Indian Government To Ban Use of US Email Services For Official Communications

hypnosec writes "The Government of India is planning to ban the use of U.S.-based email services like Gmail for official communications. It will soon send out a formal notification to it half-million officials across the country, asking them to use official email addresses and services provided by India's National Informatics Center. The move is intended to increase the security of confidential government data and protect it from overseas surveillance."

Not seeing a problem with that.

[Kenja]

Frankly, I dont think the US should use gMail etc for governmental communications either.

Re:Not seeing a problem with that.

What's the point? It's not like you can control which packets will and won't be routed through the US.
What they ought to be requiring is encryption, but we all know that's not going to happen.

Re:Not seeing a problem with that.

[ColdWetDog]

Nobody should use email for official anything.

Benjamin Franklin was right. It's the Post Office. I mean, does any email provider say they will deliver through rain, sleet, snow or hail? Do you see that on anybody's TOS? Given the uncertainties of the climate these days, you'd be a fool to do it any other way.

Besides, it will slow the government down. That's always a plus.

Re:Not seeing a problem with that.

[ZombieBraintrust]

American politicians use GMail because goverement accounts are archived and the contents are considered public property and not private communication.

Re:Not seeing a problem with that.

[Archangel+Michael]

And besides, if you're doing nefarious activities, you can avoid subpenas when you appear in front of Congress ... right Lois Learner?

Re:Not seeing a problem with that.

[atom1c]

Frankly, I dont think the US should use gMail etc for governmental communications either.

I whole-heartedly agree. Alas, I believe the US Gov't is being too lenient with their communications practices; unlike the 90's where only encrypted BlackBerrys were allowed, today everybody can use their Hotmail, Gmail, or Aol account to conduct official government business.

Instead, they should endorse Lavabit-type services and setup an outbound email transport for any public-private business... not go fully commercial without proper senses of security in place.

Re:Not seeing a problem with that.

[jellomizer]

Packet Sniffing is more of a cheap parlor trick then a good way to collect information.

For the most part our infrastructure has moved from Hubs to Switches so there are a lot less free packets bouncing around the net. Routers have gotten smarter and better so chances are it won't bother sending your packet around the world just just to go to your neighbors.

Re:Not seeing a problem with that.

[Ruprecht+the+Monkeyb]

Clearly you don't live in a large city in the U.S. where mail frequently disappears, often found months (or years) later in a dumpster or a postal workers basement. I'll take the same 99.99% delivery rate and the near-instant turnaround possible with email, thanks.

Re:Not seeing a problem with that.

[jeffmeden]

Packet Sniffing is more of a cheap parlor trick then a good way to collect information.

For the most part our infrastructure has moved from Hubs to Switches so there are a lot less free packets bouncing around the net. Routers have gotten smarter and better so chances are it won't bother sending your packet around the world just just to go to your neighbors.

Route poisoning would like to have a word with you. He is waiting in Room 641A.

Re:Not seeing a problem with that.

[EmperorArthur]

and?

It's perfectly possible to send E-Mail using SSL between servers. Google even prefers to do this. Use an HTTPS site as an E-Mail portal, and it won't matter if the communication is going through the US.

Unless the NSA has a copy of the site's key or has broken SSL crypto, they can log all the trafic they want. With perfect forward secrecy they can get the key latter, and still not know what's being said.

Note: I'm simplifying how SSL works for the sake of convenience.

Re:Not seeing a problem with that.

[gstoddart]

American politicians use GMail because goverement accounts are archived and the contents are considered public property and not private communication.

Ironic, since the NSA considers GMail to be public property and not private communication as well.

Re:Not seeing a problem with that.

[gstoddart]

Unless the NSA has a copy of the site's key or has broken SSL crypto, they can log all the trafic they want.

Um, no. If it's an American owned company (anywhere in the world), or a US based server .. the NSA can walk in and demand the key and the decrypted content.

The only way to (try to) keep data out of the hands of the NSA is to not have it in the hands of a US controlled company, and not on US soil.

Google, Microsoft, Yahoo, Facebook ... every single one of them is covered under the Patriot Act. And any and all data you put in their hands (and many other companies) should be assumed as either in the hands of the NSA, or theirs for the asking.

You don't need to break the crypto when you can threaten them at gun point.

Re:Not seeing a problem with that.

[Immerman]

I think the point is that if the source and destination endpoints are not under US control, and the communication channel between them is secure, then the NSA can watch the encrypted traffic flow through US-controlled nodes all they want without getting much information beyond mail server A transferred X bytes of data to mail server B.

Re:Not seeing a problem with that.

[thej1nx]

NICNET (http://www.nic.in) has long been used in India for government mails and official data. You literally have dedicated VSAT connections etc. to it in offices, and it is a separate network in itself.

The Indian army too for obvious reasons, just like its counterparts everywhere, maintains its own nationwide network, and does not allows internet connections to it.

All they are asking is, that officials use these network, which are NOT public, instead of allowing the data to pass over any backbone that US has control over. And thus no classified data is expected to ever hit any backbone that is in US control.

Re:Not seeing a problem with that.

[EmperorArthur]

Precisely. The other thing is "perfect forward secrecy." It's not perfect, but what it means is the key used to encrypt the traffic is randomly generated. Man in the middle attacks are still an issue, especially if people are dumb enough to use as US based cert authority, but the NSA can never decrypt the traffic after the fact. That still relies on the protocol being secure, and given the amount of money and talent the NSA is throwing at breaking it.... Well, there's a reason why even the US government uses a completely different network for classified info.

Keeping private information in house is almost always a good practice. The always is because it's possible to shift liability to third parties. I sure don't trust my security enough to handle storing Credit Card numbers, and it's cheaper to outsource it. That company even has insurance if they ever has a security breach.

Still, this isn't going to be a popular move in India. The number one reason why people use Gmail is how good it is. Unfortunately, nothing else has the capability that Gmail's labels do. Neither is their web interface as easy to use. Especially in search and creating filters. Seriously, try using Thunderbird and easily edit an E-Mail in multiple folders without it creating completely separate copies for each folder. It also beat the pants off the 7MB E-Mail limit my university had before letting Google handle E-Mail for them.

Indian govt is just jealous

[hsmith]

That they can't be the ones spying. Corrupt govt hating on another corrupt govt.

Re:Indian govt is just jealous

[oag2]

They're spying, too (http://www.wired.co.uk/news/archive/2013-07/11/blackberry-india)--they just want to be the only ones.

Protect from international surveillance

[fishwallop]

And centralize for national surveillance

Smoke screen

[nurb432]

Its not to 'protect the data' it's to get people to use services that they have direct access too.

Every government does this.

Missing the point

[elloGov]

USA's authoritarian, Orwellian stance is hurting American companies' ability to compete in the global market, domestic and international. It hurts the American economy.

Re:Missing the point

[gstoddart]

OK, so which couintry exactly would YOU trust to host your data and no spy on it.

If you are a government, YOU are the only ones you can trust to host your data.

If you are a company, YOU are the only ones you can trust to host your data.

Having another company or country host your data was NEVER a good idea, and some of us have been saying so for some time. But all of a sudden people are realizing just how bad of an idea that was, and they're pulling back from it.

Re:Missing the point

[gstoddart]

f I opened a small hardware shop on the corner of the street, and wanted to have an email address, do I hire a whole IT department to set up an email address for me?

You don't have to. But if you have someone else set it up for you and host it, you don't control it.

If you're willing to say "I don't care", then have at it and do it however you like.

If you decide that on principle, or because you have some specific need, that you aren't willing to have this ... then the only secure way is to host it your own damned self.

If you're an American company, well, the NSA can come into your shop and demand it anyway. If you're not an American company ... you need to make your own decision.

You can't trust the US based/owned company, and you need to decide how you feel about that. You can decide to do it anyway, or you can decide "fuck that", and kick the US company to the curb.

Nobody is saying you have to do anything, but you should at least be aware of what it is you're deciding and the risks involved.

To me, any foreign government using any form of cloud service from a US controlled company is stupid, because you've more or less given the NSA free run of your data.

But, make no mistake about it, as a direct consequence of the Patriot Act and this spying, foreign entities have zero basis to put any trust in a US based company hosting their data for them. Because, by US law, they simply can't be trusted, and you can't make them sign enough of a contract to change that -- because the Patriot Act is interpreted as trumping anything else.

Re:Missing the point

[93+Escort+Wagon]

It is an unfortunate truth that our government is more responsive to the desires and needs of our corporations than it is to the rights of our citizens.

Re:Missing the point

[gstoddart]

That's because corporations are now effectively 'citizens', and they contribute more to campaigns.

So their wishes matter more.

Re:Makes sense to me.... FTFY

[zlives]

This seems total sensible, after all if you let a foreign entity. on the cloud, run your email you don't really own the data and any data that you don't own is at risk. The real surprise is that it took the business world this long to realize.

And the backlash cometh

[cookYourDog]

Reap what you sow, Google. As an American, I can't wait until Startmail or another non-U.S. email provider provides a decent alternative. GMail's days are numbered for me.

Traitorous NSA

[TrumpetPower!]

Here we see the beginnings of real, hard evidence of just how disastrous the NSA's recent actions are to the best interests of the country.

It used to be that American IT companies were the gold standard, to the point that there almost wasn't even any pretense of competition. Google, IBM, Microsoft, Apple, Facebook -- American companies ruled the Internet.

And the NSA has turned that all to shit. Now, you'd have to be an idiot to trust any American company not to hand your data over to the NSA. And the NSA has most emphatically been demonstrated that it cannot, under any circumstances, be trusted with that data; just look at not only the overt corporate espionage, but the pervy stalking culture of the degenerates working there. Even if not for official policy directives, you can bet that some low-level flunky at the NSA will be placing insider trades based on what he reads in your executive's emails.

In other words, the NSA has utterly devastated the greatest industry the United States has ever created, and the very backbone of our economy. It's worse than if they had bombed all our ball bearing plants; infrastructure can be rebuilt, but trust? How the fuck are we supposed to rebuild that? ...and the corporate heads and legal departments wonder why they shouldn't have refused to play with the NSA and gone public at the first hint of this malfeasance, writs of classification be damned. Had Google insisted it be taken down swinging rather than play lapdog to the NSA, their brand would have been unimpeachable; rather, it is untouchable.

Cheers,

b&

Re:Traitorous NSA

[LordThyGod]

Here we see the beginnings of real, hard evidence of just how disastrous the NSA's recent actions are to the best interests of the country.

It used to be that American IT companies were the gold standard, to the point that there almost wasn't even any pretense of competition. Google, IBM, Microsoft, Apple, Facebook -- American companies ruled the Internet.

And the NSA has turned that all to shit. Now, you'd have to be an idiot to trust any American company not to hand your data over to the NSA. And the NSA has most emphatically been demonstrated that it cannot, under any circumstances, be trusted with that data; just look at not only the overt corporate espionage, but the pervy stalking culture of the degenerates working there. Even if not for official policy directives, you can bet that some low-level flunky at the NSA will be placing insider trades based on what he reads in your executive's emails.

In other words, the NSA has utterly devastated the greatest industry the United States has ever created, and the very backbone of our economy. It's worse than if they had bombed all our ball bearing plants; infrastructure can be rebuilt, but trust? How the fuck are we supposed to rebuild that? ...and the corporate heads and legal departments wonder why they shouldn't have refused to play with the NSA and gone public at the first hint of this malfeasance, writs of classification be damned. Had Google insisted it be taken down swinging rather than play lapdog to the NSA, their brand would have been unimpeachable; rather, it is untouchable.

Cheers,

b&

Exactly! Its not a done deal yet, but they are gutting a very significant industry. This is a very costly fuck up. It would be one thing if we knew the world was a *better* or safer place as a result, but I can't see how to draw that conclusion. Au contraire, they just spend a boatload of money, muddy the waters, and gut a vital industry. You can't believe anything the NSA says since being really good liars is a valued trade asset, and there is no real oversight.

Re:Traitorous NSA

[TrumpetPower!]

Whilst I certainly wouldn't disagree with you over the importance of encryption...well, put it this way: when was the last time you encrypted a letter you dropped in the mailbox?

The point is that it's about as much hassle for somebody at the post office to steam-open an envelope with nobody being none the wiser for it as it is for an ISP to snoop on people's mail.

People have historically been just fine with sending the most private of letters protected by nothing more than the seal of the envelope because the United States Postal Service has a well-deserved unimpeachable reputation for being the hardest of hard-cases about protecting the sanctity of the mail.

It's not surprising that people carried that same trust over to email; it's an almost instinctual conclusion to assume the one is every bit like the other save for the mechanisms of delivery.

And, had they done it right, Google could have earned the world's trust by self-policing with the same vigilance the USPS does.

But they blew it.

Royally, and spectacularly, they blew it.

But what remains most troubling about it is that it was an official government agency that twisted their arm, even if Google shouldn't have put up with the arm-twisting.

Cheers,

b&

Re:Traitorous NSA

[Ioldanach]

Whilst I certainly wouldn't disagree with you over the importance of encryption...well, put it this way: when was the last time you encrypted a letter you dropped in the mailbox?

The point is that it's about as much hassle for somebody at the post office to steam-open an envelope with nobody being none the wiser for it as it is for an ISP to snoop on people's mail.

...

It is just as much hassle to open a letter passing through the post office by steaming it open as it is for a lawyer somewhere to subpoena and get the contents of an email you sent through gmail.

However, it is much easier for the NSA to use their backdoor into gmail to make an automated request for all of a person's emails and all of the emails of everyone that emailed them and store that information. Even if they decide that they don't need that information, it will still get stored, and that stored information could be leaked. Just the other day we heard about how Snowden used the "brilliant" tactic of privilege elevation and masquerading as other users to get data. If the NSA's system is designed such that one person can do this, you can bet that there are plenty more who do it and put the information to their own use without feeling the need to go public with it.

As if that makes a difference.

[goffster]

The NSA has a lot fewer legal problems intercepting foreign mail than
it does domestic.

Only now, it simply means they wont have good spam filters,
and money will now be flowing out of india to nigeria $26,000,000 at a time.

Indian Central Monitoring System

[TheSync]

Of course India is setting up the Central Monitoring System (CMS) essentially India's version of PRISM:

Starting from this month, all telecommunications and Internet communications in India will be analysed by the government and its agencies. This means that everything we say or text over the phone, write, post or browse over the Internet will be centrally monitored by Indian authorities. This totalitarian type of surveillance will be incorporated in none other than the Central Monitoring System (CMS)...

...the CMS was prepared by the Telecom Enforcement, Resource and Monitoring (TREM) and the Centre for Development of Telematics (C-DoT) and is being manned by the Intelligence Bureau.... ...The Information Technology Amendment Act 2008 enables e-surveillance. The government plans to create a platform that will include all the service providers in Delhi, Haryana and Karnataka creating central and regional databases to help central and state level law enforcement agencies in interception and monitoring. Without any manual intervention from telecom service providers, CMS will equip government agencies with Direct Electronic Provisioning, filter and provide Call Data Records (CDR) analysis and data mining to identify the personal information and provide alerts of the target numbers.

The estimated cost of CMS is Rs. 4 billion. It will be connected with the Telephone Call Interception System (TCIS) which will help monitor voice calls, SMS and MMS, fax communications on landlines, CDMA, video calls, GSM and 3G networks. Agencies which will have access to the CMS include the Research and Analysis Wing (R&AW), the Central Bureau of Investigation (CBI), the National Investigation Agency (NIA), the Central Board of Direct Taxes (CBDT), the Narcotics Control Bureau, and the Enforcement Directorate (ED). Last October, the NIA approached the Department of Telecom requesting for connection with the CMS to help it intercept phone calls and monitor social networking sites without the cooperation of telcos. NIA is currently monitoring eight out of 10,000 telephone lines and if connected with the CMS, NIA will also get access to e-mails and other social media platforms. Essentially, CMS will be converging all the interception lines at one location for Indian law enforcement agencies to access them.

Re:As a US based programmer

[jd.schmidt]

Actually no, GWB would only have been attacked by the Left for the most part, the Right mostly would have defended GWB for doing what was needed to protect our country. The response from the pro defense politicians is decidedly mute, they are simply choosing not to defend he President, at least not very much.

These intrusions by the NSA are a lot like things that have been going on all along (note I did not say it was good). Basically the opportunity for progress on this issue is precisely because Obama is the President, the Left is naturally suspicious of police and spying, while the Right is simply suspicious of Obama. (FYI, my favorite story about this is back when GWB was in power the Left would complain, what if someone you didnâ(TM)t like had this kind of power, and all too often the Right would reply, but I trust the people on power right nowâ¦)

Re:how many recipients are on gmail?

What contracts? The government of India already provides email addresses to their employees. They're saying "Hey, stupid employee, use this email, don't go off making a Gmail account for official business!"

Re:Interesting Headline

[ShanghaiBill]

So if you want to hide something you must be guilty?

If you are a government official in a democratic country, and you are trying to hide your official activities, then yes, it is a reasonable assumption that you are corrupt. With very few exceptions, government business should be conducted in public and transparently.

If the key signing authorities are compromised

[Marrow]

Doesnt that pretty much defeat SSL? And what on earth would make you believe that they weren't compromised.

Re:If the key signing authorities are compromised

[c0lo]

Doesnt that pretty much defeat SSL? And what on earth would make you believe that they weren't compromised.

I can create an uncompromised cert authority in the next 5 min on my laptop, and it would be effective for exchanging communication between us, if you choose to trust it.
And this should be enough as long as the emails are not stored in plain text on servers controlled by US companies. Which seems to me exactly what this ban is about, isn't it?

Re:If the key signing authorities are compromised

[whoever57]

I can create an uncompromised cert authority in the next 5 min on my laptop, and it would be effective for exchanging communication between us, if you choose to trust it.

The problem with this approach is that the other person has to stop accepting all other certificate authorities -- otherwise a man-in-the middle attack can be used if any of those certificate authorities can be abused by a government agency.

Re:how many recipients are on gmail?

[DexterIsADog]

Right, using an email provider that does not cooperate with the NSA will be less secure than using a U.S. provider who follows orders like a good doggie.

Email sucks ass

[WaffleMonster]

Of all the inherently useless and broken protocols in use today SMTP email takes the cake.

Anyone can impersonate anyone else with impunity. Phishing and PC zombification via Email is boundless.

Anyone can send you whatever useless garbage they want without your consent.

No useful security of any kind.

Inability to transmit large content and no way to facilitate realtime communication.

Message delivery is a crapshoot thanks to hapazard proliferation of automated filters with minds of their owns.

The failure of SMTP on all levels and massive operational costs it has incurred for administrators and users is mind boggling.