Indian Government Wakes Up to Risk of Hotmail, Gmail

Indian Government Wakes Up to Risk of Hotmail, Gmail is an NDTV news report published on 8 December 2013, sourced from AFP. An identical version of this wire report was also carried by Deccan Chronicle around the same period, reflecting the common syndication of the article across Indian news outlets. The report notes that a large proportion of Indian government officials relied on private email services such as Gmail and Hotmail for office communication despite security concerns, prompting plans for a government email policy in the wake of Edward Snowden’s NSA surveillance revelations. It includes expert commentary from Sunil Abraham on the vulnerabilities of US-based email platforms and the risks associated with proposed centralised government email systems.

Article Details
Full Text
Context and Background
External Link

Article Details

📰 Published in:: NDTV
📅 Date:: 8 December 2013
📄 Type:: Investigative Report
📰 Newspaper Link:: Read Online

Full Text

New Delhi: Worried by US spying revelations, India has begun drawing up a new email policy to help secure government communications, but the man responsible for drafting the rules still regularly uses Hotmail.

Like many of his peers in ministries across New Delhi, IT Minister Kapil Sibal's office recently sent an email inviting journalists to the launch of his new personal website using the free email service.

Others, including senior foreign ministry officials, the information and broadcasting minister and the health ministry secretary, also use Gmail, Hotmail or Yahoo instead of their government accounts.

When asked why he continued to use his Hotmail for official use, Mr Sibal declined to comment, but a senior bureaucrat in his ministry admitted that he personally preferred Gmail because it is "just a lot easier".

"We keep moving, get different designations, go different places and with that, our emails change. You lose contacts and important emails, which you don't need to worry about with a Gmail account," the bureaucrat told AFP.

"To be honest, the quality of our official mail isn't that great yet. It still needs some work," he added on condition of anonymity.

Security concerns

IT security expert Sunil Abraham said the use of Gmail and the like was highly risky since the American services had their servers in the US and the National Security Agency has been known to tap into their database systems.

It is unclear how many state and federal public workers actively use popular email services for office, but some of the estimates are startling.

"As much as 90 per cent of government officials use private email (services) for official use... that's because their official email is not as stable or speedy," said Abraham, executive director of the Bangalore-based Centre for Internet and Society.

In September Sibal's ministry announced a new "Email Policy of the Government of India" in the wake of spying allegations about the NSA revealed by former NSA contractor Edward Snowden.

NSA's tentacles not only crept into the Indian embassy in Washington and its UN office in New York, but also accessed email and chat messenger contact lists of hundreds of millions of ordinary citizens worldwide, according to media reports.

During a single day last year, the NSA's Special Source Operations branch collected 444,743 email address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers, The Washington Post said, according to an internal NSA presentation.

The $11 million Indian project aims to bring some five million public employees onto the government's email domain powered by the National Informatics Centre (NIC) as early as mid-December.

It is awaiting clearances and suggestions from all ministries before the proposal goes to the cabinet this month.

J. Satyanarayana, secretary of the department of electronics and IT, dismissed claims that the policy was too late and was a response to the Snowden scandal.

"The policy is not a reaction to any global spying revelations, it was already in the works. It is just a mere coincidence that both came around the same time," he said.

Fresh doubts

Some cyber security experts say bringing millions aboard a centralised server could make a hacker's job easier, with all critical government information available on a single platform.

More than 11,000 Indian websites were hacked or defaced between May and August this year, with a large number of attacks on the ".in" domain whose servers are in India, the Times of India reported last month.

"Making the use of a centralised government server is not the best way to proceed. Having everything on one platform makes it even more vulnerable to cyber-attacks and hacking," said Abraham.

"It also brings about new worries of the NIC becoming the local snoop."

Some also predict that the ambitious policy would eventually fizzle out for lack of attention from ministers and bureaucrats, who work in government offices where stacks of yellowing files and papers are still a common sight.

"It's sad but most of these officials don't understand much about technology, so mastering email is something that is miles and miles away," said Vijay Mukhi, a Mumbai-based cyber security expert.

"These guys saw all the snooping news and suddenly they woke up and said 'let's make an email policy'. Enforcing this is not possible on a practical basis."

The IT ministry also plans to conduct workshops to teach employees about email security such as when to change passwords and user names and how to use email.

"Every employee should know how, what and when critical data can be vulnerable... with most work still done on paper, it is important to know the nitty-gritty of using email," Satyanarayana said.

Context and Background

This investigation captured a moment when India’s digital governance contradictions became impossible to ignore. Edward Snowden’s June 2013 revelations about NSA surveillance programmes—including PRISM’s direct access to servers operated by major US technology companies—created acute embarrassment for governments worldwide that had entrusted sensitive communications to American platforms. Yet India’s response revealed not just belated recognition of foreign intelligence risks but fundamental failures in domestic digital infrastructure.

The detail that IT Minister Kapil Sibal, responsible for drafting India’s email security policy, himself used Hotmail for official communications exemplified institutional dysfunction. This wasn’t mere hypocrisy but reflected a systemic problem: government email infrastructure was sufficiently unreliable that even ministers tasked with securing it preferred foreign commercial alternatives. The anonymous bureaucrat’s candid admission that official email systems were inferior in quality, stability and speed suggested years of underinvestment in digital infrastructure whilst simultaneously expanding e-governance initiatives.

Sunil Abraham’s estimate that 90 per cent of government officials used private email services for official work indicated that India’s sovereignty concerns operated selectively. Policymakers expressed alarm about NSA access to US company servers yet appeared unconcerned about the routine exposure of government communications to foreign jurisdiction and commercial data mining. The Snowden documents showing NSA collection of hundreds of thousands of contact lists daily from Gmail, Hotmail and Yahoo demonstrated that this wasn’t theoretical risk but documented reality.

Abraham’s dual concerns about the proposed solution proved prescient. Centralising five million government employees onto NIC servers addressed foreign surveillance risks but created new vulnerabilities. A single compromised platform would expose the entire government’s communications rather than requiring attackers to breach multiple systems. The recent record of over 11,000 Indian websites hacked between May and August 2013 suggested domestic servers faced substantial threats that centralisation might amplify rather than mitigate.

The “local snoop” concern highlighted another dimension. Moving from US platforms accessible to NSA to Indian platforms controlled by NIC didn’t eliminate surveillance risks but shifted them. Without robust legal frameworks constraining government access to citizen communications, centralised email infrastructure could enable domestic surveillance as readily as dispersed foreign platforms enabled foreign intelligence gathering. Trading one surveillance risk for another represented questionable progress.

The cultural context mattered considerably. Cyber security expert Vijay Mukhi’s observation about officials working amidst “stacks of yellowing files” pointed to deeper tensions between India’s paper-based administrative culture and digital governance ambitions. Expecting rapid adoption of secure email practices in offices where physical files remained dominant workflows appeared optimistic at best. The planned workshops on basic email security—teaching officials when to change passwords—revealed how preliminary the digital literacy challenges were.

The policy’s framing as coincidentally timed rather than Snowden-prompted undermined its credibility. Claiming the September 2013 announcement bore no relation to revelations from June 2013 strained belief, particularly when the policy explicitly aimed to address communications security following those exact revelations. This rhetorical distancing suggested officials remained uncomfortable acknowledging that external events had exposed domestic vulnerabilities requiring urgent remediation.