Thursday, June 10, 2010

India Should Not Use SaaS For Crucial Governmental Functions

Software as a Service (SaaS) is in media reports for long. SaaS is a web-based version of proprietary software that performs computing on its servers on behalf of the client. Cloud computing is one of the most famous forms of SaaS. It is projected as a panacea for many infrastructure related problems and cost saving. While cloud computing has considerable cost benefits but it has drawbacks as well.

Richard Stallman, the founder of Free Software Foundation, says that on the Internet, proprietary software isn't the only way to lose your freedom. SaaS is another way to let someone else has power over your computing. He totally rejects the idea of cloud computing and opines that the real meaning of “cloud computing” is to suggest a devil-may-care approach towards your computing. It says, “Don't ask questions, just trust every business without hesitation. Don't worry about who controls your computing or who holds your data. Don't check for a hook hidden inside our service before you swallow it.” In other words, cloud computing means think like a moron.

There are many security and regulatory factors that must be complied with by SaaS and cloud computing before their deployment in India. Out of these I would presently like to stress upon three aspects alone. These are Security and Privacy, Compliance, and Legal or Contractual Issues.

As far as Security and Privacy is concerned, India has a very weak cyber security and no dedicated privacy law. Even there is no dedicated data protection law in India. The data of end users and governmental agencies is not safe in the absence of these essential regulations that the government of India is willingly not interested in enacting.

As far as Compliance aspect is concerned, that is an alien concept in India. For instance, the Aadhar project of India/UID project, National Intelligence Grid (NATGRID) project of India, etc all are running in India even in the absence of any legislation ensuring proper safeguards. When there is no legislation even for the most basic projects like Aadhar and Natgrid, there is no question of compliance in India. Outsourcers and foreign clients, keep this in mind while sending your crucial details and data to India.

Finally, the Legal and Contractual issues also cannot provide much protection against illegal and negligent data sharing and data thefts in India. The sole cyber law of India is enacted in the form of Information Technology Act, 2000 (IT Act 2000). Cyber crimes like cracking, data theft, privacy violation, etc are all bailable leaving much room for commission of these crimes.

India should not use SaaS and Cloud Computing for governmental purposes in the absence of strong cyber law and cyber security. As Stallman says, in the meantime, if a company invites you to use its server to do your own computing tasks, don't yield; don't use SaaS. Use a real computer and keep your data there. Do your work with your own copy of a free program, for your freedom's sake.