Let's Build a Responsible Cyber Society




This TOI report does not seem to have a basis

A front-page report appeared today (April 8, 2009) in Times of India (Bangalore-India )  titled "E Mail Providers will need to have servers in India". The report credited to a reporter by name Vinay Madhav made further comments which appear to have arised on a wrong analysis of the provisions and have the effect of misleading the public. Hence this clarification.

Presently the amendments have been passed by the Parliament and gazetted. The rules are under formation. We donot know if the report is based on any leak from the Ministry about the proposed rules or simply a speculation of the media to spread misinformation about the amendments as what TOI had done earlier. (Refer article: Please do not try to manipulate public opinion with planted stories )

The report suggests that the amendments require Indian nationals to be provided e-mail addresses only in the .in domain and hence there will be a need for consumers to change their e-mail IDs consequent to the new regulations.

The amendments have prescribed

a) Intermediaries need to retain data as may be prescribed for designated periods. (We may recall that on April 6th, UK also notified a similar data retention guideline)

b) Intermediaries need to submit "Traffic data" when called for by a designated agency.

c) Intermediaries need to follow "Reasonable Security Practices" as may be prescribed

d) Intermediaries need to exercise "Due Diligence" in providing their services

There is no specific recommendation that the e-mail servers have to be in India even though this may be contemplated as part of the rules to be notified. Even the IT Vision document of BJP has indicated its desire to encourage hosting services to be run from India as a part of moving the business into India for its economic benefit.

Even if the servers are located in India, there is no reason why the users need to be compelled to change their e-mail addresses. e-mail identities are as important as domain name identities and people have built them over time. Many have also obtained digital signature certificates tagged to the respective e-mail IDs. Hence if there is any crazy idea of "Only .in addresses to be used by Indian Citizens", it needs to be nipped in the bud. To the best of my knowledge, the persons framing the rules are not so naive as to prescribe such a condition.

Presently public in India have invested more than Rs 100 crores in digital signatures and a majority of them are on gmail.com addresses. If these are made "illegal" there will be a loss of RS 100 crores to the Indian public and I am sure that Ministry of Communications and Information Technology will take this into account while framing the rules.

It is true that if the servers are located in India, the law enforcement may have better monitoring over them.  In fact ITA 2008 enables the Government to intercept, monitor, decrypt messages or even block websites. As it happened in the case of Blackberry case, law enforcement is worried about terrorists hiding their nefarious activities under the "Privacy Protection" measures undertaken by the e-mail/mobile service providers. Such monitoring would be easy if the servers are situated in India.

 In fact, in recent days, Yahoo and Google are both hiding the IP address of senders of e-mail and providing their own proxy addresses. As a result, the law enforcement has to every time demand IP address details from the e-mail service providers to assist in their investigation or intelligence activities. There is a loss of time in the process and the delay only assists criminals. Hence location of servers in India is desirable from law enforcement view. This however does not require change of e-mail address.

There is no doubt that there are Civil Liberty concerns on the powers conferred on the Government agencies by the amendments. But this unfortunately is a trend all over the world and electronic surveillance is part of Government functions even in USA, UK, Australia or elsewhere. In the current era of terrorist threats, it is necessary for the law enforcement to be given enough powers. ITA 2008 has done just that.

If abuse of these powers have to be prevented, we need a "Netizen Rights Commission" or "Netizen Protection Advisory Group".

In summary, we can say that the amendments donot propose that Indians need to give up their .com e-mail addresses and switch to .in addresses. Hence concern on this appears to be misplaced.

I would like the media to focus more on the "Safeguards" that ITA 2008 has suggested under Sections 69, 69A and 69B rather than focusing only on the difficulties of the "Intermediaries".



April 08, 2009