Watch out with metadata in Vista, analysts warn

Microsoft Vista will let users tag files with metadata, but that could cause embarrassing data disclosure, Gartner says.

Joris Evers Staff Writer, CNET News.com
Windows Vista will improve search functionality on a PC by letting users tag files with metadata, but those tags could cause unwanted and embarrassing information disclosure, Gartner analysts have warned.

Search and organization capabilities are among the primary features of Windows Vista, the successor to Windows XP due out late in 2006. While building those features, Microsoft is not paying enough attention to managing the descriptive information, or metadata, that users can add to files to make it easier to find and organize data on a PC, according to Gartner.

"This opens up the possibility of the inadvertent disclosure of this metadata to other users inside and outside of your organization," Gartner analysts Michael Silver and Neil MacDonald wrote in a research note published on Thursday.

For example, a user might use "good customers" and "bad customers" as keywords on contract files. If such a contract is sent to the customer with the keyword still attached, it could cause embarrassment or even loss of business, the analysts wrote.

Microsoft will provide a simple metadata removal tool with Windows Vista, but that's not good enough, according to Gartner. "If I rely on the user to remove metadata, a lot of that metadata is inevitably going to get through," Silver said in an interview. "It really needs to be automated."

Microsoft is concerned about user privacy and security, said Michael Burk, a product manager for Windows Vista. "Microsoft has listened to our customers and is implementing the usage of metadata throughout the system to give users breakthrough ways of managing and searching for their files while protecting user privacy," Burk said in a statement provided by Microsoft's public-relations agency.

Inadvertent disclosure of metadata has embarrassed businesses and government in the past with high-profile leaks of secrets. In Word documents, for example, metadata is used to track changes. Last year a gaffe by Linux nemesis The SCO Group revealed which companies it had considered filing lawsuits against.

More recently, pharmaceutical giant Merck was put in the hot seat because of changes made to a document regarding Vioxx. There have also been document data leaks at the White House, the Pentagon, the United Nations and others, according to a compilation by Workshare, a maker of software that strips metadata out of files.

With the increased use of metadata in Windows Vista, Microsoft is heightening the problem, Silver said. "Instead of trying to shore up metadata, which has been lacking for a long time, they are adding yet another way to assign metadata, forget about it and send it to somebody else," he said.

Microsoft should have designed metadata management and protection tools into Windows Vista, but it has not, the analysts said. "With Microsoft's increased emphasis on security and privacy, the issues in Windows Vista should have been addressed deep within the OS during development," according to the Gartner report.

Before adopting Windows Vista, organizations must have a plan and policy for addressing metadata, Gartner advises. Companies that are sensitive about exposure could purchase third-party tools to manage the extra data, the analysts suggest. "Taken to an extreme, you could avoid Windows Vista until the issue is addressed in an integrated fashion," they wrote.