“What can you do to protect personal information when you collect data from a phone?” This is one of the most frequently asked questions of our forensics practice group.
One reason we hear this question so often is we’re seeing a lot more mobile devices. In particular, the explosive growth of mobile messaging is driving a rapid increase in mobile device discovery.
Of course, the main reason we get asked this question is there’s a tremendous amount of personal data on mobile devices. People may have their entire lives on their smartphones.
This is a serious issue for our corporate clients as well as for our individual clients. A separate device used solely for work is the rare exception. Intermingling of business and personal data on one device is the norm. This is true whether the device is employer-owned or BYOD.
Companies involved in litigation have a legal duty to obtain relevant business data from employees’ mobile devices. At the same time, they want to respect their employees’ privacy. They also don’t want to waste time and money having outside counsel review irrelevant material.
In some instances, respecting privacy can be more than a good thing – it can be an essential requirement to access the device. An example is friendly third parties who agree to turn over their phones for discovery but only on the condition that appropriate privacy safeguards are put in place.
Targeted collection of mobile data is infeasible and inadvisable
It isn’t feasible or advisable to try to exclude personal data during the collection process itself. This is primarily for technical reasons. Mobile device forensic software isn’t designed to identify and exclude information based on content as part of device acquisition.
Additionally, phones and other mobile devices generally don’t support targeted collections. From an eDiscovery perspective, this is one of the most significant differences between mobile device collection and more familiar sources like e-docs on a PC.
Technical obstacles aside, targeted mobile collections are inadvisable for legal and strategic reasons. Our clients seldom have a complete picture of what data is relevant or where it resides on the device prior to collection. This is often because even the device user doesn’t know the answers to those questions.
Messaging data is a prime example. “Text messages” is a typical response to a custodian questionnaire asking about sources of relevant data. On its face this identifies SMS/MMS (plus contacts for context) as collection targets.
However, it’s highly likely that the custodian actually uses WhatsApp, Facebook Messenger and iMessage in addition to SMS/MMS. He just doesn’t realize there’s a difference between social media messaging applications and text messages. Maybe he also forgot about saving attachments from relevant messages.
In short, a targeted mobile collection has a high risk of being incomplete. The best case scenario is a supplemental collection will be required, with the attendant cost and inconvenience. The worst case scenario is spoliation because data has been overwritten by the device operating system, deleted by the user or lost due to an auto-delete function.
Personal data can be filtered prior to review
The good news is it’s possible to identify and filter a great deal of personal data between collection and review.
All of the collected data is stored until the matter is closed and we are directed to destroy the data or transfer it to the client. However, only potentially relevant data is exported from the preservation copy for review.
We use the mobile forensic software Cellebrite for acquisition and analysis of mobile data. Cellebrite and other industry-recognized mobile forensic software have robust search and filter capabilities.
For example, if the only relevant data is messaging and contacts, then other, non-relevant categories can be withheld from export. This would include GPS location data, email, internet history, calendar, notes and more. All likely sources of personal information.
More granular filtering is also possible. We use a combination of inclusionary and exclusionary filters. We work with the client to develop a customized filtering strategy for the matter.
Inclusionary filters are designed to identify relevant data for export, which is then transferred to the case team for review. Typical examples of inclusionary filters are date ranges, search terms and contact information (e.g., name, handle, phone number).
Exclusionary filters are used to identify non-relevant data such as personal information, systems data and spam. This data is excluded from the export. A common exclusionary filter for personal data is contact information for the device user’s family members and friends.
People have a legitimate privacy interest in the non-relevant personal data on their mobile devices. By working together to implement reasonable safeguards, litigators and eDiscovery professionals can respect privacy during discovery. Cutting costs from review of non-relevant data is an added bonus.