Government Orders Employees Not to Use Google Drive, VPNs: Details

A brand new authorities order prohibit staff from utilizing third-party, non-government cloud platforms together with Google Drive and Dropbox in addition to digital non-public community (VPN) providers together with NordVPN and ExpressVPN. The order handed by the National Informatics Centre (NIC) has been circulated to all ministries and departments and all authorities staff are required to adjust to the directive, Gadgets 360 has learnt. The new transfer by the federal government comes simply weeks after directing VPN service suppliers and information centre firms to retailer their consumer information for as much as 5 years.

Citing an elevated variety of cyberattacks and menace notion to the federal government, the 10-page doc seen by Gadgets 360 ordered staff to “not upload or save any internal, restricted, confidential government data or files on any non-government cloud service (ex: Google Drive, Dropbox, etc.).” The doc is titled “Cyber Security Guidelines for Government Employees.”

In addition to limiting staff from utilizing the favored cloud providers, the federal government instructed staff by its directive to not use any third-party anonymisation providers and VPNs, together with NordVPN, ExpressVPN, Tor, and proxies. Additionally, it directed the workforce to chorus from utilizing “unauthorised remote administration tools” resembling TeamViewer, AnyDesk, and Ammyy Admin, amongst others.

Government staff are additionally directed to not use any “external email services for official communication” and conduct “sensitive internal meetings and discussions” utilizing “unauthorised third-party video conferencing or collaboration tools.”

The authorities moreover ordered staff to not “use any external websites or cloud-based services for converting/ compressing a government document”. It additionally directed the workforce to not use “any external mobile app-based scanner services” together with CamScanner for “scanning internal government documents.

Notably, the government banned CamScanner in 2020 as a part of its initial move to restrict China-based apps in the country. Some government officials were, however, still being seen using the app for scanning physical copies of their official documents.

Alongside restricting the usage of certain apps, the government’s order also directed employees to not ‘jailbreak’ or ‘root’ their mobile phones.

The directive also ordered employees to take measures including the use of complex passwords as well as updating passwords once in 45 days and updating operating system and BIOS firmware with the latest updates and security patches.

“All authorities staff, together with short-term, contractual/ outsourced assets are required to strictly adhere to the rules talked about on this doc,” the order said. “Any non-compliance could also be acted upon by the respective CISOs/ division heads.”

The order was released on June 10 after a couple of revisions in the original draft made by the NIC. It included inputs from India’s Computer Emergency Response Team (CERT-In) and was approved by the Ministry of Electronics and Information Technology (MeitY) secretary.

Gadgets 360 has reached out to Google, Dropbox, and other entities to get their comments on the government’s directive. This article will be updated when the companies in question respond.

In late April, the CERT-In issued a directive to make its mandatory for VPN service providers, data centres, virtual private server (VPS) providers, and cloud service providers to keep user data for five years or even longer. The order will come into force from June 28.

As a result of that order, VPN service providers including NordVPN, ExpressVPN, and Surfshark have decided to remove their physical servers in the country as they follow no-log policies and are not technically capable of storing logs. The major VPN entities as well as some digital rights groups have also raised privacy concerns for users in storing their data.

Tech companies including Facebook and Google also warned that the rules made by CERT-In could create a frightening environment.