Where Did the Data Really Go?

Learning about deleted information is part of eDiscovery. Perhaps an opponent deliberately deleted important files, or relevant information was subject to a scheduled data purge. But what of data that isn’t available because it was actually designed to self-destruct? What happens if that data turns out to be crucial to a dispute?

This puzzle has yet to be solved. Despite that, a growing number of applications send a message and then automatically destroy it at a later time. The highly publicized SnapChat allows users to share photos for just a few seconds. Burn Note sends e-mail messages that automatically self-destruct after they are read. Dstrux destroys sent files and blocks the recipient from saving messages or even taking screenshots. And a new entry, Wickr, lets users send texts, pictures, and audio or video messages that destroy themselves anywhere from three seconds to six days after being viewed or heard. But Wickr does not just destroy the message—it also wipes the recipient’s hard drive and RAM to remove any data related to the deletion.

Aside from these applications, data destruction is also becoming part of hardware design and marketing. Boeing—yes, that Boeing—developed a secure Android phone that erases all its data if someone tampers with it. The phone is an unusual choice for product diversification, but it will be interesting to see if Boeing finds a new market niche.

It’s easy to imagine a range of both legitimate and less savory reasons to use self-destructing data. Unfortunately, though, not all of these services work exactly as intended. Vanish software was developed to provide security by deleting messages, but the system was easily hacked. In 2009, a group of academics published a paper about the system’s vulnerabilities. The program was taken off the market, and is currently available only as a free download for research purposes.

Other failures come not from hacking, but from outside pressure. In the mid-2000s, Hushmail promised its users confidentiality through message encryption. These users believed their communications were inaccessible . . . right up until the company responded to a 2007 subpoena by turning over e-mails of customers under criminal investigation in Canada. Hushmail’s ability to serve up data that was believed to be beyond retrieval begs the question: Can data ever really be permanently deleted?

Assuming that a user could be assured of complete privacy, other issues present themselves. Given the potential compliance and even perception issues, would most corporations want to use automatic data destruction technologies? Dstrux suggests that its service could be useful for version control when parties review drafts of documents that will undergo many changes, such as business plans. And the Boeing phone might be attractive to CIOs of companies with large, traveling sales forces. But is it possible to train staff how to use these systems to obtain their benefits without compliance problems over data that should have been retained? Automatic destruction coding cannot tell if a message is relevant to potential litigation.

Courts have yet to weigh in on the topic formally, but self-destructing data raises spoliation concerns galore. Would a user of such a system be subject to sanctions for shredded messages? Less formally, how will fact finders view those who choose to routinely delete data in this manner? And are there current users who will be chagrinned to find that their data still exists somewhere? We will continue to follow developments in this area as new technologies come online, and as the courts have their say.

About the Author Chris

Author Avatar Christine Chalstrom is the Founder, CEO, and President of Shepherd Data Services, Trustee, Mitchell Hamline Law School and Adviser, Center for Law and Business. She has spoken widely on the Amendments to the Federal Rules of Civil Procedures, Digital Forensics, and eDiscovery best practices. Her credits include presentations to the American Bar Association, Association of Certified e-Discovery Specialists (ACEDS), Corporate Counsel Institute, MN Association of Corporate Counsel, MN Association of Litigation Support Professionals, MN CLE, Mitchell Hamline School of Law, Upper Midwest Employment Law Institute. She is an attorney, programmer, and forensic examiner.