India urgently needs a clear and unambiguous IT usage policy, which has a transparent system of audit, accountability, redress and penalties covering all technology networks
At the end of August, The Economic Times reported that the “government will soon ask ‘all its employees to stop using Google’s gmail for official communication, a move intended to increase security of confidential government information after revelations of widespread cyber-spying by the US’.” It further said that the government planned to issue a formal notification to over five lakh government employees, barring them from email service providers such as gmail and directing them to stick to email provided by the National Informatics Centre (NIC).
This was probably the best possible announcement for us Indians, even though it was prompted by fears of cyber-spying by the US and not by concern for the security and hygiene of our information technology (IT) networks. If you are wondering what I am complaining about this time, let me start with a few examples.
• Many people have fallen for scam emails, purportedly from the governor of the Reserve Bank of India (RBI), Dr D Subbarao, informing them about the central bank’s plan to release fat sums of money to them on payment of a fee. The number of people who believed these emails was so large that RBI issued advertisements to educate people that it did not hold any money in ‘escrow’ accounts on behalf of individuals. Some of these emails came from an ID that read [email protected] making them seem very authentic.
• Last week, an income-tax assessment officer sent a wealthy individual a reminder to pay his advance tax in time. Such emails needlessly intimidate honest taxpayers. But this was all the more perplexing because the officer wanted payment details to be sent to his gmail ID. How should a sensible person react to this request? Prudence requires that you only take cognisance of letters, notices and circulars sent on official stationery with official email addresses. Ignoring a tax official’s email could be a problem; but, if the letter were fake, it would be even worse. Let’s not forget that very genuine-looking fake letters were sent out from the Securities & Exchange Board of India (SEBI) office a few years ago in the Pyramid Saimira case.
• These worries are not new. A little digging revealed a post on Taxindiaonline dated 20 August 2010 which discussed a complaint about how senior officials and commissioners of the central excise and customs department were seeking responses on their personal email identities instead of secure official IDs. Taxindiaonline said that it had, indeed, taken up the matter ‘several times’ but officials responded that the government-provided official emails did not have many of the features of gmail and yahoo. Taxindiaonline, while asking whether government business should run through private, unsecured mail servers, was, however, more focused on ‘national pride’ rather than IT security. Two years later, officials continue to use free email from US technology giants.
• In January 2013, the technology magazine Dataquest had a detailed report on the absence of an IT usage policy for government communications. It pointed out how a high court summons to Haryana bureaucrats led to the framing of an official IT email policy in that state, but the use of gmail and yahoo IDs remained rampant. According to Dataquest “contact email ids of government body officials listed on the website data.gov.in’s beta version reveals at least one-sixth of them being Gmail/Yahoo ids.” Isn’t it astonishing that, despite India’s much-touted IT prowess and the government’s rushing to mandate e-filing of taxes and other statutory reports, the government itself has no policy in place on the use of official email? In fact, we learn that many government officials are forced to use their private email IDs because the NIC (nic ids) has simply not allocated email IDs to all officials.
The lackadaisical attitude to this important security issue extends to several other email systems as well. In the example that I quoted above, I am happy to report that a senior secretary in the finance ministry said that he will “look into the issue of personal emails being used by tax officials.” We are not sure whether this will lead to an actual directive, or whether the secretary was made to understand all the problems with the turgid NIC system which compels officials to use private email.
Interestingly, the government has detailed guidelines for the creation of government websites, which have the following objectives: to maximise productivity; prevent risks to network security and performance; protect the privacy, confidentiality and security of government’s information; promote public trust in the government’s use of information and technology assets; and increase adherence to government information and technology-related legislation, policies and standards. In most countries, such guidelines also mandate the use of government email IDs and that, too, from a government network while dealing with outside networks. This does not seem to be the case in India.
Moreover, such IT guidelines ought to cover government reporting systems that are contracted out to private companies as well. However, the mess created by India’s two IT giants in the handover of MCA21, a reporting and compliance system of the ministry of company affairs (MCA) suggests that there are either no clear rules and guidelines or, if they exist, we are so overawed by names like Infosys and Tata Consultancy Services (TCS) that the rulebook was forgotten.
Seven years after TCS built and operated MCA21 fairly smoothly, it lost a bid to Infosys for managing the system. This was in early 2013. Ever since, the system has never quite worked. In June this year, Infosys and MCA declared that the many problems with the system had been fixed and conducted a series of stakeholder meetings across the country to declare that all was well with MCA21. But, in September, over 1,000 harried chartered accountants and company secretaries started an online petition to draw attention to the issue and force the government to act. When Moneylife published these details, Infosys provided a detailed action plan and also blamed TCS for its poor initial design. Stunningly, TCS has not denied the allegations, while Infosys is unable to say why it did not note or highlight the many issues when it took over the system after an elaborate handover.
The chaos in the issue of Aadhaar numbers was significantly worse. Mercifully, a Supreme Court stay order on 23 September 2013 could result in a dispassionate assessment of the messy data collection and security systems of the Unique Identity Development Authority of India (UIDAI). Until now, the UIDAI has simply ignored all complaints about lost Aadhaar numbers, issue of UID to illegal migrants, mistakes in the Aadhaar letter as well as the security of data. One Moneylife reader tells us, “I was astonished when I opened Aadhaar card in PDF format (I did not receive physical copy). The email address used to digitally sign the PDF file was a @gmail.com address! Such is the negligence of the implementation.”
Most of the arrogance and arbitrariness, as well as the lavish budget of the UIDAI, was built around the persona of Nandan Nilekani, former managing director of Infosys, who was seen as the tech messiah who would deliver economic benefits to India’s underprivileged. Such was the myth built about Mr Nilekani, that nobody questioned the trampling of our fundamental rights in the process of converting an allegedly voluntary system into a mandatory one by linking it to State benefits, including salaries, subsidies and registration of births, marriages and school admissions.
India urgently needs a clear and unambiguous IT usage policy which has a transparent system of audit, accountability, redress and penalties, which cover all technology networks in the country. But that, too, is not enough. We need it to be managed by truly qualified technology experts, who have the ability to stay ahead of sophisticated hackers, in order to ensure the security of systems. Unfortunately, while India is rushing to embrace and mandate technology, the lack of attention to security and regulation could lead us to a right royal mess.
Sucheta Dalal is the managing editor of Moneylife. She was awarded the Padma Shri in 2006 for her outstanding contribution to journalism. She can be reached at [email protected]
Hemant K Chitale
Besides this, the Govt of India must also ensure that all sensitive facilities like the armed forces, scientific institutions like BARC, etc. are kept out of public access. Even before the Snowden controversy about the NSA in USA snooping on all countries, China was known to hack into many countries' IT networks to steal information and spy on govt projects. This is why USA has banned Huawei and some other Chinese firms from supplying equipment to the US, as these firms are believed to plant spyware into their devices to steal sensitive information from host systems.
All govt initiatives are half-hearted and leaky.
Unless the govt takes due interest in the protection of citizen rights and consumer rights, nothing can be changed.
Pls. donate your votes if you support my cause!!! https://secure.avaaz.org/en/petition/Any_company_should_own_responsibility_and_accountability_for_their_products_and_Services/?pv=0
On the information security front we are reactive by nature, hence it's up to us as individuals to be accountable & expect the least from the government. Even the best of the banks have built systems which are theft proof despite charging the depositor heavy sums in the form of charges.
The security features (not the privacy features) of mainstream email services are much better than the ones hosted on NIC.
If we do decide to go the NIC way, we need to add manpower to strengthen it. We can learn a bit on this from the Chinese, who have technically skilled people on the government payroll. And above all, these projects should be done in-house instead of outsourcing them to IT bluechips.