Over the past few years, Signal has been one of the fastest-growing new communication platforms in the world. As of the end of 2021, it had more than 40 million monthly active users, and many of them are using it for both private and professional communications. As adoption and use has increased, so has the frequency with which Signal has been identified as a source of relevant communications that must be identified, preserved, and collected to fulfill litigation duties, compliance duties, and other recordkeeping obligations. Government agencies have recently placed special emphasis on the importance of organizations accounting for all communication channels in use by their employees, particularly encrypted or ephemeral channels like Signal. For legal practitioners – especially those working in a highly-regulated industry like financial services, becoming familiar with Signal and with discovery from it is no longer optional.
Signal is a free and open-source encrypted messaging and voice calling app developed by the Signal Foundation and Signal Messenger LLC. In addition to messaging and voice calling, Signal also includes features such as group chat, multimedia sharing, and support for various types of emojis and stickers. The app is designed to be secure, private, and reliable, with a focus on protecting users’ privacy. It is available for iOS, Android, and desktop platforms, and it is widely regarded as one of the best options for secure and private communication. One of the key features of Signal is its end-to-end encryption, which ensures that messages and calls are securely transmitted and can only be accessed by the sender and the intended recipient. Moreover, Signal does not store user data on its servers, meaning that the app’s developers cannot access the content of messages or calls. The app also includes several other security and privacy features, including the ability to set messages to automatically delete after a certain amount of time (“disappearing messages,” a.k.a. ephemeral messages), and the ability to unsend messages by deleting them from recipients’ devices (“delete for everyone”).
Signal Collection Challenges
Signal’s focus on privacy and security means that it poses a variety of challenges as a discovery source. As noted above, Signal does not store any user data on their servers beyond general account information, and on mobile devices, Signal application data is stored in an encrypted database which is not typically available from iOS or Android backups. Most collections of ESI from mobile devices using mobile forensics tools will not include Signal data. Signal data can be extracted from mobile devices only in the event a full file system extraction can be obtained. For iOS devices, this type of extraction is generally possible with older iPhone models (iPhone X and below) using the checkm8 method, which is an exploit that temporarily allows low-level root access to the device. For Android devices, this type of extraction is possible if the device has been rooted. Gaining root access to an Android device, however, carries the risk of permanent data loss, so unless the device has been previously rooted by the user, it is not typically a viable option. Likewise, obtaining a full file system extraction from iOS devices newer than iPhone X is often not possible.3 Frequently, the only method to capture Signal is manually, by using built-in screen recording features and/or screen sharing via apps such as Zoom to take screen captures while scrolling through each relevant conversation and expanding the contents along the way.
Signal Post-Collection Steps
After manual collection via screen captures, additional steps are required to render the collected materials searchable and sortable alongside other collected materials:
- First, if only screen recording was used, still frames must be extracted from the recording.
- Second, a quality control review must be performed to ensure the screen captures have captured complete, continuous threads.
- Third, the collected screen captures must be run through Optical Character Recognition (OCR) to make the contents of each screen capture searchable.
- Fourth, the captured communications must be unitized into complete conversations to create discrete documents for each.
- Finally, metadata must also be recorded for each conversation, including chat/group name, chat participants, chat timing (start, end, duration), and disappearing message timer setting.
After these steps are completed, it is possible to load the collected conversations into a review database for review alongside other collected materials and, potentially, production.
When thinking through the potential sources of relevant materials for litigation, investigation, or compliance, it’s important to find out if your employees (or your client’s employees) are making use of Signal. If so, it will be important to focus on that source right away, both because the potential for relevant communications to be lost is high due to its ephemeral messaging options, and because you will want to allow extra time for the more complex collection and preservation process required.
About the authors
Matthew Verga, Esq. | Director of Education
Matthew Verga is an attorney, consultant, and eDiscovery expert proficient at leveraging his legal experience, technical knowledge, and communication skills to make complex eDiscovery topics accessible to diverse audiences. A sixteen-year industry veteran, Matthew has mastered every phase of the EDRM and worked at every level, from the project trenches to enterprise program design. As Director of Education for Consilio, he leverages this background to produce engaging educational content to empower practitioners at all levels with knowledge they can use to improve their projects, their careers, and their organizations.
Mike Gutierrez | Director, Forensic Services
Mike Gutierrez serves as a Director of Forensic Services for Consilio. He has been involved in the legal technology industry since 2000, filling many different roles including e-discovery lifecycle management, digital forensic investigations, electronic data processing, operations management, software training and technical support. Mike’s expertise lies in digital forensic consulting, investigations, and data collections. He regularly serves as a digital forensic expert, providing testimony and expert reports on a regular basis. Mike also specializes in assessing new and evolving technologies and developing forensically sound procedures for data preservation, collection, and processing. He holds the industry certification of Certified Computer Examiner (CCE).