The 3BView Point

SWISS red-faced over metadata information left in press release

2009-10-29T19:53:00.004Z

Whatever your view on where we are on the economic road to recovery (or not) no business can afford any tarnish to its external image. As reported in the Guardian this week Swiss International Air Lines Ltd has a red face and a tarnish to its image in Canada at least due to an inadvertent link of metadata.

SWISS, as they refer to themselves in the press release, included review comments in the document that they sent out. Although the press release might be 'boring,' as reported by the Guardian, it provides a salutary lesson on how features that are useful in the review stage of a document can be a danger if they are not managed correctly when completing the final version that will be sent out.

The file, comments and all, can be found on the Guardian website.

Companies need to remember that converting a document to PDF alone does not protect them from leakage of confidential or embarrassing information via metadata. Although I was not personally sent the press release, and it is not obvious from the posting on the Guardian site, I would say that the release was sent in PDF. Take a look at the other metadata in the PDF file and see what you think (PDF Producer: produced on a Mac, author: initials in this instance, and so on).

This is the perfect example of why it is so important to ensure you have a system in place to automatically remove the metadata information within a document. While the data contained in this file wasn’t damaging to the company, it was definitely embarrassing. Had the data been company private, this could have been a very different situation for them. Make sure your company and your data is protected.

Only a week left for the Survey on Mobile Device Usage

2009-10-16T15:30:00.002+01:00

We are delighted with the number of participants who have already completed the 3BView Survey on Mobile Device Usage and Document Security over the last two weeks. The results are already looking very interesting.

With just one week left until this survey closes (end of day EDT 23rd October), if you have not yet contributed then your participation would be very welcome. Please access at http://www.zoomerang.com/Survey/?p=WEB229PNSVQD9C

The survey focuses on access to, and usage of, business applications from mobile devices, with particular focus on the risks associated with information contained within document metadata when using these applications.

We will be publishing summary results on our website, with full results available to survey participants, who will also will be entered into a draw to win an upgraded phone of their choice – either a Blackberry Storm 9530 or an iPhone 3GS 32GB.

3BView Surveys the Legal Market on Mobile Device Usage and Document Security

2009-10-02T12:16:00.003+01:00

Following on from my post last week, we at 3BView are conducting a survey on the usage of mobile devices in the day-to-day practice by legal practictioners around the world. The survey focuses on access to, and usage of, business applications from mobile devices in particular access to documents and risks associated with information contained within document metadata via such applications.

We will be publishing summary results on our website, with full results available to survey partcipants. Survey participants also will be entered into a drawing to win an upgraded phone of their choice – either a Blackberry Storm 9530 or an iPhone 3GS 32GB.

Access the survey at http://www.zoomerang.com/Survey/?p=WEB229PNSVQD9C from now until Otober 23, 2009.

More details can be found here.

The Risks and Benefits of Mobile Computing

2009-09-25T13:01:00.006+01:00

More and more solo and small firm practitioners are making the most of the advancement in technology to practice law using mobile devices and remote applications. The launch over the last few months of the latest iPhone and Blackberry Storm has been another leap forward in enabling technology.

Not only does mobile technology assist attorneys in managing their client base, it also helps in lowering their business overhead. Mobile devices enable attorneys to work from anywhere. The term ‘Mobile Attorney,’ while meaning a specialization in the past, now relates to the practice of using mobile technology to conduct business.

One of the key aspects of the Mobile Attorney is that they no longer just have a laptop running Microsoft Windows. They are now accessing their email, documents and other business applications via webmail, mobile enabled Document Management Systems (DMS) and a broad array of devices such as Blackberry, iPhone, PDAs, NetBooks and Apple Macs.

But, this brings up an interesting fact. While being a Mobile Attorney has many significant benefits, it does introduce new security risks, especially where the firm's security tools, such as their metadata removal application, is limited to a desktop tool. The Mobile Attorney using the web, DMS or mobile device does not have access to these tools and so fall foul of what I refer to as 'the mobile security gap'. If you are a Mobile Attorney – are you aware of these risks and are you doing anything to make sure you and your data is protected?

PDF documents and metadata - some examples

2009-02-28T16:55:00.004Z

Before I do a deeper dive into what metadata a PDF document contains, let's take a look at what must have been the main headline hitting example in 2008 of sensitive information being discovered within PDF metadata.

I am referring to the situation Google found themselves in with a submission they made, supposedly anonymously, to the Australian Competition and Consumer Commission regarding eBay and their proposal to force their users to use PayPal. After speculation on many blogs about the author of the anonymous submission one Dave Bromage took a look at the metadata in the PDF document and let the world know who it was. Despite the submission being replaced with a new version without the revealing metadata the word was out. I won’t comment on the reasons why this was at least embarrassing to Google (this is one report that gives the details as well as showing the metadata contents), but will add that there was an additional chuckle in the techie community that the metadata also showed that the document had not been created using Google’s own word processing app, one being The Register. My main comment is that this unintentional leakage of information involved a regulator as well as embarrassment at the very least to the originator (author and company).

The submission also had masked what would have been visible text about the submitter within the document. However the PDF did not have any security applied to it so it was very easy to copy that area of the document and paste it into another text processor to see the underlying information. Facebook/ConnectU have just this month fallen foul for the same reason. Numerous other examples in this area, GE and the US Justice Department being a couple of examples from 2008. If you want to mask visible text at the very least add security settings to the PDFs that you generate to disallow copying and pasting of text. Also look at redacting software which fully removes and masks text whilst retaining the layout in the PDF document.

I am sure it is pure coincidence that one of the other headlines in 2008 around information garnered from PDF metadata also involved Google, but from the other side of the fence. As reported here metadata in a PDF version of a lobbying letter from the Corn Farmers to Congress linked, albeit tentatively, the author back to some of Google’s political adversaries.

The lesson from these examples is that you should not assume that converting and sending/publishing a PDF removes metadata that could contain sensitive information.

It might have been quiet on this blog for a while but elsewhere...

2008-10-31T11:10:00.004Z

I know, I know, it has been a long while since I last posted to this blog! Thank you to all of you who have been checking in regularly.

It has been a busy six months both in terms of data loss instances and also for 3BView. In the case of the latter we have gained great new customers and partners in the intervening time ... you'll be able to find out more about some of them on our website - a new improved version of which is going live next week.

On the former: well watch this space. Many things to blog about, and I will be doing just that over the coming weeks.

Good eWeek article on DLP

2008-03-18T13:50:00.002Z

EWeek has an interesting article comparing Database Activity Monitoring (DAM) with Data Leak Prevention (DLP).

In the article, Paul Proctor, a Gartner analyst who’s tracked this area for a while, says: “"Most every security monitoring technology would benefit from DLP content awareness, which is the ability to recognize sensitive content on the fly.” Yep, I’d agree with that.

California Bar Journal reviews legal metadata position

2008-02-28T17:46:00.000Z

The California Bar Journal, in this article, presents an excellent round-up of the problems for lawyers, including the myth that PDF documents are safe from metadata leaks, and the latest legal position in the US. Worth reading.

Eli Lilly’s lawyers accidentally emails confidential info to New York Times

2008-02-18T10:45:00.000Z

We’ve been here before, but this is a corker. All the pieces of a classic ILP mistake: the $1bn lawsuit, the external law firm accidentally emailing confidential information to the wrong person, and the fact that the wrong person happened to be a New York Times reporter. Oops.

Law firms, get yourself some ILP tools now, before it’s you!

Scottish council caught out by tracked changes

2008-01-30T11:19:00.000Z

It’s that old classic: sending out a Word document with information you really, really don’t want to reveal left in tracked changes.

This time the metadata culprit is Aberdeenshire County Council, which managed to send out a report on waste management, containing incriminating details of problems in tracked changes that hadn’t made it into the final report.

Even worse than the information revealed is the inference that the council had covered up the information it didn’t like on the problems – and the press has certainly taken this line.

That Jeremy Clarkson story

2008-01-19T08:45:00.000Z

I know I’m coming a little late to this story and there’s been a lot of debate about it. In case you’ve not read about this: the UK TV presenter Jeremy Clarkson published his bank details in a newspaper column, in which he claimed the furore about lost personal details from the HRMC was a fuss about nothing. Of course, a kind soul promptly used the details to set up a direct debit payment from Clarkson’s account to a charity.

On reflection, you could argue that in fact the system works – the UK’s direct debit scheme provides safeguards to protect the consumer, and to refund any disputed money. In this kind of situation, no doubt Clarkson is covered financially.

But you could imagine a consumer being less than happy if, say, the money taken out of their account meant they went overdrawn, other payments bounced, and they then had to sort out the unholy mess.

And Clarkson himself says he only discovers the loss when he read his bank statement – how many people do that every month? And would they notice the loss if it was £50 not £500?

For me, it does highlight two important issues: firstly, the context in which personal data is used is important. As many commentators have said, Clarkson only divulged information that we give to anyone whenever we give them a cheque. But, he did so in a highly public way. “Security by obscurity” has long been a facet of protecting data, and shouldn’t be forgotten when risk is being assessed.

The second key point is that it’s much, much easier to not leak data in the first place, than to deal with the consequences even if there is no nominal financial risk. As I mentioned, the UK’s banks guarantee to refund any money that a consumer loses due to a mistake with a direct debit. In practice, I imagine it’s still a difficult process to go through, and can cause much inconvenience. It’s the same with any company’s data – you might theoretically not have any negative consequences of a leak, but managing the process when information goes missing can be time-consuming and costly.

Frank Abagnale tells the inside story on IT security

2008-01-11T09:13:00.000Z

You might know him best from the Spielberg film “Catch Me If You Can”, but former fraudster Frank Abagnale has spent the last 30 years working with the FBI on improving security, and more recently this has included a big element of IT security.

There’s a good Q&A with him at ComputerWorld that’s worth reading, as he makes some interesting points about IT and financial security – not least that the internal threat to companies is more significant than external hackers.

Two good articles on security: user behaviour and balancing risk

2008-01-07T18:32:00.000Z

Happy New Year! This seems a good opportunity to mention two good articles I read last year, but didn’t blog on at the time.

Firstly, Network World ran an article by Michael Osterman in June based on a survey of user behaviour. It’s short and to the point, but contains useful gems like the fact that 71% of users check work-related email from home on their own computer. Certainly confirms for me that we’re on the right lines to put our ILP protection on the email server, not on the desktop – if you’ve got server-based protection, you’re covered regardless of which PC is used.

Then this article in APC magazine contains some interesting views from Microsoft on why the security threat is often “overblown”, and how you need to balance the cost of a security measure against the perceived risk and the cost of any security problems that may arise. It’s common sense really, but worth remembering, and I’d add the point that you need to think about how long a solution may take before it’s up and running effectively; sometimes the simple and fast solutions are the best.

US legal position on metadata still unclear

2007-12-27T18:11:00.000Z

As far as I can work out, the position in the US on the legal status of metadata is still being sorted out. Have a look at this good review of recent “ethics opinions” in The New York Law Journal – there still seems to be plenty of conflicting views.

The article concludes with good advice: check your local rules and case law, and use metadata scrubbing tools to remove metadata from documents you send (where this is permissible).

One day we’ll have clarity, no doubt.

PR agencies leaking data as much as the rest of us

2007-12-15T17:06:00.000Z

Love or hate them, PR agencies are part of today’s business world. They do have a riskier position than most in the looking foolish stakes, though, as they are in frequent contact with journalists who will generally grab any opportunity they can to wind up their PR colleagues.

The latest one is a delightful example on Valleywag, the Silicon Valley gossip site – just look at all those tracked changes that were left in the email to the journalist from the PR.

But wait: it gets better. The PR sent an email threatening legal action if her original email wasn’t removed. Guess what? Valleywag ran that email too.

Another day, another data breach

2007-12-13T20:26:00.000Z

Amazing how many of these stories are coming out now in the UK about public sector data breaches, as public attention is so focussed on it at the moment.

This week, a healthcare trust managed to email a spreadsheet containing personal financial details of 1,800 employees to four medical organisations. Surely they’ve got ILP tools to stop them doing this? Maybe not…

The gory details are in the BBC’s report here.

New Scientist covers ILP

2007-12-10T15:03:00.000Z

Well, nice to get some recognition for our area of technology in this article in New Scientist (subscription required, but you can read the first couple of paragraphs for free anyway).

To summarise the key points anyway: researchers at the Air Force Institute of Technology, Ohio are developing software to analyse the text of outgoing emails in companies, and flag the senders as “alienated” or “having clandestine, sensitive interests”. Sounds like what we’re doing at 3BView but it’s interesting stuff… there’s more here (New Scientist’s press release about their article).

Scottish politician in donations row due to metadata

2007-12-04T09:16:00.000Z

UK readers will be familiar with the row about dodgy political donations that’s currently surrounding the Labour party. It was perhaps only a matter of time before metadata gave someone’s secrets away – as it has a habit of doing in political rows.

Well, it happened this weekend – the Sunday Herald newspaper printed allegations that Scottish Labour chief Wendy Alexander was aware of the potentially dodgy nature of a donation weeks before she had claimed to be. The smoking gun? Metadata in a Word document showed the date it had been saved (November 5^th) and that the username was her husband’s.

The row is all over the press now, and Alexander may end up having to resign, or even being prosecuted under the UK’s election finance laws. It’s becoming almost commonplace to see these metadata leaks pop up in political rows, and I’m sure the more clued-up journalists check the properties and tracked changes on every Word document they get hold of! Remember PDF documents aren’t normally safe either unless you’ve taken the right steps to make them secure.

Former DuPont scientist jailed for information theft

2007-11-29T09:36:00.000Z

Gary Min, a former DuPont scientist, has just been jailed for 18 months for stealing confidential information. He downloaded 22,000 abstracts and 16,000 full-text documents over a five-month period before leaving the company. He subsequently uploaded 180 of these DuPont documents onto a corporate laptop from his new employer, Victrex, a competitor of DuPont. The information was valued at over $400million.

Apparently most of these documents were unrelated to his job at DuPont. You have to wonder why it took DuPont so long to spot this pattern and report him to the FBI, and why he had access to so much information.

It’s not quite on the scale of the UK’s HMRC fiasco, but it raises a similar question: why do employees get access to such a large quantity of information that’s not related to their jobs?

You can’t steal what isn’t there

2007-11-21T17:40:00.000Z

Yesterday’s story on the loss of 25 million child benefit records reminded me about the loss of more than 45 million customer records stolen from TJX, the parent company of retailer T.J. Maxx. The article, a while back, in Information Week describes it as the “largest breach of customer data”.

An interesting article, but the key point is right at the end: “With any luck, the TJX Effect will teach retailers this basic lesson: Thieves can't steal sensitive customer data if retailers aren't storing it.”

But governments have to store sensitive data -- they really do need to get things sorted, or the trust of the public will be lost forever.

The HMRC leak – unbelievable

2007-11-20T16:25:00.000Z

Really, words fail me. I’ve just watched on TV the UK chancellor Alistair Darling tell the House of Commons that this massive data leak (25 million people’s bank details etc) is due to HMRC staff not following procedures. Pardon me? Apparently it was sent via unrecorded post on unencrypted CDs.

Liberal Democrat acting leader Vince Cable asked why the data was posted on CDs and why HMRC didn’t have an electronic means of sending the information securely. He’s got a point.

I’m sure we’ll learn more soon.

AT&T lawsuits rumbling on

2007-11-20T12:43:00.000Z

AT&T is one of the highest profile companies that’s been publicly identified as having committed an ILP faux pas – letting the cat out of the bag about alleged collusion with the US government in alleged illegal wiretapping (the lawsuits are still going on – so I’m going to use the word ‘alleged’ as often as I can just in case).

They must be regretting this a LOT! There’s an interesting article in the Guardian about this case and the general topic of privacy and how it’s changing in the electronic world.

The customer is always wrong

2007-11-16T13:10:00.000Z

Perhaps it’s stating the obvious, but good to have confirmation from high-paid consultants: Deloitte’s recent report says that people are the biggest security risk for financial institutions.

Well, they actually say it’s customers, and the report raises good questions about how far banks should go in being responsible for customers’ IT security, and points out that the financial institution must manage its third-party relationships or take the blame when things go wrong.

Out-law.com has a good write-up, including a link to the original report.

Google adds outbound email security features

2007-11-13T09:06:00.000Z

Since they bought Postini recently, Google hasn’t wasted any time adding their email security features to Google Apps (even if it’s only on the “Premier Edition” so far).

The press release from Google says the new features will “Centrally manage all outbound content policy, including adding footers to every message based on business policy rules, blocking messages with specific keywords or attachments, and preventing emails with sensitive company information from being sent.”

I had a dig around the Google page linked to from the press release, and the Postini pages it directed me too, and couldn’t find anything too specific about the outbound email filtering it mentioned, but it’s encouraging for those of us at the ILP coalface that the behemoth of Google is recognising the need for ILP tools. Will be interested to see how it works…

UK House of Lords attacks government response to cybercrime report

2007-10-31T13:14:00.000Z

Disappointing news this week about the UK government’s poor response to the House of Lords Science and Technology Committee report on Internet security (which originally came out in August).

The Lords committee has criticised the government in no uncertain terms - the Earl of Erroll, a member of the committee, said, “Unfortunately, the government dismissed every recommendation out of hand, and their approach seems to solely consist of putting their head in the sand."

The report was also criticised by Richard Clayton in a pretty strongly-worded post on his blog. Clayton was involved in assisting the Lords committee.

Ho hum, back to the coal face.