Social Media Content (SMC) is a rich source of evidence. Photos and posts shed light on claims of disability and damages, establish malicious intent and support challenges to parental fitness–to say nothing of criminals who post selfies at crime scenes or holding stolen goods, drugs and weapons. SMC may expose propensity to violence, hate speech, racial animus, misogyny or mental instability (even at the highest levels of government). SMC is increasingly a medium for business messaging and the primary channel for cross-border communications. In short, SMC and messaging are heirs-apparent to e-mail in their importance to e-discovery.
Competence demands swift identification and preservation of SMC.
Screen shots of SMC are notoriously unreliable, tedious to collect and inherently unsearchable. Applications like X1 Social Discovery and service providers like Hanzo can help with SMC preservation; but frequently the task demands little technical savvy and no specialized tools. Major SMC sites offer straightforward ways users can access and download their content. Armed with a client’s login credentials, lawyers, too, can undertake the ministerial task of preserving SMC without greater risk of becoming a witness than if they’d photocopied paper records.
Collecting your Client’s SMC
Collecting SMC is a two-step process of requesting the data followed by downloading. Minutes to hours or longer may elapse between a request and download availability. Having your client handle collection weakens the chain of custody; so, instruct the client to forward download links to you or your designee for collection. Better yet, do it all yourself.
Obtain your client’s user ID and password for each account and written consent to collect. Instruct your client to change account passwords for your use, re-enabling customary passwords following collection. Clients may need to temporarily disable two-factor account security. Download data promptly as downloads are available briefly.
Collection Steps for Seven Social Media Sites
Facebook: After login, go to Settings>Your Facebook Information>Download Your Information. Select the data and date ranges to collect (e.g., Posts, Messages, Photos, Comments, Friends, etc.). Facebook will e-mail the account holder when the data is ready for download (from the Available Copies tab on the user’s Download Your Information page). Facebook also offers an Access Your Information link for review before download.
Twitter: After login, go to Settings and Privacy>Your Twitter Data>Download Your Twitter Data. Re-enter the password and choose Request Archive. Twitter will e-mail the account holder when a compressed file holding the data is ready for download. Twitter permits one archive retrieval a month.
Google: Go to https://accounts.google.com, select Use Another Account and login to client’s account. Choose Data and Personalization>Download Your Data. Select data to include (be sure your client has expressly authorized collection) and the archival format (e.g., zip). Google will e-mail the account holder when a compressed file holding the data is ready for download.
Instagram: Login and go to the user’s profile. Select the gear icon (Settings), then Privacy and Security>Request Download. The data will be in JSON format inside a compressed file. Once decompressed, it can be viewed using any free online JSON parser.
LinkedIn: Login and select Me>Settings and Privacy. Under the Privacy tab, choose Getting a Copy of Your Data and the specific data sought. If uncertain, choose Download Larger Data Archive. Click Request Archive.
Snapchat: Login at https://accounts.snapchat.com and select My Data>Submit Request.
Tumblr: Login and select Account>Settings>Privacy>Request Privacy Data. The downloaded data will be in a compressed file in JSON format.
Review and Authentication
SMC is often voluminous and encoded in unfamiliar formats like JSON. So, as with other information collected in e-discovery, the competent way to index, search, review and tag electronic evidence is by use of e-discovery review tools, e.g., Relativity, iConect Xera, Logikcull, Everlaw, Exterro, Insight, CloudNine, Disco, NextPoint, Ipro, Lexbe, Z-Discovery, Ringtail, etc., etc., etc.
Though not essential, it’s prudent to calculate a hash value for preserved SMC to demonstrate its integrity. See, e.g., FRE 902(13) and (14). A hash value is a digital fingerprint of data. If the hash value obtained when the data was collected matches the hash value when used, the data is demonstrably unchanged. Many hashing tools can be downloaded online at no cost.
Caveat: There are no “guest passes” to social media accounts. When you log in as the account holder, you stand in the account holder’s shoes. Keep good records of access and note what you did while logged in. Likewise, never seek or consent to access an opponent’s social media account using opponent’s credentials or you open yourself up to claims that you added or altered content.
Josh Headley @ Lighthouse said:
Great post, Craig. With SMC, I’ve found it necessary to collect from multiple sources and cross-verify for each platform. For example, downloading my Facebook Messenger chats directly from FB results in, say, 100 conversations. I download the same data using Forensics Tool A and get 96. I use Tool B and get 102. Tool A missed some conversations, but has great reporting output that’s easily run through to review; Tool B stinks at reporting, but it captured more data. Hmmm.
Since the major SMC providers are continually downgrading what’s available through their public API, many tools are resorting to what amounts to “fancy screen captures” that can automatically “scroll and expand” to capture all the visible content (posts and comments). Although you get limited structured metadata using this method, the attorneys like it because it “looks just like the Timeline looked on Facebook,” for example. But, you cannot get a list of users who “liked” any given post.
We usually collect each account using multiple tools so that we satisfy the “what it looked like online” crowd as well as the “what about the metadata?” folks.
One source you could lump in here as well is Slack. Although it’s primarily targeted to businesses as a collaboration platform, my experience is that there’s just as much “social” going on in Slack channels as there is on Facebook. Slack can be exported to JSON (without attachments) by an admin with only a few mouse clicks directly from the Slack UI. There are several online and offline tools for converting that JSON into something more readily usable for e-discovery digest, and my primary go-to is Logikcull. Enterprise Grid customers of Slack can also connect “cloud to cloud” to a number of 3rd party governance and e-discovery providers such as Onna to facilitate search and export of Slack conversations in a usable manner.
The tough part, as you note, isn’t really with the *collection* of SMC any more – – it’s figuring out a method to prepare this “not email” evidence for mass e-discovery review and production. A combo of tools, scripts, and workflows, although not elegant, can bridge that gap. Thanks for the article Craig, interesting read as always!
LikeLike
Smitha said:
Interesting read!
LikeLike
Martin Flavell said:
Hi, thanks for sharing the info, great post as always! Also, it is highly beneficial to preserve the social media content and website pages is to save through “WARC- WebARChive format” as it displays web page mockups created by initially-saved web crawls, and it can precisely capture how the website looked at a point in time, including all the working links, videos, and dynamic elements.
LikeLike