
Uber's use of encrypted messaging may set legal precedents - thisisit
https://www.reuters.com/article/us-uber-waymo-evidence/ubers-use-of-encrypted-messaging-may-set-legal-precedents-idUSKBN1DU099
======
paxy
It isn't really about encryption, as the title implies, but about deleting
communication records (whether encrypted or not).

> However, companies have an obligation to preserve records that may be
> reasonably seen as relevant to litigation or that fall under data retention
> rules set by industry regulators

Seems pretty clear that Uber violated this.

~~~
conradev
If they switched to using phone calls to discuss sensitive information and
didn't record them, would they still be violating the rules?

~~~
btian
No. That's why most corporate lawyers prefer you call them instead of email.

~~~
ryandrake
What is a phone call, if not "a conversation that self-destructs after it's
done"?

Not commenting on how the law (which was written before "apps" existed) treats
it, but on the true nature of a phone call vs. a messaging app.

~~~
DannyBee
There are many many records of phone calls. I can ask your phone provider for
them. I can subpoena you and make you testify to their content, etc.

~~~
Spooky23
If your specific conduct is under investigation, sure.

This stuff is more about opposing counsel searching for keywords and finding
something that adds supposed context to whatever they are suing about. If you
send an inappropriate picture of a woman and make some crude comment, that can
be used to bolster a harassment claim or establish a pattern of boorish
behavior. If you make crude comments on the phone, that isn’t going to as
easily reappear 5 years later.

------
Steeeve
Uber is not in a regulated industry. Taxi companies do not have any obligation
to store email or any other communication for x number of years.

You can destroy whatever you want pre-lawsuit. Once the suit is filed, you are
not allowed to destroy anything that is evidence, and most lawyers will
caution you away from destroying anything at all at that point, since the most
mundane things could be perceived as evidence under argument.

This is being painted as "Uber is being super slimy". Anyone who has sat
through a trial having anything to do with electronic communications knows
that it's a benefit to everybody if as little logging is done as possible.

> On December 18th, you responded "OK", but on December 19th you responded
> "Will Do" to the same request from another co-worker. Why was the second co-
> worker more deserving of a positive response?

Trials are littered with this kind of mundane exchange.

It's why Clinton, Bush, and I'm sure Obama and Trump all used alternative
communications systems - because when every thought that is laid down will
come under scrutiny, you lose productivity. How are we going to hold companies
to standards that we don't expect our nation's leaders to follow?

~~~
dragonwriter
> You can destroy whatever you want pre-lawsuit.

That's at best imprecise; the duty to preserve evidence is triggered when a
lawsuit is threatened, filed, or reasonably anticipated.

> This is being painted as "Uber is being super slimy". Anyone who has sat
> through a trial having anything to do with electronic communications knows
> that it's a benefit to everybody if as little logging is done as possible.

That is entirely untrue. While records can be inconvenient, they can also be
critical to the case of the party retaining them.

~~~
saulrh
> reasonably anticipated

Does "We're going to be doing illegal stuff, so don't talk about it where the
courts might hear" qualify as "Reasonably anticipated legal action"?

~~~
dqv
"We're going to be doing illegal stuff, so don't talk about it where the
courts might hear"

Sounds like the underlying implication of an ethics class. I think reasonable
anticipation would be at the point that Uber knew or should have known they
were deriving development from stolen material.

------
JumpCrisscross
> _Richard Jacobs, a security analyst whom Uber fired in April and now
> consults for the company, testified Tuesday that up to dozens of employees
> were trained to use ephemeral messaging systems, including Wickr, to
> communicate so that their conversations would be clandestine and could not
> surface in any “anticipated litigation.”_

Given two identical actions, the law can find one illegal and the other
permissible based solely on intent.

~~~
solidsnack9000
Crimes generally involve a _mens rea_ and _actus reus_ — a guilty mind and a
guilty act. For example, battery is the _intentional_ touching of a person,
either against their will or to cause them harm. If it weren’t like that, then
every time one person bumped another in the street it would be a crime.

------
saulrh
I'm surprised that this isn't turning into a conspiracy charge. That's
basically what it amounts to, right? An agreement to commit illegal acts and
actions taken to further the commission of those illegal acts? Honestly, this
seems like exactly the kind of thing that the conspiracy laws were meant to
deal with - you know that one of them did _something_ illegal, but you can't
tell _who_ because they covered the details up well enough to prevent
identification.

~~~
AnimalMuppet
Give it time. The courts don't move fast, but they _do_ move. Recall that this
stuff came out because the judge in the Waymo case referred the situation to
federal prosecutors.

------
cmansley
How is this any different than in-person conversations that are not recorded?
Should companies be required to record all conversations that happen face to
face?

~~~
QAPereo
In many cases they are, although not “all” it’s true.

~~~
Psilidae
What do you mean by "they are"?

I, too, don't understand how this is a legal issue given that people can talk
face-to-face, or over non-recorded voice services. If it's written
communication, what if you're writing things on whiteboards?

How would this not set a legal precedent that essentially requires _all_
communication be through Slack/etc?

~~~
QAPereo
Depending on the content of your communication, you might be legally required
to commit it to writing, be in the presence of someone transcribing it, etc.
This is not exactly unheard of, especially wherever lawyers tread, such as the
world of business.

------
josh2600
Ok so what if, by policy, the company uses an ephemeral messaging app with a
30 day log rotation? Can a court hold them in contempt for using that product
or is it fine because it's a policy to have log rotation?

~~~
mywittyname
If the policy is against the law, then yes.

Business records are legally required to be retained for a period of time
(which varies depending on its content). Failure to do so is a violation of
the law, and is evidence against you in the event of a lawsuit.

~~~
reaperducer
Kind of an IT-specific viewpoint.

I used to work in an industry where everyone from the local police all the way
up to the F.B.I. would routinely send us subpoenas. The corporate (big company
- 30k employees around the world) policy was that we would delete all paper
notes every seven days, and destroy anything recorded (especially videotapes)
every 14 days. We were told this was specifically so we could dodge subpoenas,
otherwise we'd drown in them.

~~~
mywittyname
That's fine. The company you worked for was apparently not legally required to
store those documents for a certain period of time.

My viewpoint is not at all IT related. I work in a heavily regulated industry
and am required to do training a few times a year on data retention policies
because of how much we are legally required to keep.

------
matt_wulfeck
> _“It’s a knotty question for courts and lawyers on when the obligation
> arises” to preserve records, said Julia Brickell, general counsel at the
> legal discovery firm H5._

Is it really knotty though? Even I know that communication related to running
a business must follow data preservation rules. It may not be massively
illegal, but at its base using encrypted messaging in this manner is contempt,
especially since they knew it could be used in litigation.

------
DannyBee
Pretty much everyone here is missing the point, so I guess I'll try to make it
more clearly.

Once you have reasonable anticipation of future litigation, you are required
to preserve evidence.

This is why most litigation holds companies place do not let you delete emails,
for example.

The purpose of discovery is to get all relevant evidence out in the open in
order to help resolve the case.

These two things are true regardless of medium. I.e., if I am making phone calls
that are relevant to litigation, and you otherwise would keep records or
recordings of them, you must preserve them. I can be called to testify to
them.

Use of mediums like this is a grey area, but that's irrelevant. You can argue
till you are blue in the face that you have legitimate reasons to use self-
destructing/encrypting mediums.

"Once a party has notice that litigation has been filed, courts uniformly
impose a duty to preserve potentially relevant evidence on parties to the
lawsuit. The duty “includes an obligation to identify, locate, and maintain,
information that is relevant to specific, predictable, and identifiable
litigation.” The duty applies only to relevant data, documents and things."

Remember that at one point, email preservation and other things did not exist.
Courts forced companies to preserve that data: "To be sure, as part of a
litigation hold, a company may be required to cease deleting e-mails, and to
disrupt its normal document destruction protocol."

So let's turn to here. First, regardless of anything else, the use of
_anything_ with a specific goal of avoiding the duty to preserve evidence is
going to be held against you. Full stop. It does not matter what that is.

So regardless of the medium in use here, that's problem #1. How far does
anticipation of a lawsuit go?

In the oft-cited Zubulake decision, the court found that a company employer
had a duty to preserve electronic records destroyed before an employee filed
the charge of discrimination that triggered a government investigation because
almost everyone with whom that employee worked anticipated she might bring a
lawsuit. That is, the court held that duty to preserve attached at the time
that litigation was “reasonably anticipated,” and that key company employees
anticipated litigation months before the employee filed a charge of
discrimination.

Boom. This case is pretty much already lost in those jurisdictions.

Problem #2 is what if the medium normally keeps no records. Again, if you did
it deliberately to avoid discoverability, you are already going to lose.

It's true that there is no general duty to preserve, but once that duty kicks
in, the fact that the medium is ephemeral is irrelevant. There is literally
nothing that prevents preservation of evidence here other than desire. They
could make records of conversations (screen grabs, what have you), they could
record the ephemeral keys and data (they have physical access), and they could
also tell people who they anticipate (above) to be involved in litigation to
not use such mediums, and in fact, pretty easily force compliance.

I'm aware of zero cases that have said "yeah, it sucks that you lost those
ephemeral messages", and plenty that have sanctioned as a result of failure to
save. See all the linked cases in
[https://www.lexology.com/library/detail.aspx?g=f47f71d2-281b...](https://www.lexology.com/library/detail.aspx?g=f47f71d2-281b-49c1-8bbc-f0a23a123c8a)

You should also realize that if these forms of communication become incredibly
common, the discovery rules will adapt.

They have adapted as texting and instant messaging became more common, they
will adapt as self-destructing messages become more common. That adaptation is
not going to be "self-destructing messages get a free pass", it's going to be
"you may be required to preserve keys"

~~~
codedokode
Honestly that makes no sense. Why should company management collect evidence
against themselves? That sounds like something that only exists in
dictatorship countries. Aren't you misunderstanding something?

And how are they supposed to record phone calls if they use "dumb" phones or
personal smartphones?

At least if I received such an order I would stop using anything that can be
saved (like email) and would discuss the problem only in person. Now go try to
prove anything.

I understand that the court can order to preserve existing records. But this
"reasonable anticipation" is clearly a gray area that can be interpreted any
way and allows to make anyone guilty.

~~~
DannyBee
This is a civil, not criminal, proceeding. You will be required to collect
evidence that may be against you. If you have done something criminal you can
try to claim fifth amendment privilege but then you are certainly going to
lose the civil lawsuit because that can be used against you there.

I understand the rules here quite well, being licensed in four states, many
federal courts, etc.

"And how are they supposed to record phone calls if they use "dumb" phones or
personal smartphones".

I said if they record, they would have to turn it over. Otherwise, yes, I will
subpoena the records, including any relevant records from personal phones, if
the relevant people use personal phones for business. I will then depose
people as to the content of those calls if they are possibly relevant. Most
will not lie. If they do it will go very badly for them.

Your plan of trying to hide stuff and lie in court is not going to go well for
you.

You seem to desire a very adversarial civil system. It is mostly existing to
resolve disputes. That requires getting all the evidence out on the table,
partially in the hopes that both parties then decide to resolve it themselves.
Which they mostly do.

~~~
codedokode
Thank you for the detailed explanation. But I cannot say that I like the
requirement that I have to keep the records that can be later misinterpreted
and used against me.

------
tonyztan
> "Richard Jacobs, a security analyst whom Uber fired in April and now
> consults for the company"

Why did Uber fire Jacobs and then hire him again, as a consultant?

------
dimpadumpa
What's the point of crypting when workers read them anyway?? C'mon, is this a
hoax or what??

------
free2rhyme214
Snapchat offers E2E?

~~~
jayd16
If you think Snapchat is secure or unrecorded, I've got news for you.

~~~
Cshelton
This keeps going around but it's simply not true...

For snaps that are not saved, those are not retained on any server after their
expiration.

Why would snap spend the money and/or hold the liability of keeping expired
snaps stored... They know if it was all leaked they'd be done. And with the
number of daily snaps, that would add up storage costs real fast for no reason.

~~~
kodablah
> This keeps going around but it's simply not true

How do you know?

> Why would [...]

Because you can't think of a reason it must not be true? Or are you claiming
internal knowledge or taking the company's word for it? I don't know for sure
what's retained, and therefore I won't go around saying I know.

~~~
Analemma_
I'm half-joking here, but one reason we might know it isn't true is the
"argument from cash flow": Snap is still hemorrhaging money, to the
consternation of investors, mainly because they're paying astronomical sums to
Google for GCE hosting. Given the amount of data that passes through Snapchat
every day and the cost to host it, I can make a decent guess that they're not
hanging on to it, or else their infrastructure costs would be even greater.

~~~
user5994461
Their costs are already in the hundreds of millions of dollars. They could hang
on to all videos with no issue whatsoever. That's financially easily doable
within their budget, and that's technically easily doable because Google
storage will take any amount of TB thrown at it.

The only fair assumption is that they store all videos. Remember that they are
an ad business.

If it's too annoying, the wise decision would be to cut storage to only 1
month, or store only 1% of randomly selected videos. It will never be to stop
storing videos.

------
bkovacev
I'll probably get downvoted but is there a specific reason that _any_ uber
related story is _always_ in top 10? Can there be a day when there aren't any?

~~~
adjkant
You'll see that when notable stories stop hitting the news so frequently. I
think this complaint should be forwarded to Uber. Perhaps directly to the CEO
since you might get a big payday out of that.

~~~
bkovacev
I dislike them quite a bit honestly due to the way things have been developing
for a while, but it's getting tedious that every time I open HN all I see is
Uber.

~~~
adjkant
That's fair, but it doesn't mean it shouldn't be there. I think people feel
that way about a lot of things right now, like Trump on the news daily,
regardless of where you stand.

~~~
bkovacev
You're right, I wrote that in a selfish manner, sorry.

~~~
adjkant
No worries :) having news grind on you is normal for all of us, slip-ups
happen.

------
puppetmaster40
I recall a case where after a subpoena for records hard drives were wiped
clean and mobile phones were smashed with a hammer. So what is it, OK to
destroy or not as a legal precedent?

~~~
amiga-workbench
Oh, that was just extreme carelessness ;^)

------
pfarnsworth
In the broader picture, this seems pretty unreasonable. What if you used
iMessage in the context of your business, or if you communicated entirely over
the phone verbally? Is it fair to assume if there is no evidence of problems
that it was simply deleted, as the judge said? That's like trying to prove a
negative, is that really legal?

~~~
Analemma_
For iMessage specifically (which is not ephemeral), the judge would just order
you to unlock your phone and show the messages, or provide your iCloud
password, and jail you for contempt if you refused.

Sarbanes-Oxley requires corporate record-keeping and outlaws interference with
investigations. While it doesn't specifically mention ephemeral messaging, it
would seem to preclude its use in anything business-related. So it's not
"trying to prove a negative" so much as it seems to be saying these
applications are illegitimate for business use period.

~~~
1_2__4
This is not even a little bit true. What you're implying is that businesses
are required by law to keep all internal communications in case someday
there's litigation, and that is just flatly false.

Deleting data _once litigation has been initiated_ is tampering/obstruction.
Deleting data when not under litigation is the company's choice, with very few
exceptions. Many companies explicitly require all communication be ephemeral -
email, messaging, etc. is explicitly only preserved for X days and then
deleted entirely from all systems.

~~~
rosser
IANAL, but I'm pretty sure the laws around tampering with/destroying evidence
are crafted in such a way to make _knowingly_ destroying evidence _of a crime_
— even before that crime is under investigation — unambiguously illegal.

If not, that would be an oil-tanker sized loophole for avoiding prosecution,
and I don't think the folks crafting criminal evidentiary law were that dumb.

~~~
vkou
IANAL, but it is an oil-tanker-sized loophole - as is conducting all your
criminal dealings via in-person communications, instead of e-mail.

If you are under a litigation hold, you cannot delete any data. If you are not
under litigation hold, and your policy is that you shred all your records
every Friday at 3PM... The courts will not hold your lack of records against
you.

~~~
rosser
Litigation holds are a thing in _civil_ law. Evidentiary rules in criminal law
are, AFAIK, a different beast.

------
trhway
As companies are apparently persons, do they have the right against self-
incrimination and the right to remain silent?

~~~
rayiner
The Supreme Court has held that corporations don't have fifth amendment
rights. They have done so precisely because they've never categorically held
that "companies are ... persons," but rather have in various cases stamped out
attempts to infringe on personal rights just because those people happen to
act through a corporation.

------
kinkrtyavimoodh
Edit: For people bringing up Sarbanes-Oxley, I will paste a comment made by a
user in this thread
([https://news.ycombinator.com/item?id=15827298](https://news.ycombinator.com/item?id=15827298))

> "This is not even a little bit true. What you're implying is that businesses
> are required by law to keep all internal communications in case someday
> there's litigation, and that is just flatly false. Deleting data once
> litigation has been initiated is tampering/obstruction. Deleting data when
> not under litigation is the company's choice, with very few exceptions. Many
> companies explicitly require all communication be ephemeral - email,
> messaging, etc. is explicitly only preserved for X days and then deleted
> entirely from all systems."

"That they were so concerned about covering things up meant that they could
have known what they were doing was a crime"

When the government says "Only criminals want privacy. Why do you care about
privacy if you're doing nothing wrong", everyone is up in arms (and rightly).
What happened now?

"However, companies have an obligation to preserve records that may be
reasonably seen as relevant to litigation. Chat logs that could help get to
the bottom of the trade secrets case are now inaccessible"

Why does someone automatically have a right to know what communication took
place just because that knowledge would help incriminate the communicator?

There seems to be a double standard in the community here when it comes to
privacy. Usually, everyone's all gung-ho about privacy and encrypted
communication and VPNs that don't keep logs. At that time, no one seems to be
concerned about who is using that encrypted channel and for what purpose. But
now suddenly Uber did it and it's bad?

~~~
throwaway613834
I don't know if this is the reasoning, but I don't see any immediate
contradictions in having different standards for individuals and corporations.

~~~
kinkrtyavimoodh
So if an organization says that its employees should always use an ephemeral
messaging service for communication, it's inherently in the cloud of
suspicion?

Because that seems tantamount to saying that literally any communication
between employees of the company (even verbal) must be recorded? What if all
this communication had happened between them in those 'long walks' they took
in San Francisco?

~~~
Analemma_
Yes. Sarbanes-Oxley requires business records to be kept for a reasonable
length of time, and with ephemeral messaging that is impossible. So it would
seem that these applications are illegal for business use by default.

