The perils of document metadata
Best Practices, Email, Risk Management
June 18th, 2007
A recent blog entry on the e-Discovery Team blog reminded me of this topic. The post talks about the dangers of exposing confidential metadata embedded in Office documents.
“For instance, a Word document containing secret comments they added, then hid, and then forgot to delete or “scrub” before production.”
The case discussed focuses on a particular incident in which classified information hidden as metadata within a PowerPoint presentation was inadvertently leaked by the Office of the Director of National Intelligence (“DNI”) when the document was published to a public website. Whoever put the document on the web didn’t realize that there was secret information hidden beneath.
Metadata can be very useful when applied in the right context: within the enterprise for searching and context tagging, for example. However, extra caution should be taken when sending documents in their native format to external recipients. You don’t have to be a spy to get in trouble for leaking confidential data. Besides the possible embarrassment, a business relationship can be severely damaged if unintended information gets into the wrong hands.
For years, I have been making a habit of examining the metadata of any Office document I send or receive. I have found other customer references, templates used by one law firm with another firm’s name all over it and, worse, a sales quote that contained a hidden markup of a prior proposal for another client with better terms.
Here are some of the data fields that are stored in Office documents:
- Your name
- Your initials
- Your company or organization name
- The name of your computer
- The name of the network server or hard disk on which you saved the document
- Other file properties and summary information
- Nonvisible portions of Object Linking and Embedding (OLE) objects
- The names of previous document authors
- Document revisions
- Document versions
- Template information
- Hidden text
- Comments
- Macros
- Hyperlinks
- Routing information
So how do you avoid getting in trouble? The safest solution is not to send native Office documents. If you must send the document in the original format, refer to this Microsoft knowledge base article for information on how to remove the metadata. Newer versions of Office have a removal tool already built in, or you can download this tool directly from the Microsoft website. There are also a number of third-party solutions available.
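A pre-send check in the spirit of the habit described above, as an added example that is not from the original post. It assumes the newer Office Open XML format (.docx, a ZIP archive of XML parts) and uses simple pattern matching rather than a full XML parser; the names `audit_docx` and `build_sample` and the sample document are constructed for illustration.

```python
import io
import re
import zipfile

# Property elements that commonly identify a person, organisation or template.
CORE_FIELDS = ("dc:creator", "cp:lastModifiedBy")
APP_FIELDS = ("Company", "Template", "Manager")

def _field(xml, tag):
    """Return the text of <tag>...</tag> in xml, or None if absent."""
    m = re.search(r"<%s>([^<]*)</%s>" % (tag, tag), xml)
    return m.group(1) if m else None

def audit_docx(data):
    """Report metadata found in the bytes of a .docx file."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        read = lambda n: z.read(n).decode("utf-8") if n in names else ""
        core, app = read("docProps/core.xml"), read("docProps/app.xml")
        body, comments = read("word/document.xml"), read("word/comments.xml")
        for tag, xml in [(t, core) for t in CORE_FIELDS] + [(t, app) for t in APP_FIELDS]:
            value = _field(xml, tag)
            if value:
                findings[tag] = value
        # \b keeps <w:del> from matching <w:delText>, <w:comment> from <w:comments>.
        findings["comments"] = len(re.findall(r"<w:comment\b", comments))
        findings["tracked_changes"] = len(re.findall(r"<w:(?:ins|del)\b", body))
        findings["hidden_text_runs"] = len(re.findall(r"<w:vanish\b", body))
        findings["macros"] = "word/vbaProject.bin" in names
    return findings

def build_sample():
    """Constructed sample: only the parts the audit reads, not a full Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", "<cp:coreProperties><dc:creator>J. Smith</dc:creator>"
                   "<cp:lastModifiedBy>A. Jones</cp:lastModifiedBy></cp:coreProperties>")
        z.writestr("docProps/app.xml", "<Properties><Company>Example Law LLP</Company>"
                   "<Template>OtherFirm.dotx</Template></Properties>")
        z.writestr("word/document.xml", '<w:document><w:body><w:p><w:del w:author="A. Jones">'
                   "<w:r><w:delText>old terms</w:delText></w:r></w:del>"
                   "<w:r><w:rPr><w:vanish/></w:rPr><w:t>note</w:t></w:r></w:p></w:body></w:document>")
        z.writestr("word/comments.xml", '<w:comments><w:comment w:id="0" w:author="J. Smith"/></w:comments>')
    return buf.getvalue()

if __name__ == "__main__":
    for key, value in audit_docx(build_sample()).items():
        print(f"{key}: {value}")
```

A document that reports a foreign template name, a non-zero count of tracked changes or any hidden text runs should be cleaned or converted before it leaves the organization.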
June 19th, 2007 at 9:47 am
Why worry about what is in a document when you can send it encrypted and be assured that the person you sent it to got it? As a member of an organization http://www.safekey.net that developed a solution to minimize this worry. We send all types of documents to the person(s) we want to with NO prying eyes, no webservers and no emailers.
June 20th, 2007 at 11:45 am
Encryption and DRM of documents will only prevent unauthorized access. It doesn’t protect people from making mistakes, like sending the wrong document. Remember, in most cases people simply don’t realize or forget about the hidden metadata that is contained within Office documents.
Encryption won’t solve that, since the recipient was entitled to view the content, just not the hidden stuff.