Just How Private are Lotus Notes Private Items?
Lotus Notes Private Items, Read Receipts and Encryption
Following on from my colleague Twan’s brilliant blog on Private Items in Outlook / Exchange, (see here -> https://neroblanco.co.uk/2015/08/how-private-are-private-items-in-exchange/ ) we thought we would put together a similar one on Lotus Notes.
My colleague Neil Langston already touched on parts of this with his equally brilliant Blog on detecting Private Folders ( https://neroblanco.co.uk/2014/06/detecting-private-folders-targeted-communications/ )
At the end of the day, Lotus Notes items are often simply controlled by a binary field value that toggles it on or off. Most seasoned Notes Admins can get around Prevent Copy, Private Item and Read Receipts. Quite likely any savvy experienced Notes user could get around it as well.
These features should definitely not be considered “Secure, Compliant or Confidential” features. Lotus Notes Encryption, on the other hand, is indeed what it says on the tin; however, it still allows the recipient far too much leeway to circumvent the sender’s intent. The recipient of an encrypted Lotus Notes email can simply decrypt it, or forward it on unencrypted.
Read Receipts
First up, let’s look at Read Receipts. Natively in Lotus Notes there is no way for a Recipient to know that the Sender had put a Read Receipt on the email, nor is there any easy way for the Recipient to stop the Receipt being returned.
Adding a Read Receipt to an email is easy. Simply select Delivery Options.
You *can* also set it for ALL emails in your Mailfile Preferences…
When the recipient sees the email in their inbox they are none the wiser, and when they open it they are oblivious to the Receipt being sent… unless they view the status bar observantly in their Notes Client
Or if they are running in Local / Offline / Island mode, in which case the Read Receipt to be sent will sit in their local mail.box until they re-connect to the network and the mail is sent via their Replicator page. This can be seen before it is sent and could be deleted by the user.
So, what can we do to get around this…
Well, we can add a Column into the Inbox Folder view, so we can see at a glance:
We simply add the following formula to the Column Value:
@If(ReturnReceipt = "1" & $KeepPrivate = "1"; 92; ReturnReceipt = "1"; 123; $KeepPrivate = "1"; 62; @IsAvailable($title); 91; "")
Note the “Blue Envelope” Icon
Then we add a button to the Action Bar of the Inbox Folder to strip it off:
Finally, we add a little bit of code on to the Query Open Document design element of the Inbox Folder, so that when we open the email we are prompted whether we want to send a Read Receipt or not.
@If(@IsAvailable(ReturnReceipt);
    @If(ReturnReceipt = "1";
        @If(@Prompt([YesNo]; "Send Return Receipt?"; "The Sender has requested a Return Receipt for this email. Do you wish to send a Return Receipt?");
            @SetField("ReturnReceipt"; "1");
            @SetField("ReturnReceipt"; "0"));
        "");
    "")
Prevent Copy, Forward or Print
Again, as above, it is very easy for the Sender to enable this feature to “Protect” their email using the Delivery Options button from the Action bar.
When the recipient Opens the email, the Print Options have been removed (CTRL+P also does not work as a keyboard shortcut) and when trying to Reply with History or Forward you get this message:
You cannot forward or otherwise copy the contents of this document. This document is set to prohibit copying and duplicating.
So, what can we do to get around this…
Again, our Column from above warns us if the email has been “protected”
We can simply use the “Unprotect” Button that we have added to the Action Bar.
What magic does it do? Not much… it simply Deletes the Field $KeepPrivate and voila we can Print, Forward and Reply with History.
FIELD $KeepPrivate := @DeleteField;
“”
Mark as Private
This feature is only available on Calendar Items in Lotus Notes, there is no opportunity on the email form.
It is enabled right on the Appointment Form.
In the Calendar view a small padlock is available.
Any Delegate only sees this:
Mark as NOT Private..
So, how do we unmark it from being Private? Well simply put, IF the field $PublicAccess is present, then it is not private. Thus, we just add it 🙂
Create a Simple Notes Agent in your Mailfile or on the Icon Bar with the following code:
FIELD $PublicAccess := "1";
In the Calendar item it now looks like this:
Now when Dan Carter Opens Richie’s Calendar he sees this:
Private Folders
Private Folders are a bit of a legacy Notes thing, mainly used in the R4.5 – R5 era. Private Folders are only visible to the User that created them.
Whilst you *can* still create them, it is not a common thing anymore. You may still see them in old mailfiles for users that have been in the organisation a long time, or more likely in Shared Mailboxes / Mail-In Databases that are used by multiple people and that have again been around for a long time. In later versions, you actually have to dig around to create them.
Here is what they look like:
The thing is that while the Folder itself is Private, denoted by a Grey Folder – or in later Notes versions a small grey padlock – rather than a traditional Yellow one, the emails contained inside them are not Private and are simply visible in the All Documents View anyway!
When Dan opens up my mail file as a delegate, he can’t see the folder, but he can easily see the email.
Neil’s blog here again on detecting them: https://neroblanco.co.uk/2014/06/detecting-private-folders-targeted-communications/
There is some code around to convert Private Folders back to Shared. Again we at Nero Blanco have more advanced code and have in fact worked out a way to get the Server to do this on the back-end rather than user interaction being required.
A user can do this themselves by creating a second “normal” folder, say called My Folder 2, moving the items to that Folder, deleting the Private Folder, and renaming the new folder back to the name of the old Private one.
Notes Encryption
Like the others above, Lotus Notes Encryption is an email Option.
In this screenshot we have enabled everything! (Other than S/MIME interaction…)
The recipient sees the email like this:
However, decryption is only a few clicks away… You do need some more advanced skills to create a LotusScript Agent to decrypt emails, but the code is readily available and in fact IBM make it available.
http://www-01.ibm.com/support/docview.wss?uid=swg21110567
http://www-01.ibm.com/support/docview.wss?rs=899&uid=swg21089495
Note, there are far more mature and robust LotusScript Agents available that do a better job than the IBM one above. We ourselves have a far more optimised version we use during migrations.
Quite often it is used in Migrations from Lotus Notes to Exchange where users would rather be able to see the content of their emails in Outlook, than not at all, or have to refer back to Lotus Notes all the time.
Interestingly, just by Forwarding the email you can remove the encryption there and then, and if you send to a Recipient external to your organization’s Domino Domain, you cannot (Lotus Notes) encrypt the email anyway. For this you need an S/MIME Certificate for yourself and the recipient. And that’s a whole other Blog topic on how to set that up in Notes!!
Conclusion
As you can clearly see, although Notes has some nice features, they are able to be circumvented with relative ease – unlike Microsoft Exchange’s Information Rights Management tied Active Directory Rights Management Server.
So “Just How Private are Lotus Notes Private Items?” – not very!
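To see how much content in a mail file depends on the field flags discussed above (ReturnReceipt, $KeepPrivate, and the absence of $PublicAccess), the following added example, which is not Nero Blanco's code, inventories them from a DXL (Domino XML) export. It assumes the mail file has been exported to DXL and that calendar entries use the form name Appointment; the function names and the sample export are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DXL_NS = {"d": "http://www.lotus.com/dxl"}

# Constructed sample export (not real mail): three documents in DXL form.
SAMPLE_DXL = """<database xmlns='http://www.lotus.com/dxl'>
 <document form='Memo'>
  <item name='Subject'><text>Q3 figures</text></item>
  <item name='ReturnReceipt'><text>1</text></item>
  <item name='$KeepPrivate'><text>1</text></item>
 </document>
 <document form='Appointment'>
  <item name='Subject'><text>1:1 review</text></item>
 </document>
 <document form='Appointment'>
  <item name='Subject'><text>Team lunch</text></item>
  <item name='$PublicAccess'><text>1</text></item>
 </document>
</database>"""

def items_of(doc):
    """Map item name -> first text value ('' if the item has no text child)."""
    out = {}
    for item in doc.findall("d:item", DXL_NS):
        out[item.get("name")] = item.findtext("d:text", default="", namespaces=DXL_NS)
    return out

def flag_controls(doc):
    """List the flag-only controls a document relies on, as the article describes them."""
    fields = items_of(doc)
    found = []
    if fields.get("ReturnReceipt") == "1":
        found.append("return-receipt")
    if fields.get("$KeepPrivate") == "1":
        found.append("prevent-copy")
    # Per the article, a calendar entry is private only while $PublicAccess is absent.
    if doc.get("form") == "Appointment" and "$PublicAccess" not in fields:
        found.append("private-calendar")
    return found

def audit(dxl_text):
    """Return (subject, controls) for every document that relies on a field flag."""
    report = []
    for doc in ET.fromstring(dxl_text).findall("d:document", DXL_NS):
        controls = flag_controls(doc)
        if controls:
            report.append((items_of(doc).get("Subject", ""), controls))
    return report

if __name__ == "__main__":
    for subject, controls in audit(SAMPLE_DXL):
        print(f"{subject}: {', '.join(controls)}")
```

Every item the report lists is one whose handling restriction exists only as a field value, so it should be treated as a request to the recipient rather than an enforced control.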