
Unit - VI

Security and Law, Internet Governance and E-Mail Policy

Write a short note on Indian Penal Code. – 5

• Section 406: Punishment for Criminal Breach of Trust
  o In case any person who has been entrusted with property, or with any power over any property, dishonestly misappropriates the property, makes wrongful use of the property, dishonestly disposes of that property, or induces any other person to do so, such a person commits "criminal breach of trust". Under Section 406 of the Indian Penal Code, whoever commits criminal breach of trust shall be punished with imprisonment, which may extend to three years, or with a fine, or with both.
• Section 420: Cheating and Dishonestly Inducing Delivery of Property
  o Section 420 of the Indian Penal Code (IPC) deals with cheating cases. Under the section, whoever cheats and consequently dishonestly induces a person to deliver any property (to any other person), or to alter or destroy the whole or any part of a valuable security, shall be punished with imprisonment, which may extend to seven years, and shall also be liable to a fine.
=== * ===

Describe Information Technology Act, 2000. – 5

The Information Technology (IT) Act, 2000 covers cyber and related information technology laws in India. The IT Act has made amendments to the Indian Penal Code of 1860, the Indian Evidence Act of 1872, the Bankers' Books Evidence Act of 1891 and the Reserve Bank of India Act of 1934, to update them with the provisions of the Act.
The information security issues under the IT Act are the following:

Section 43
According to this section of the IT Act, if a person, without the permission of the person in charge of the computer system, accesses it, downloads any data, introduces a virus or causes denial of access, he/she will be liable for a penalty of up to rupees 10 million.

Section 65: Tampering with Computer Source Code
This section of the IT Act deals with the issue of tampering with computer source documents. According to it, anyone who deliberately or purposely hides, destroys or alters any computer source code, or induces someone else to do so, shall be punishable with imprisonment up to three years, or with a fine, which may go up to two lakh rupees, or with both.

Section 66: Hacking
This section of the IT Act deals with the issue of hacking. According to it, hacking is committed if someone, with the intention of causing wrongful loss or damage (or with the knowledge that such damage or loss is likely to result) to the public or any person, destroys, deletes or alters any information residing in a computer resource, diminishing its value or utility, or affects it injuriously by any means.
If a person commits hacking, he/she is liable to be punished with imprisonment up to three years, or with a fine, which may go up to two lakh rupees, or with both.

Section 72: Breach of Confidentiality and Privacy
This section of the IT Act relates to the disclosure of certain information by any person who has gained access to such information in pursuance of a power granted under the IT Act. In case a person who has secured access to any electronic record, book, register, correspondence, information, document or other material discloses any of these to any other person, he will be punished with imprisonment for a term which may extend to two years, or with a fine which may go up to ten lakh rupees, or with both.
===*===
Explain the Consumer Protection Act, 1986. OR
What is the Consumer Protection Act and who can file a complaint?
Discuss the Consumer Protection Act. – 5
The Consumer Protection Act protects consumers from exploitation and saves them from adulterated and substandard goods and deficient services. With regard to security, consumers can file a complaint with the court for "deficiency of service", such as disclosing proprietary information without adequate authorization.
Consumer means any person who
• buys any goods for a consideration which has been paid or promised, or partly paid and partly promised, or under any system of deferred payment, and includes any user of such goods other than the person who buys such goods for consideration paid or promised, or partly paid or partly promised, or under any system of deferred payment, when such use is made with the approval of such person, but does not include a person who obtains such goods for resale or for any commercial purpose; or
• hires or avails of any services for a consideration which has been paid or promised, or partly paid and partly promised, or under any system of deferred payment, and includes any beneficiary of such services other than the person who "hires or avails" of the services for consideration paid or promised, or partly paid and partly promised, or under any system of deferred payment, when such services are availed of with the approval of the first mentioned person, but does not include a person who avails of such services for any commercial purpose.

Who Can File a Complaint?
• A consumer
• Any voluntary consumer association registered under Act 1956 or the Companies Act 1951 or any other law for the time being in force.
• The Central Government or any State Government.
• One or more consumers having the same interest.
• In case of death of a consumer, his legal heir or representative.
=== * ===

Discuss the constituents of a consumer complaint and its stakeholders

What Constitutes a Complaint?
• If you have suffered loss or damage as a result of any unfair/restrictive trade practices adopted by the trader.
• If the goods purchased suffer from any defect.
• If the services hired/availed of suffer from deficiencies in any respect.
• If you have been charged a price in excess of the price displayed or fixed by or under any law in force, or agreed between the parties.
• If the goods purchased or services availed of are hazardous to life and safety.

Relief Available to Consumers
• Removal of defects from the goods
• Replacement of the goods
• Refund of the price paid
• Award of compensation for the loss or injury suffered
• Removal of defects or deficiencies in the services
• Award of adequate costs
• Discontinuation of the unfair trade practice or restrictive trade practices
• Withdrawal of hazardous goods from being offered for sale
• Issue of corrective advertisements to neutralize the effect of misleading advertisements
===*===
Discuss initiatives undertaken by government to upgrade security standards. – 10
Some of the initiatives undertaken by the Indian Ministry of Information Technology to upgrade security standards are:
• Standardization, Testing and Quality Certification (STQC) Directorate
• Computer Emergency Response Team (CERT)
• Information Security Technology Development Council (ISTDC)

Standardization, Testing and Quality Certification (STQC) Directorate:
• The Indian government has set up the Standardization, Testing and Quality Certification (STQC) Directorate under the Department of Information Technology (DIT), due to the international demand that Indian firms should have an international security standard accreditation.
• The Directorate has been able to launch an independent third-party certification scheme for Information Security Management Systems as per BS 7799 Part 2.
• The Directorate has also achieved international recognition in the form of accreditation (from RvA, Netherlands).
• The STQC Directorate provides services such as testing hardware and software products, product certification, and also training personnel in quality and security standards and processes.

Computer Emergency Response Team (CERT):
The Indian Computer Emergency Response Team (CERT-In) was established by the Department of Information Technology (DIT) to be part of the international CERT community.
CERT was set up to protect India's IT assets against viruses and other security threats. It performs the following functions:
• It serves as a central point for responding to computer security incidents and providing a reliable, trusted, 24-hour referral contact for emergencies.
• It disseminates best practices among system administrators and service providers.
• It increases the awareness and understanding of information security and computer security issues among the Indian cyber user community.
• It alerts the community regarding the latest security threats in the form of advisories, vulnerability notes and incident notes.
• It serves as a coordinating centre among organizations to solve computer security problems.
• It establishes linkages with similar organizations in the international arena.
• It performs research and development activities in collaboration with premier research and educational organizations regarding the security of existing systems and evolving cyber security problems.

Information Security Technology Development Council (ISTDC)
The ministry has recently set up the Information Security Technology Development Council (ISTDC).
The main objective of this program is to facilitate, coordinate and promote technological advancements, and to respond to information security incidents, threats and attacks at the national level.
ISTDC has been established for the following functions:
• To evaluate the cyber security project proposals received, and to provide recommendations for further processing by DIT.
• To review on-going projects through monitoring committees and recommend any modification in scope, funding, duration, additional inputs, termination, transfer of technology, etc.
• To recommend follow-up action on completed projects: transfer of technology, initiation of the next phase, etc.
• To form project review and steering groups for projects approved and funded by the DIT.
=== * ===
Explain Indian Copyright Act – 10
As per the provisions of the Indian Copyright Act, any person who knowingly makes use of an illegal copy of a computer program shall be punishable. According to Section 63 B, copyright infringement attracts a minimum imprisonment of seven days. The Act further provides for fines, which shall not be less than fifty thousand rupees but may go up to twenty lakh rupees, a jail term of up to three years, or both.
Under Indian law, computer programs have copyright protection but NO patent protection. A software program is an algorithm, and patent law does not protect algorithms. The term 'software' includes computer programs, databases, computer files, preparatory design material, and associated printed documentation such as users' manuals.

Source Code, Object Code and Copyright
The World Intellectual Property Organization (WIPO) recommended in late 1970 that computer software (object code and source code) should be protected under the Copyright Acts.

Article 10 of the TRIPS Agreement
Computer programs shall be protected as literary works under the Berne Convention. Compilations of data or other material, whether in machine readable or other form, which by reason of the selection or arrangement of their contents constitute intellectual creations, shall be protected as such.

Amendments in the Copyright Act
Earlier, the Copyright Act protected computer programs (source code as well as object code), but the amended Act also includes computer databases. Section 14 of the Copyright Act defines "copyright". This section was also amended, giving the owners the exclusive right to do, or to authorize the doing of, among other things, the reproduction, sale or rental of a computer database or a computer program.
===*===

List out the common computer crimes/cyber crimes – 5

The most common crimes are:
• Introducing and attaching virus program files to e-mails, software, programs, etc.
• Illegal access to private data; destroying, damaging or deleting already stored, existing programs and data.
• Tampering with source code, hacking and cyber pornography.
• IPR (Intellectual Property Rights) violations and thefts.
• Copyright infringements (violations).
• Cyber fraud.
• Harassment, e-mail abuse, defamation, robbing money and forgery by announcing bogus schemes on the Internet.
=== * ===

Describe network security aspects in E-Governance. – 5

Network Security Aspects in E-Governance
• E-governance is described as the use of Information and Communication Technologies (ICT) to enhance information access and the delivery of government services for the benefit of citizens, business partners, organizations and government functionaries.
• E-governance is a TOOL to ensure good governance.
• E-governance DOES NOT mean the procurement of computers and accessories; it is basically a political decision which calls for discipline, attitudinal change in officers and employees, and massive government process re-engineering.
• The major concerns involved in e-governance projects are network and information security.
• In ICT, the lack of security measures may increase problems like hacking, viruses, spamming and invasion of privacy.
• Governments need to provide secure access to information, applications and services via networks.
• The network, applications and processes must be reliable to ensure availability and integrity of the e-government services.
=== * ===

Explain the purpose of email policy. – 5

Why do you need an E-mail policy?
A good e-mail policy will secure an organization in several ways.
• The e-mail policy helps prevent e-mail threats, since it makes your staff aware of the corporate rules and guidelines, which, if followed, will protect your organization.
• An e-mail policy can help stop any misconduct at an early stage by asking employees to come forward as soon as they receive an offensive e-mail.
• If you are going to use e-mail filtering software to check the contents of your employees' e-mails, it is essential to have an e-mail policy that states the possibility of e-mail monitoring. If you do not have such a policy, you could be liable for privacy violation.
=== * ===
Explain how an email system works with a diagram. – 10
• Every Internet mail user has a unique Internet e-mail address. This e-mail address is in the format: username@domainname
• It is not necessary for the sender to know the hardware and software specification of the recipient; only the receiver's mail address is needed.

Figure: Simplified model of an e-mail system.

• The following steps are involved in sending an e-mail message:
  o Step 1: The sender composes the mail message using his mail client software. A mail client allows a user to compose, edit and send the mail message. Examples of mail client software: Netscape Mail, Outlook Express.
  o Step 2: After composing the mail message, the user sends it to the recipient's e-mail address. The message propagates across the Internet before it reaches the mail server of the recipient. The domain name in the recipient's e-mail address identifies his mail server and the username identifies the recipient on the server. For example, in pqr@xyz.com the address of the mail server is xyz.com and the username is pqr.
  o Step 3: The recipient connects to his e-mail account on his mail server to read the messages sent to him.
• The recipient also uses a mail client to receive, save and print mail messages.
  o There is no direct link between the sender's computer and the recipient's mail server.
  o A mail message propagates across several networks on the Internet before it reaches its destination.
=== * ===

Explain how you create an email policy for your organization. – 10

An e-mail policy should include all the DO's and DON'Ts concerning the organization's e-mail system:
• E-mail Risks: The policy should list e-mail risks to make users aware of the potential harmful effects of their actions. Advise users that sending an e-mail is like sending a postcard.
• Best Practices: This should include e-mail etiquette and writing rules in order to uphold the good reputation of the organization and to deliver quality customer service. Also include instructions on compressing attachments to save bandwidth.
• Personal Usage: The policy should state whether personal e-mails are accepted and, if so, to what extent. You can set limits on the number of personal e-mails sent each day, or you could require personal e-mails to be saved in a separate folder. In every case, include examples and clear measures taken when these rules are breached.
• Wastage of Resources: Warn users that they are making use of the organization's e-mail system and that they should not engage in non-business activities that unnecessarily tie up network traffic. The policy must also cover subscription to newsletters and newsgroups.
• Prohibited Content: The policy should expressly state that the e-mail system is not to be used for the creation or distribution of any offensive or disruptive messages. Unlawful messages, such as copyright-infringing e-mails, should also be prohibited. Include examples and clear measures taken when these rules are breached.
• Document Retention Policy: It is best to create a policy rule that dictates deletion of e-mails after a certain number of days. It is also a good idea to provide an option to save certain e-mails in a different folder to avoid deletion. If so, specify which e-mails may be saved and which must be deleted.
• Treatment of Confidential Data: This includes rules and guidelines on how employees should deal with confidential information and trade secrets. Make employees encrypt any confidential information that is sent via e-mail and change passwords regularly. Also include the measures that will be taken if an employee is found to be sending out confidential information unlawfully.
• E-mail Monitoring: If you are going to monitor your employees' e-mails, you must state this in your e-mail policy. Warn that employees should have no expectation of privacy in anything they create, store, send or receive on the organization's computer system, and that the organization may, but is not obliged to, monitor messages without prior notice.
=== * ===
List the email threats that an organization faces. – 5
What are the e-mail threats that an organization faces?
1. Legal Liability: In most cases the employer is held responsible for all the information transmitted on or from their systems. As a result, inappropriate e-mails can result in multimillion dollar penalties. An organization can also be liable if one of its employees sends an e-mail containing a virus.
2. Confidentiality Breaches: Most confidentiality breaches occur from within the organization. These breaches can be accidental, for instance by selecting a wrong contact in the To: field of an e-mail. However, confidentiality breaches can also be intentional. Whether it is by mistake or on purpose, the result of the loss of confidential data is the same.
3. Damage to Reputation: A badly written e-mail, or an e-mail containing unprofessional remarks, will cause the recipient to have a bad impression of the organization the sender is representing.
4. Lost Productivity: Lost productivity due to inappropriate use of an organization's e-mail system is a growing area of concern. A study says that employees waste a considerable amount of time reading and sending personal e-mails. Along with this, unwanted spam messages are a huge time waster.
5. Network Congestion and Down Time: Spam and personal misuse of e-mail can cause an organization's e-mail system to waste valuable bandwidth resources. Personal e-mails cause network congestion since they are not only unnecessary, but tend to be mailed to a large list of recipients and often include large attachments such as mp3, executable or video files that users do not zip. If a virus hits the organization's system, this can cause network congestion or even down time.
6. E-mail Retrieval on Court Order: E-mail records are increasingly used in lawsuits since they tend to contain important evidence. If your company is ordered to search all company e-mails for messages relating to a particular person, the retrieval often involves restoring thousands of e-mails on servers and results in slow and painful searches. Worse still, the court could even confiscate your computers as evidence.
=== * ===

Describe security monitoring tools. – 10

Security Monitoring Tools
• In an e-government project, a large amount of documentation is done, such as maintenance of land records, police records, court judgments and so on.
• Each department functions independently and has its own set of transactions to undertake.
• As security is critical, only authorized people should get into the network and access the information.
• An understanding of security technology and the need for its implementation is required for a safer and more secure IT environment in the country.
• Securing public data and ensuring the security of government websites are some applications where security solutions or monitoring tools are required.
• Some common processes of those tools are:
1. Vulnerability Assessment
2. Security Policy Development
3. Wireless Network Analysis
4. Successful Identity Authentication

1. Vulnerability Assessment
Network and information security assessment services review all aspects of the data and voice networks and provide recommendations to maximize security, reliability and availability. The deliverables can be:
• Identification of vulnerabilities that need to be immediately addressed.
• Verification of security products and features already in place.
• Prioritization of security projects for future implementation.
• Assessment of the real-world threat to network assets.

2. Security Policy Development
• Any security policy must satisfy working objectives as well as the technical aspects of securing e-governance information.
• The policies establish the rules and guidelines that system and network engineers can use when deploying (installing) solutions.
  o This policy would then guide how network engineers install and configure firewalls, intrusion detection systems and other network equipment.
• Developing useful, practical and feasible network security policy documents can be very time consuming.
• Some automated tools can help an organization to develop and deploy a comprehensive security policy.

3. Wireless Network Analysis
• Wireless networks are inexpensive, simple to deploy and can be helpful in providing e-governance services in rural and remote areas.
• Unfortunately, wireless access points are designed for ease of use, not security.
• A thorough risk analysis provides an option for prioritizing and justifying future security expenditures.
• Depending on the scope of the risk analysis, the project may involve assessing sensitivity, criticality, threat, vulnerability, and susceptibility to penetration.

4. Successful Identity Authentication
• The Internet is a standard medium for conducting operations in an e-governance framework, within and outside organizations.
• E-mail is a quick, cheap and easy means of communication and also a potential threat for employers.
• E-mail threats such as confidentiality breaches, legal liability, lost productivity and damage to reputation cost companies crores of rupees each year.
• The following steps are taken to protect a company from these threats:
  o Create an e-mail usage policy.
  o Make sure the e-mail policy is actually implemented. This can be done by giving regular training and by monitoring employees' e-mail using e-mail security software.
=== * ===


Explain how to publish an e-mail policy for an organization. – 5
Publishing the E-Mail Policy:
• The e-mail policy should be made available and easily accessible to all employees.
• The policy should be included in employee handbooks and organization intranets.
• It is best to include the e-mail policy, or a short statement regarding the policy, in employment contracts.
• The employee must acknowledge in writing that he/she is aware of the e-mail policy and of the obligation to adhere to it.
• When the policy is updated, a new copy can be circulated via e-mail as well as on paper. Preferably have each new update signed by employees.
===*===

INTERNET GOVERNANCE
Governance of the Internet can be categorized into four major areas.
1. The Infrastructure and Standardization
2. Legal
3. Economic
4. Development
1. The Infrastructure and Standardization: Standardization of the infrastructure at the hardware level as well as at the software level is needed to enable heterogeneous technologies to work together. This area covers telecommunication infrastructure, technical standards and services (Internet infrastructure), Transmission Control Protocol/Internet Protocol (TCP/IP), root servers, Internet Service Providers (ISP), Internet Bandwidth Providers (IBP), web standards, Internet security, encryption and spam.
2. Legal: Legal aspects involve issues such as legislation, social norms (customs), self-regulation, jurisprudence, international regulation, jurisdiction, arbitration, trademark, copyright, patents, cyber crimes, digital signature, privacy rights, data protection, and Intellectual Property Rights (IPR).
3. Economic: Economic issues relate to e-commerce applications and include consumer protection, taxation, customs, e-payment, e-banking, and e-money.
4. Development: [The Internet has grown for a long time without too much regulation.] Defining protocols and standards had for a long time been the most developed regulatory activity. [But as soon as business took its place, the requirements changed.]
===*===
Why Secure e-Governance?
As India adopts e-governance with a vengeance, the need for network and information security measures to protect vital data will be a major part of the e-governance framework. The security issue is to be addressed in the design of such a framework. An e-governance project needs a network to execute, and the project involves a considerable amount of critical information which needs security.
Government documents and other important material such as birth and death registration, motor vehicle licences and land records, all of which have legal and legislative nuances, have to be protected from unauthorized use. Hence, security is critical for their successful implementation.
===*===
Security Measures and Threats in E-Governance
Security measures are required wherever the "authenticity", "validity" and "legal rights" of digital content have to be protected from repudiation. All digital content, in the form of applications that need protection from tampering, vandalism (damage), decay and accident, needs security.
The role of network or information security is vital in every application which collects or stores data, interacts with an outsider, or carries some confidential information. For example, in an e-governance framework the central government can transfer a huge fund to a state government online. With the Information Technology (IT) Act 2000 coming into effect from October 18, 2000, transactions on the Internet have legal validity in India. This allows users to pay their bills for utilities on the web. Online transactions and their users are at higher risk of being targeted by digital attacks.
The complex network and large size of an e-governance framework make it vulnerable to virus, spam and Trojan attacks. There can be many intrusion attempts to crack the security, so network and information security is a greater challenge. In such a complex environment, a complete information security architecture is needed. The architecture needs to be further complemented with proper tools and solutions to keep itself away from any threat, both at the network level and at the host level.
When there is an intrusion (a virus) at the network or host level, it takes a long time to cure, and there can be a huge loss of money. There have been some inherent vulnerabilities, like web defacements, stealing of information, etc.
===*===
Electronic Mail
The original e-mail systems were built to allow a person to communicate with other people; an individual created a message and specified other individuals as recipients. The e-mail software transmitted a copy of the message to each recipient.
Nowadays, a computer program can answer an e-mail message and send a reply.
Electronic Mailboxes and Addresses
The mailbox consists of a passive storage area (e.g., a file on disk). An electronic mailbox is private: the permissions are set to allow the mail software to add an incoming message to an arbitrary mailbox, but to deny anyone except the owner the right to examine or remove messages. In most cases, an electronic mailbox is associated with a computer account. Thus, a person who has multiple computer accounts can have multiple mailboxes.
Each electronic mailbox is assigned a unique electronic mail address (e-mail address). A full e-mail address contains two parts; the second specifies a computer and the first specifies a mailbox on that computer. In the most widely used format, an "at sign" (@) separates the two components:
mailbox@computer
where mailbox is a string that denotes a user's mailbox, and computer is a string that denotes the computer on which the mailbox is located (i.e., a domain name).
===*===
Mail Transfer
A user interacts with an e-mail interface program when composing or reading messages. The underlying e-mail system contains a mail transfer program that handles the details of sending a copy of a message to a remote computer. When a user finishes composing an outgoing message, the e-mail interface places the message in a queue that the mail transfer program handles.
The mail transfer program waits for a message to be placed on its queue, and then transfers a copy of the message to each recipient. Sending a copy to a remote user is more complex: the mail transfer program becomes a client that contacts a server on the remote machine. The client sends the message to the server, which places a copy of the message in the recipient's mailbox.

Figure: The path of an e-mail message. The mail transfer program on the sender's computer becomes a client of the remote mail server.
===*===
Internet Mail Protocols
Internet e-mail is based on standards known as mail protocols. Some of these standards (mail protocols) are:
• Simple Mail Transfer Protocol (SMTP)
• Post Office Protocol (POP)
• Internet Message Access Protocol (IMAP)
• Multipurpose Internet Mail Extensions (MIME)
SMTP specifies how messages are sent on the Internet. POP and IMAP define how mail clients can access messages on a mail server, and the MIME standard lets the mail client understand different types of data such as graphics, video, application files and text files.
These protocols are very important because there are a number of mail clients available in the market and each of them provides a different set of features. The protocols standardize the process of exchanging mail, so you need not know which mail client the recipient is using, what operating system he is using or what type of computer he is using. You just have to know his e-mail address to send a message to him.
===*===

1. The Simple Mail Transfer Protocol (SMTP)


 The TCP/IP protocol that supports electronic mail on the Internet is called Simple
Mail Transfer Protocol (SMTP).
 When a mail transfer program contacts a server on a remote machine, it forms a TCP
connection.
 SMTP provides for mail exchange between users on the same or different computers
and supports:
o Sending a single message to one or more recipients.
o Sending messages that include text, voice or graphics.
o Sending messages to users on networks outside the Internet.
 SMTP uses the ASCII character set for composing a message.
 An Internet mail message has two parts: a header and a body.
o The header of the message includes the address of the recipient, address of the
sender, subject and other information about the message such as date and time
when it was sent, type of mailing client the sender is using, etc.
o The body of the message contains the actual message.
 The SMTP protocol is used to transfer a message from the SMTP sender to the SMTP
receiver over a TCP connection.
 SMTP attempts to provide reliable operation but does not guarantee to recover from
lost messages. No end-to-end acknowledgement is used in SMTP. However, the
SMTP-based mail system is generally considered reliable.
 SMTP expects the destination host, the mail server receiving the mail, to be on-line
all the time; otherwise, a TCP connection cannot be established.
 Format of an E-mail Message:
Mail header as follows (a blank line separates the header from the body):
Message-ID: <1234,4567@ABC.com>
Date: Mon, 2 Oct 1998 17:30:10 +0530
From: PQR@ABC.COM
X-Mailer: Mozilla 3.01
MIME-Version: 1.0
To: registrar@jp1.vsnl.net.in
Subject: Request for extension of joining

<Body of the mail message>
XYZ
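The client/server dialogue described at the start of this unit and in the SMTP section, as an added example that is not part of these notes: a toy SMTP server in Python with an in-memory mailbox, and a client that delivers a message adapted from the sample header above. The host names, the local user `registrar`, the command subset and the message text are assumptions for the illustration; a real mail transfer program implements far more. Note how the server takes the MAIL FROM address on trust and accepts mail from any sender, which is the point the POP/SMTP comparison below makes.

```python
"""Simulated SMTP delivery: the sender's mail transfer program acts as client and
the recipient's machine runs the server that stores the message in the mailbox.
Added example with hypothetical names; not a real MTA and not code from the notes."""
import email

# Constructed message, adapted from the sample header in the notes (CRLF line ends).
SAMPLE_MESSAGE = (
    "Message-ID: <1234.4567@ABC.com>\r\n"
    "Date: Mon, 2 Oct 1998 17:30:10 +0530\r\n"
    "From: PQR@ABC.COM\r\n"
    "MIME-Version: 1.0\r\n"
    "To: registrar@jp1.vsnl.net.in\r\n"
    "Subject: Request for extension of joining\r\n"
    "\r\n"
    "Please extend my joining date by two weeks.\r\n"
    ". (this line starts with a dot to show SMTP dot-stuffing)\r\n"
    "XYZ\r\n"
)

class MiniSmtpServer:
    """Server side: the command sequence HELO, MAIL FROM, RCPT TO, DATA, QUIT.
    Mailboxes are an in-memory dict keyed by local user name."""

    def __init__(self, domain, local_users):
        self.domain = domain
        self.mailboxes = {u: [] for u in local_users}
        self._reset()

    def _reset(self):
        self.sender, self.recipients, self.in_data, self.data_lines = None, [], False, []

    def greeting(self):
        return f"220 {self.domain} Simple Mail Transfer Service Ready"

    def handle(self, line):
        """Return the reply for one client line, or None for a line of message data."""
        if self.in_data:
            if line == ".":                       # end of message data
                self.in_data = False
                message = "\r\n".join(self.data_lines) + "\r\n"
                for user in self.recipients:
                    self.mailboxes[user].append(message)
                self._reset()
                return "250 OK: message accepted for delivery"
            # undo dot-stuffing: a data line beginning ".." carried a single leading "."
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return f"250 {self.domain} Hello {arg}"
        if verb == "MAIL":
            # The envelope sender is taken on trust: plain SMTP does not authenticate it.
            self.sender = arg.partition(":")[2].strip().strip("<>")
            return "250 OK"
        if verb == "RCPT":
            addr = arg.partition(":")[2].strip().strip("<>")
            user, _, dom = addr.partition("@")
            if dom.lower() != self.domain.lower() or user not in self.mailboxes:
                return "550 No such user here"
            self.recipients.append(user)
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Bad sequence of commands"
            self.in_data = True
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return f"221 {self.domain} closing connection"
        return "500 Command not recognized"

def send_message(server, sender, recipients, message):
    """Client side: run the dialogue; return (transcript of both sides, accepted recipients)."""
    transcript = [f"S: {server.greeting()}"]

    def cmd(line):
        transcript.append(f"C: {line}")
        reply = server.handle(line)
        if reply is not None:
            transcript.append(f"S: {reply}")
        return reply

    cmd("HELO client.example")                    # hypothetical client host name
    cmd(f"MAIL FROM:<{sender}>")
    accepted = [r for r in recipients if cmd(f"RCPT TO:<{r}>").startswith("250")]
    if accepted:
        cmd("DATA")
        for line in message.splitlines():
            cmd("." + line if line.startswith(".") else line)   # dot-stuff data lines
        cmd(".")
    cmd("QUIT")
    return transcript, accepted

def delivered_message(server, user):
    """Split the stored message into header and body, as the notes describe."""
    msg = email.message_from_string(server.mailboxes[user][0])
    return msg["Subject"], msg.get_payload().splitlines()

def run_demo():
    server = MiniSmtpServer("jp1.vsnl.net.in", ["registrar"])
    transcript, accepted = send_message(
        server, "PQR@ABC.COM",
        ["registrar@jp1.vsnl.net.in", "nobody@jp1.vsnl.net.in"], SAMPLE_MESSAGE)
    return server, transcript, accepted

if __name__ == "__main__":
    server, transcript, accepted = run_demo()
    print("\n".join(transcript))
    print("Accepted:", accepted, "| delivered:", delivered_message(server, "registrar"))
```

Running the demo prints the full dialogue: the 220 greeting, 250 replies for HELO, MAIL FROM and the valid RCPT TO, a 550 for the unknown recipient, 354 before the data lines and 250 once the terminating "." arrives. The client never receives an end-to-end acknowledgement from the recipient, only the server's 250, which is the reliability limitation the SMTP bullets mention.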
===*===
2. Post Office Protocol (POP)
 The Post Office Protocol is a client-server protocol for retrieving messages from a
mailbox.
 POP requires an additional server (the POP server) to run on the computer with the
mailbox. A user runs e-mail software that becomes a client of the POP server to
access the contents of the mailbox.
 POP was developed for single-user computers.
 There are three versions of this protocol: POP, POP2 and POP3.
 To search mail, the user first has to download it from the server.

Figure 10.3: The path of e-mail when POP is used to access a mailbox.
From the figure, a computer that has a mailbox must run two servers. A conventional
mail server accepts incoming e-mail and stores it in the appropriate mailbox. The mail can
arrive either directly from the original sender or from a mail gateway. A POP server allows a
user on a remote machine to access the mailbox.
If a user relies on a dial-up telephone connection, a modem is attached to his
computer. To receive e-mail, the user forms a dial-up connection either to the mailbox
computer or to some other computer on the Internet. Once the user is connected to a computer
on the Internet, he can run a POP client to contact the server and access e-mail.
===*===
Difference between E-mail Server (POP) and SMTP Server:
    E-mail Server (POP)                                  | SMTP Server
1.  A POP server uses the POP protocol.                  | An SMTP server uses the SMTP protocol.
2.  The POP server only allows a user to access the      | It accepts messages from an arbitrary sender.
    mailbox after the user enters authentication         |
    information (e.g., a password).                      |
3.  A POP server can provide information about the       | It can transfer only e-mail messages.
    mailbox contents.                                    |
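A worked illustration of two points made above, that a POP server releases nothing until the user has authenticated and that searching POP mail means downloading it first, as an added example that is not part of these notes: a toy POP3 server and client in Python. The user name, the password, the two constructed messages and the minimal command set (USER, PASS, STAT, LIST, RETR, DELE, QUIT) are assumptions for the illustration; the credential check is a stand-in for a real account store.

```python
"""Simulated POP3 session: the POP server refuses mailbox access until the client has
authenticated, and a keyword search means downloading every message first.
Added example with hypothetical names and constructed mail; not code from the notes."""
import email
import hmac

class MiniPopServer:
    """AUTHORIZATION state accepts only USER/PASS; TRANSACTION state serves the mailbox."""

    def __init__(self, mailboxes, passwords):
        self.mailboxes, self.passwords = mailboxes, passwords
        self.user, self.authenticated, self.deleted = None, False, set()

    def greeting(self):
        return "+OK POP3 server ready"

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            if self.authenticated:          # deletions take effect only at QUIT
                box = self.mailboxes[self.user]
                self.mailboxes[self.user] = [m for i, m in enumerate(box, 1) if i not in self.deleted]
            return "+OK bye"
        if not self.authenticated:
            if verb == "USER":
                self.user = arg
                return "+OK"
            if verb == "PASS":
                expected = self.passwords.get(self.user, "")
                if self.user in self.mailboxes and hmac.compare_digest(expected.encode(), arg.encode()):
                    self.authenticated = True
                    return f"+OK {len(self.mailboxes[self.user])} messages"
                self.user = None
                return "-ERR authentication failed"
            return "-ERR not authenticated"   # everything else is refused in this state
        box = self.mailboxes[self.user]
        if verb == "STAT":
            return f"+OK {len(box)} {sum(len(m) for m in box)}"
        if verb == "LIST":
            return "+OK\r\n" + "".join(f"{i} {len(m)}\r\n" for i, m in enumerate(box, 1)) + "."
        if verb == "RETR":
            n = int(arg)
            if 1 <= n <= len(box) and n not in self.deleted:
                return "+OK\r\n" + box[n - 1] + "."
            return "-ERR no such message"
        if verb == "DELE":
            self.deleted.add(int(arg))
            return "+OK marked for deletion"
        return "-ERR unknown command"

def make_server():
    """Constructed mailbox for one user; the password dict stands in for a real account store."""
    mailboxes = {"registrar": [
        "From: PQR@ABC.COM\r\nSubject: Request for extension of joining\r\n\r\n"
        "Please extend my joining date by two weeks.\r\nXYZ\r\n",
        "From: library@jp1.vsnl.net.in\r\nSubject: Overdue books\r\n\r\n"
        "Two books are overdue; please return them.\r\n",
    ]}
    return MiniPopServer(mailboxes, {"registrar": "correct-horse"})

def pop_search(server, user, password, keyword):
    """Client: authenticate, download each message, search locally.
    Returns (transcript of status lines, list of matching message numbers, or None on login failure)."""
    transcript = [f"S: {server.greeting()}"]

    def cmd(line):
        transcript.append(f"C: {line}")
        reply = server.handle(line)
        transcript.append(f"S: {reply.splitlines()[0]}")   # log the status line only
        return reply

    cmd(f"USER {user}")
    if not cmd(f"PASS {password}").startswith("+OK"):
        cmd("QUIT")
        return transcript, None
    count = int(cmd("STAT").split()[1])
    matches = []
    for n in range(1, count + 1):
        raw = cmd(f"RETR {n}").partition("\r\n")[2][:-1]   # drop "+OK" line and final "."
        msg = email.message_from_string(raw)
        text = (msg["Subject"] or "") + "\n" + msg.get_payload()
        if keyword.lower() in text.lower():
            matches.append(n)
    cmd("QUIT")
    return transcript, matches

if __name__ == "__main__":
    transcript, matches = pop_search(make_server(), "registrar", "correct-horse", "joining")
    print("\n".join(transcript))
    print("Messages mentioning 'joining':", matches)
```

The transcript shows one RETR per message even though only one of them matches, which is exactly the cost IMAP4's server-side search (next section) removes. USER and PASS carry the password in clear text in plain POP3, so in practice the session is run over TLS.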
===*===
3. Internet Message Access Protocol (IMAP)
 IMAP is used for retrieving e-mail messages.
 It was developed at Stanford University (1986).
 The latest version is IMAP4.
 With IMAP4, one can search through e-mail messages for keywords while the
messages are still on the mail server. It is not necessary to download them before
searching.
 IMAP uses SMTP for communication between the e-mail client and the server.
===*===
4. Multipurpose Internet Mail Extension (MIME)
MIME is a protocol used to exchange e-mail messages containing non-textual data such as
graphics, sound and other multimedia files.
First, non-text files (such as a spreadsheet, program file, graphics file or sound file) are
encoded into textual form using MIME; the result can then be sent using SMTP. The recipient
then decodes the MIME-encoded data back into the original non-text file. Most e-mail clients
(e.g., Netscape) automatically encode and decode e-mail messages containing non-text data,
but some e-mail clients require you to encode the data yourself using an encoding utility such
as Info-X-Fer.
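The encode-then-send-then-decode flow just described, as an added example that is not part of these notes, written with Python's standard `email` package: a binary attachment is base64-encoded into a 7-bit ASCII message that SMTP can carry, checked to be free of 8-bit characters, and decoded back on the receiving side. The addresses, the file name and the 512-byte sample are constructed for the illustration. It also measures the roughly one-third size overhead of base64, which is why the e-mail policy advice below asks users to compress attachments, and it strips any directory part from the attachment's file name before it would be used, since that name is supplied by whoever sent the message.

```python
"""MIME round trip: a binary file is base64-encoded into a 7-bit ASCII message that
SMTP can carry, and decoded back by the recipient. Added example with hypothetical
addresses; not code from the notes."""
import base64
import email
import os
from email import policy
from email.message import EmailMessage

# Constructed stand-in for a binary file: every byte value 0..255, twice (512 bytes).
SAMPLE_BINARY = bytes(range(256)) * 2

def build_message(data, filename):
    """Sender side: compose a message with a text body and one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "PQR@ABC.COM"
    msg["To"] = "registrar@jp1.vsnl.net.in"
    msg["Subject"] = "Spreadsheet attached"
    msg.set_content("The requested file is attached.\n")
    # Non-text content is base64-encoded automatically (Content-Transfer-Encoding: base64).
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg

def wire_form(msg):
    """The textual form that SMTP transfers."""
    return msg.as_string()

def is_seven_bit(text):
    """SMTP's original transport assumption: every character fits in 7 bits."""
    return all(ord(ch) < 128 for ch in text)

def base64_overhead(data):
    """Size ratio of the encoded attachment to the original (about 4/3)."""
    return len(base64.b64encode(data)) / len(data)

def safe_filename(name):
    """The attachment name comes from the message, so keep only its base name."""
    base = os.path.basename(name or "")
    return base if base not in ("", ".", "..") else "attachment.bin"

def extract_attachments(text):
    """Recipient side: parse the message and decode each attachment back to bytes.
    Returns a list of (file name, transfer encoding, decoded bytes)."""
    msg = email.message_from_string(text, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            found.append((safe_filename(part.get_filename()),
                          (part["Content-Transfer-Encoding"] or "").lower(),
                          part.get_payload(decode=True)))
    return found

if __name__ == "__main__":
    text = wire_form(build_message(SAMPLE_BINARY, "budget.xls"))
    print(text)
    print("7-bit clean:", is_seven_bit(text))
    print("base64 overhead: %.3f" % base64_overhead(SAMPLE_BINARY))
    for name, cte, data in extract_attachments(text):
        print(name, cte, "round trip ok:", data == SAMPLE_BINARY)
```

Printing the wire form shows the multipart boundary, the `Content-Transfer-Encoding: base64` header and the encoded lines; the raw bytes themselves would fail the 7-bit check, which is the whole reason the encoding step exists.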
===*===

How do you create an E-mail Policy?


An E-mail policy should include all the do's and don'ts concerning the organization's
e-mail system:
1. E-mail Risks: The policy should list e-mail risks to make users aware of the potential
harmful effects of their actions. Advise users that sending an e-mail is like sending a
postcard.
2. Best Practices: This should include e-mail etiquette and writing rules in order to uphold
the good reputation of the organization and to deliver quality customer service. Also
include instructions on compressing attachments to save bandwidth.
3. Personal Usage: The policy should state whether personal e-mails are accepted and, if so,
to what extent. You can set limits on the number of personal e-mails sent each day, or
you could require personal e-mails to be saved in a separate folder. In every case, include
examples and clear measures to be taken when these rules are breached.
4. Wastage of Resources: Warn users that they are making use of the organization's e-mail
system and that they should not engage in non-business activities that unnecessarily tie
up network traffic. The policy must also cover subscriptions to newsletters and
newsgroups.

5. Prohibited Content: The policy should expressly state that the e-mail system is not to be
used for the creation or distribution of any offensive or disruptive messages. Unlawful
messages, such as copyright-infringing e-mails, should also be prohibited. Include
examples and clear measures to be taken when these rules are breached.
6. Document Retention Policy: It is best to create a policy rule that dictates deletion of e-
mails after a certain number of days. It is also a good idea to provide an option to save
certain e-mails in a different folder to avoid deletion. If so, specify which e-mails may be
saved and which must be deleted.
7. Treatment of Confidential Data: This includes rules and guidelines on how employees
should deal with confidential information and trade secrets. Require employees to encrypt
any confidential information that is sent via e-mail and to change passwords regularly. Also
include the measures that will be taken if an employee is found to be sending out
confidential information unlawfully.
8. E-mail Monitoring: If you are going to monitor your employees' e-mails, you must state
this in your e-mail policy. Warn employees that they should have no expectation of privacy
in anything they create, store, send or receive on the organization's computer system and
that the organization may, but is not obliged to, monitor messages without prior notice.
===*===
University E-Mail Policy
 This policy clarifies the applicability of law and of other university policies to
electronic mail.
 The university recognizes that principles of academic freedom and shared
governance, freedom of speech, and privacy of information hold important
implications for electronic mail and electronic mail services.
 This policy reflects these firmly-held principles within the context of the university's
legal and other obligations.
 The university encourages the use of electronic mail and respects the privacy of users.
 It does not routinely inspect, monitor, or disclose electronic mail without the holder's
consent. It does so (i) when required by and consistent with law, or (ii) when there is
substantiated reason to believe that violations of law or of university policies have
taken place.
Purpose of University E-Mail Policy
The purpose of this policy is to assure that:
1. The university community is informed about the applicability of policies and laws
to electronic mail;
2. Electronic mail services are used in compliance with those policies and laws;
3. Users of electronic mail services are informed about how concepts of privacy and
security apply to electronic mail; and
4. Disruptions to university electronic mail and other services and activities are
minimized.

Scope: The University E-Mail Policy applies to:
 All electronic mail systems and services provided or owned by the university; and
 All users, holders, and uses of university e-mail services; and
 All university e-mail records in the possession of university employees or other e-
mail users of electronic mail services provided by the university.
===*===
The conditions under which the use of university e-mail services is encouraged and allowed
are:
 Purpose: Electronic mail services are to be provided by the university's organizational
units in support of the teaching, research, and public service mission of the university,
and the administrative functions that support this mission.
 Users: Users of university electronic mail services are to be limited primarily to
university students, faculty, and staff for purposes that conform to the requirements of
this section.
 Non-competition: University electronic mail services shall not be provided to
individuals or organizations in competition with commercial services outside the
university.
 Restrictions: University electronic mail services may not be used for unlawful
activities, commercial purposes, personal financial gain, etc.
 Representation: Electronic mail users shall not give the impression that they are
representing, giving opinions, or otherwise making statements on behalf of the
university.
 False identity: University e-mail users shall not employ a false identity. E-mails
should not violate any law or any other university policy, and should not unreasonably
interfere with the administrative business of the university.
 Interference: University e-mail services shall not be used for purposes that could
reasonably be expected to cause, directly or indirectly, excessive strain on any
computing facilities, or unwarranted or unsolicited interference with others' use of e-
mail or e-mail systems.
 Personal use: University electronic mail services may be used for incidental personal
purposes provided that, in addition to the foregoing constraints and conditions.
===*===
Security and Confidentiality of University E-mail Services
 The university attempts to provide secure and reliable e-mail services.
 Operators of university electronic mail services are expected to follow sound
professional practices in providing for the security of electronic mail records, data,
application programs, and system programs under their control.
 Operators of e-mail services have no control over the security of e-mail that has been
downloaded to a user's computer. E-mail users should therefore employ whatever
protections (such as passwords) are available to them.

 Users of electronic mail services should be aware that there may be back-up copies
that can be retrieved.
 Systems may be "backed-up" on a routine or occasional basis to protect system
reliability and integrity, and to prevent potential loss of data.
 The back-up process results in the copying of data onto storage media that may be
retained for periods of time and in locations unknown to the originator or recipient of
electronic mail.
 The practice and frequency of backups and the retention of back-up copies of e-mail
vary from system to system.
 Electronic mail users are encouraged to request information on the back-up practices
followed by the operators of university electronic mail services, and such operators
are required to provide such information upon request.
===*===
Campus Responsibilities and Discretion
 The Chancellor/Vice Chancellor shall develop, maintain, and publish specific procedures
and practices that implement this policy and communicate its provisions to campus
users of university electronic mail services.
 The Chancellor/Vice Chancellor shall decide whether to publish students' electronic mail
addresses as directory information.
 The Chancellor/Vice Chancellor shall establish guidelines as to who may use campus
electronic mail services.
 The Chancellor/Vice Chancellor shall establish regulations and procedures on actions to
be taken once an e-mail user's affiliation with the campus is terminated.
 The campus shall establish appropriate notification procedures regarding this policy for
all e-mail users.
 New users shall positively acknowledge receipt and understanding of the policy.
 Policy notification and acknowledgment may be electronic to the extent that the e-
mail user's identity can be assured.
 Violations of university policies governing the use of university electronic mail
services may result in restriction of access to university information technology
resources.
 Disciplinary action, including dismissal, may be applicable under other university
policies, guidelines, implementing procedures, or collective bargaining agreements.
===*===
