Glyphward

eDiscovery AI · Legal · Litigation document review

Prompt injection in eDiscovery AI — Relativity, DISCO, Everlaw, and the adversarial opposing-party document risk

eDiscovery AI platforms deploy vision-language models and OCR pipelines to review massive volumes of scanned documents produced by opposing parties: deposition exhibits, scanned contract images, fax records, printed email chains re-scanned as PDFs, and physical correspondence digitised for production. Relativity RelativityOne, DISCO AI, Everlaw, Logikcull, Nuix, Luminance, and Kira all incorporate AI-assisted document coding that classifies documents for privilege, responsiveness, and relevancy — significantly reducing the human review hours required in large-scale litigation. The adversarial attack surface in eDiscovery is uniquely high-stakes compared with almost any other AI document pipeline: opposing parties have a direct, concrete, financially motivated incentive to manipulate the outcome of AI-assisted review. A producing party that manipulates the AI’s privilege coding on its own documents controls what the receiving party’s counsel sees. A party that manipulates responsiveness scoring reduces the volume of relevant documents surfaced to opposing counsel. A seller in an M&A transaction who manipulates AI due diligence analysis controls what risks the buyer’s counsel extracts from the data room. Unlike consumer spam or phishing scenarios where the attacker is anonymous and external, eDiscovery adversarial injection is performed by known counterparties with direct stakes in the litigation outcome and direct custody of the produced documents before they enter the receiving party’s review platform. No eDiscovery platform currently applies adversarial image detection before documents enter the AI review layer. Glyphward’s legal AI scanner provides the pre-ingestion multimodal scan gate that closes this gap.

TL;DR

eDiscovery AI processes scanned opposing-party documents through VLMs for privilege and responsiveness coding. Opposing parties control those document images before production and have direct incentive to manipulate AI review outcomes. Scan every page image extracted from produced document PDFs with POST https://glyphward.com/v1/scan before documents enter the review platform. Reject images with score >= 65 and flag for human review. Free tier — 10 scans/day, no card required.

Four multimodal injection surfaces in eDiscovery AI

1. Opposing-party produced scanned documents with adversarial OCR overlays. When opposing counsel produces a document set in response to a discovery request, the production set routinely includes scanned physical documents: printed emails, fax transmissions, physical correspondence, executed contract originals, and paper exhibits that have been digitised at the producing party’s direction. The producing party controls these document images before they are delivered to the receiving party’s counsel and loaded into the eDiscovery review platform. An adversarially crafted scanned document contains invisible typographic injection text — embedded at low opacity or in a colour channel imperceptible to human reviewers but detectable by the VLM performing AI-assisted coding — that instructs the AI to classify the document as non-responsive or as outside the privilege waiver scope. Because the producing party controls the physical document scanning process, they control the image content of every scanned page in the production set. This is not a hypothetical attack requiring sophisticated technical resources: it requires only that the producing party add an adversarial layer to the document image before scanning, a process that can be automated across an entire production set. The receiving party’s counsel loads the production set into Relativity or DISCO, runs AI-assisted first-pass coding, and receives privilege and responsiveness designations that have been influenced by the producing party before a single human reviewer examines the document. Text-only prompt injection scanners do not detect this class of attack; the payload is in the image pixel layer, invisible to OCR text extraction.

2. AI-assisted privilege review manipulation via watermark and letterhead injection. Law firm letterhead and company watermarks appear as image elements on a large proportion of produced documents: engagement letters, advice memoranda, executed agreements, and formal correspondence. These image elements are present on documents that are otherwise highly sensitive for privilege review — a legal opinion letter on firm letterhead is exactly the category of document most likely to be reviewed by AI privilege classification. An adversarial payload embedded in the law firm letterhead graphic or the company watermark on a produced document can cause the VLM performing AI-assisted privilege review to misclassify the document: marking a genuinely privileged communication as non-privileged (expanding the producing party’s disclosure obligations) or, more strategically, marking a non-privileged document as privileged (withholding it from production). Privilege determinations made by AI review platforms carry significant legal weight in large-scale litigation — a privilege log generated by AI-assisted review is regularly used as a basis for clawback assertions and contested privilege challenges. Adversarial manipulation of privilege AI through letterhead pixel payloads is invisible to the human privilege reviewer examining the document; they see the letterhead as expected and have no signal that the AI’s coding decision was influenced by a pixel-level payload in the image element.

3. Third-party data room documents in M&A due diligence eDiscovery. M&A transactions increasingly use AI-assisted due diligence platforms — Kira, Luminance, and eDiscovery tools adapted for deal review — to analyse the target company’s document production in a virtual data room. The target company (seller) loads the data room documents and therefore controls the content of every document before the buyer’s counsel accesses the data room. The seller has a direct financial incentive to influence what risks and liabilities the buyer’s AI due diligence analysis extracts from the data room. Adversarial payloads in scanned exhibits, PDF appendices, and image-heavy diligence documents — board presentations in image format, scanned regulatory filings, photo-scanned executed agreements — can cause the due diligence AI to underreport identified contractual risks, omit flagged litigation exposure, or generate more favourable summaries of regulatory compliance status than the document content warrants. Unlike litigation document review where a human reviewing team examines a statistically significant sample of AI-coded documents, M&A due diligence AI review is often run on tight deal timelines with compressed human review capacity; the AI output carries proportionally more weight in the buyer’s risk assessment. Adversarial manipulation of due diligence AI through document image payloads targets the highest-stakes document review context in transactional practice.

4. Expert witness image exhibits and demonstrative evidence. Expert witnesses in technical and scientific litigation submit PDF exhibits containing charts, diagrams, schematic images, and demonstrative figures as part of their expert reports. Opposing expert witnesses — whose exhibits will be reviewed by the receiving party’s AI-assisted document review platform — control the content of every diagram and chart image in their submitted PDF exhibits before those exhibits enter the opposing party’s review platform. An adversarial payload embedded in a technical diagram or graph image in an expert exhibit can cause the AI reviewing that exhibit to generate a summary, extract findings, or classify the exhibit content in ways that misrepresent what the chart or diagram actually shows. In technical patent litigation, product liability cases, and regulatory enforcement actions, expert exhibit AI review is used to rapidly classify and summarise large volumes of technical evidence; adversarial manipulation of the AI’s reading of a key technical diagram in an expert report is an attack on the evidentiary record itself. The Glyphward pre-scan applied to every page image extracted from produced expert PDFs detects adversarial payloads in diagram and chart images before they reach the AI review layer.

Integration: eDiscovery document ingestion with Glyphward pre-scan

import base64
import hashlib
import io
import requests
from datetime import datetime, timezone

import fitz  # PyMuPDF

GLYPHWARD_KEY = "<your-glyphward-api-key>"
GLYPHWARD_THRESHOLD = 65


def scan_produced_document(
    pdf_bytes: bytes,
    bates_number: str,
    producing_party: str,
    matter_id: str,
) -> dict:
    """
    Scan all page images extracted from a produced document PDF before the
    document enters the eDiscovery AI review platform (Relativity, DISCO,
    Everlaw, etc.).

    Returns a per-document audit log entry linking each page scan_id to the
    document Bates number. Raises on adversarial detection so the document
    is quarantined before ingestion.
    """
    doc = fitz.open(stream=pdf_bytes, filetype="pdf")
    doc_hash = hashlib.sha256(pdf_bytes).hexdigest()

    audit_entry = {
        "bates_number": bates_number,
        "producing_party": producing_party,
        "matter_id": matter_id,
        "document_sha256": doc_hash,
        "page_count": len(doc),
        "scanned_at": datetime.now(timezone.utc).isoformat(),
        "pages": [],
        "document_status": "clean_passed",
    }

    for page_index, page in enumerate(doc):
        # Render page to a PNG image at 150 DPI — sufficient for adversarial detection
        pix = page.get_pixmap(dpi=150)
        page_bytes = pix.tobytes("png")
        encoded = base64.b64encode(page_bytes).decode()
        page_hash = hashlib.sha256(page_bytes).hexdigest()

        scan_resp = requests.post(
            "https://glyphward.com/v1/scan",
            headers={"Authorization": f"Bearer {GLYPHWARD_KEY}"},
            json={"image": encoded},
            timeout=8,
        )

        page_record = {
            "page_number": page_index + 1,
            "page_sha256": page_hash,
            "scan_id": None,
            "scan_score": None,
            "page_status": None,
        }

        if scan_resp.status_code != 200:
            # Fail-closed: scan unavailability -> quarantine document, do not ingest
            page_record["page_status"] = "scan_error_quarantined"
            audit_entry["pages"].append(page_record)
            audit_entry["document_status"] = "quarantined_scan_error"
            persist_ediscovery_audit(audit_entry)
            raise RuntimeError(
                f"Glyphward scan unavailable — document {bates_number} page "
                f"{page_index + 1} quarantined; do not ingest into review platform"
            )

        scan = scan_resp.json()
        page_record["scan_id"] = scan["scan_id"]
        page_record["scan_score"] = scan["score"]

        if scan["score"] >= GLYPHWARD_THRESHOLD:
            page_record["page_status"] = "adversarial_blocked"
            audit_entry["pages"].append(page_record)
            audit_entry["document_status"] = "adversarial_blocked"
            persist_ediscovery_audit(audit_entry)
            # Flag for litigation hold and notify review supervisor
            trigger_ediscovery_alert(
                bates_number=bates_number,
                producing_party=producing_party,
                matter_id=matter_id,
                page_number=page_index + 1,
                scan_id=scan["scan_id"],
                score=scan["score"],
            )
            raise ValueError(
                f"Adversarial payload detected in produced document {bates_number} "
                f"page {page_index + 1}: producing_party={producing_party} "
                f"score={scan['score']} scan_id={scan['scan_id']} — "
                f"document quarantined; do not ingest"
            )

        page_record["page_status"] = "clean_passed"
        audit_entry["pages"].append(page_record)

    doc.close()
    persist_ediscovery_audit(audit_entry)
    return audit_entry


def persist_ediscovery_audit(entry: dict):
    # Write to append-only audit table; link scan_id to Bates number for
    # chain-of-custody records and potential motion practice evidence
    pass


def trigger_ediscovery_alert(
    bates_number: str,
    producing_party: str,
    matter_id: str,
    page_number: int,
    scan_id: str,
    score: float,
):
    # Notify review supervisor and outside counsel; consider sanctions motion
    pass

Persist every audit_entry to an append-only audit table, linking each page’s scan_id to its Bates number. This creates a chain-of-custody record establishing that every produced document was adversarial-content-checked before it entered the AI review layer — an important record if adversarial manipulation is later alleged in motion practice or sanctions proceedings. For Relativity deployments, integrate the pre-scan gate into the document ingestion processing set before the AI-assisted coding job runs. For DISCO and Everlaw, apply the scan at the bulk upload step using the platform’s pre-processing API hooks. Get early access

Coverage matrix

Mitigation layer Privilege coding manipulation Responsiveness injection Data room due diligence injection Expert exhibit adversarial payload
Text-only privilege review AI No — analyses extracted text; adversarial payload is in the image pixel layer, invisible to text extraction No — same limitation; image-layer injection passes through text extraction unchanged No No
Format validation and deduplication No — validates document format and hash uniqueness; does not inspect image pixel content for adversarial structure No No — deduplication detects identical documents; adversarially modified images are unique and pass dedup checks No
TIFF/image-only document OCR extraction No — OCR reads typographic text; adversarial payloads are designed to be legible to VLMs but not rendered as extractable text characters by standard OCR No No Partial — may extract some visible text from exhibits; adversarial payloads in diagram/chart images with no text layer are not detected
Glyphward pre-ingestion multimodal scan Yes — page-by-page scan before AI coding; adversarial privilege manipulation payloads blocked at ingestion Yes — pre-ingestion scan detects responsiveness injection payloads in scanned opposing-party documents Yes — data room document images scanned before due diligence AI analysis; adversarial payloads in seller-controlled documents blocked Yes — expert exhibit PDF page images scanned; adversarial payloads in diagram and chart images detected before AI review

Related questions

Do opposing parties actually have incentive to manipulate eDiscovery AI systems?

Yes — and the incentive is more concrete and direct than in almost any other AI application context. In active litigation, the producing party has a stake in controlling what the receiving party’s AI-assisted review surfaces. Privilege coding determines which documents the receiving party sees; responsiveness coding determines which documents enter the review set; relevancy scoring determines which documents receive human attention. A producing party that can cause the AI to misclassify even a small percentage of highly relevant documents as non-responsive, or that can suppress privilege waiver findings by manipulating the AI’s privilege coding, has a real, case-outcome-altering advantage. The producing party controls all scanned documents before they are delivered; the technical barrier to adversarial image injection is low; and the forensic detectability of a pixel-level payload in a produced document image is near zero without a dedicated adversarial detection scan. This is exactly the combination of high incentive, low technical barrier, and low detection risk that characterises exploited attack surfaces in practice.

Which eDiscovery platforms are most exposed to multimodal prompt injection?

Any eDiscovery platform that applies AI-assisted coding (privilege classification, responsiveness coding, issue tagging, relevancy scoring) to scanned document images is exposed. Relativity RelativityOne with AI-assisted review (Relativity aiR), DISCO AI with its AI-assisted document review, Everlaw with AI-assisted coding, Luminance (which applies machine learning to all document images including scanned exhibits), Nuix with its image classification capabilities, and Kira in M&A due diligence contexts are all platforms where the VLM or ML document review layer processes image inputs from opposing-party-controlled document sets. Logikcull and similar cloud review platforms that apply automatic classification to uploaded document sets are also exposed whenever scanned documents from external parties enter the system. The common factor is not the specific platform but the pattern: AI-assisted review applied to images from a party with an incentive to manipulate the AI’s output.

How does this relate to attorney professional-responsibility requirements?

ABA Model Rule 1.1 (Competence) as amended with the technology competence obligation requires attorneys to understand the benefits and risks of technology used in legal practice. When outside counsel or in-house legal operations teams deploy AI-assisted eDiscovery review on production sets received from opposing parties, competent practice requires understanding that those production sets contain image inputs from a party with an adverse interest — and that AI-assisted review of those inputs carries an adversarial manipulation risk that text-based security controls do not address. Rule 1.6 (Confidentiality of Information) and Rule 5.1/5.3 (Supervisory Responsibility) create obligations around supervising AI tools used in client matters. If AI-assisted privilege review is compromised by an adversarial document image that causes a privileged document to be produced to opposing counsel, the producing law firm may face professional responsibility exposure for an inadvertent disclosure caused by a failure to apply reasonable security measures to the AI review process. The Glyphward pre-ingestion scan is a specific, auditable security control that demonstrates reasonable precautions were taken.

Can adversarial document injection be detected in existing eDiscovery workflows?

Not with current standard eDiscovery tools. Existing quality-control workflows in eDiscovery — statistical sampling of AI-coded documents for human review accuracy checks, privilege log review, and near-duplicate analysis — are designed to catch errors in AI coding caused by model uncertainty, training data gaps, or genuinely ambiguous documents. These QC workflows compare AI coding decisions to human reviewer judgement on a sample of documents. An adversarial document injection that successfully manipulates the AI coding of a specific document will produce a confident, consistent AI coding result — one that passes QC sampling precisely because the AI is giving a definitive (but adversarially manipulated) answer. A human QC reviewer examining the document in question sees the expected document content (the adversarial payload is invisible to humans) and concurs with the AI’s coding decision. Standard eDiscovery QC workflows have no mechanism for detecting this class of attack. Pre-ingestion adversarial image scanning — applied to every document image before it enters the AI review layer — is the only control that detects adversarial payloads at the point where they can still be acted on.

Further reading