India has quietly shifted a core part of its digital administration—government email—from public infrastructure to a private cloud. Reports say around 12 lakh government email accounts have moved from NIC (National Informatics Centre) to Zoho Mail. While the familiar @gov.in and @nic.in addresses remain, the data now sits on Zoho’s private servers rather than government-run data centres.
On paper, it may seem like a small change, but in practice it is significant. For decades, NIC ran India’s digital backbone—email, e-Office, and domains—entirely under state control. Messages, logs, and audit trails stayed within government networks, routed through NICNET, India’s satellite-based system connecting ministries and state departments. With this migration, emails bound for @gov.in now flow through Zoho. The government no longer fully controls where its data lives, raising questions about auditability, transparency, and accountability.
Zoho Corporation, founded in 1996 by Sridhar Vembu and Tony Thomas, is a private company offering a full cloud stack, including mail, office apps, Customer Relationship Management, and collaboration tools. Reports indicate the migration comes with a seven-year hosting deal. Since Zoho is private, the data may sit outside the reach of the Right to Information (RTI) Act, adding a layer of opacity between citizens and official records—even though the government remains ultimately responsible.
Sridhar Vembu, Zoho’s founder and former CEO, is being celebrated as the face of “Swadeshi tech,” promoting rural-led innovation and serving on the National Security Advisory Board. In January 2025, he stepped down as CEO to focus on research and development, transitioning to Chief Scientist.
The government frames the shift to Zoho as a “Made in India” move, with IT Minister Ashwini Vaishnaw even announcing that his office had adopted Zoho as part of a “Swadeshi” drive. But technologists caution that ownership alone does not guarantee digital sovereignty—control, code, and servers still matter.
The move also clashes with India’s long-standing push for open source software- systems designed to be inspectable, modifiable, and shareable, keeping public technology transparent and vendor-neutral. Zoho, by contrast, is proprietary and closed, controlled by a single company, which critics argue undermines two decades of open digital policy.
This migration, critics warn, is more than just a change in email hosting; it signals a shift in India’s digital foundations, from open and accountable systems to ones increasingly managed behind private walls.
To understand the implications of this shift, Decode spoke with Anivar Aravind, a public interest technologist who has been a prominent voice on the policy and technical risks of large, single-vendor government adoptions. Aravind has played a key role in designing India’s core multilingual computing systems while helping build foundations for India’s GovTech, EdTech and CivicTech. He has long defended digital rights, resisted Aadhaar exclusion and fought for net neutrality.
In the interview, he breaks down how server migrations and vendor lock-in could shape the long-term digital sovereignty of the country. Here are the edited excerpts from the interview.
From your perspective, does this move to Zoho actually strengthen or weaken digital sovereignty?
I’ve spent much of my professional life in India’s public technology space, especially post 2005s and 2010s, when the foundations of Digital India were being shaped. Between 2006 and 2014, India built a coherent policy roadmap around openness and interoperability. We had the National e-Governance Plan (2006), the Policy on Open Standards for e-Governance (2010), the National Data Sharing and Accessibility Policy (2012), and the Policy on Adoption of Open Source Software (2014). These came out of collective work by technologists, the National Knowledge Commission, and public institutions that viewed technology as a civic instrument, not a corporate asset.
That was also the period when India invested in Indian language computing, open educational resources, and data-sharing infrastructure. The principle was simple: civic tech and GovTech should be inclusive, interoperable, and auditable.
What we are seeing now is the opposite. The rhetoric of “digital sovereignty” is being reframed as Swadeshi branding—patriotism deployed as a substitute for structural independence. A closed, proprietary cloud run by one private company cannot be called sovereign. True sovereignty means plural control, public verifiability, and open governance of the stack.
Why is relying on one private platform like Zoho a problem?
Early public digital systems were designed to prevent vendor lock-in. Interoperability, auditability, and portability were non-negotiable. Those principles are now being abandoned.
Mandating a single private platform for official communication or infrastructure reverses decades of open-technology progress. Systems that were modular and adaptive are replaced with closed pipelines that neither the state nor citizens can inspect or migrate from.
Future developers, researchers, and public institutions will inherit black boxes they cannot extend or reimplement. That dependency is not efficiency; it is fragility. Once data, workflows, and institutional memory are locked inside private systems, independent verification, migration, and auditing become nearly impossible. This is not a procurement shortcut; it is a long-term governance risk.
India already has policies mandating open standards and open source. Can’t they be enforced?
India’s open policy framework is comprehensive. The Policy on Open Standards (2010) and the Policy on Adoption of Open Source Software (2014) require government software and data to be inspectable, modifiable, and reusable without vendor lock-in. These are binding obligations.
The problem lies in enforcement, not policy. When MeitY, the Department of Higher Education, or other agencies bypass these rules, they violate free and open-source software (FOSS) principles and undermine digital sovereignty. NIC exists to host and maintain government systems in-house, keeping control in the public domain. Underfunding or outsourcing NIC operations weakens public capacity rather than creating space for privatisation.
Digital sovereignty cannot be achieved simply by labeling proprietary control as “national”. True sovereignty requires strict enforcement of open standards across all government IT projects, prioritising FOSS for core infrastructure, rebuilding in-house technical capacity to manage and evolve public systems, and ensuring public auditing and transparency to prevent creeping vendor lock-in.
The current trajectory reverses progress, moving from federated, inspectable systems toward opaque, centralised dependencies. This is a failure of institutional discipline, not policy design, and highlights the need to reclaim the public commons in digital governance.
What can policymakers do differently to truly achieve digital sovereignty?
India’s strength was always in building plural and interoperable ecosystems rather than concentrating everything under one company. FOSS principles require public code and public control.
The issue is internal disregard. MeitY or the Department of Higher Education bypassing open standards breaks the rules. NIC was created to host and maintain systems in-house, keeping governance infrastructure in the public domain. Underfunding, neglect, or outsourcing turns digital sovereignty into a label for private control.
Rebuilding public capacity is essential. Enforcement of open standards, mandatory adoption of FOSS, public auditing, and in-house system stewardship form the baseline. Current trends show a rollback from federated, transparent systems toward opaque, centralised vendor dependencies, reflecting institutional erosion rather than policy weakness.
Advertisement