Can anyone doubt the changes wrought by the modern “smart” cellphone? My new home sits at the corner of one-way streets in New Orleans, my porch a few feet from motorists. At my former NOLA home, my porch faced cars stopped for a street light. From my vantage points, I saw drivers looking at their phones, some so engrossed they failed to move when they could. Phones impact how traffic progresses through controlled intersections in every community. We are slow-moving zombies in cars.
Distracted driving has eclipsed speeding and drunken driving as the leading cause of motor vehicle collisions. Walking into fixed objects while texting is reportedly the most common reason young people visit emergency rooms today. Instances of “distracted walking” injury have doubled every year since 2006. Doing the math, 250 ER visits in 2006 are over half a million ER visits today, because we walk into poles, doors and parked cars while texting.
Look around you. CAUTION: This will entail looking up from your phone. How many are using their phones? At a concert, how many are experiencing it through the lens of their cell phone cameras? How many selfies? How many texts? How many apps?
Lately I’ve begun asking CLE attendees how many are never more than an arm’s length from their phones 24/7. A majority raise their hands. These are tech-wary lawyers, and most are Boomers, not Millennials.
Smart phones have changed us. Litigants are at a turning point in meeting e-discovery duties, and lawyers ignore this sea change at peril. The “legal industry” has chosen self-deception when it comes to mobile devices. It’s a lie in line with corporate bottom lines, and it once found support in the e-discovery case law and rules of procedure. But, no more.
Today, if you fail to advise clients to preserve relevant and unique mobile data when under a preservation duty, you’re committing malpractice.
Yes, I used the “M” word, and not lightly.
I wouldn’t have called it malpractice a few years ago. But two things have changed, and we can’t hide our heads in the sand. These are paradigm shifts.
The two things are, first, the data on phones and tablets is not just a copy of information held elsewhere. It’s unique, and often relevant, probative evidence. Second, the locking down of phone content has driven the preservation of mobile content from the esoteric realm of computer forensics to the readily accessible world of apps and backups. These developments mean that, notwithstanding the outdated rationales lawyers trot out for ignoring mobile, the time has come to accept that mobile is routinely within the scope of preservation obligations.
Too, lawyers need to stop treating mobile devices like biohazards and realize that there are easy, low-cost ways to preserve relevant mobile content without taking phones away from users. Because it’s easy and cheap to preserve it, mobile content is accessible, and its preservation, when potentially relevant, is proportionate under the Rules.
That’s a strong stand, and one some will angrily reject. I get where they’re coming from. It was wonderful to be able to ignore mobile in e-discovery. Mobile was a black hole. It wasn’t just that you had to hire technical experts to use expensive tools to preserve the contents of phones, it was like pulling teeth to get users to let loose of their devices for the hours or days it took to collect them. Even when they did hand them over, more than a few users claimed to have entered the wrong password too many times and “accidentally” wiped the contents of the phone. “Oops. My bad.”
If that never happened to one of your clients, it may be because your client wasn’t preserving phone data, indulging in the assumption that whatever they’d glean from the phone would be collected elsewhere. They deemed mobile redundant.
Lecturing about mobile and IoT in D.C. last year, an associate from a megafirm confided to me that his firm routinely advised all its litigation clients that they need not preserve the content of mobile devices because “all the relevant content would be duplicated on the servers.” I asked if the firm had ever tested its advice against the relevant data to determine if there was truth in what they were telling clients. He admitted they never had, and offered that they’d never do so. The firm didn’t want to know the facts because the fairy tale of “replicated elsewhere” was what the client wanted to hear.
Is it a fairy tale? I have my own views based on my own comparisons of mobile content versus other collected sources. What I see demonstrates that the claim that what’s relevant on a phone is preserved elsewhere is a whopper. I am routinely finding examples of relevant data stored on mobile devices that is not found among the other sources of data routinely preserved in e-discovery. The replication fairy tale is a relic of a bygone era of Blackberry Enterprise Servers and phones with lower IQs than the brilliant devices now our constant companions and confidantes.
But, I’m not asking you (or courts) to take my word for it. Test it yourself.
If you’re going to tell the tale, then get some metrics to make it plausible. Use sampling. Process the phones of a few key custodians and compare all the potentially relevant items collected from their mobile devices against the other sources collected for the sampled custodians. What’s the differential? Is the unique evidence from the mobile device probative and material?
I’ve done that, and so I know replication is a fairy tale. If you want to claim it’s true for your client in your case, how about putting some facts to work? Bear the burden of proof, or start bearing the onus of truth. When you have the facts, you’ll have to let loose of the legend and preserve relevant mobile content.
That’s the bad news for those who would prefer to ignore mobile. But take heart, as that will seem like great news compared to the next development. Yet, there’s a silver lining. Mobile preservation’s become quick, cheap and easy.
A few years ago, mobile phones shared some of the characteristics of personal computers in that they held latent data that could be recovered using specialized tools sold for princely sums by a couple of shadowy tech companies. So, the preservation of mobile devices slipped into the shadows, too. Phones and tablets were forensic evidence, and only forensic examiners could collect their contents.
Although users used mobile devices all day, the contents of mobile devices were dubbed “not reasonably accessible.” It was too costly and burdensome to preserve a phone. Good thing, because users were holding onto their phones tighter than Willie Nelson clutches a bong Donald Trump grabs a pu LIFE ITSELF. Users protested, “the mobile phone is the only way the kids’ school can reach me in an emergency, and I can’t use another phone because everyone texts now, and WHO REMEMBERS PHONE NUMBERS ANYMORE?”
So, the next altered paradigm: In e-discovery today, the forensic-level preservation of phones—the sort geared to deleted content and forensic artifacts—is a fool’s errand. As the public learned from the FBI’s tussle with Apple over unlocking the iPhones of the San Bernardino terrorists, modern smart phones are locked down hard. Content is encrypted and even the keys to access the encrypted content are themselves encrypted. Phone forensics isn’t what it used to be. More and more, we can’t get to that cornucopia of recoverable forensically-significant data.
At the same time, it’s quick, easy and free for a user to generate a full, unencrypted backup of a phone without surrendering possession. The user can even place the backup in a designated location for safekeeping by counsel or IT. Will this be a “forensic image” of the contents? Strictly speaking, no. But as the phone manufacturers tighten their security, “forensic imaging” becomes less and less likely to yield up content of the sort encompassed by a routine e-discovery preservation obligation. Not every case is a job for C.S.I.—and I say that as someone who makes a living through computer forensics.
I grant that a full unencrypted backup of an iPhone isn’t going to encompass all the data that might be gleaned by a pull-out-all-stops forensic preservation of the phone. But so what? As my corporate colleagues love to say, “the standard for ESI preservation isn’t perfect.” I always agree adding, “but it isn’t lousy either.” Preserving by backup isn’t perfect; but, it isn’t lousy. I’ve come to regard it as sufficient and proportionate. It’s good enough, and in most cases, darn good.
I think this is important. It’s a game changer for what most litigants are doing today. In a view I hope will come to be shared by all who think it through—preservation of mobile device content must become a standard component of a competent preservation effort except where the mobile content can be shown to be beyond scope. Mobile content has become so relevant and unique, and the ability to preserve it so undemanding, that the standard must be preservation.
In a future post, I’ll lay out the steps to make mobile preservation part of routine preservation workflows and facilitate custodial-initiated preservation of mobile device content. I’ll also talk about why it’s defensible, proportionate and amenable to targeted processing when it’s time to move from preservation to production.
Always interested in your comments, too!
Pingback: A New Paradigm in Mobile Device Preservation | Ball in your Court
Matthew Golab said:
Fascinating insights as always, Craig. In addition, there is the geospatial metadata from apps on mobile devices – coupled with time.
LikeLike
Pingback: A New Paradigm in Mobile Device Preservation | @ComplexD
realrecords said:
In preparing my upcoming presentation on proportionality, I have become more convinced than ever that, when considering primary and secondary sources of potentially relevant data, mobile sources (especially phones) no longer belong in that ‘secondary’ source category; and that data more often than not is part of initial discovery, not proportional or periphery data down the road. Attorneys are best advised to ensure their client preserves mobile data immediately in anticipation of litigation.
LikeLike
Greg Buckles said:
Seems that we keep encountering the same counsel giving advice to our clients. I have learned the hard way to always ask “Are mobile devices outside the scope of this engagement?” When they say yes, I put that ‘exclusion per client’s request’ in my SOW so that I have documentation when it comes up later. Bravo for the unfiltered perspective.
LikeLiked by 1 person
craigball said:
Smart. That’s got to be better for business than ‘exclusion per counsel’s incompetence. ‘ Thank you. I always value your perspective.
LikeLike
Doug Austin said:
Thanks for the post, Craig! As I’m sure you know, we covered a case just today where the judge recommended dismissal of the case after the plaintiff erased and reset her iPhone 6 hours before turning it over to her attorney to be sent for forensic examination. Naturally, she claimed not to know what happened. 😉 Because we use our mobile devices so much these days, the amount of ESI generated on them that never gets replicated to other sources is only growing.
LikeLike
Jeff Kerr said:
Great post, Craig. Can’t wait to see the strategies you recommend in the follow up post. A few years ago I was using iExplorer to extract data cheaply from my clients’ iPhones.
LikeLike
Vik said:
Great Write Up Craig! Looking forward to next version – Thanks
LikeLike
Pingback: A Duty to Preserve Mobile Data – YES! | jimsmithlitigenv
Martin Mayne said:
Great post, Craig! This thinking causes trouble outside of the litigation context as well. I had to convince inside counsel in a data breach investigation recently that it was a bad idea to “hold off for now” looking at mobile device data. What’s one of the first places you’d want to look for data leaks?
LikeLike
craigball said:
Thanks for the insight, Martin. It’s the Streetlight Effect: the proclivity to look for something where it’s easiest to do so, even if it’s not the most likely place to find what you seek. I’m more forgiving of that behavior when it comes to processing and review of mobile data simply because, in the e-discovery context, the tools, services and education to make mobile content routinely available in a legal review workflow have yet to keep pace with the importance and ubiquity of the data. It’s not intrinsically a hard problem to solve. A solution is deferred by virtue of all those who prefer to pretend the content is cumulative and peripheral. Preservation is easy and cheap now; hence, it can no longer be ignored.
LikeLike
Josiah Ulfers said:
Text messages are the big example of data stored on a phone and generally not on a server. (Though people tend to think the carrier keeps a copy, thanks, television.)
I entirely agree that the forensic image approach to phones is too difficult for most purposes, but I’m not so sure about how easy the alternatives are. Creating a backup is one thing, presenting the data in a useful format is another.
Sure, you can extract messages from an iCloud backup, but Apple doesn’t provide a supported way to do it, so you’re at the mercy of third-party programs of questionable quality.
Android is substantially more varied, but at something like 80% worldwide market share, it can’t be ignored. Google provides cloud backup for Android apps, but limited to a fairly low per-app size limit. Manufacturers can offer custom backup software, but, in the general case, a full backup is a daunting task for non-technical users. Also, apps can opt-out of backups.
Small plug: I am the author of Legal Text Collector, an Android app for do-it-yourself text message collections.
LikeLike
craigball said:
Between the plug for a product and the misinformation about backing up a phone being a “daunting task,” I almost didn’t authorize this comment. Notwithstanding, thank you for weighing in. “Creating a backup is one thing, presenting the data in a useful format is another.” Yes, exactly. The first addresses preservation, the topic of this post. Presentation (a/k/a processing, review and production) is another thing for another post, and it does present special challenges attributable to a dearth of effort directed to tools and training. The preservation duty exists precedent to and (largely) independent of the duty to review and produce data in discovery. The former is a more-encompassing duty and the failure to meet it can serve to destroy the ability to meet the latter duties when and if they arise.
I am most exercised at your proposition that the failure of Apple to support text message export leaves parties “at the mercy of third-party programs of questionable quality.” I assume you are excluding your own product in that merciless description. All e-discovery leaves parties “at the mercy” of third-party software. What are Cellebrite, Law, Nuix, Relativity, XRY, iConect, Exterro, etc. but third-party programs and platforms? Your proposition seems to be that, since the OS providers offer little or nothing for evidence collection and processing (let’s leave O365 aside for now), then turning to third-party tools that enable evidence preservation and presentation isn’t appropriate. I respectfully disagree. The legal system cannot wait for Apple and Microsoft to deem it profitable enough to offer robust solutions to problems lawyers face today. A multibillion dollar e-discovery industry exists in proof of same.
Thank you for your contribution to the tool set. Even if it may be unstable or might be “of questionable quality,” it’s better than pretending the messages aren’t there or will miraculously turn up somewhere else.
LikeLike
Josiah Ulfers said:
I apologize for being unclear. By “daunting” I only meant that there are a wide variety of ways to backup an Android phone and what works for one won’t necessarily work for another model, carrier, or app configuration. It’s hard, therefore, to say in a general-purpose way, “Here’s the correct way to do it…”
LikeLike
craigball said:
Thanks for the clarification. If I seemed unduly defensive, it’s because I encounter too many lawyers (not you) using FUD to excuse their clients’ failures to meet preservation duties. What I advocate is not hard or costly. It just serves some’ agendae to cast it that way.
LikeLike
Greg Kelley said:
Great article, Craig, but I believe you are off in two areas. First, the days of deleted content are definitely not over. Certainly with file system encryption you are not going to get deleted files. But much of the data on phones is stored in databases, quite often SQLite. You can definitely recover relevant deleted content from there. Second, the simple making of a backup of a phone really only works in the iPhone world. When it comes to Android, the backup apps out there often miss a good amount of data, including text messages.
LikeLike
craigball said:
Both fair points, Greg. Still, a backup of apps tends to preserve the SQLite databases, so that data isn’t necessarily lost. As well, I was careful to note that I was speaking to the preservaion duties as they exist in the run-of-the-mill e-discovery matter, not a forensic investigation of spoliation. There indeed remain forensic avenues to explore notwithstanding encryption and other challenges; yet, we must be careful not to lump the ability to recover forensic artifacts using specialized skills and tools with the baseline obligations of preservation in e-discovery. In discussing a lawyer’s duties, I hope it was clear I was addressing only the latter here.
Insofar as Android, I acknowledge the differences in texts, geolocation and other data. But, noting that a preservation method will not get everything ignores the reality that the alternative is rarely forensic imaging but, far more commonly, doing nothing in the way of mobile preservation. Once more, I don’t accept that lousy is the alternative to perfect when we define a party’s obligation to preserve relevant and unique information. Thanks for weighing in.
LikeLike
Greg Kelley said:
I completely agree that lousy is not the alternative to perfect. And I’m not campaigning for everything to be collected, but if your collection doesn’t have the necessary items (i.e. messages) what good is it? In my experience many legal or corporate don’t test out these procedures until it is too late and they realize they’ve missed the most important items. I just wanted to caution that with mobile devices it is often not as easy as what you describe above.
LikeLike
craigball said:
Dear Greg, Thanks once again for sharing your expertise. I have to push back because, when an expert like you expresses a view like “it’s often not as easy as you describe,” lawyers use that (or anything really) as an excuse to do nothing. You and I are looking through different ends of the telescope. I see the push to do nothing. So, I vehemently disagree with you when you suggest that making a routine backup of the contents of either an iOS or Android device is difficult. It is not; in fact, the ease with which it can be done is a selling point of their ecosystems. You are saying that obtaining a backup that has the full panoply of data on the device is difficult. That is, a “perfect” backup is difficult, particularly in the Android environment. Agreed, but if we then abide preserving no relevant, unique mobile content pending a perfect backup solution, we play into the dingbat rationale of those who prefer to do nothing to preserve such content.
For example, no iOS (Apple) backup preserves e-mail messages stored on the device. Mail store discontinuity is huge. Yet, does that suggest no preservation is required because the locally-stored e-mail won’t be preserved in the backup, though tons of other relevant content will be preserved by backup? I hope we can agree that, if you can’t keep both baby AND bathwater, you should keep the baby, not discard both.
My point is that we must consider more than just the inevitable shortcomings of one or another preservation technique; we must as well consider what will done instead. Let’s not equip legal and corporate with the excuse of, “we would have missed some important items, so we preserved nothing at all on the phones.” That’s what most do now when it comes to mobile.
If the tech-savvy don’t stand together on the core issue of compulsory preservation of relevant, unique data by best reasonable means, we will certainly fail collectively. Thanks.
LikeLike
Greg Kelley said:
First, I would never suggest anything other than the iOS backup on the iPhone, because that is all there is. Second, I find it disingenuous and self serving to spend more money on motion practice to not do something than it would cost to do it the right way. The right way is not to just have any person perform a backup. Having “anyone” back up or handle data on a cell phone is the same mindset that companies have when they leave their IT security to “just someone”. Certainly one does not have to get everything, but you better know what you are and are not getting and how to handle it. Many would argue that the legal process itself isn’t a reasonable and unburdensome process. Why should they impose that requirement on other resources that interface with the process?
LikeLike
craigball said:
Dear Greg, I lost your point in the last response and want to make sure we are not arguing at cross-purposes. You sound like you are arguing forensics when you speak of the “right way” To reiterate, the most common approach addressed to preservation of mobile content in e-discovery is to pretend there is no discoverable evidence on the device. Again, I am talking about e-discovery practice NOT forensic practice. Perhaps the two should converge, but they do not.
It strikes me as neither practical nor economically feasible to expect there are a sufficient number of qualified forensic examiners with proper tools and training to undertake routine preservation of all implicated mobile devices. Certainly, there is no budget for same in many cases where the duty to preserve attaches. I don’t know what you think I am advocating here. Whether we like it or not, the bulk of ESI preservation efforts are custodial-directed holds. I don’t suggest just “anyone” perform the mobile backup. I suggest the custodian who uses the phone undertake the preservation with specific instructions and guidance on how to configure the process and, as warranted, sequester the backup data. My observations apply to the customary legal hold procedures counsel are obliged to advise clients to undertake.
Apart from hisring someone like me or you to grab the data on the phone (which is not an affordable or scalable approach in most cases), you don’t say how you would solve the problem more effectively and practically than the practices I propose. Don’t just attack the legal system as unreasonable and burdensome. I acknowledge its flaws. Please posit a better, more practical and affordable solution than mine.
LikeLike
Greg Kelley said:
So you are saying that a $1000-$1500 cost to preserve and provide the data from a phone is not practical or affordable? Understand that is the typical price for one phone, not multiple. And I do realize that a lot of ESI preservation efforts are custodial-directed, but that doesn’t make it a good option or an option that should be promoted.
LikeLike
craigball said:
Yes, that is what I am saying in the particular context in which I said it. The unit cost isn’t the sole concern. Cost must be weighed according to scale and proportionality concerns. The biggest issue is the ability to secure acess to the device, because to do so deprives the user of something they are loathe to relinquish for more than a few minutes, if that. Another concern is logistics. It takes time and physical access with specialized tools to acquire the device “your” way. A company may have field reps in all fifty states, and the obligation to preserve for anticipated litigation doesn’t just ooze into place at one’s convenience. A party has to move diligently to get a hold in place, especially for volatile relevant sources. Will a company need to identify competent examiners in all jurisdictions and negotiate acquisition with each? Overnighting the phone is a non-starter, and remote acquisition deprives the user of access, too (albeit they can sit with the device while it is acquired, though they can’t use it or go anywhere with the phone while they observe the process).
So, yes, the one-off preservation of a phone when forensic acquisition is required may or may not be affordable at $1000-$1500. I have no dog in that fight right now. I can say it’s not scalable in e-discovery, and it’s not something users will abide. I said this in the post; but, it appears I made the point badly. I may have to do it again.
LikeLike
Greg Kelley said:
Remote acquisitions are very common and while it may deprive the individual of using the phone for a period of time, technically they are depriving themselves of that while they hunt through it for relevant messages or other data. Furthermore, if someone is involved in a legal matter, aren’t they going to be deprived of time and their device for other things such as meeting with an attorney, taking part in a deposition, etc? However, in some circumstances the remote preservation can be accomplished with cloud backups which can be done while the phone is in use. Agreed that having competent examiners in all jurisdictions is impractical, and I never suggested it.
LikeLike
craigball said:
Like my smartest law students, Greg, you keep trying to change the hypothetical! In this preservation model, there is no hunting for relevant messages. The user doesn’t “decide” what content to preserve. There is no targeted collection, no processing, no review, no discovery…yet. It is simply preservation in anticipation of litigation per a preservation directive.
Most data preserved in anticipation of litigation is not ultimately used. Litigation doesn’t always follow. Cases get resolved before discovery. The preservation net is broader than the collection scope. Etc. Etc.
A cloud backup could be a solution in the limited number of cases where the items preserved by cloud backup are all that may reasonably expected to be relevant. But, at least with iCloud, the online backup is markedly incomplete and fully encrypted, limiting its utility and the tools that can be used to parse the data when needed. I have pragmatic reasons to prefer the more complete and unencrypted iTunes backup; but, the precise means of backup isn’t set in stone. The key point is that backup is the way to go: custodially-initiated, users keeps their devices at all times, no technicians need be hired and the process is quickly and infinitely scalable, to name just a few advantages.
There are compromises attendant to this low-cost process. These compromises stem from those who compare the process to the (largely non-existent) ideal of “forensic” preservation. Instead, the process should be compared to the reality of near-total abrogation of responsibility and inaction that characterizes preservation of mobile data today. We shouldn’t lick our lips waiting for the huge spike in business attendant to preserving phones. Ultimately, one-off preservation with a Cellebrite (or similar) device is not the primary way that mobile data is going to be preserved for legal matters.
LikeLike
William Kellermann said:
Two nits to pick. I was hoping the pronouncement of “Malpractice” was followed up by a cite to a case where some hapless lawyer was sued for bad advice. Alas and alack, merely hyperbole. Granted, necessary and well intentioned hyperbole.
On a more serious note, I think a discussion of Enterprise Mobile Management (EMM) tools is in order. Especially where a company supplies EMM to partition personal from company data to support IG, data privacy and data security initiatives. Properly configured EMM solutions do ensure company data lives on the server, and not the device. Moreover they supply a means to capture behind-the-firewall communications data (think Jabber) that is often ignored as well.
Last, I have been using tethered backups to preserve mobile data for years (since 2008). Write an iTunes or other backup of the iOS or Android device to the corporate laptop and image the laptop. Everything is preserved in one place. Even works for the archaic iPod.
LikeLike
realrecords said:
William,
Not to jump the gun on Craig and his possible response, but I agree with your comment on EMM tools/methods, especially if they are specified, such as Mobile Device Management (MDM); Mobile Application Management (MAM); Mobile Information Management (MIM); and Mobile Content Management (MCM). Each of these options provide a particular method to manage or control business information on mobile devices; I believe they should be evaluated by not only the company’s IT group, but in conjunction with RM and Legal, for all the obvious reasons.
Aaron Taylor
LikeLike
craigball said:
Dear Bill, Thank you for the nits! I take some umbrage at your labeling my views–born of experience and study–as “hyperbole,” as that disparages them as “exaggerated statements or claims not meant to be taken literally.” I meant what I offered quite literally, and I was not exaggerating the obligation, the problem or the ease with which they can be addressed. There are many reasons why we do not see reported legal malpractice decisions growing out of e-discovery even though we see such malpractice with some frequency. I would ask you instead, how many cases involve derelictions in preservation are due in whole or part to lawyers unskilled and unschooled in e-discovery? In instances where the loss of mobile content is at issue, how many involved lawyers who acted diligently to seek to effectuate preservation of that content?
I laid out my opinion. If you generously deem me an expert, then call it an expert opinion. It wasn’t being said by others, and not because it’s not accurate or well-supported by the evidence and good sense. Just not by copious legal precedent. There will never be copious legal precedent on legal malpractice. There never has been all that much. It is our game, our field and our ball, after all.
I don’t share your admiration of EMM tools from the standpoint of preservation, especially when it comes to text messages and beyond-the-firewall communications. I think EMM is a good practice and serves to add some heft to an argument that relevant business data is less likely to be found on the device. But here again, where are the metrics when it comes to text, apps and geolocation data, just to name a few potentially relevant sources that often fall afield of EMM? Show me the metrics!!! 😉
Your preservation solution of longstanding is certainly defensible but, I’m loathe to laud whole drive PC imaging as the go-to preservation method in e-discovery. It’s a very good one, no doubt, and my personal go-to method most often; but, it isn’t the only one nor the most cost-effective at scale. Thanks again for the nits.
LikeLike
William Kellermann said:
Malpractice has a certain, specific connotation that couples incompetence with harm. And it presupposes that the common lawyer would advise differently or better. Part of the ongoing problem with eDiscovery “malpractice” is the “mediocrity” defense. Moreover, I have found that when you say the “M” word, a certain class of lawyers, who are in my opinion the offending class, often tune out altogether.
I think where we do agree is at the level of competence. Not advising a client to preserve mobile device data, where that data is unique, relevant and proportional is incompetence.
Whether or not EMM tools are wholly sufficient begs the question. The existence of EMM tools and representations about them undercuts the discussion of whether or not the device itself must be preserved. It also adjusts the analysis of proportionality. As you say in your post, a backup is not going to get everything. EMM tools should get what you want in terms of the company’s obligation to preserve and produce, and not commingle that information with personal, private information of the user. All of these points have a place in a proportionality analysis.
If you don’t want to image the whole drive, just make sure the mobile device backup is captured in Crashplan, Time Machine or whatever else you are using to back up or collect that device. I’ve found remote, FTK images are the most cost effective way to preserve and collect laptop or desktop data where those devices aren’t backed up routinely or sufficiently for the discovery purpose.
Moreover, a laptop is as much a mobile device as anything – heck, the lines between laptop, tablet, phablet and smartphone are essentially non-existent, with one caveat. The fundamental difference is when the device is intended and used as a viewer of data held somewhere else, whether the cloud or on premise behind the corporate firewall. Understanding that difference is to me the real measure of competence. It’s not the media (PDF, DOCX, MIME, MMS, SMS, etc.) or the device, but the content that counts.
LikeLike
craigball said:
Well said. And agree the lines blur. My phone holds 6,000 times as much data byte-wise than my first PC with a hard drive.
LikeLike
Pingback: Custodian-Directed Preservation of iPhone Content: Simple. Scalable. Proportional. | Ball in your Court