Do I Really Need a Metadata Scrubber?

February 27th, 2008

The California Bar Journal, a monthly newspaper for attorneys, had a recent update on laws regarding metadata, how to avoid disclosing it inadvertently to opposing sides in litigation, and what to do if someone sends you a document containing inadvertent disclosures.

There are a couple of items in it that might be surprising. Among these is that the California Supreme Court recently opined that if a lawyer receives a document from the opposite side and realizes that the document contains information in the metadata that could be detrimental, the lawyer has a duty to notify the other side of the disclosure.

The trick is that metadata is so pernicious that it’s almost impossible to get rid of without third-party tools. I once had a client that was the victim of “business plan theft”- someone else literally took the company’s business plan, changed the names and used it as its own. This was made crystal clear by the fact that the bottom of the plan had a Mail To hyperlink field. The thieves had typed a new address over my client’s text, but the hyperlink itself was unchanged. If one hovered over the link my client’s email address was still visible.

The more prosaic “forgot to removed tracked changes history” is an even easier way to reveal one’s intra-company discussions as well.

So the question is “who needs to scrub metadata”?

State and local Bar association opinions offer a pretty good answer. Lawyer conduct in litigation settings is highly regulated, and yet the bar associations are profoundly split on how to handle metadata. Some say that a lawyer needs to stop reading as soon as s/he finds confidential information (metadata) inadvertently disclosed, some say the lawyer need only notify the sender of the disclosure, and some say that the burden lies on the sender- leaving the recipient free to view, use and even actively mine metadata.

Taking this as a starting point, the clear answer is that once information has been disclosed it is in the open- at least in the vast majority of cases. So yes, if there is information to protect metadata scrubbers are valuable.

Microsoft has a tool called “Document Inspector” in Word, Excel and Power Point 2007 (not available in Mac Office 2008) that will make sure tracked changes are all removed from a document. Saving a document to pdf will have the same effect. I am told that third party tools such as Metadata Assistant and Workshare Protect do a more thorough job of identifying and removing undesired metadata, though I have not tried either of these products.

Most companies have good storage and backup policies to make sure data isn’t stolen lost in case of a catastrophic event. Metadata disclosure is probably more likely on a week-to-week basis (how many redlined documents do you work with regularly?) but gets less attention. As with most security measures, it probaby isn’t necessary in 99.99% of cases, but the 0.01% can be a killer.

Tags: ,
  • David

    I use a metadata scrubber for Microsoft Outlook named SendShield (http://www.sendshield.com). It's a free download since the product is sitll in beta… I've been referring it to a lot of friends who love it.

  • Thanks for the tip, David. “Automatic” checking is good. I'd check it out if I used a PC.

  • Thanks for the tip, David. “Automatic” checking is good. I'd check it out if I used a PC.