E-mail is an important mode of communication these days. With increasing webspace, most of us also store crucial data, information and documents in our e-mail accounts. Obviously, access to this information and these documents is available to the e-mail service providers and to the law enforcement agencies of the countries where such e-mail service providers are located. This access can be legal, or it can be illegal through unlawful e-surveillance and eavesdropping methods.
The Indian government has long been struggling to formulate and implement the e-mail policy of India. This is important for India as sensitive documents cannot be transferred out of India as per Indian laws like the Public Records Act, 1993. Even the Delhi High Court is analysing the e-mail policy of India and has shown its displeasure over slow action on the part of the Indian government in this regard.
The Delhi High Court has also directed the central government to issue a notification regarding electronic signatures under the Information Technology Act 2000. An advisory by the Maharashtra Government to use official e-mails has already been issued.
DeitY has already issued policy documents in this regard. These include email services and usage policies of Government of India (PDF), NIC policy on format of e-mail address (PDF), password policy of Government of India (PDF), security policy for users by Government of India (PDF) and service level agreement by Government of India (PDF).
Now it has been reported that the Indian government has decided to ban the use of Gmail or any other private email for official communication across all its organisations, and to make it mandatory for them to migrate to email services provided by the National Informatics Centre (NIC). This is a good step in the right direction and Perry4Law Organisation (P4LO) welcomes this move.
As per the e-mail policy of the Indian government, notified on February 18, each employee of the government of India or any state/UT government staff using e-mail services of GoI will be provided two e-mail IDs, one based on designation for use in official communication and the other based on name for both official and personal communication. Not only will the employees be barred from using email services provided by any other service provider for official communication, but they also cannot provide details of the GoI email account to private e-mail service providers.
P4LO believes that this is a significant policy decision, as it would not only keep government documents within Indian territory but would also help in cyber security initiatives. If details of the GoI email accounts are not made public, there are far lower chances of spam, spear phishing, cyber attacks through malicious links, etc.
As per the email policy notified by the Department of Electronics and IT (DeitY), forwarding of email from the official GoI ID to the official's personal ID outside the GoI e-mail service will not be allowed. Though the official email ID provided can be used to communicate with any other user, whether private or public, users must exercise due discretion on the contents being sent as part of the email.
For emails deemed classified or sensitive, the policy mandates the use of a digital signature certificate and encryption. This would increase the authenticity and integrity of e-mail communications. It would also mean that eavesdropping or e-surveillance would not be easy, as the contents of the e-mail would not be in plain text but in encrypted format.
Users will have to update their current mobile numbers under their personal profile. The phone number will be used as an alternative means to reach the user and send alerts. In case a user ID is compromised and this impacts a large user base or the data security of the deployment, the NIC shall reset the password of the user ID without prior notice to the user. In normal circumstances, where the compromise of an email user ID is detected, an SMS alert will be sent to the user with details of the action to be taken by him/her. If no action is initiated after five such alerts, the NIC would reserve the right to reset the password. Auto-save of passwords in the government email service will not be permitted for security reasons.
The email policy lists examples of "inappropriate use of the email service", including the creation and exchange of harassing, obscene or threatening emails; transmission of emails involving language derogatory to religion, caste or ethnicity; unauthorized exchange of confidential information; distribution of anonymous emails from another officer's ID; masking of the identity of the sender of an email; and willful transmission of an email containing a computer virus.
The NIC will maintain email logs for all user IDs for two years. Any security incident, or an adverse event that can impact the availability, integrity or confidentiality of government data, must immediately be reported to the computer emergency response team (CERT-IN).
In case of a threat to security of the government service, the NIC may de-activate or suspend the email ID used to impact the service. The security audit of NIC email services and other organizations maintaining their own mail service shall be conducted periodically by an organization approved by the department of electronics and IT.