E-mails are an important mode of communication these
days. With increasing webspace, most of us also store crucial
data, information and documents in our e-mail accounts. Obviously,
access to this information and these documents is available to the e-mail
service providers and the law enforcement agencies of the countries
where such e-mail service providers are located. This access can be
legal as well as illegal, through unlawful
e-surveillance and eavesdropping methods.
The Indian government has long been struggling to
formulate and implement the e-mail
policy of India. This is important for India as sensitive
documents cannot be transferred out of India as per Indian laws like
the Public Records
Act, 1993. Even the Delhi High Court is analysing
the e-mail policy of India and has shown its displeasure over slow
action on the part of the Indian government in this regard.
The Delhi High Court has also directed the central
government to issue a
notification regarding electronic signature under the Information
Technology Act 2000. An advisory
by the Maharashtra Government to use official e-mails has already
been issued.
DeitY has already issued policy documents in this
regard. These include email
services and usage policies of Government of India (PDF), NIC
policy on format of e-mail address (PDF), password
policy of Government of India (PDF), security
policy for users by Government of India (PDF) and service
level agreement by Government of India (PDF).
Now it has been reported that the Indian government has
decided to ban the use of Gmail or any other private email for
official communication across all its organisations, and make it
mandatory for them to migrate to email services provided by the
National Informatics Centre (NIC). This is a good step in the right
direction and Perry4Law
Organisation (P4LO) welcomes this move.
As per the e-mail policy of Indian government,
notified on February 18, each employee of the government of India or
any state/UT government staff using e-mail services of GoI will be
provided two e-mail IDs, one based on designation for use in official
communication and the other based on name for both official and
personal communication. Not only will the employees be barred from
using email services provided by any other service provider for
official communication, but they also cannot provide details of the
GoI email account to private e-mail service providers.
P4LO believes that this is a significant policy
decision, as it would not only allow government documents to be kept
within Indian territories but would also help in cyber security
initiatives. If details of the GoI email accounts are not made
public, there is a much lower chance of spam, spear phishing, cyber
attacks through malicious links, etc.
As per the email policy notified by the department
of electronics and IT (DeitY), forwarding of email from the official
GoI ID to the official’s personal ID outside the GoI e-mail service
will not be allowed. Though the official email ID provided can be used to
communicate with any other user, whether private or public, the users
must exercise due discretion on the contents being sent as part of
the email.
For emails deemed classified or sensitive, the
policy mandates the use of a digital signature certificate and encryption.
This would increase the authenticity and integrity of e-mail
communications. It
would also mean that eavesdropping or e-surveillance would not
be easy, as the contents of the e-mail would not be in plain text but
in encrypted format.
The user will have to update their current mobile
numbers under their personal profile. The phone number will be used
as alternative means to reach the user and send alerts. In case a
user ID is compromised and this impacts a large user base or data
security of the deployment, the NIC shall reset the password of the
user ID without prior notice to the user. In normal circumstances,
where the compromise of an email user ID is detected, an SMS alert
will be sent to the user with details of the action to be taken by
him/her. If no action is initiated after five such alerts, the NIC
would reserve the right to reset the password. Auto-save of password
in the government email service will not be permitted due to security
reasons.
The email policy lists the examples of
“inappropriate use of the email service”, including in it the
creation and exchange of harassing, obscene or threatening emails;
transmission of emails involving language derogatory to religion,
caste or ethnicity; unauthorized exchange of confidential
information; distribution of anonymous emails from another officer’s
ID; masking of identity of the sender of email and willful
transmission of an email containing a computer virus.
The NIC will maintain email logs for all user IDs
for two years. Any security incident, or an adverse event that can
impact availability, integrity, confidentiality of government data,
must immediately be reported to the computer emergency response team
(CERT-IN).
In case of a threat to security of the government
service, the NIC may de-activate or suspend the email ID used to
impact the service. The security audit of NIC email services and
other organizations maintaining their own mail service shall be
conducted periodically by an organization approved by the department
of electronics and IT.
Source: Global
Techno Legal News And Views.