Jean-Yves Gilg

Editor, Solicitors Journal

Retracing your data steps


Suddenly we have something new to worry about and it's called metadata, says Mick Jones

Metadata is everything but content. It's data about data: not the message but what's wrapped around it. Every time you email, make a mobile phone call or send a document electronically, you leave a footprint, which consists of metadata and varies depending on communication type.

Sending an email will expose, among other things:

  • the sender's name, email and IP address
  • the recipient's name and email address
  • some server transfer information, and the date, time and timezone
  • the unique identifier of the email and related emails
  • the mail client login records with IP address
  • mail client header formats, priority and categories; and
  • subject of email, status and read receipt request.

Making a mobile phone call will expose every caller's folder, plus the unique serial numbers of phones involved, the time and the duration of the call, the location of each participant, and telephone calling card numbers. You can imagine what happens when you stray online to search on Google or use social media. You can restrict some of this data by, for example, not allowing your phone to pass on location information; some you cannot. But you obviously have an internet policy in your organisation. Don't you?

Concerns are not new. Oracle published a White Paper about this problem in March 2007 (The Risks of Metadata and Hidden Information - Analysis of Microsoft Office Files from the Web Sites of the Fortune 100). However, the issue has come to the fore again with headlines such as 'NSA stores metadata of millions of web users for up to a year, secret files show' (the Guardian, 30 September 2013). The article says that the National Security Agency is storing the online metadata of millions of internet users for up to a year, regardless of whether or not they are persons of interest to the agency. This was revealed by the recent leak of top secret documents.

Considered thought

Should these headlines worry us? Yes and no. Such stories are alarming and the danger is that they induce either paranoia or complacency, never considered thought. What we must consider is the metadata we as commercial organisations generate and the risk of disclosing something that may lead to a security risk or result in unintended data release. An example of the former is exposing a network path via attachments to an email and the latter could be exposing previous versions of a document via tracked changes.

Your IT department must know the answers to five high-level questions about metadata identified in the Oracle White Paper. Ask yourself whether it is acceptable to distribute the following data types, not via hacking but through the normal course of business.

1. Documents containing comments and tracked changes - such data may contain embarrassing observations about proposals.

2. Documents including hidden, deleted or obsolete text. Again, the final document is the result of a process and you may not want to expose the steps along the way.

3. IT infrastructure information such as server names, paths, and database names - exposing such information could lead to weakness in security.

4. Documents containing employee identifiable information - you don't want details of employees who are not the main contact being exposed.

5. Documents relating to proposals, legal agreements, presentations and White Papers. In short, any employee modifiable document that might be shared with partners, prospects or customers.

A few of us take precautions to inspect content of the main document, be it email, letter or proposal. The imperative now is of course compliance and many firms run software to search for key words or text strings. Content checking is normal. However, consideration should be given to whether or not the same software can be used to highlight problems with metadata.
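As an illustration of what such a metadata check could look like for Word documents, the following added example (not taken from the Oracle White Paper or any product) counts tracked changes, comments and hidden text in a .docx file and collects personal names and server paths, matching questions 1 to 4 above. The sample document, its names and the server path are constructed for the example.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DC = "{http://purl.org/dc/elements/1.1/}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"
UNC = re.compile(r'\\\\[\w.-]+\\[^\s"<>]+')  # \\server\share\... network paths

def audit_docx(data: bytes) -> dict:
    """Count hidden-information items in a .docx (a zip archive of XML parts)."""
    f = {"tracked_changes": 0, "comments": 0, "hidden_text": 0,
         "people": set(), "unc_paths": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith((".xml", ".rels")):
                continue
            raw = pkg.read(name)
            f["unc_paths"].update(UNC.findall(raw.decode("utf-8", "replace")))
            # For files received from outside, swap in a hardened XML parser.
            for el in ET.fromstring(raw).iter():
                if el.tag in (W + "ins", W + "del"):      # tracked insertion/deletion
                    f["tracked_changes"] += 1
                elif el.tag == W + "comment":             # reviewer comment
                    f["comments"] += 1
                elif el.tag == W + "vanish" and el.get(W + "val") not in ("0", "false"):
                    f["hidden_text"] += 1                 # run formatted as hidden
                elif el.tag in (DC + "creator", CP + "lastModifiedBy") and el.text:
                    f["people"].add(el.text)              # document properties
                if el.get(W + "author"):                  # name stamped on a change/comment
                    f["people"].add(el.get(W + "author"))
    return f

def build_sample() -> bytes:
    """Constructed minimal package holding only the parts the audit reads."""
    ns = 'xmlns:w="%s"' % W[1:-1]
    parts = {
        "word/document.xml": f'<w:document {ns}><w:body><w:p>'
            '<w:del w:author="A. Partner"><w:r><w:delText>fee too high</w:delText></w:r></w:del>'
            '<w:ins w:author="B. Associate"><w:r><w:t>fee agreed</w:t></w:r></w:ins>'
            '<w:r><w:rPr><w:vanish/></w:rPr><w:t>internal note</w:t></w:r>'
            '</w:p></w:body></w:document>',
        "word/comments.xml": f'<w:comments {ns}><w:comment w:id="0" w:author="A. Partner"><w:p/></w:comment></w:comments>',
        "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{CP[1:-1]}" xmlns:dc="{DC[1:-1]}"><dc:creator>C. Trainee</dc:creator><cp:lastModifiedBy>B. Associate</cp:lastModifiedBy></cp:coreProperties>',
        "word/_rels/settings.xml.rels": r'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="file:///\\fileserver01\templates\Proposal.dotm" TargetMode="External"/></Relationships>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()
```

Run over outgoing attachments, any non-zero count or non-empty set marks a document for review before it leaves the firm.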

Metadata exposure is just another risk to manage. The problem is that managing it means understanding it. Therefore, you should know the risks and how they can be mitigated, then balance the cost of mitigation, both financially and in terms of process.

Mick Jones is managing director of thewealthworks

He writes a regular blog about technology for Private Client Adviser