December 22, 2005 3:41 PM PST

Watch out with metadata in Vista, analysts warn

Windows Vista will improve search functionality on a PC by letting users tag files with metadata, but those tags could cause unwanted and embarrassing information disclosure, Gartner analysts have warned.

Search and organization capabilities are among the primary features of Windows Vista, the successor to Windows XP due out late in 2006. While building those features, Microsoft is not paying enough attention to managing the descriptive information, or metadata, that users can add to files to make it easier to find and organize data on a PC, according to Gartner.

"This opens up the possibility of the inadvertent disclosure of this metadata to other users inside and outside of your organization," Gartner analysts Michael Silver and Neil MacDonald wrote in a research note published on Thursday.

For example, a user might use "good customers" and "bad customers" as keywords on contract files. If such a contract is sent to the customer with the keyword still attached, it could cause embarrassment or even loss of business, the analysts wrote.

Microsoft will provide a simple metadata removal tool with Windows Vista, but that's not good enough, according to Gartner. "If I rely on the user to remove metadata, a lot of that metadata is inevitably going to get through," Silver said in an interview. "It really needs to be automated."

Microsoft is concerned about user privacy and security, said Michael Burk, a product manager for Windows Vista. "Microsoft has listened to our customers and is implementing the usage of metadata throughout the system to give users breakthrough ways of managing and searching for their files while protecting user privacy," Burk said in a statement provided by Microsoft's public-relations agency.

Inadvertent disclosure of metadata has embarrassed businesses and government in the past with high-profile leaks of secrets. In Word documents, for example, metadata is used to track changes. Last year a gaffe by Linux nemesis The SCO Group revealed which companies it had considered filing lawsuits against.

More recently, pharmaceutical giant Merck was put in the hot seat because of changes made to a document regarding Vioxx. There have also been document data leaks at the White House, the Pentagon, the United Nations and others, according to a compilation by Workshare, a maker of software that strips metadata out of files.

With the increased use of metadata in Windows Vista, Microsoft is heightening the problem, Silver said. "Instead of trying to shore up metadata, which has been lacking for a long time, they are adding yet another way to assign metadata, forget about it and send it to somebody else," he said.

Microsoft should have designed metadata management and protection tools into Windows Vista, but it has not, the analysts said. "With Microsoft's increased emphasis on security and privacy, the issues in Windows Vista should have been addressed deep within the OS during development," according to the Gartner report.

Before adopting Windows Vista, organizations must have a plan and policy for addressing metadata, Gartner advises. Companies that are sensitive about exposure could purchase third-party tools to manage the extra data, the analysts suggest. "Taken to an extreme, you could avoid Windows Vista until the issue is addressed in an integrated fashion," they wrote.


More MS Innovation
Apple has been using metadata for what... a decade? Longer than
that even?
Oh well, it did take MS 11 years to catch up with Apple regarding
using long file names, so I guess I shouldn't be surprised.
Posted by GGGlen (491 comments )
On Apple
I'll admit that Vista does seem to have a significant number of
features drawn directly from OS X. I myself am a Mac user all the
way. Let's not forget, however, that Spotlight in its current
implementation is, in my opinion, still weak and crippled.
Reasons why:
1) No complex searches through the Spotlight menu
2) Can't choose "Does not contain" in the finder searches (?!)
3) Sorts photos by date opened, not date taken
4) Sorts e-mails by date opened, not date received (who wants
to know when you last looked at it??)
5) Searching for (in)visibility is (still) broken
6) Can't search for e-mails in the Finder

That's not to say Apple's Spotlight is a complete disaster. I still
use it all the time. In addition, I'll agree that it's taken MS a long
time, but at the moment it appears that their use of metadata in
terms of searching, with the ability to even tag your own files
with new metadata tags, is far more elegant than Apple's.

Apple still has the chance to make it up and more, however,
since by the time Vista comes out we'll have 10.5 "Leopard"
Posted by iKenny (98 comments )
Everyone has been using metadata
for quite a while. MS, Apple, Adobe. Both MS and Apple are just expanding its ease and use.
Sorry fan boy, no 'innovation' or lead by Apple here. 'guess I shouldn't be surprised' you wouldn't know that
Posted by catchall (245 comments )
Yes, but...
Why didn't these genius analysts warn all Apple users, make a front page headline and sensationalize the story?

While both Apple and MS need better tools to perhaps prompt the user with the metadata attached to a file when they try and email or copy the file, most users would ignore it anyway.

In the end this story is another piece of anti-MS journalism, combined with the idea that people shouldn't (or can't) take responsibility for their own actions and security of their data.

The industry can do better in providing users with data, but when the masses don't know or understand why stripping the metadata is important what are vendors to do?

My 2 cents...
Posted by (12 comments )
Damned if you do, damned if you don't.
Microsoft, like Apple, has been using metadata for years. In Vista they've simply given the user a different way of adding/removing metadata. What Gartner wants is confusing at best, ill thought out and defeats the purpose of metadata.

Gartner wants the removal of metadata automated. That's idiotic.

In the company I work for, we want metadata automatically inserted into documents and we encourage users to add more. If MS followed Gartner's advice, the metadata would be automatically removed, making content management and indexing a nightmare.

Microsoft has provided a tool to remove metadata. That's what we want. What we don't want is another feature that assumes we want a task done and then does it automatically. Leave those choices to us.

Merck and SCO apparently left the tracking changes feature of Word untouched. If they had read up on tracking changes, they would have been able to prevent anyone else from seeing the changes or not track the changes at all. This has less to do with metadata than it does with user education. Or as they say in manufacturing, "operator error". Note also that tracking changes is off by default; you have to turn it on.

Gartner's advice (or is it the unnamed analysts' advice), to "avoid Windows Vista until the issue is addressed in an integrated fashion," is absolutely absurd and further compounds a poorly researched article.
Posted by robertcampbell2 (103 comments )
Is the new trend to criticize Microsoft for not bundling enough with Windows? The critics really need to stick to a consistent argument. I'm sure Google would be happy to provide some advanced tools for searching and manipulating metadata, but according to the author of this article, Microsoft should preempt that.
Posted by just_some_guy (231 comments )
Metadata is there for a reason: it's useful. Yes, it could be embarrassing if released, but it's useful. Stripping out ALL metadata (via automation) is just not a realistic option. On the other hand, how can a "tool" know what metadata should be stripped out and what should remain? Only a human can make that kind of decision. But then again, humans are an absent-minded lot. So, damned if you do, damned if you don't.

The only realistic way to deal with this problem is a good metadata policy, that is strictly enforced. This will reduce, but 100% prevent, embarrassing disclosures.
Posted by thanhvn (51 comments )
Ease of use the biggest threat to security.
Ease of use has always been the biggest threat to system and personal data security. This is hardly very different.
Posted by zaznet (1138 comments )
Excessive complexity is the second biggest threat
When you make things too complex to use, the users find ways around the complexity. The key is to find a balance between ease of use and complexity but since some users are more savvy than others you've got to be able to move the balance point to match the user. That's never easy.
Posted by aabcdefghij987654321 (1721 comments )