Friday, February 10, 2006

Hidden Data Haunting Computer Users

When the New England Journal of Medicine used a word-processing function to reveal that Merck had deleted study data about Vioxx and heart attacks, the pharmaceutical giant joined a long line of organizations bitten by information lurking in electronic files.
It's happened to organizations from the Pentagon to the British prime minister's office.
Each time, making minor electronic adjustments to documents aired juicy details not meant for public disclosure -- such as the true author of a file or sensitive data hacked from a final draft.
The pitfalls of such hidden "metadata" have long been known in computer-savvy circles, but these high-profile leaks are driving new efforts to keep a lid on metadata. So sensitive is the topic for the U.S. government that the National Security Agency released guidance in December on how agencies can properly redact reports.
For the corporate world, several companies are finding success in selling tools to automatically scan for and remove metadata.
Metadata is data about data. A word-processing document, for instance, has metadata on who authored it, when someone saved it and what that person did to it. Microsoft's Word program has a "track changes" feature that preserves a file's original text and shows another person's edits. All that is metadata.
This information is designed to stick around because it can help people organize their files and collaborate with one another.
But because it doesn't show up when a document is printed and doesn't appear on screen in normal settings, it's easy to forget about.
Fears about the hazards of metadata led Microsoft to pull back on a planned feature in Vista, the upcoming Windows operating system. Originally, Vista was going to let users drag and drop files into spots on the desktop in order to label documents with personalized categories.
But Vista testers told Microsoft it might become "a little too easy" to apply the categories and have them stick permanently to the document, said Mike Burk, a Windows product manager. That could get ugly if a file labeled "projects I hate" were e-mailed to a boss.
Meanwhile, the next generation of Microsoft's widely used Office software, which includes Word, Excel and PowerPoint, will make it simpler to strip metadata from files before they are disseminated.
Even so, Gartner analyst Michael Silver says the problem will remain -- metadata will exist in documents unless users make a point of getting rid of it.
"It's still a manual process. It's still something you have to remember to do," Silver said. "Any time you're relying on the user to remember something, there's a good chance that they'll forget."
The Pentagon had a hidden-data episode last May. Before posting a report in Adobe Systems' Portable Document Format about a U.S. soldier who had accidentally killed an Italian secret service agent in Iraq, officials covered up classified information with black bars.
But there's a difference between covering and deleting information. Readers simply uncloaked the text by cutting it from under the black and pasting it elsewhere.
Automated tools to help protect against metadata releases have existed for a while, but they are beginning to see wider use. For example, Workshare sells a product called Trace that scans documents for metadata and ranks the findings by risk level. For most of Workshare's six years in existence, the company's customers were primarily lawyers, who are particularly sensitive about client information escaping to the opposing side.
But in the past year, Workshare has seen business expand to 60 percent of the Fortune 1000, said CEO Joe Fantuzzi. Revenue has surpassed $25 million, and Fantuzzi believes metadata protection is on the verge of being a must-have for corporate technology buyers.
Richard Smith, a computer privacy expert at Boston Software Forensics, mined metadata to determine who in the British prime minister's office worked on a 2003 dossier on Iraq.
Even in a world more attuned to the perils of metadata, however, Smith doesn't think the material will dry up.
"There are simply too many people who work in governments around the world, and there is no way to educate them all about metadata," he wrote in an e-mail. "I expect to see a steady stream of slip-ups in the future."

0 Comments:

Post a Comment

<< Home