Protect your company from the risks of metadata shadows

May 11, 2016


Metadata represents the context generated by and/or surrounding all digital communications, or the traces left by digital data during its processing and digital existence.

Because it acts as a digital halo that reflects the characteristics of the user data, metadata can be used to infer the original information even when that information is no longer directly accessible to the observing (or intruding) party, or never was accessible in the first place.

Metadata and cyber-security

Protecting metadata is part of the privacy protection field. Because unauthorized access to metadata is often a preliminary to a data breach, cyber-security measures include metadata protection as an extra precaution.

Companies and digital users may have been unaware in the past of the risks of neglecting their digital traces, but it is now clear that this type of information is highly prone to ongoing intrusions and in most cases precedes further security incidents.

Internet providers may also find themselves in situations where requests for users’ metadata come from government agencies or law enforcement entities. Content requests, for example, are clearly regulated under U.S. law, while non-content requests may be surrounded by a certain ambiguity. Metadata’s degree of sensitivity may not always be the same (this source makes the distinction between transactional records and identifying information), but the lack of comprehensive regulations concerning these non-content digital traces, as well as their sub-types, is equally problematic.

What accessing someone’s metadata represents

If some still find it hard to imagine the value metadata holds, comparing it to the addressed envelope that contains your correspondence might help. The actual content of the envelope is inaccessible, yet the sender and the recipient written on it may be of some interest to third-party prying eyes that know what to look for. Nevertheless, any third party needs to get hold of the envelope in order to be able to process your communication operations. Discarding the envelope randomly in the digital environment, or simply forgetting that it may provide certain details on your whereabouts and actions to whoever might be curious, is not a cyber-aware option.

Accessing someone’s metadata brings higher risks as technology progresses – simply by pinpointing a few landmarks and details on a person, a malicious entity may feed enough information to an algorithm to determine quite a lot about their target.

Social engineering, for example, another notorious tool employed by hackers, can very well build upon just a few ‘envelope’ details and form its deceiving web around the target. The ways of using data obtained this way are not limited to just a few options, just as the capabilities of today’s software are not limited, but expanding.

Accessing someone’s metadata may mean obtaining the crucial piece of information that bigger actions need. It definitely represents trespassing into the protected privacy area and it may easily become harmful for the person to whom the data belongs.

Protecting metadata for individual users

Once individuals become privacy-aware where their metadata is concerned, they might choose to employ the few tools at their disposal, all of which come with a higher degree of online anonymity.

Privacy International recommends approaching the metadata issue with encryption tools:

  • Navigating the web via the Tor network usually ensures a medium to high level of data and metadata protection for ordinary users (users whose “adversaries” do not themselves employ sophisticated tracking methods, since we have all seen that Tor is not impenetrable);
  • A medium level of metadata privacy is ensured by the use of proxies and virtual private networks (VPNs); it is however strongly recommended that users familiarize themselves with these tools, otherwise they might continue exposing their digital traces even when employing VPNs and proxies;
  • The best solution would be combining the available solutions so that the user data does not flow via only one of the above; otherwise the single-channel traffic might also be associated with the real-life identity of one particular user.

Protecting metadata for companies

In the case of companies that want to control their metadata exposure and increase their privacy protection, the available methods have to rise to the big data challenge.

A complete procedure includes these steps:

  • Establishing a metadata awareness attitude inside the company (informing the key people on the risks and mechanisms);
  • Employing third-party management software and preventive metadata scrubbing procedures;
  • Employing a company level standard strategy to ensure your employees continuously support the “clean and protect” policy.

There are specially tailored tools that organizations can acquire and use – peer-to-peer encoding software would be one instance of a privacy enhancer. The Pretty Good Privacy (PGP) tool (Symantec), for example, makes sure your content travels safely encrypted. However, metadata requires a different level of protection, at the protocol level, the kind STARTTLS aims to provide.

Although the specialists agree that removing company metadata is a must, a simple overall solution seems to be absent. Either the cyber-security provider that handles the organization’s digital presence and privacy takes care of these vulnerabilities, or one-off solutions are employed when the volume of work does not exceed the powers of such step-by-step measures.

For example, there are a few instructions available online on how to check exactly what metadata bits your office documents contain. Depending on the software you use for your work documents and electronic correspondence, you might want to check if there are any particular precautions your company or employees could take in limiting the metadata exposure.
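
As an added illustration (not part of the original article and not any vendor's tool), the Python code below checks and scrubs the document properties of an Office Open XML file such as a .docx, which is a ZIP archive whose docProps/core.xml and docProps/app.xml parts carry author and company fields. The function names, the list of fields treated as sensitive and the sample document are assumptions made for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer the defusedxml package

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/", "dcterms": "http://purl.org/dc/terms/",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance",
      "": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep the usual prefixes when re-serialising
PARTS = ("docProps/core.xml", "docProps/app.xml")  # OOXML document-property parts
SENSITIVE = {"creator", "lastModifiedBy", "Company", "Manager"}  # assumed list, extend per policy

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the "{namespace}" part of an element name

def audit(data):
    """Return {part: {field: value}} for each non-empty property in the archive."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in PARTS:
            if part in zf.namelist():
                root = ET.fromstring(zf.read(part))
                found[part] = {_local(e.tag): e.text for e in root if e.text and e.text.strip()}
    return found

def scrub(data):
    """Return a copy of the archive with SENSITIVE property values emptied."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            payload = src.read(name)
            if name in PARTS:
                root = ET.fromstring(payload)
                for e in [e for e in root if _local(e.tag) in SENSITIVE]:
                    e.text = ""
                payload = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(name, payload)
    return out.getvalue()

def make_sample():  # constructed, minimal .docx-like archive built in memory (not a real document)
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}"><dc:creator>Jane Example</dc:creator>'
            '<cp:lastModifiedBy>J. Example</cp:lastModifiedBy><dc:title>Q3 plan</dc:title></cp:coreProperties>')
    app = f'<Properties xmlns="{NS[""]}"><Application>Word</Application><Company>Example Corp</Company></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in ((PARTS[0], core), (PARTS[1], app), ("word/document.xml", "<w/>")):
            zf.writestr(name, body)
    return buf.getvalue()
```

Document properties are only one place where such traces live: tracked changes, comments and the EXIF data of embedded images sit in other parts of the archive and are not touched by this example.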