In 2006 a law came into force that allowed lawyers to certify photocopies, authenticate signatures and perform other legal acts usually reserved for notaries.
To comply with the law, the Portuguese Bar Association (Ordem dos Advogados, OA) opened a new service on its Web portal and hired us to implement it.
In this part of the portal, lawyers register legal acts. Each act can list an unlimited number of parties (intervenients) and is marked as either publicly readable or private. The system automatically assigns each act a sequential number, unique per lawyer, and, if the act is public, a Web address anyone can use to read it.
Once again the focus was on ease of use and system security.
To let acts list an unlimited number of parties, we used a Web 2.0 (dynamic, client-side) form in which the user can add new party rows at will.
On the other hand, to ensure private acts really do remain private, the system always checks who is authenticated in the OA portal and whether the act being read belongs to that lawyer or is public. If nobody is authenticated in the portal, only public acts can be read.
In other words, the system does not assume that a user who was never given the Web address of a private act will not know how to alter a public act's address to try to read the private one. "Security through obscurity" should only ever reinforce existing security controls, never serve as a security method by itself.
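The read check described above, as an added example in Python that is not the OA portal's own code: it assumes an act's Web address resolves to a (lawyer id, sequence number) pair, and applies the authorization rule on every read regardless of how the address was obtained. The act data and lawyer ids are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Act:
    lawyer_id: str            # lawyer who registered the act
    seq_no: int               # sequential number, unique per lawyer
    public: bool              # whether anyone may read it
    parties: Tuple[str, ...]  # parties (intervenients) listed on the act
    text: str


# Constructed sample data keyed by (lawyer_id, seq_no), mirroring the
# per-lawyer sequential numbering described in the text.
ACTS: Dict[Tuple[str, int], Act] = {
    ("adv001", 1): Act("adv001", 1, True, ("Ana", "Bruno"), "Certified photocopy"),
    ("adv001", 2): Act("adv001", 2, False, ("Carla",), "Private signature authentication"),
    ("adv002", 1): Act("adv002", 1, False, ("Dinis",), "Private act of another lawyer"),
}


def authorized(act: Act, session_lawyer: Optional[str]) -> bool:
    """Rule from the text: public acts are readable by anyone; private acts
    only by the lawyer who registered them (the authenticated portal user).
    No session (None) means only public acts are readable."""
    return act.public or (session_lawyer is not None and session_lawyer == act.lawyer_id)


def read_act(lawyer_id: str, seq_no: int, session_lawyer: Optional[str]) -> Optional[Act]:
    """Resolve the address to an act and enforce the check on every read.
    Design choice made in this example: a missing act and a forbidden act
    both yield None, so the response does not reveal which numbers exist."""
    act = ACTS.get((lawyer_id, seq_no))
    if act is None or not authorized(act, session_lawyer):
        return None
    return act


def next_seq_no(lawyer_id: str) -> int:
    """Automatic sequential numbering, kept independent for each lawyer."""
    existing = [seq for (lid, seq) in ACTS if lid == lawyer_id]
    return max(existing, default=0) + 1


if __name__ == "__main__":
    print(read_act("adv001", 1, None))       # public act, anonymous: readable
    print(read_act("adv001", 2, None))       # private act, anonymous: None
    print(read_act("adv001", 2, "adv002"))   # private act, other lawyer: None
    print(read_act("adv001", 2, "adv001"))   # private act, its owner: readable
```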