Watch out with metadata in Vista, analysts warn

Windows Vista will improve search functionality on a PC by letting users tag files with metadata, but those tags could cause unwanted and embarrassing information disclosure, Gartner analysts have warned.

Search and organization capabilities are among the primary features of Windows Vista, the successor to Windows XP due out late in 2006. While building those features, Microsoft is not paying enough attention to managing the descriptive information, or metadata, that users can add to files to make it easier to find and organize data on a PC, according to Gartner.

"This opens up the possibility of the inadvertent disclosure of this metadata to other users inside and outside of your organization," Gartner analysts Michael Silver and Neil MacDonald wrote in a research note published on Thursday.

For example, a user might use "good customers" and "bad customers" as keywords on contract files. If such a contract is sent to the customer with the keyword still attached, it could cause embarrassment or even loss of business, the analysts wrote.

Microsoft will provide a simple metadata removal tool with Windows Vista, but that's not good enough, according to Gartner. "If I rely on the user to remove metadata, a lot of that metadata is inevitably going to get through," Silver said in an interview. "It really needs to be automated."

Microsoft is concerned about user privacy and security, said Michael Burk, a product manager for Windows Vista. "Microsoft has listened to our customers and is implementing the usage of metadata throughout the system to give users breakthrough ways of managing and searching for their files while protecting user privacy," Burk said in a statement provided by Microsoft's public-relations agency.

Inadvertent disclosure of metadata has embarrassed businesses and government in the past with high-profile leaks of secrets. In Word documents, for example, metadata is used to track changes. Last year a gaffe by Linux nemesis The SCO Group revealed which companies it had considered filing lawsuits against.

More recently, pharmaceutical giant Merck was put in the hot seat because of changes made to a document regarding Vioxx. There have also been document data leaks at the White House, the Pentagon, the United Nations and others, according to a compilation by Workshare, a maker of software that strips metadata out of files.

With the increased use of metadata in Windows Vista, Microsoft is heightening the problem, Silver said. "Instead of trying to shore up metadata, which has been lacking for a long time, they are adding yet another way to assign metadata, forget about it and send it to somebody else," he said.

Microsoft should have designed metadata management and protection tools into Windows Vista, but it has not, the analysts said. "With Microsoft's increased emphasis on security and privacy, the issues in Windows Vista should have been addressed deep within the OS during development," according to the Gartner report.

Before adopting Windows Vista, organizations must have a plan and policy for addressing metadata, Gartner advises. Companies that are sensitive about exposure could purchase third party tools to manage the extra data, the analysts suggest. "Taken to an extreme, you could avoid Windows Vista until the issue is addressed in an integrated fashion," they wrote.

[GGGlen]

More MS Innovation

Apple has been using metadata for what... a decade? Longer than
that even?
Oh well, it did take MS 11 years to catch up with Apple regarding
using long file names, so I guess I shouldn't be surprised.

[robertcampbell2]

Damned if you do, damned if you don't.

Microsoft, like Apple, has been using metadata for years. In Vista they've simply given the user a different way of adding/removing metadata. What Gartner wants is confusing at best, ill thought out and defeats the purpose of metadata.

Gartner wants the removal of metadata automated. That's idiotic.

In the company I work for, we want metadata automaticially inserted into documents and we encourage users to add more. If MS followed Gartners advice, the metadata would automaticially removed, making content management and indexing a nightmare.

Microsfot has provided a tool to remove metadata. Thats what we want. What we don't want is another feature that assumes we want a task done and then does automaticially. Leave those choices to us.

Merck and SCO apparently left the tracking changes feature of Word untouched. If they had read up on tracking changes, they would have been able to prevent anyone else from seeing the changes or not track the changes at all. This has less to do with metadata, then it does with user education. Or as they say in manufacturing, "operator error". Note also that tracking changes if off by default, you have to turn it on.


Gartner's advice (or is it the unamed analysts advice), to "avoid Windows Vista until the issue is addressed in an integrated fashion," is absolutely absurd and shows further compounds a poorly researched article.

[zaznet]

Ease of use the biggest threat to security.

Ease of use has always been the biggest threat to system and personal data security. This is hardly very different.