If you’re not paying attention to the metadata in your public files, you may be giving cybercriminals an open invitation to hack into your law firm’s servers. While cybercriminals use a number of methods to bypass law firms’ defenses, one common tactic is often overlooked by lawyers and law firm staff: extracting metadata stored on a firm’s published website documents and images.
Yes, uploading PDF documents and PowerPoint presentations can reveal a lot more to sophisticated cybercriminals than what’s visible to the naked eye. Yet, despite the dangers that metadata poses for attorneys, roughly two out of three solo practitioners and small firm attorneys do not use metadata removal software to clean up their documents, according to the ABA Techreport 2016.
The reason for this is damning. According to Sofia S. Lingos, Esq., Techreport contributor and managing attorney at Trident Legal, the “big issue” is that many attorneys are “unfamiliar with the existence of metadata.” Yet, attorneys who fail to perform proper due diligence with cleaning all files and images they share risk putting their sensitive data and even their reputations on the line.
So what is metadata, exactly? Metadata is information embedded within a document file that gives detailed information about the documents themselves, ranging from who made contributions to certain documents to what version of Microsoft Word was used in writing them.
Consider, for example, the most recent email you sent out from your personal or business account. In addition to containing the actual message you wrote and any files you attached, the email also contains hidden information such as what email client (e.g. Gmail, Outlook, or Thunderbird) you used and information regarding whether the email was successfully delivered. This information, which is all stored in a hidden section of your email called the email header, is considered metadata, and a cybercriminal with access to your emails and email headers can extract enough information to create a sophisticated picture of your communication habits and personal information.
To see this in action, try using MIT’s Immersion metadata tool with your email account and see what results it generates about you and your email habits. Using such metadata analysis, it’s easy for someone to decode your networks and, perhaps, target you for fraud.
The legal profession is undoubtedly a writer’s profession, and because of this it’s also a document-centered one. In today’s world, most of those documents are digital. Unfortunately, word processors such as Microsoft Word, WordPerfect, or Apple Pages store information such as author and collaborator information, saved template information, revision and annotation histories, and even previous versions of the document.
Releasing a document with the metadata intact can be akin to releasing your personal, unedited notes, allowing recipients to see previous drafts. If a previously revised version of a document included a client’s social security number or a description of confidential trade secrets, for example, a cybercriminal, or anyone else, could access and extract this information.
These documents can also store information that goes well beyond the direct contents of the document itself, such as the particular server or servers where the document is being stored, along with what version of the word processor you’re using. This information can also tip off a cybercriminal to look for vulnerabilities unique to the servers and programs you’re using and develop a tailored plan to attack your systems. In addition, any images that your firm shares on your website or social media accounts could also contain metadata related to the location of the photo and the device it was taken with, as well as information about all servers the image is hosted on.
To extract sensitive metadata from confidential documents, cybercriminals can use a number of sophisticated metadata parsing tools. This tutorial, for example, shows how hackers can use the free tool FOCA on website-hosted Word documents to extract sensitive metadata. According to the hackers:
This metadata can give us insight into such information as the users (could be critical in cracking passwords), operating system (exploits are OS-specific), email addresses (possibly for social engineering), the software used (once again, exploits are OS-, and more and more often, application-specific), and if we are really lucky, passwords.
Similar tools exist that allow hackers to scrape metadata from images and PDFs. Hackers armed with this information can then develop an effective cyberattack strategy against a target company, taking into account the various software and server vulnerabilities they uncovered after analyzing document and image metadata.
Lawyers’ treatment of metadata can also raise ethical concerns, in addition to the cybersecurity ones.
Attorneys are required to protect client confidences, including confidential information held in the metadata of their files. Each of the 18 state bar associations to have addressed the issue has concluded that attorneys must exercise reasonable care with regard to metadata. In Colorado, for example, it is a violation of an attorney’s ethical duties to fail to use reasonable care to ensure that metadata containing confidential information is not disclosed to a third party. Attorneys “may not limit the duty to exercise reasonable care […] by remaining ignorant of technology relating to metadata or failing to obtain competent computer support.”
Other states employ gentler phrasing, requiring attorneys to stay “reasonably informed about the types of metadata that are included in electronic documents they generate” and “familiarize themselves sufficiently with the technological means to detect and remove, when necessary,” that metadata.
Interestingly, the American Bar Association is the sole outlier here. According to the ABA’s Standing Committee on Ethics and Professional Responsibility, attorneys have no explicit duty regarding metadata transmission. Presumably, though, an attorney’s general duties regarding confidentiality also apply to metadata.
Attorneys should also be aware of their responsibilities regarding metadata not just as senders but as possible recipients. Here, there is much less consensus. Several states allow attorneys to “mine” metadata, actively searching for confidential information in an opposing party’s files. Several prohibit it. States are also split, though to a less drastic degree, on whether attorneys must notify opposing counsel about the disclosure of confidential or privileged metadata. An overview of those opinions can be found here.
Of course, hackers don’t care about your ethical requirements. Thus, ABA ethics opinion or not, attorneys should take steps to prevent sensitive information from being revealed in document metadata. Fortunately, lawyers can take immediate steps to remove potentially sensitive metadata from any documents they save or work on.
Microsoft Word, for example, has a built-in metadata remover called Document Inspector that lets you review and remove the metadata that would otherwise end up stored in the final saved document.
Apple Pages users can use tools such as GraphicConverter for the same purpose, while lawyers using images on their website can also take steps by disabling automatic geotagging in photos they post from their smartphones.
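The word-processor fields described earlier (author and collaborator names, template and software-version information) live in two XML parts inside every .docx package, docProps/core.xml and docProps/app.xml, so a firm can audit and blank them in a pre-publication step much as Document Inspector does. The script below is an added example, not code from the original post or from Microsoft; the list of fields treated as sensitive is this example’s own choice, and the sample document it inspects is constructed inline so it runs offline.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
# Namespaces used by the two metadata parts every .docx package carries.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Fields that name people, machines, templates or software versions; the body text stays untouched.
SENSITIVE = {
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy", "dc:description"],
    "docProps/app.xml": ["ep:Application", "ep:AppVersion", "ep:Company", "ep:Template"],
}
def _fields(root, part):  # yield (name, element) for each sensitive field present in a metadata part
    for name in SENSITIVE[part]:
        el = root.find(name, NS)
        if el is not None:
            yield name, el
def audit(docx_bytes):
    """Return {part: {field: value}} for every populated sensitive field in the package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in sorted(set(SENSITIVE) & set(z.namelist())):
            for name, el in _fields(ET.fromstring(z.read(part)), part):
                if (el.text or "").strip():
                    found.setdefault(part, {})[name] = el.text.strip()
    return found
def scrub(docx_bytes):
    """Return a copy of the package with the sensitive fields blanked; all other parts are copied as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename in SENSITIVE:
                for _, el in _fields(root := ET.fromstring(data), item.filename):
                    el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item, data)
    return out.getvalue()
def sample_docx():  # constructed minimal .docx (metadata parts plus a body stub) for the demonstration
    core = ('<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}"><dc:title>Motion to Dismiss</dc:title>'
            '<dc:creator>j.doe</dc:creator><cp:lastModifiedBy>FIRM-PC\\asmith</cp:lastModifiedBy></cp:coreProperties>').format(**NS)
    app = ('<Properties xmlns="{ep}"><Application>Microsoft Office Word</Application><AppVersion>16.0000</AppVersion>'
           '<Company>Example Firm LLP</Company></Properties>').format(**NS)
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document>body text</document>")
    return buf.getvalue()
```

Running `audit(sample_docx())` lists the creator, last-modified-by, application, version and company values, and `audit(scrub(sample_docx()))` returns an empty dict; PDFs and images carry different metadata containers and need their own tools.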
Above all, however, it is crucial to handle client documents and data responsibly, metadata included.
This post was authored by Eric Pesale, the founder of Write For Law, who writes regularly about eDiscovery, cybersecurity and other legal topics for law firms, publications, and companies. He is a graduate of New York Law School and the University of North Carolina at Chapel Hill, and recently passed the New York bar exam. Eric can be reached at email@example.com or on Twitter at @writeforlaw.