Analysts: Windows Vista's Metadata Poses Security Risk
The problem, said Gartner analysts Michael Silver and Neil MacDonald, isn't in Vista's search function directly. Rather, the search feature will tempt users to add information to files' metadata to augment searching, and the operating system won't ship with rights management tools to make sure that confidential data isn't packaged with documents.
Metadata is best known to Office users, where it packages revision marks, comments, deleted text, and the like.
"The issue isn't the existence of metadata," wrote Silver and MacDonald in the research note. "The issue is the inadvertent disclosure of metadata as data files leave the user's machine. PC users typically don't understand that the metadata is part of the content of the document."
Accidental and embarrassing (or more than embarrassing) disclosures of Office metadata have been going on for years. In one recent incident, The New England Journal of Medicine said that data that might have linked Merck's Vioxx to an increase in heart attacks was deleted from a study published in 2000; the deletions were spotted by reviewing the document's metadata.
Although metadata isn't a Microsoft-only issue -- "many file formats contain embedded metadata," noted Silver and MacDonald -- Vista will boost its use, since the upcoming operating system will use keywords buried in a file's metadata to create "virtual" folders that organize data, a technique already in use by Apple Computer Inc.'s Mac OS X 10.4 operating system.
Silver and MacDonald took Microsoft to task for not designing metadata management and protection into Vista.
"Microsoft could have used some form of digital rights management technology to control who sees metadata," the pair wrote. "Instead [it chose to] use pre-established fields and did not architect the product to properly safeguard metadata." The analysts aren't surprised by Microsoft's omission. The Redmond, Wash.-based developer, for example, only offered a metadata scrubber in July, 2004, and then provided a basic tool that lets users only eliminate all metadata, not selected pieces.
Vista is to include a metadata removal tool of its own, Silver and MacDonald noted, but like the Office 2003/XP utility, it demands that users create copies of files to preserve a file with the metadata. That, they said, still leaves open the possibility of users e-mailing or posting the wrong version of the file.
The next edition of Microsoft Office, for now code-named Office 12, will also have a meta scrubber, dubbed "Document Inspector." That tool's interface, however, will differ from Vista's, and still requires a second copy of the file.
"With Microsoft's increased emphasis on security and privacy, the issues in Windows Vista should have been addressed deep within the OS during development, not with a tool that requires users to remember to remove or not remove metadata as appropriate," the Gartner analysts wrote.
Don't expect an integrated rights management solution from Microsoft that accounts for metadata before the next iteration of Windows, late 2009 at the earliest, the pair wrote.
Enterprises thinking of deploying Windows Vista should set a strategy before rolling out the OS, wrote Silver and MacDonald. Such plans could include requiring documents created in Office and sent outside the company to be converted to PDF or Microsoft's XPS formats; educating users to strip out metadata when appropriate; and/or deploying third-party technologies tools.
"In Microsoft's determined effort to ship Windows Vista in 2006, there is a cost; it has not adequately addressed the issue of metadata management. You must have a plan and policy for addressing metadata in place before deploying Vista," they concluded.