As this article and the associated Gibson Dunn report identify, authenticating collections from Facebook is a significant problem. There is a broad lack of understanding of the types of metadata available from social media platforms and the proper way to associate and handle that data.
Here are a few important tips:
1. Use the cloud to collect the cloud
Social media platforms are all cloud based. That’s the only way they work (just think about a scenario where everyone had to locally install YouTube… oh wait that was RealNetworks). The most efficient, forensically defensible method for getting data captured out of the cloud is to do it with the cloud. The data is never brought local, the potential for manipulation doesn’t exist, and there is an airtight chain of custody because it all happens programmatically. Let the computers do it. Cloud Preservation and a number of other less capable options exist.
Just as printing out email to review is not sufficient for digital discovery–bringing cloud data locally doesn’t pass muster.
2. When possible, the APIs represent the best available option
Not using the API (Application Programming Interface) to collect will be a sure path to a challenging chain of custody. It’s the first question anyone looking to challenge a collection would ask. “Did you use the API?” If you’d like to know more about API’s, let’s talk later, but make sure to use a tool that is using the API’s to capture data when it’s possible to do so.
3. Screengrabs Miss A Lot
Without a doubt, the most dangerous assumption is that taking a screen capture of a social media feed qualifies as a collection. Big error! Social media platforms (Facebook in particular) often filter, modify and repackage the content you are seeing at any given time. These platforms also make different objects available to a user at different times. Posts may be deleted with no history available, so the original screen grab cannot be authenticated (again, unless you go through the process of #1). It is not self-authenticating. There are substantial amounts of data available to an authenticated user session in social media including private messaging systems that resemble email.
It is technically impossible to screengrab a social media feed completely (see #1 and #2).
4. There is additional metadata
Ever seen a post that says “352 people also (liked, retweeted, +1) this post.” Those target links need to be clicked to expose the data of who commented and what they said. Each one of those comments and endorsements is a piece of metadata that needs to be kept in any legal context. Hashtags? Also metadata. Add in geo-location information and additional threads of the social graph that will be woven through and between these platforms.
The integration between these platforms is already astounding, and let’s remember these are relatively new platforms. A sophisticated, technology based approach– not printing them to images or a color printer– is the only forensically sound way to be certain all pieces of metadata are captured.
Hopefully these tips help ensure that the collected social media has been done so in way that can be authenticated in the emerging new world of social media eDiscovery.