Digital Sovereignty or Surrender? Modi Govt's Zoho Shift is a Troubling Step Backwards

The unheralded migration of over 12 lakh Central government email accounts, including those of the Prime Minister's Office (PMO), and other union ministers from the government’s own National Informatics Centre (NIC) system to a platform run by the private, Chennai-headquartered company Zoho, is not a victory for the 'Swadeshi movement' and 'digital sovereignty' as the government claims. A closer look at this transfer of critical national digital infrastructure raises profound questions regardless of the company’s indigenous roots.

A critical examination of this action reveals that it is not a simple tech upgrade but rather a fundamental policy decision that surrenders a core sovereign function to a commercial entity. It implicitly declares the government's own premier technology institution as incapable. From a tech policy research perspective, it is not an achievement of  sovereignty, but looks like a sophisticated form of surrender.

NIC's Capability: Sidelined, Not Strengthened

Since it’s establishment in 1976, ​the NIC has been the technological spine of the Indian government, responsible for maintaining the national portal of India, and everything from foundational infrastructure to the execution of large-scale e-governance projects. It has been the default custodian of India’s digital assets.

Nevertheless, the email system of NIC was reportedly not competent with the modern office suits like Microsoft 365, Google Workspace, or the Zoho Office Suit. The NIC system was falling short on features, usability, and scalability. The logical, self-reliant path, at the golden jubilee year (2026) of NIC, would have been massive and targeted investment in modernising its core email platform and developing an in-house government office suite instead of signing a seven-year contract with a private player. This isn't just a contract; it is a message that the NIC, despite decades of service and its security mandate, was deemed incapable of evolving its own mail service to meet contemporary needs. It's a vote of no confidence that will have lasting repercussions on the morale and strategic importance of the NIC.

Imagine a different path: a national mission to transform the NIC. A massive injection of funds, a mandate to attract top-tier talent, and a directive to build a world-class, secure communication suite for the Indian government, perhaps built upon a transparent, auditable open-source framework. Such a project would have created a genuine sovereign asset – a platform whose code, infrastructure, and future roadmap were entirely under state control. It would have built invaluable institutional capacity for the future.

The Paradox of Banning Open Source

Perhaps the most bewildering justification offered for this migration is the claim from a senior official that Zoho’s suite has been activated to “ensure that government employees do not use open source applications.”  This statement is not merely counterintuitive, it represents a profound misunderstanding of modern digital security.

Globally, governments are moving towards Open Source Software (OSS) for their most critical functions, not away from it. The logic is irrefutable. Proprietary software, like that offered by Zoho, Microsoft, or Google, is a "black box." The user, even a government, cannot see the source code and must blindly trust the vendor's security claims. Open-source software, by contrast, is transparent. Its code is available for anyone to inspect, which allows national security bodies like CERT-In to conduct deep, independent audits to search for vulnerabilities or hidden backdoors.

This is why the French Gendarmerie successfully migrated tens of thousands of computers to a Linux-based operating system and LibreOffice, saving millions and gaining complete control over their digital tools. It's why Brazil has built extensive public-sector systems on open-source foundations. Even within India, states like Kerala have championed Free and Open Source Software (FOSS) for years through projects like IT@School, recognising its power to build local capacity and break free from vendor lock-in.

For the Indian government to now position open source as a security threat and a closed-source proprietary suite as the solution is a deeply regressive step. It substitutes one form of vendor dependency (foreign) for another (domestic), all while rejecting the single most powerful tool for ensuring auditable, transparent security.

Confusing 'Indian' with 'Sovereign'

The government is actively confusing the public by promoting a fundamental logical fallacy: that the simple act of choosing an 'Indian' company is the same as achieving national 'sovereignty'.

Zoho is undoubtedly a national champion and a testament to Indian innovation – but it is a private, for-profit corporation with obligations to its business strategy and stakeholders. On the other hand a state institution like the NIC, whatever its flaws, operates under a single mandate: the national interest.

The complete transfer of the email infrastructure of the Indian government to a private entity fundamentally alters the locus of control. In the digital world, the concept of sovereignty is not about the passport of the vendor, it's about power and control over your own systems. Now, the security of cabinet notes, diplomatic cables, and sensitive policy documents depends not on direct state control, but on the terms of a commercial contract and the security architecture of a private firm, with a black box algorithm!

This critical difference – relying on a corporate promise versus a verifiable guarantee – is not just theoretical. It was laid bare when the founder of Zoho, Sridhar Vembu, was questioned on X about the privacy features of his messaging app, Arattai. On October 10, he said:

“Our entire SAS business is based on the trust that we DO NOT access customer data and we do not use it for selling stuff to them. End-to-end encryption is a technical feature and that is coming. Trust is far far more precious and we are earning that trust daily in the global market. We will continue to fulfil that trust of every user of our product everywhere.”

This "philosophy first, technology second" approach is precisely where the problem lies for critics. In stark contrast, former IAS officer K.B.S. Sidhu's position is that when it comes to sensitive national data, trust cannot be a mere promise; it must be a verifiable, technological guarantee. He rightly frames robust features like end-to-end encryption and independent audits not as future upgrades, but as non-negotiable prerequisites. The conflict reveals a fundamental divide: one side offers trust based on a corporate promise, while the other demands trust based on auditable proof.

On a fun note, in proprietary software, the titles 'Administrator' and 'Security Auditor' are essentially myths. These so-called experts can't change or even audit the hidden code. They don't administer a system; they merely manage the settings given to them by the real administrators: the developers, like Zoho, in this case.

More Slogan Than Strategy

In an almost curated manner, several Union ministers, including the Union home minister, announced their switch to Zoho mail. This drama created an official halo around a single private vendor. This is compounded by the fact that Zoho’s founder Sridhar Vembu was appointed to the National Security Advisory Board in 2021. Though no misconduct is suggested, such close ties between the government's primary communications provider and national security leadership demand full transparency to ensure public confidence.

Why was the NIC considered a lost cause, unworthy of reform and modernisation? On what grounds does the government claim a proprietary black box offers superior security to a transparent, state-owned system? Where is the contract? Where are the independent security audits from CERT-In that we are told to trust?

Without these answers, the grand pronouncements of "Swadeshi innovation" and "digital sovereignty" feel less like a national strategy and more like a cheap marketing slogan. This wasn't a bold step into a self-reliant future. It was a blind leap of faith, and in the process, we may have just handed over the keys to our own digital kingdom.

This deal may be done, but the questions it raises cannot be swept under the rug. This is a defining moment for Digital India, yet it was decided behind closed doors, away from any meaningful public debate. The Indian public and their elected representatives deserve straight answers.

Arun Kumar P.K. is a researcher at the Safar Foundation, Kolkata. He posts on X @akpk_in.

The Wire is now on WhatsApp. Follow our channel for sharp analysis and opinions on the latest developments.