Going Mobile: Traditional Challenges Associated with Mobile Device Collection

In our last post, we discussed notable case law rulings related to sanctions regarding mobile device data.

If you recall our very first post in this series, we provided three statistics that illustrate just how ubiquitous mobile devices are in our everyday lives. Here are two of them again:

• On average, people in the U.S. spend about 4 hours and 39 minutes daily on their mobile phones, excluding voice calls.
• Mobile devices account for 60.67% of website traffic.

Despite the ubiquity of mobile devices in our lives (including our work lives), many cases involving discovery of electronically stored information tend to exclude discovery of ESI from mobile devices. In eDiscovery Today’s 2024 State of the Industry Report, only 13.2% of corporate respondents said they have mobile device data in their cases all or most of the time, while three times as many respondents (39.5%) said they have mobile device data rarely or never in their cases.

Why isn’t mobile device data involved in more cases? Because collecting data from mobile devices has historically been time-consuming, convoluted and costly. Mobile device discovery has historically been so challenging that many parties in litigation agree up front not to pursue ESI from mobile devices – despite the potential existence of key communications in text and other messaging platforms. In this post, we will discuss the traditional challenges associated with mobile device collection.

Traditional Challenges Associated with Mobile Device Collection

To understand some of the challenges that have existed, it’s important to understand how the technology used to collect from mobile devices originated. In earlier days of “flip phones” (before the existence of smartphones and before the cloud became a significant method of backing up mobile device data), the technician would plug your old phone into a device to transfer your data from that phone to your new phone each time you changed phones. It would transfer your data, including contacts, messages, and media files. Because no cloud backup existed at the time, if you lost your phone, you lost your data.

As mobile devices evolved and the “smartphone” was reinvented with the introduction of the iPhone in 2007, collection of data from mobile devices didn’t change all that much. Even after Apple introduced iCloud in 2011 and created the ability for iPhone users to back up key data to the cloud, discovery of data from mobile devices has continued to employ a similar approach to the early days of mobile devices during the “flip phone” era – capture of the entire contents of the device as a forensic image.

While there are certainly cases where a forensic image (full file system) is warranted – such as criminal cases or civil cases where data from encrypted applications is relevant, historical location data is needed, or evidence of spoliation exists – the use of forensic imaging technology as a standard for collecting mobile device ESI has been time-consuming, convoluted, and costly. Because it captures the entire contents of the phone, there are also data privacy issues – especially for custodians who are using bring your own device (BYOD) devices or those with special confidentiality obligations such as lawyers and doctors.  Balancing these concerns with discovery preservation obligations can be daunting.

To avoid these time and cost challenges, the typical alternative for collecting data such as standard text messages was at the other end of the data collection spectrum: capturing selected screen shots of the desired data from the device. Of course, this approach doesn’t capture any metadata and is highly subject to evidence tampering, as we saw in the case Rossbach v. Montefiore Med. Ctr. (which we covered in the last post).

Common Types of Mobile Device Preservations in eDiscovery

It is important to determine upfront the type of preservation that is needed (or may be needed in the future). Typically, there are two types of collections methods to consider: a targeted collection or a full file system collection.  Both methods have their place in the legal system, but it is imperative that legal professionals understand the difference and when each is best used.

Full File System Collection

These collections are done using specialized software to circumvent security features that normally limit data preservation.  Full file system collections are most relevant to investigative matters.

Pros:

• Preserves all data accessible on the device
• Allows access into three-party and encrypted applications (WhatsApp, Telegram, Signal, TextNow, etc.)
• System artifacts – critical in demonstrating user interactions with the device such as wipe dates, logs showing missing native messages and calls, and which applications were being used at a particular time
• Location data – can confirm client was or was not at a specific location such as competitor’s place of business
• Limits the need to recollect data from the custodian as the case evolves

Cons:

• Collection will require onsite examiner or device sent to a laboratory for collection
• All data in the phone is collected which may cause privacy concerns with the client – can be minimized with specialized handling protocol.
• Some companies charge higher rates for full file system extractions

Target Collections

These collections limit the data being preserved and, in most cases, can be performed remotely. Targeted collections are most relevant to e-discovery matters where the facts are well known, and the chances of spoliation allegations are low.

Pros:

• Can be performed remotely (for some data)
• Can be limited by date, contact and data type filtering
• Custodian sees that only specific data is being pulled from the device
• Limits data needing to be reviewed

Cons:

• Validation, defensibility and forensic review of preserved data is limited
• Increases the need for pre-scoping collections
• Increases the chances of missed data
• Supported communications applications are very dependent on tool(s) being used (WhatsApp, Telegram, Signal, TextNow, etc.)
• Increased need for recollection when case scope changes which means the chance of data loss increases

Conclusion

Despite the importance of mobile device data, the traditional challenges associated with mobile device collection have encouraged parties in many cases to agree to refrain from collecting from these devices which in many cases is not the best decision. Proportionality, in terms of whether the benefit exceeds the burden, is always a primary consideration when discovering ESI from any device, including mobile devices.

However, there is hope! Next time, in our last post in the series, we will discuss recent technological advances in mobile device collection that can streamline the workflow considerably. In case you missed any part of this series, you can head back to the beginning of the series to explore how discovery of data from mobile devices has become more important, while also one of the most challenging forms of ESI to preserve and collect.

For more regarding Cimplifi forensics, collections and protocol capabilities, click here.