Limit of Notes Anonymity (20040317)

This might be a little sudden, but today I would like to discuss the security of the Lotus Notes platform in some depth. I would like to show that I am one of the Lotus Notes experts by writing technical essays like this one from time to time. I wrote 'in some depth', but if you have several years of experience developing Notes databases you will easily recognize the limits of Lotus Notes anonymity, so please do not expect too much from this essay. The theme is the confidentiality of Notes databases, and I will use as few technical terms as possible.

First of all, I would like to clear up a misunderstanding that many people seem to have about the security features of Lotus Notes. It is true that Notes is said to have sophisticated security features, but their purpose is not to 'restrict' access but to 'control' access. The advantage of Notes security lies not in preventing people from accessing information but in letting people access information. The main reason for this is that the Lotus Notes platform must identify who is using Notes. In principle, Notes cannot offer anonymity the way web systems can. Lotus Notes is built on the idea that it first recognizes who is using it and then controls how much information each user can access. Notes must know who each user is before it can secure the information stored in it. Therefore Lotus Notes cannot control the access level of anonymous users, because anonymous users cannot use Notes in the first place (I exclude web applications running on a Domino server, since they are not Notes applications but web applications that happen to use Notes as their platform). Conversely, we can never guarantee the anonymity of a user who has logged on to Lotus Notes with a Notes ID file.
Therefore it is impossible, by definition, to develop client-server applications that require user anonymity, such as an anonymous questionnaire system. Before discussing why an anonymous questionnaire system cannot be built on the Lotus Notes platform, I would like to show that anonymous questionnaire systems are of little use even on the web platform. If the anonymity of the respondents is really guaranteed, we cannot prevent one and the same person from answering the same questionnaire many times. If the number of respondents is large enough, say thousands or tens of thousands of people, the result of an anonymous questionnaire still has some validity for the purpose of learning the overall tendency of the respondents. But when there are only hundreds of respondents, the result means almost nothing if you cannot ensure that nobody answers twice.

Let's go back to our main theme. Why is it impossible to develop a client-server type anonymous questionnaire on the Lotus Notes platform? To answer this question, it is best to start by thinking about what access level should be given to the respondents. As you know, there are seven access levels in Lotus Notes: Administrator, Designer, Editor, Author, Reader, Depositor and No Access. When you develop a questionnaire system on Lotus Notes, Depositor immediately comes to a Notes developer's mind. Depositor is the lowest access level that can create a new document in a Notes database. But our purpose is to guarantee the anonymity of the respondents, so we have to consider how to remove the user name from the documents each respondent creates. One way to do this is as follows: run a program just before the respondent saves his document; this program removes the user name from the document and then saves it.
Instead of the user name of the person who actually created the answer, you can put the user name of the database administrator, any other user name, or a role name. But this approach has two shortcomings. First, users cannot save an unfinished document: a Depositor cannot edit even a document he created himself once it has been saved. This is how Lotus Notes is specified. Second, one and the same person can answer many times. If we remove the user name of the document's author before the document is saved, we can no longer identify who created which document, so the same person can freely create another document. Considering these two shortcomings, it is inappropriate to give the respondents 'Depositor' level.

If we cannot use Depositor level, what about Author level, the next higher access level? Editor level is out of the question, because users with Editor level can edit even documents created by other users. The higher levels, Designer and Administrator, are also out of the question: a Designer can even change the design of the Notes database, and an Administrator can even change the access level of every user. We can conclude that Author level is the only option for developing an anonymous questionnaire system on the Lotus Notes platform.

Now let's check whether we can realize the anonymous questionnaire by giving Author level to the respondents. First, let's check whether we can clear up the two shortcomings identified above for Depositor. The first shortcoming is that we cannot save unfinished documents. As described above, we have to remove the user name of the person who created the document before saving it, in order to guarantee the anonymity of the document. But once we remove the user name of the document's creator, we can no longer identify who created which document, and nobody can continue editing the document he created before.
So we must postpone removing the user name of the document's creator until the creator decides, "now it's finished!" It is therefore inevitable that the creator's user name is written on each questionnaire answer until the creator declares it finished. We cannot guarantee the anonymity of questionnaire answers until each of them is finished and saved by its creator. If we prepare an action button called 'Finished' or similar, and clicking it triggers a program that erases the creator's user name from the document, we can guarantee the anonymity of the respondents once their answers are finished. Here is one limitation of Notes anonymity: we cannot guarantee anonymity while a document is still unfinished. We have to put up with this for the moment.

Next, let's check whether we can clear up the second shortcoming, i.e. whether we can prevent one and the same person from creating a second document in the questionnaire database. As described above, if we give Author level to the respondents, we can prevent double answers until the respondent finishes his answer. But once he finishes the answer and a program automatically removes the creator's user name from the document, unfortunately the same person can create another answer in the same questionnaire database. This is a problem. How can we solve it? There is only one countermeasure: we generate another document, separate from the answer, just after the answer is finished and saved by the creator. When the respondent clicks the 'Finished' button, an automatically started program removes the creator's user name from the answer document and, at the same time, creates another document on which the creator's user name is written. We will call this second document the 'user information document'.
By doing this, even when one and the same person tries to create another answer to this questionnaire, we can check whether this person has already answered by browsing the list of 'user information documents'. If you find the same user name among the already created 'user information documents', the user has already answered the questionnaire and cannot create another answer document. Now it seems we have made it: we have successfully built an anonymous questionnaire database with Lotus Notes by giving Author level to the respondents. You might think so up to this point. But if you are only a half-experienced Notes developer, you have missed one critical security hole.

First of all, giving Author level access to all respondents means that every respondent can look into the unfinished answers created by other respondents. As for the finished answer documents, every respondent can look into all of them too, even though the creator's user name can no longer be found on them. If you want to close this hole, you have to write a program for the 'PostOpen' event of the answer document, and the program should check whether the user name of the person who tries to open the document is the same as that of the person who is editing it (since we are talking about unfinished answer documents here, the creator's user name is always found on the document).

In addition, there is a much more serious security hole. When you have 'Author' level access, you can copy or replicate the whole database to your own local hard disk. As you know, the access control list loses its control when a Notes database is copied locally. This means that you can look into not only the unfinished answer documents but also the finished ones. This local copy functionality is sometimes overlooked and turns into a security hole in Notes databases.
Just by looking at this local copy or replication functionality, you can clearly see that Lotus Notes puts much more stress on information sharing than on restricting access to information. Software called 'groupware' is in principle intended to make information flow, not to restrict access to it. It is natural that groupware features stress information sharing rather than information security.

Let's go back to the security holes of the Notes questionnaire database. Even if you can look into both the unfinished and the finished answer documents, you still cannot find the creator's user name on the finished answer documents, because we removed it with an automatically started program. So it seems that we have achieved anonymity as far as the finished answer documents are concerned. However, there is still one security hole. As described, in order to achieve both the anonymity of answers and the prevention of double answers by one and the same person, we had to generate the 'user information document' at the same time the answer document is finished (when the respondent clicks the 'Finished' button). It must be created at exactly that moment, because if there were a time lag between finishing the answer document and generating the 'user information document', one and the same person could create another answer document during that lag. So the 'user information document' must be created at exactly the same time the answer document is finished and saved. And the 'user information document' carries the user name of the person who has just finished the answer document that is saved at the same time. Without the user name on the 'user information document', we cannot check whether the person has already answered the questionnaire.
If you are a good guesser, you may already have found the last security hole in this questionnaire database. It lies in the simultaneity of generating the 'user information document' and finishing the answer document. Because of this simultaneity, if you cross-check the last modified date and time of these two documents, you can relate each 'user information document' to exactly one answer document. As you know, the last updated date and time are forcibly recorded on every document in a Notes database. The last updated date can be read with an ordinary user operation: just click the property action button found in the top left corner of the Notes client window. You might say, "then we can hide the document views from ordinary users." But this is impossible. Users with Author level access can find all the views by executing 'Searching unread documents'. You execute this function from the Notes menu (click 'Edit' and then 'Select unread documents'), open two or three unread documents and then close them with the Escape key. Now you can see the default navigation screen of Notes, which shows all the document views. Now you can freely browse the finished and unfinished answer documents and, if you have enough time to check the last updated date and time of each document, you can identify who created which answer document.

To do these operations you do not need any additional software, e.g. the Domino Designer client. Any ordinary Notes user can take advantage of these security holes with just the ordinary Notes client. Moreover, there is no hidden functionality anywhere in these operations: making a local replica, clicking the property action button, clicking the Notes menu, all of these are quite normal Notes operations. Our argument was a little complicated. It might be hard for those who have no experience developing Notes databases to follow it.
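To make the timestamp cross-check concrete, here is a small Python model of the answer/user-information scheme described above, with a check of how many 'anonymous' answers the saved timestamps alone re-identify. This is an added example, not code from the original essay or from Lotus Notes; the field names, user names and times are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reference point so bucketing does not depend on the local time zone.
EPOCH = datetime(2000, 1, 1)

def new_store():
    # the questionnaire database: anonymised answers plus user information documents
    return {"answers": [], "userinfo": []}

def has_answered(store, user):
    # the double-answer check: look the user up among the user information documents
    return any(d["User"] == user for d in store["userinfo"])

def finish_answer(store, user, text, when):
    # what the 'Finished' program does: save the answer with the creator's name
    # removed and, at the same instant, a user information document naming them
    if has_answered(store, user):
        return False
    store["answers"].append({"Body": text, "LastModified": when})
    store["userinfo"].append({"User": user, "LastModified": when})
    return True

def link_by_timestamp(store, resolution=timedelta(seconds=1)):
    """Map answer index -> user for every answer whose last-modified time
    matches exactly one user information document at this resolution.
    Ambiguous or unmatched answers are left out, so the size of the result
    is the number of 'anonymous' answers the metadata re-identifies."""
    def bucket(t):
        return (t - EPOCH) // resolution   # integer interval number
    users_at = defaultdict(list)
    for d in store["userinfo"]:
        users_at[bucket(d["LastModified"])].append(d["User"])
    linked = {}
    for i, a in enumerate(store["answers"]):
        candidates = users_at.get(bucket(a["LastModified"]), [])
        if len(candidates) == 1:
            linked[i] = candidates[0]
    return linked

def demo():
    # constructed sample data; names and times are made up
    store = new_store()
    t0 = datetime(2004, 3, 17, 9, 0, 0)
    finish_answer(store, "Alice/Acme", "Strongly agree", t0)
    finish_answer(store, "Bob/Acme", "Disagree", t0 + timedelta(minutes=5))
    finish_answer(store, "Carol/Acme", "Neutral", t0 + timedelta(minutes=5, seconds=20))
    second_try = finish_answer(store, "Alice/Acme", "Agree", t0 + timedelta(minutes=9))
    exact = link_by_timestamp(store)                         # per-second timestamps
    coarse = link_by_timestamp(store, timedelta(minutes=1))  # truncated to the minute
    return second_try, exact, coarse
```

Coarsening the timestamps only hides an answer when two respondents happen to finish within the same interval, and it does nothing about the local-copy and view-browsing holes described above.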
But from the beginning, Lotus Notes was not qualified to guarantee the anonymity of data, because the information security of Lotus Notes is realized by making every user named. For the purpose of achieving both the anonymity of data and its confidentiality, Lotus Notes is totally the wrong tool. If we carry this argument further, it is impossible by definition to achieve both anonymity and prevention of double voting in one and the same system. This is easily understood when you think about elections. Elections have exactly the same requirements as our anonymous questionnaire system, because they require both the anonymity of the vote and the prevention of double voting. To achieve both at the same time, we can rely only on physically handing one ballot paper to each voter. Even when elections are computerized in the future, physical entities, such as the IC cards needed for voting via the Internet or the admission tickets needed for entering computerized polling places, must be physically handed to each voter. Moreover, such physical entities must not be easy to copy. Elections teach us the impossibility of achieving both anonymity and singleness of vote in one and the same system; we always need a physical medium to ensure both. In a word, Lotus Notes cannot realize an anonymous questionnaire system, by definition. If you think about how Lotus Notes was born, you can easily see that this is simply impossible. Lotus Notes can ensure information security only when its users are not anonymous.

Reproduction without permission is prohibited.