The cyberspace environment of India is passing through a transformation stage. The Central Government is presently working on the formulation of the e-mail policy of India. It is contemplating banning private e-mail service providers like G-mail and Yahoo for government communication purposes. However, G-mail must be banned in India for even private communications as it abets and encourages the commission of cyber crimes in India.
Now even States have taken notice of this situation and they have started working in this direction. An Advisory by Maharashtra Government to use Official E-Mails, Indian Cloud Based Services, Routing Traffic through NIXI and Section 43A Compliance Check (PDF) has been issued. The advisory has drawn the attention of various stakeholders towards the process of keeping of Indian data outside the country that is easily accessible to external Governments and their corporate sector.
DIT in its communication to all departments from time to time, has instructed them to host their websites only on servers located within India. Any website hosting must also comply with CERT-IN guidelines for web security and go through periodic security audits. Guidelines for Indian Government Websites (GIGW) specify that all government websites must use .gov.in or .nic.in domain names. They should NOT USE any other domain names such as .com, .org, .org.in, etc.
Section 4 of the Public Record Acts, 1993 states that “no person shall take or cause to be taken out of India any public records without the prior approval of the Central Government; provided that no such prior approval shall be required if any public records are taken or sent out of India for any official purpose”.
There have been incidents in recent times, about hackers breaking into government websites e.g. very recently social justice website was hacked, and it was found that this website developed and maintained by a private company was running from the United States. Hackers not only deface the government websites, but also tend to steal/ manipulate valuable data and even insert malicious content and/ or redirect visitor traffic to malicious websites. In case of information leak or hacking of server hosted abroad, there are difficulties investigating the case as Indian laws are difficult to be applied on those agencies.
Considering these issues, it is hereby re-iterated that all websites and Applications of State Government Departments and all Directorates, Corporations, Public Undertakings under them, should be hosted within India and preferably on Government owned servers in State Data Centre or NIC data centres or on servers collocated in Tier 3 data centres in India.
Regarding the e-mail usage, it has been observed that many Government employees use private (i.e. publicly available) email IDs such as Gmail, Yahoo, Hotmail. Several senior Government officials in Maharashtra Government have their Gmail/Yahoo/Hotmail IDs listed in Government portals as their official e-mail. Through use of such e-mail system, sensitive Government data is being transmitted and stored on private servers outside the country. This is clear violation of section 4 of the Public Records Act, 1993, and various other instructions as listed in previous paragraphs.
Various Government agencies have been raising concerns over use of e-mail services provided by foreign firms which have their servers located in overseas locations (or non-traceable locations), thus making it difficult to track any misuse or leakages. Department of Electronics and Information Technology, Government of India is drafting a policy on e-mail usage in government offices and departments, which will be released very soon. In light of all above, all departments are hereby requested that preferably only government provided email IDs, from servers within India, he used for official communication by all government employees. You may contact NIC or DIT or MahaOnline for the same. When Govt. Of India issues any instructions in this regard, they will be brought to the notice of all departments for strict compliance
While using Gmail, Yahoo, Skype, Evernote, iPad Notes, Google Drive, SkyDrive, Google Docs, Ofﬁce 365, Dropbox, Amazon cloud, Facebook, Twitter, YouTube, Google Maps etc. same precautions as above would apply regarding sensitive government data or citizen data.
SDC hosted in Mumbai is connected to National Internet Exchange of India (NIXI) exchange point at Navi Mumbai. This ensures that domestic Internet packets mostly remain with India. Whenever any department/ corporation etc. is hosting a website outside the SDC, or purchasing bandwidth for various locations, it should be ensured that the concerned data centre/ISP is connected to nearby NIXI nodes.
Not only security of data, but keeping Citizen’s private data secure is also important. Failure to protect sensitive data attracts provisions of Section 43A of Information Technology Act 2000, as amended in 2008. Section 3 of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 20 11 notiﬁed by Govt. Of India on 11th April 2011 deﬁnes SPD (Sensitive Personal Data), while Section 8 of these Rules deﬁnes Reasonable Security Practices and Procedures. Hence it is advisable that whenever any Department is collecting or keeping Citizen data, Section 43A compliance Audit should be got done. It is also necessary that appropriate NDA(Non-Disclosure Agreement) is signed with the vendors as well all their employees designing/ developing/ implementing/ maintaining the software, hardware, network, bandwidth etc.
As mandated in eGovernance Policy of Government of Maharashta, standards in eGovernance are of a high priority activity. Standards will ensure sharing of information through seamless interoperability of data across e-Governance applications. eGovernance Policy also mandates use of open standards in all e-Governance projects in the state. In view of the above, ensure that all the existing and new e—Governance projects, right from the conceptualization and design stage, should adhere to the listed Technical Standards in Interoperability framework document and other eGovernance standards published by GOI from time to time.
YAll administrative units within the government departments, divisional and district offices, directorates, state public undertakings, corporations etc. must comply with this Advisory.