Is Gmail an Intelligent option?
Recent news reports showing that the National Intelligence Agency is using a Gmail ID to solicit public assistance (in the course of active investigations related to the Hyderabad bomb blasts of February 21st) expose the callous attitude of our authorities towards national security and in particular data security norms.
It also raises serious questions about our government’s ability and willingness to protect sensitive information (see “NIA’s Cyber Blunder: Uses Gmail ID to ask for info on Hyderabad Blasts” by D Raza, Firstpost.com, April 4, 2013). The advertisement, which was carried in several national dailies, provides, in addition to a physical address and telephone number, a Gmail ID ([email protected]) to which people can send information (the advertisement can be viewed at http://www.nia.gov.in/writereaddata/Reward_18032013.pdf).
It appears baffling that one of the premier intelligence gathering and investigative agencies of our country, involved in the investigation of several serious offences including terrorist attacks, is willing to entrust security of data it has collected (that too pertaining to an active investigation) to an American company despite the fact that similar services could quite easily be provided by the National Informatics Centre. The fact that the NIA quite clearly considers the services of a private internet service provider to be more secure or convenient to use than services provided by the designated public authorities (NIC) is extremely troublesome and throws into doubt the claims of data security made in relation to numerous other e-governance projects such as the UID on which the government has spent huge amounts of money.
Gmail of course is a service provided by Google, a company headquartered in the USA and that has in the course of various separate legal proceedings in India insisted that it is not amenable to the jurisdiction of the Indian state (in the context of having to take down material that was purportedly illegal under Indian laws).
Any information sent through or to a gmail address will reside on the servers owned by Google which could theoretically be located anywhere in the world (but are most likely in the United States and are definitely not in India).
The problem is compounded by the fact that American law (and that of several countries including India) requires service providers (such as Google) to provide information to various federal and law enforcement agencies upon request. Indian intelligence data is therefore freely accessible to American authorities, and often without any warrant requirements.
This latest incident is merely another in a series that can only lead one to conclude either that the relevant authorities are ignorant of the issues involved or (less likely) that there is some greater nefarious design in place. Note that the Aadhaar project is contracted to receive technical support from L-1 Identity Solutions (now MorphoTrust USA), a well-known defence contractor; that contracts have also been awarded to Accenture Services Pvt. Ltd., which works with the U.S. Homeland Security; and Ernst & Young, to install the UIDAI’s Central ID Data Repository (see “Questions for Mr. Nilekani” by SG Vombatkere, The Hindu, February 6, 2013). Various police departments / police stations also use gmail IDs to send and receive email (including official documents such as notices).
The aforementioned use of foreign service providers by UIDAI was defended primarily on the grounds that the data stored with the foreign companies would not be their property (see “Aadhar is Transparent and Accountable” by RS Sharma, The Hindu, March 20, 2013) – but this misses the point. When required by American law to act in a particular way (say with regard to divulging confidential and non-proprietary information) none of these companies can afford not to comply, irrespective of any contractual provisions with the Indian government (in what is for them purely a commercial exchange with the Indian government).
The fear that information will be divulged is not unrealistic or paranoid – American privacy laws were drastically changed post 9/11, notably through the PATRIOT Act, to ensure that American law enforcement agencies could have access to private data stored by American companies. Legislation such as CALEA ensures that Internet service providers have in place measures to enable the interception and retention of communications. The use of such provisions has continued unabated (and has in the past led to diplomatic rows between the EU and the US, as the EU has not been shy of divulging its fears on data security), and in fact reports suggest there has been an increase in the use of the infamous National Security Letters (NSL) mechanism – which requires information to be divulged upon fear of sanction and at the same time penalizes you for disclosing that you even received an NSL request. The possibility of America enacting the Cyber Intelligence Sharing and Protection Act (CISPA), which greatly enhances the exceptions to privacy in American law, should also give our government food for thought.
The lack of thought before blindly entrusting data to American companies can also be contrasted with the approach towards foreign telecommunication manufacturers and in particular those from China. The Government is in fact planning to set up a Telecom Security Directorate as well as Centralized Monitoring System to ensure that equipment imported from China does not contain physical bugs (that could compromise national security for instance by recording data that passes through them). For some reason the Government deems a physical hack by a foreign company far more problematic than handing over sensitive and personal data to them!
Another equally problematic aspect of state authorities using a Gmail address is that such an address can be created by any person and does not come with any identifier showing it to be a government authorized agency. Incidents of people creating fake online identities of government authorities are not unknown (see “NIA’s Cyber Blunder: Uses Gmail ID to ask for info on Hyderabad Blasts” by D Raza, Firstpost.com, April 4, 2013). Given that police authorities have also been known to use Gmail IDs – there is a very real possibility of abuse and misuse by creating fake Gmail identities purporting to be an intelligence agency or police department.
It is unknown if state authorities are resorting to private email providers out of a lack of trust in the security of the NIC’s servers, unavailability of email addresses or some other technical reason – but the Indian government must seriously consider completely barring such practices that could seriously compromise national security as well as the information security of its citizens.
Disclaimer: The views expressed here are the author's personal views, and do not necessarily represent the views of Newsclick.