and outlaws interference with investigations. While it doesn't specifically mention ephemeral messaging, it would seem to preclude its use in anything business-related. So it's not "trying to prove a negative" so much as it seems to be saying these applications are illegitimate for business use period.
This is not even a little bit true. What you're implying is that businesses are required by law to keep all internal communications in case someday there's litigation, and that is just flatly false.
Deleting data once litigation has been initiated is tampering/obstruction. Deleting data when not under litigation is the company's choice, with very few exceptions. Many companies explicitly require all communication be ephemeral - email, messaging, etc. it explicitly only preserved for X days and then deleted entirely from all systems.
IANAL, but I'm pretty sure the laws around tampering with/destroying evidence are crafted in such a way to make knowingly destroying evidence of a crime — even before that crime is under investigation — unambiguously illegal.
If not, that would be an oil-tanker sized loophole for avoiding prosecution, and I don't think the folks crafting criminal evidentiary law were that dumb.
IANAL, but it is an oil-tanker-sized loophole - as is conducting all your criminal dealings via in-person communications, instead of e-mail.
If you are under a litigation hold, you cannot delete any data. If you are not under litigation hold, and your policy is that you shred all your records every Friday at 3PM... The courts will not hold your lack of records against you.
> the judge would just order you to unlock your phone...
Depending on which Federal circuit applies, and how you authenticate to your device, only if they already had proof that your messages were material to the case. Unlocking your device (with a passcode or password, as distinct from biometrics) has been ruled to be "testimonial", so the State must have specific knowledge that your iMessage has inculpatory evidence in order to compel you to unlock it and hand those messages over.
iMessage can be deleted with no trace. If messages don't exist there, can you assume that they were deleted? That's basically what the judge is saying. What if a company has a deletion policy of 6 months, and someone starts litigation after 2 years, can the judge assume that any evidence was deleted as opposed to not knowing if evidence even existed?
The Supreme Court has held that corporations don't have fifth amendment rights. They have done so precisely because they've never categorically held that "companies are ... persons," but rather have in various cases stamped out attempts to infringe on personal rights just because those people happen to act through a corporation.
You, as an individual, have a right against self-incrimination, but you're simultaneously subject to laws against tampering with or destroying evidence.
You don't have to hand over the incriminating evidence, or even tell the cops that you have it. But if they find out you did have it, and knowingly destroyed it to hide your illegal behavior, that is a legitimate additional charge.
> "This is not even a little bit true. What you're implying is that businesses are required by law to keep all internal communications in case someday there's litigation, and that is just flatly false.
Deleting data once litigation has been initiated is tampering/obstruction. Deleting data when not under litigation is the company's choice, with very few exceptions. Many companies explicitly require all communication be ephemeral - email, messaging, etc. it explicitly only preserved for X days and then deleted entirely from all systems."
"That they were so concerned about covering things up meant that they could have known what they were doing was a crime"
When the government says "Only criminals want privacy. Why do you care about privacy if you're doing nothing wrong", every one is up in arms (and rightly). What happened now?
"However, companies have an obligation to preserve records that may be reasonably seen as relevant to litigation. Chat logs that could help get to the bottom of the trade secrets case are now inaccessible"
Why does someone automatically have a right to know what communication took place just because that knowledge would help incriminate the communicator?
There seems to be a double standard in the community here when it comes to privacy. Usually, everyone's all gung-ho about privacy and encrypted communication and VPNs that don't keep logs. At that time, no one seems to be concerned about who is using that encrypted channel and for what purpose. But now suddenly Uber did it and it's bad?
If you want to operate a business you need to play by the rules for businesses. Private individuals have different expectations and laws governing their privacy.
One major difference between individuals and corporations is that you can not really jail a corporation (though you can jail execs, but this rarely happens) and running a company is a privilege, not an innate right.
So it stands to reason that if the law says you need to preserve your records that you do so in order to be able to hold the company accountable for its actions. Similar laws apply to your financial recordkeeping.
Willfully destroying evidence, whether you are a private individual or a corporation is going to be frowned upon by a judge anyway, the best way to avoid all of this is to simply not commit any deeds that could be labeled crimes.
So if an organization says that its employees should always use an ephemeral messaging service for communication, it's inherently in the cloud of suspicion?
Because that seems tantamount to saying that literally any communication between employees of the company (even verbal) must be recorded? What if all this communication had happened between them in those 'long walks' they took in San Francisco?
Yes. Sarbanes-Oxley requires business records to be kept for a reasonable length of time, and with ephemeral messaging that is impossible. So it would seem that these applications are illegal for business use by default.
> However, companies have an obligation to preserve records that may be reasonably seen as relevant to litigation or that fall under data retention rules set by industry regulators
Seems pretty clear that Uber violated this.