Google Docs hit the consumer market in 2010, providing one of the first widely available web collaboration platforms that allowed multiple people to work on the same document simultaneously. The eDJ Group team monitored the slow adoption of GSuite by corporations and wondered when the use of web collaboration tech would seriously impact significant #eDiscovery collections. It took the pandemic and Microsoft SharePoint-OneDrive (SPOD) sharing to move this collaboratively created content into the mainstream ESI. The next generation of dynamic components includes MSFT Loop with .Fluid components and Google Smart Canvas with smart chips. These new apps/components free collaboration ‘documents’ from their origination locations and radically expand the context, audience and reach of documents. In a practical forensic sense, they make it very difficult to reconstruct the who, when and where behind a potential piece of evidence. My question is whether they disrupt the very concept of a custodian-to-document relationship.

Review teams and counsel have long struggled to untangle contract, presentation or report versions. “Microsoft has no memory” is one of my stock phrases when clients wrestle with complex enterprise preservation scenarios. Now we have to try to determine who ‘owns’ a table or document that literally hundreds or thousands of users had access and edit rights to after it has been shared out via Teams channels, email, chat or other internal/external publication channels. Without a single, clear custodian for ESI, how do we authenticate it for admission as evidence? What if versioning was not enabled and no legal hold kept all the changes?

SharePoint administrators can enable the site-level “SharePoint Viewers” feature to get some of that history. I am betting that information derives from the activity logs, which are only retained for a year by default. Microsoft’s Advanced eDiscovery (AED) now allows investigators to run searches on these activity logs and export the results. Suddenly corporate eDiscovery is starting to resemble my early forensics days parsing logs, slack files and such to reconstruct questions like who deleted a document. The good news is that MSFT .Fluid files are included in the list of discoverable Teams content. We may not know where that component has gone or who edited it, but we can preserve and collect it. As a good friend recently commented, “One of the first controls in every standard is to know about every authorized and unauthorized application on your system.” I extend that sound advice to include the requirement for practical preservation, collection and analysis of ESI associated with that application before it is allowed in your environment. So peers out there experimenting with MSFT Loop (@JasonVelasco), Google Workspace Smart Canvas or other new collaboration ESI should test before putting them into critical use.

Greg Buckles wants your feedback, questions or project inquiries. Contact him directly for a free 15-minute ‘Good Karma’ call. He solves problems and creates eDiscovery solutions for enterprise and law firm clients.

Greg’s blog perspectives are personal opinions and should not be interpreted as a professional judgment or advice. Greg is no longer a journalist and all perspectives are based on best public information. Blog content is neither approved nor reviewed by any providers prior to being published. Do you want to share your own perspective? Greg is looking for practical, professional informative perspectives free of marketing fluff, hidden agendas or personal/product bias. Outside blogs will clearly indicate the author, company and any relevant affiliations. 

