When we launched Wickr in 2012, we set out to put real messaging security in the hands of the average person. We built an app on a strong commitment to user privacy, state-of-the-art end-to-end crypto, and security engineering and made it all easy enough for a 3-year-old to use (one of our early tag lines). We also set out to change the status quo in messaging apps from default save to default delete, and in so doing, introduced the concept of ephemerality as a security control.
Recently, some great lawyers and friends of mine published a public comment version of “The Sedona Conference Commentary on Ephemeral Messaging,” a guide on the proper organizational use of ephemeral messaging solutions. I can’t say enough to praise it, as it not only provides guidelines for legal compliance teams to deploy the technology, but it also educates and offers recommendations to judges and regulators for evaluating its use. It wasn’t easy getting here. Here’s the back story.
Rise of Ephemeral Messaging
There are really only two things that make electronic communications more difficult to secure than face-to-face communications. One is that you can eavesdrop on electronic communications anywhere along the path between the parties. Avoiding this risk could mean securing thousands of miles of wire and IT systems, whereas you basically need to be in the room to overhear a face-to-face conversation. Fortunately, we can address this with good crypto.
The other is the fact that electronic communication is so easily and so often stored beyond delivery. Why so often? I don’t know. Think about it — we don’t need to record everything we say to one another in face-to-face conversations. We don’t enter conference rooms and see the words from the people who met before us hanging in little cartoon bubbles around the room. Why do we need to store everything we type to one another?
The average messaging product/provider stores electronic communications long after transmission for reasons ranging from ensuring system health to “because.” The problem is that the longer it sits in storage, the longer it needs to be secured, and securing data, as we know, is no trivial matter. Ephemeral messaging for us was an attempt to rebalance this risk, recognizing that the vast majority of day-to-day communications — face-to-face or electronic — need not persist after reaching the eyes and ears of the recipient.
Ephemeral Messaging vs. Legal Teams
Security professionals get it. To them, ephemeral messaging is a strategy to mitigate serious technology risks. It’s Infosec 101: spending resources to secure data you no longer need makes no sense.
Many legal professionals, however, don’t. Too many of them view ephemeral messaging as something to fear. From birth, lawyers are conditioned to avoid ‘spoliation’ — the destruction of evidence — and the significant consequences that could meet them if a court detects it. So, when a technology came along that deletes message history automatically, their first reaction was to be a little nervous. Couple that with a lack of clarity about how courts were going to feel about it, and they went to full-on 10-foot-pole mode. It also may have — and it pains me to say this — caused some lawyers to go the other way entirely and advise that the safest path to legal compliance for corporate communication tools was a full-blown surveillance regime.
Let’s Be Besties
This brings us to the present and the turning tide. The Sedona Commentary is packed with practical guidance for lawyers and establishes a solid legal basis for the corporate use of ephemeral messaging. Some of today’s tools are fully capable enterprise solutions that can satisfy data security requirements and implement lawyerly things like legal holds and corporate data retention policies at the same time. There is no reason why CISOs and GCs can’t see eye to eye on it. Now, with Sedona’s guidance, corporate legal compliance can finally embrace ephemeral messaging as a tool to keep employee communications private, secure, and compliant. I think this is the beginning of a beautiful friendship.