Metadata – the Dangers of Sharing
By Graeme McFarlane and Ryan Copeland
The last time you sent an email attaching an electronic document such as a Word file, pdf, or jpeg, did you consider what you might be transmitting along with it? If not, you may have unwittingly transferred hidden information, known as metadata, that could come back to haunt you.
Embedded metadata in a document can contain your full name, your company’s name, and your device’s serial numbers. Other more mundane, but no less salient, bits of metadata may include the date the file was created, when it was last modified, the changes that were made to the document over time, the names of all the different people who contributed to it, what applications or appliances were used to create the file, and so on.
Email metadata is also an important area of concern. This metadata includes where the email came from, to whom it went, the server path, and the date it was sent or received. If your company is sued, the discovery process will likely require production of emails within your system. While metadata may be of some limited benefit to those who create documents, it can also reveal information that you may not want disclosed. Examples for email include, when a particular note was sent or received, or even who received it as a blind copy.
What’s the big deal? Well, that depends.
If history is any guide, most of the metadata that is transferred around the internet will essentially be ignored. However, disinterest is not always pervasive, and there have been a number of large and very public metadata gaffes. One occurred when the United Nations issued a long-awaited report on Syria’s suspected involvement in the assassination of Lebanon’s former prime minister. It was a damning report for Syria by any standard, but recipients of a version of the report were able to track the editing changes, which included the deletion of names of officials allegedly involved in the plot, including the Syrian president’s brother and brother-in-law.
How could this play out in the human resources context? Consider a termination letter emailed to the departing employee as a Word document. In the letter, the company alleges cause and refuses to provide reasonable notice of termination. However, unbeknownst to the company, the track change and comment information is still embedded in the document. Upon reviewing this metadata, the ex-employee learns that the company is actually bluffing, and moreover, she learns that the company is willing to spend $45,000 to make the problem go away. Odds are that this employee will be disinclined to leave without a fight.
So how do you determine what metadata is stored in a file, and perhaps more importantly, how do you prevent such information from being transferred? In Microsoft Word, for example, you can view some metadata by clicking on File, then Properties. This will show such information as author, company, save history, how long the document was edited, and so on. Similar tasks can be performed for pdf or jpeg files, whether it be through the program used to view the document (i.e. Adobe Acrobat) or the computer’s operating system. Unfortunately, some types of metadata require special software to access or manage.
Thankfully, you can take certain steps to avoid the unwanted transfer of metadata. In Microsoft Word, you can automatically remove certain metadata when saving. To enable this feature, go to Tools, click Options, click Security, and under the Privacy section enable “remove personal information from file properties on save”. In this section, you can also request to be warned before printing, saving or sending a file that contains tracked changes or comments.
Another option is to save the Word document as a pdf. This will strip out most metadata, and for this reason many experts recommend that all documents be converted to pdf prior to sending outside your company. An added advantage of pdf documents is that you can limit how they can be accessed, used, copied or printed. However, it must be remembered that pdf files always contain certain metadata, including basic information such as the name of the person who created the file, creation date, and the file’s location.
These tips are just the basics, and taking the time to understand the creation, management, and transfer of metadata can be well worth the effort. Otherwise, you may be responsible for an unwanted or embarrassing disclosure of confidential information, which could lead to legal liability.
Graeme McFarlane is a partner and Ryan Copeland an associate at Roper Greyell LLP, a firm focused on partnering with companies to find solutions to workplace legal issues.
(PeopleTalk: Summer 2010)