Thought for the day: The metadata detectives

Audit trails from documents you created can expose far more than you intended, says Andrew Pearson.

New Asset  
Audit trails from documents you created can expose far more than you intended, says Andrew Pearson.




Last week saw further intrigue surrounding the government's pre-war "dodgy dossier" on the threat posed by Iraq.

By investigating author histories and document changes, four members of the government's Communications Information Centre were identified as contributors to the dossier amid various claims of foul play.

Though the nature of its involvement may be innocent, the government suffered because the audit trail exposed "hidden" details of an already sensitive document, via information published on its public website.

Every time a document is created in Microsoft Office, metadata that tracks author, machine, product versions, amendments and more is added. When multiple authors work on a document, an audit trail builds up showing who wrote what, and when. As documents are sent back and forth this metadata increases the risk that sensitive information, not intended for the outside world, could be made public.

Something like over 100 million people use Microsoft Office and about 20 million of them are "heavy document users", who work on lengthy, business-critical documents where many contributors are involved. These are usually contracts, tenders or reports, and all can contain sensitive corporate information. Inadvertent distribution of potentially sensitive document metadata is a common cause of embarrassing and costly leaks.

Global companies have been guilty of putting documents online that could be brought to life to find all the historical amendments. Imagine the harm this can cause for some business, especially in the legal, finance and pharmaceutical industries? What if you disclose negative comments about yourself, or compromise a negotiating position? It could be equivalent to listening to a confidential meeting.

Despite worrying examples of document metadata "outings", people working together on documents is unlikely to stop. Companies must set up the correct processes and software to avoid inadvertent disclosure of sensitive information. The slate has to be wiped clean before the document leaves the enterprise.

Businesses have made huge steps towards increasing the security of company information, especially with the pervasive exchange of documents via e-mail. Encryption and password protection are the norm.

Document metadata, however is an Achilles heel of risk. It is often overlooked as a corporate vulnerability, yet something as simple as a Word document can bare all to the outside world if not managed correctly.

Defining what is or is not a "dodgy dossier" is a matter of politics. But maintaining professional standards of collaboration and information exchange is a business issue that we should all be sensitive to.

What do you think?

Is your metadata protected?  Tell us in an e-mail >> reserves the right to edit and publish answers on the website. Please state if your answer is not for publication.

Andrew Pearson is executive vice-president of Workshare

Read more on PC hardware