Tech Wreck: A disaster waiting to happen?

India urgently needs a clear and unambiguous IT usage policy, which has a transparent system of audit, accountability, redress and penalties covering all technology networks

At the end of August, The Economic Times reported that the “government will soon ask ‘all its employees to stop using Google’s gmail for official communication, a move intended to increase security of confidential government information after revelations of widespread cyber-spying by the US’.” It further said that the government planned to issue a formal notification to over five lakh government employees, barring them from email service-providers, such as gmail, and to stick to email provided by the National Informatics Centre (NIC).

This was probably the best possible announcement for us Indians, even though it was prompted by fears of cyber-spying by the US rather than by concern for the security and hygiene of our information technology (IT) networks. If you are wondering what I am complaining about this time, let me start with a few examples.

Many people have fallen for scam emails, purportedly from the governor of the Reserve Bank of India (RBI), Dr D Subbarao, informing them about the central bank’s plan to release fat sums of money to them on payment of a fee. The number of people who believed these emails was so large that RBI issued advertisements to educate people that it did not hold any money in ‘escrow’ accounts on behalf of individuals. Some of these emails came from an ID that read [email protected], making them seem very authentic.

Last week, an income-tax assessment officer sent a wealthy individual a reminder to pay his advance tax in time. Such emails needlessly intimidate honest taxpayers. But this one was all the more perplexing because the officer wanted payment details to be sent to his gmail ID. How should a sensible person react to this request? Prudence requires that you only take cognisance of letters, notices and circulars sent on official stationery from official email addresses. Ignoring a tax official’s email could be a problem; but, if the letter were fake, acting on it would be even worse. Let’s not forget that very genuine-looking fake letters were sent out from the Securities & Exchange Board of India (SEBI) office a few years ago in the Pyramid Saimira case.

These worries are not new. A little digging revealed a post on Taxindiaonline dated 20 August 2010 which discussed a complaint about how senior officials and commissioners of the central excise and customs department were seeking responses on their personal email identities instead of secure official IDs. Taxindiaonline said that it had, indeed, taken up the matter ‘several times’ but officials responded that the government-provided official emails did not have many of the features of gmail and yahoo. Taxindiaonline, while asking whether government business should run through private, unsecured mail servers, was, however, more focused on ‘national pride’ rather than IT security. Two years later, officials continue to use free email from US technology giants.

In January 2013, the technology magazine Dataquest had a detailed report on the absence of an IT usage policy for government communications. It pointed out how a high court summons to Haryana bureaucrats led to the framing of an official IT email policy in that state, but the use of gmail and yahoo IDs remained rampant. According to Dataquest, “contact email ids of government body officials listed on the website data.gov.in’s beta version reveals at least one-sixth of them being Gmail/Yahoo ids.” Isn’t it astonishing that, despite India’s much-touted IT prowess and the government’s rush to mandate e-filing of taxes and other statutory reports, the government itself has no policy in place on the use of official email? In fact, we learn that many government officials are forced to use their private email IDs because the NIC (nic ids) has simply not allocated email IDs to all officials.

The lackadaisical attitude to this important security issue extends to several other email systems as well. In the example that I quoted above, I am happy to report that a senior secretary in the finance ministry said that he will “look into the issue of personal emails being used by tax officials.” We are not sure whether this will lead to an actual directive, or whether the secretary was made to understand all the problems with the turgid NIC system which compels officials to use private email.

Interestingly, the government has detailed guidelines for the creation of government websites, which have the following objectives: to maximise productivity; prevent risks to network security and performance; protect the privacy, confidentiality and security of the government’s information; promote public trust in the government’s use of information and technology assets; and increase adherence to government information- and technology-related legislation, policies and standards. In most countries, such guidelines also mandate the use of government email IDs and, moreover, that they be used from a government network while dealing with outside networks. This does not seem to be the case in India.

Moreover, such IT guidelines ought to cover government reporting systems that are contracted out to private companies as well. However, the mess created by India’s two IT giants in the handover of MCA21, a reporting and compliance system of the ministry of company affairs (MCA) suggests that there are either no clear rules and guidelines or, if they exist, we are so overawed by names like Infosys and Tata Consultancy Services (TCS) that the rulebook was forgotten.

Seven years after TCS built and operated MCA21 fairly smoothly, it lost a bid to Infosys for managing the system. This was in early 2013. Ever since, the system has never quite worked. In June this year, Infosys and MCA declared that the many problems with the system had been fixed and conducted a series of stakeholder meetings across the country to declare that all was well with MCA21. But, in September, over 1,000 harried chartered accountants and company secretaries started an online petition to draw attention to the issue and force the government to act. When Moneylife published these details, Infosys provided a detailed action plan and also blamed TCS for its poor initial design. Stunningly, TCS has not denied the allegations, while Infosys is unable to say why it did not note or highlight the many issues when it took over the system after an elaborate handover.

The chaos in the issue of Aadhaar numbers was significantly worse. Mercifully, a Supreme Court stay order on 23 September 2013 could result in a dispassionate assessment of the messy data collection and security systems of the Unique Identity Development Authority of India (UIDAI). Until now, the UIDAI has simply ignored all complaints about lost Aadhaar numbers, issue of UIDs to illegal migrants, mistakes in the Aadhaar letter, as well as the security of data. One Moneylife reader tells us, “I was astonished when I opened Aadhaar card in PDF format (I did not receive physical copy). The email address used to digitally sign the PDF file was a @gmail.com address! Such is the negligence of the implementation.”

Most of the arrogance and arbitrariness, as well as the lavish budget of the UIDAI, was built around the persona of Nandan Nilekani, former managing director of Infosys, who was seen as the tech messiah who would deliver economic benefits to India’s underprivileged. Such was the myth built about Mr Nilekani, that nobody questioned the trampling of our fundamental rights in the process of converting an allegedly voluntary system into a mandatory one by linking it to State benefits, including salaries, subsidies and registration of births, marriages and school admissions.

India urgently needs a clear and unambiguous IT usage policy which has a transparent system of audit, accountability, redress and penalties, which cover all technology networks in the country. But that, too, is not enough. We need it to be managed by truly qualified technology experts, who have the ability to stay ahead of sophisticated hackers, in order to ensure the security of systems. Unfortunately, while India is rushing to embrace and mandate technology, the lack of attention to security and regulation could lead us to a right royal mess.

Sucheta Dalal is the managing editor of Moneylife. She was awarded the Padma Shri in 2006 for her outstanding contribution to journalism. She can be reached at [email protected]

Comments
Hemant K Chitale
10 years ago
It is truly shocking that gmail / yahoo ids are used. It is inexcusable.

Rajesh Kothari
10 years ago
A lot is to be done while implementing web-based applications by government agencies. For example, try to make a TDS payment using NSDL's website. You encounter an invalid SSL certificate error. This is because the SSL certificate was issued to another NSDL site. On the Income Tax website, when you file your Income Tax return signed digitally, you get an error that the application is not trusted. This is because the Income Tax department has not used a code-signing certificate to sign its Java application. Such basic security measures are not resorted to, making every citizen vulnerable to cyber attack. I'm planning to write a blog on all such security failures with screenshots.
Rajesh Kothari
Replied to Rajesh Kothari comment 10 years ago
One more issue: Income-tax Orders sent by CPC (which are digitally signed by the ITOs) do not have a date/time stamp on the PDF files. It may seem a trivial issue, but it is not. It goes against normal rules of communication. It is like sending printed orders without any date on the order. In fact, it is compulsory to write the date and place on any official communication. So, not having a date and time stamp on the file is not acceptable.
suresh purohit
10 years ago
While your concern about IT security is well placed, the views on Nandan Nilekani seem a bit coloured. Was the bureaucracy not to be blamed for it also? What is wrong with Aadhaar, a universal identity for an Indian? All schemes need expenses; why single this one out?
Ramesh Iyer
10 years ago
The poor and arbitrary IT Usage Policy of the Govt of India reflects the intellectual bankruptcy of its top officials. I wonder why it chose to have email IDs on GMail for official purposes, when NIC could provide the same to eligible employees over a secure VPN connection (to avoid the public Internet for security reasons). While everyone tom-toms about India's IT prowess, its e-governance projects are hardly impressive and effective. The govt must move as many services to e-governance platforms as possible, to enforce transparency in governance, as well as reduce human interventions, which are the root cause of all corruption in govt corridors.
Besides this, the Govt of India must also ensure that all sensitive facilities like the armed forces, scientific institutions like BARC, etc. are kept out of public access. Even before the Snowden controversy about the NSA in the USA snooping on all countries, China was known to hack into many countries' IT networks to steal information and spy on govt projects. This is why the USA has banned Huawei and some other Chinese firms from supplying equipment to the US, as these firms are believed to plant spyware into their devices to steal sensitive information from host systems.
Rakesh Tripathi
Replied to Ramesh Iyer comment 10 years ago
Couldn't agree more !
uttamkumar dubey
10 years ago
Not only IT usage policy, GOI lacks in all sense of governance, accountability and responsibility.

All govt initiatives are half-hearted and leaky.

Unless govt takes due interest in the protection of Citizen right and Consumer rights, Nothing can be changed.
Pls. donate your votes if you support my cause!!! https://secure.avaaz.org/en/petition/Any_company_should_own_responsibility_and_accountability_for_their_products_and_Services/?pv=0
ramchandran
10 years ago
All Indian companies do not put processes in place before embracing technology. One should be clear about what processes will happen online and what will happen offline.
On the information security front we are reactive by nature, hence it's up to us as individuals to be accountable and expect the least from the government. Even the best of the banks have not built systems which are theft-proof, despite charging the depositor heavy sums in the form of charges.
pravsemilo
10 years ago
Simply using email ids from NIC will not help. The infrastructure of NIC leaves a lot to be desired.

The security features (not the privacy features) of mainstream email services are much better than the ones hosted on NIC.

If we do decide to go the NIC way, we need to add manpower to strengthen it. We can learn a bit on this from the Chinese, who have technically skilled people on the government payroll. And above all, these projects should be done in-house instead of outsourcing them to IT blue chips.