Metadata returns to haunt careless companies

Hidden information in all types of file can be exposed and this puts businesses - and even the US military - at risk of revealing far too much

As businesses increasingly rely on e-mail as their primary form of communication, they run the risk of inadvertently exposing sensitive information hidden in their electronic documents.

Metadata - hidden but potentially threatening information residing in every form of content, from basic documents to spreadsheets to Web copy - is like a ghost that can come back to haunt the careless.

Unless this often confidential information is removed, it can be seen by unintended audiences.

Accounts of monumental metadata blunders - most recently by the United States military - prove the repercussions are often serious.

Last month, the US military released a censored version of a report on the shooting of Italian military intelligence officer Nicola Calipari in Iraq.

It was originally published as a portable document format (PDF) file with many portions blacked out.

But thanks to an Italian technology worker, the classified bits were uncovered and the information was made available online.

The worker simply cut and pasted the PDF document into a Word file, a step which revealed the identity of the US soldier who shot Calipari at a US roadblock in Baghdad and the extent of the insurgency against American forces in Iraq.

The information leak also showed how negligent the US military was in failing to strip the metadata from the PDF-based report.

In this era when one document contains multiple trackable versions, many companies remain unaware of the sensitive data their files contain, according to Andrew Pearson, executive vice-president and general manager for Asia-Pacific operations at document security software supplier Workshare.

'The number of people affected by an accidental slip of sensitive metadata is rapidly increasing, making content security a growing priority for content creators and IT teams alike,' he said.

Other recently reported metadata-related gaffes have involved the SCO Group, the British intelligence community and the California attorney-general's office.

Metadata continues to taint content and the reputations of those who create it, forcing companies and individuals to take action.

Mr Pearson said PDF files - based on the ubiquitous format for electronic document distribution invented by Adobe Systems - were not enough to remove risky information leaks; 'it only masks them'.

A report from research consultancy Vanson Bourne said there were increasing risks and liabilities faced by organisations when dealing with document review and exchange. This was because e-mail and Word, with millions of users worldwide, were the common tools used to create, amend and send business documents.

Philip Scorgie, chief information officer at law firm Deacons in Hong Kong, said: 'We all know about security issues such as viruses and internet abuse, but document security is a massive issue that many people are unaware of.'

A new study, involving 100 businesses and organisations in Beijing, Hong Kong and Singapore by independent research consultancy Loudhouse, found businesses in Asia had weak document integrity processes even though they placed significant importance on content security.

For example, twice as many (44 per cent) business professionals in Asia prefer on-screen document amendment and approval compared with the global average (22 per cent). This means business users in the region are more comfortable working with 'soft copy' documents.

Mr Pearson said without the correct processes in place this preference increased document content risk because soft copy amendment and approval created more metadata,

David Ellis, director of operations and partner at Hong Kong law firm Johnson Stokes & Master, said: 'We all love the idea of living in a paperless world, but we also need to be very aware of the dangers and security risks that lurk within alternatives to paper.'