Table 1.2 summarizes both effective and ineffective countermeasures for dealing with metadata. Covering text or diagrams or reducing images usually does not work against a savvy reader. Sanitizing a doc-ument, however, through a series of steps, we will look at shortly. The four other effective approaches are as follows:
1. Use the Microsoft add-in program, “Remove Hidden Data” (RHD).
2. Use the MS Office document’s drop-down menu “Tools/Op-tions/Security/Privacy Options” to alert the author or user to metadata problems in the document.
Figure 1.4: Hiding a Cell in Excel
3. Employ Appligent’s PDF utility to ensure unwanted metadata does not pass through to the published document from the PDF original.
4. Use Antiword or Catdoc for MS Word files on Linux and Unix machines.
Locate RHD’s description on Microsoft’s Knowledge Base (Refer-ence 834427 at http://support.microsoft.com/kb/834427). This pro-gram works on individual files or on multiple files. Collaboration features like Track Changes, Comments, and Send for Review will not
Table 1-2: Controlling Metadata
Technique Description Effectiveness
Covering text or diagrams
Blackening or whitening with a rectangle sensitive data or text in a document.
Usually not effective.
Reduce the image to point where it is not visible.
See the steps in Table 1-3. Quite effective.
Use “Remove
Check the “Privacy Options” to warn about metadata.
Effective in alerting author or user to problems.
PDF Utility Appligent has redaction utilities for PDF documents.
work after the user or author applies RHD. So, use RHD only after the drafting process is complete. Microsoft states that RHD can remove:
• Comments
• Previous Authors and Editors
• User Name
• Personal Summary Information
• Revisions
• Deleted Text
• Visual Basic Macros
• Merge ID Numbers (See check box “C” below.)
• Routing Slips
• E-mail Headers
• Scenario Comments
• Unique Identifiers
Use the drop-down menu for “Tools” in the document’s toolbar.
Select “Options” and click on the tab “Security.” (See Figure 1.5.) Under
“Privacy Options” the following check boxes are available:
[A.] “Remove personal information from file properties on save”
[B.] “Warn before printing, saving or sending a file that contains tracked changes or comments”
[C.] “Store random number to improve merge accuracy”
[D.] “Make hidden markup visible when opening or saving”
These security options act as a first line of defense against metadata passing unnoticed into a published document. Items A, B, and D are self-explanatory and need to be checked so that they will be active. Item C, if unchecked, will not store GUIDs (Generated Unique Identifiers [numbers]) when doing document merges. GUIDs, although useful in temporarily tracking merge documents, can identify the computer used to create the document if left stored on the machine. If you wish your computer to remain anonymous in the published document, uncheck this feature.
Appligent’s family of PDF redaction tools is quite effective in re-moving metadata from PDF files. (PDF files are a type of universal doc-ument format that permits the docdoc-uments being read on any computer that has an Adobe® PDF document reader on the machine.) Redax 4.0 automatically removes any document metadata and even marks up sen-sitive visible data like social security numbers, zip codes, and telephone numbers. Unlike conventional blackening or whitening of sensitive text,
Redax’s process is inexpugnable. Someone cannot just change the cov-ering color to see the underlying text. So, the tool is excellent for redact-ing documents pursuant to Freedom of Information Act (FOIA) or Open Records requests. Appligent has an excellent white paper on their site, “The Case for Content Security,” at http://www.appligent.com/
docs/tech/contentSecurity.pdf if one desires more background on the redaction process.
Antiword and Catdoc offer some relief to Linux and Unix users. If they use Microsoft Office applications, these tools render documents into text free of metadata. Antiword is a free MS Word reader that has
Figure 1.5: Tools/Options/Security
versions for Linux, RISC OS, Free BSD, Be OS, Mac OS X, and vari-ous flavors of Unix systems. Catdoc is an MS Word reader that extracts out text from the formatted MS Word document. Its cousins, which are xls2csv and catppt, create the same capability for Excel and PowerPoint documents respectively.
Sanitizing a document through a series of manual steps rounds out the discussion of countermeasures. These steps are from a National Security Agency (NSA) publication, “Redacting with Confidence: How to Safely Publish Sanitized Reports Converted from Word to PDF.” Protecting documents for dissemination from inadvertent metadata requires vigi-lance. Nothing can replace your own visual examining of the final public document. Careful review of a lengthy document may require several sets of eyes, and while initially this process may seem unduly tedious, remember that you and your team are being digital sleuths. Try thinking of the digital document as something to attack. View it as a spy would do. (See “Being a Metadata Sleuth” at the end of the chapter.)
Please refer to Table 1.3 during this commentary. The first step is to create a new copy of the document. Then make sure the “Track Changes”
feature is turned off. (You do not want to add any more metadata to the document.) Review the document and delete sensitive data or content.
Replace deleted items such as graphics, tables, paragraphs, and text boxes with rectangles containing meaningless data like 1’s and 0’s. (If pursuant to a FOIA or Open Records request, then do this procedure to show the items and areas redacted.) DO NOT simply cover the area by using a dark color or by whitening the text. DELETE all the text or graphics, and then replace the missing area with the meaningless data.
Review the redacted copy again for any possible oversights. Have other authorized persons double-check your work. Then, select all the document contents and paste them into a virgin, blank MS Word doc-ument. This step is very important. It minimizes the amount of meta-data in the MS Word document that you plan to convert into a PDF document. Review the document again. Then, ensure that Adobe PDF conversion settings are correct by having unchecked the options: “Con-vert Document Information” and “Attach Source File.” If the document passes all the inspections and these PDF conversion settings guarantee that metadata will not pass through, then convert the MS Word docu-ment to PDF format. Finally, do an inspection of the PDF file to make sure no undesired data is either viewable or searchable. Run some test searches within the PDF document using key words or phrases you
redacted to make sure you have a clean public document for dissemi-nation. Also inspect the “Properties” of the PDF file.
MICROSOFT’S ONLINE HELP WITH