Ethics And Professional Issues For Computing

Published Date: 02 Nov 2017

Cloud Services

Ethics and Professional Issues for Computing

Daniel Attard : 297980(M)

Introduction

A Malta-owned semi-conductor company based in Malta which employs hundreds of employees, and is one of the top exporting companies within the island, is considering making use of Google Storage (Google Cloud Storage, 2012) to store its data, which varies from company documents, project code, both personal data and sensitive personal data of employees including those employed with a sub-contractor offering services within the company. Data stored will also include material suppliers, billing information and the customer details that may have purchased the end product. Together with data storage facility, Google has also offered the use of applications, to name a few the possibilities for the use of their shared calendar, shared docs, Google App Engine (Google Apps, 2012), Google Cloud Print that enables any application (desktop, web and mobile) on any device to print to any printer (Goole Cloud Print, 2012), and Google Mail to be used as an email facility (Google Apps, 2012). As a result the company would be seeking in taking advantage of the benefits of using cloud service that include cost saving, agility and flexibility. Beside this the company would profit from latest technological equipment which would otherwise be outside the budget range if implemented locally. The cloud makes it easy to increase computing performance when needed for particular computer intensive projects and reduced when not needed on project termination. Fear of losing data is no longer an issue if a computer crashes, documents hosted in the cloud will always exist as long as the cloud providers performs regular backups.

Facts

Any serious examination of cloud computing must deal, is the type of data that will be stored on the cloud and who will be affected by the change. Various levels of confidentiality must be taken into consideration; one of the most important is each employee’s sensitive data that include any type of police conduct records that are obtained legitimately from the employee when applying for the job; medical records that are also obtained by the consent of the employee. Salary, bonuses, allowances and benefits may be considered to be personal data together with any other information about an employee, such as next of kin and bank details. One consideration to take into account would be, who would be responsible to check what information tagged as sensitive or personal is being stored, and the training required for being eligible for such a position.

Information regarding suppliers supplying material to the company which can vary from raw material, consumables, office equipment and shop floor machinery. Such information includes tenders and email correspondence. Details of those sub-contracting entities such as canteen contractors, cleaning services contractors and other third party employees involved within the company. Information may vary from winning offers, contract duration and subsidies offered.

Data stored will possibly be company secrets such as project plans, software code, any designs of particular products where research and development has been implemented within the company or which was outsourced from third parties. Contact details of valuable customers or potential clients, easier accessed from any peripheral such as tablets, laptops and smart phone, from anywhere which will only require an internet connection.

An issue to consider is what contingency to apply if the cloud service is un-reachable. During the implementation of this report, Google was affected by a down time of a couple of hours on Wednesday 17th April with a number of Google products affected (iidrn.com, 2013). Thus one has to consider the consequences that a company making use of its service has to face.

In essence necessary precautions must be taken in order to keep all employee confidences when making use of cloud services. Complying with such an obligation can vary, and is dependent of the service being provided, with particular attention to whether the information stored is encrypted, whether the customer [1] will be informed if a third-party asks to access the stored information. In addition, an important aspect is whether the cloud customer will have access to his data in case the Cloud Service Provider (CSP) decides to close down its business for various reasons, such as bankruptcy.

Stakeholders

A stakeholder can be seen as any entity, a group of people or any other organisation that has an interest or concern within the organisation. An important process used by the company is that of stakeholder engagement and involvement, which enables better understanding the perspective and priorities of external entities that are affected by the company activities and to involve them into the decision making processes (Friedman & Miles, 2006).

Employees are a key element in almost every company, employees within the company are spread in different sections and departments such as; marketing department, accounts and finance, purchasing department who’s interest is make the best deals with other entities, information technology (IT) department, human resource (HR) that has the role in safeguarding employee rights, planning department, plant facilities, research and development department, and quality control (QC) department together with other departments involved in the various sections of the production lines. Company doctor and nurses that regularly keep files up-to-date with employee health records.

Apart from those entities mentioned earlier, i.e. suppliers and contractors other entities exist; trade unions who work to oversee that the workers job position is safe. The Cloud Service Provider can be said to be the main stakeholder, that is who will be offering the cloud service, but so is also the Internet Service Provider (ISP) who will benefit from the increase in internet bandwidth because of the demand of higher network traffic. The owners and shareholders of the company, whose interest is to ensure that a profit is being made and that the company stands in its market position. Funders and investors are key stakeholders, in that; in many instances the effort would not be possible without their financial support, their interest being in the increase of the share they have.

The government is also seen to be one of the stakeholders, whose interest is in people employment, where every employee is usually a tax payer and the more employees that are employed in the country the more revenue from taxes and national insurances is made, and not forgetting the fact that the government is also taking his share when it comes to value added tax and duty tax on the hardware and software although some of the taxes paid are refundable for the company, the government may still make good use of it until refunded. Entities like police officers, judges and lawyers whose role is to ensure that laws are not infringed, are considered as stakeholders.

Privacy Regulations

The wide gauge distribution of cloud computing services may elicit a number of data protection threats, primarily a lack of control over private and personal data as well as not enough information by whom, when and how the data is being managed. Privacy in the United States (US) is dispersed among various different sectors specific laws (Sarathy & Robertson, 2003). The approach concerning the European Union (EU) is different when concerning legislation, as it favours the participation among businesses and governments as opposed by the US self-regulation approach (Movius & Krup, 2009) (Ruiter & Warnier, 2011). The Data protection Directive which was implemented in October 1995 (EU Directive, 1995), main purpose was to complement the privacy laws that existed in the different member states of the EU and to provide a common standard on privacy protection (EU Directive, 1995) (Birnhack, 2008) (Ruiter & Warnier, 2011). Article 29, Working Party of the opinion on Cloud computing examines the issues associated with "the sharing of resources with other parties and the lack of transparency of an outsourcing chain consisting of multiple processors and subcontractors, the unavailability of a common global data portability framework and uncertainty with regard to the admissibility of the transfer of personal data to cloud providers established outside of the European Economic Area (EEA)" (Directive 95/46/EC of the European Parliament, 2012). Directive 95/46/EC addresses personal data, where personal data is defined as any information relating to an identified or identifiable person that can be identified either directly or indirectly particularly by reference of an identification number such as national insurance number or identity card number or any other factors such as economic or cultural identity (EU Directive, 1995). Article 29 also states that owners of the data must be informed who processes their data and the purpose for what, so that the owners will be able to exercise the privileges afforded to them (Directive 95/46/EC of the European Parliament, 2012).

Directive 95/46/EC was emended with the determination of safeguarding the privacy of the EU inhabitants and to integrate dissimilar privacy legislation of EU member states. Several ways exist in complying with this directive, and European based organisations should follow its principals (Ruiter & Warnier, 2011). Organisations outside the EU may opt to use the so called Safe Harbor Agreement which is a streamlined process for US organisations to comply with Directive 95/46/EC.

From a European point of view, US views privacy rights quite differently than the EU, they think of privacy in different ways. The US does not provide adequate privacy protection, preventing transfers of data between the countries. This problem was addressed by the EU commission and the US department of commerce where they negotiated the Safe Harbor agreement (Fromholz, 2000) (Bull, 2001).

Privacy Policy

Privacy policy is a legal document or a report that discloses some or all of the ways a party acquires, makes use of and manages customer’s data, which can be anything that can be used to identify a person. Google’s privacy policy states that Google may collect information about users from the services they offer, on how they are used by individuals (Google Policies & Principles, 2012). Logs about how the service provided was used, telephone logs such as duration and the other party number. The Internet Protocol (IP) address is also mentioned, with which a country and Internet Service Provider (ISP) can be easily identified (Google Policies & Principles, 2012). One issue that an employee might point out would be that Google will know everything of what the individual is doing, how long he has been doing it and track his movements.

Privacy Issues for Cloud Service Providers

The physical location of an organisation’s Cloud Computing enterprise is an important characteristic. Usually a CSP hosts an organisation’s Cloud Computing entity in a remote location, rather than where the organisation is registered (Jaeger, Lin, Grimes, & Simmons., 2009). As most CSP’s offer the ability to dynamically reconfigure computing resources on the client’s demand, and in cases where a CSP fails to provide this demand, the CSP may be forced to outsource organisational data to a different CSP (Ruiter & Warnier, 2011). In doing this the chances are in the increase probability of breaching the related privacy issues stated earlier in this report.

As an example one might consider, is that some laws apply to a specific area, such as the Health Insurance Portability and Accountability Act (HIPAA) for the health sector. When companies store health related information regarding their employees, means that the company might have to comply with HIPAA even though if they are not operating in that market (Health Information Privacy, n.d.).

Legal Compliance

Neither CSP’s services nor their use may violate laws, morals, social values or ethics and this is guaranteed by the concept of compliance. Laws applicable to renting or lending also apply for cloud computing services, where the geographical location of the CSP and where their repositories reside is significant in determining which of the laws apply to the data stored. As identified earlier, data stored is usually replicated on different servers around the world either temporarily or permanently and therefore might be subject to different privacy laws.

Data Protection

Any entity processing personal data must comply with data protection principles, that maybe in some cases legally enforceable. It is important that all principles are satisfied and conforming with one or more does not exempt the entity from complying with the rest.

When it comes to data protection cloud services pose numerous data protection risks for both parties. There may exists possibilities that a customer finds it difficult to effectively check if the provider is handled with compliance to law procedures (ENISA, 2013).

Data Protection Act

The data protection act as amended by the Maltese law which was brought into force on the 15th of July 2003, states that "To make provision for the protection of individuals against the violation of their privacy by the processing of personal data and for matters connected therewith or ancillary thereto" (Data Protection Act, 2003). The act was introduced in order to render the Maltese law compatible with Directive 95/46/EC mentioned above, even though Malta was still not a member of the EU (Privireal, 2005).

The applicability of this act as stated in Part II are intended for the processing of personal data, either as a whole or as a part, by computerised means where such personal data forms part of any structured set of personal data which is accessible according to some particular conditions, whether distributed on a functional or geographical basis or whether centralised or decentralised (Data Protection Act, 2003).

When it comes to sensitive personal data, as denoted in Part III, articles 12 & 13, sensitive personal data can be processed only if the person to whom the personal data relates has given the consent or has made the data available to public and the appropriate precautions are adopted when processing such sensitive information (Data Protection Act, 2003). According to article 25 as denoted in Part VI, personal data may only be processed by specific entities in accordance with instructions from a controller, unless an entity is obliged to do so by law (Data Protection Act, 2003). It is also essential that personal data is accurate and up-to-date while at the same time it is not kept for longer than it is necessary.

As addressed earlier in above a CSP may store or transfer data to another country rather the country registered in. Article 27 in Part VI denotes that the third country to which the data is transferred must guarantee an adequate level of protection, and it is the Commissioners [2] role to decide whether the mentioned country ensures an adequate level of protection (Data Protection Act, 2003).

Terms of Service

Terms of service (TOS) are rules that an entity must agree to abide with, in order to make use of a service. TOS agreements are mostly used for legal purposes by service providers that store user’s personal information.

Service Level Agreements

A service level agreement (SLA) is an agreement between a service provider and a consumer level related service (quality of service). Such an agreement can be reached by both parties signing a formal and legally binding contract and better referred as an operation level agreement (OLA). The SLA denotes a reciprocal agreement with respect to security, responsibilities, guarantees and priorities with the addition of metrics such as response times and availability of the service with minimum downtime as possible (Baun, Nimis, & Tai, 2001).

Google Cloud platform Terms of Service

The signing of an agreement with another party means that all TOS have been agreed upon. It is important that any entity agreeing to a condition must adhere to it else various consequences can be faced. In this section a number of conditions related to Google Cloud will be identified.

Condition 2.6 "Modifications" Google states that "Google may make commercially reasonable Updates to the Services from time to time. If Google makes a material change to the Services, Google will inform Customer, provided that Customer has subscribed with Google to be informed about such change" (Google, 2012). One must consider the fact that if the implemented change or changes were large, how would employees deal with it, complaints may arise especially with data entry personnel with lower than standard computer literacy, finding it difficult to stick to the changes implemented by the CSP to continue with their usual routine and being able to produce the same amount of work.

Although conditions 16 and 17 state that if a customer is paying for a service, he may select where his data is permanently stored either in the US or in the EU, but conditions 16.2 and 17.2 "Transient Storage" Google brings the fact that "data may be stored transiently or cached in any country in which Google or its agents maintain facilities before reaching permanent storage" (Google Cloud Storage TOS, 2012). These conditions do not point out for how long the data takes to reach a permanent storage or if the user is notified if his data is not stored in a permanent place. A stakeholder might come out with a question like; is information related to me stored in a safe place?

Ethical Issues

Ethics can be defined as the rules of conduct in human action (Dictionary.com, 2013), while computer ethics are a set of moral principles that control the use of computers (TechTerms.com, 2013). New technologies may often bring new technical glitches, and new ethical challenges. The chances are that external threats evolve much faster than the safeguards against them, and this because of the rapid evolution in communication technologies (Trope & Ray, 2010).

The degree by which cloud computing affects human rights depends on the range of services the providers offer. Although the underlying idea of cloud computing dates back the early 1950’s (Strachey, 1959) recent technologies, high speed networks and larger data storage facilities have aided a shift from traditional computing methods to the use of cloud computing, where more businesses are making use of cloud services. Numerous issues of ethics can arise from the expansion of cloud computing, with its growth starting to dominate some aspects of the internet.  One significant concern that needs to be evaluated, is that cloud computing makes it possible for companies or individuals to access other people's information and personal details, without that person essentially knowing that their information is being accessed.

Ethical Theory

In a consequentialist approach one has to take into consideration how the consequences of an action will affect all the involved parties. According to consequentialism [3] , the right thing do is to promote what is good, thus a morally right action can be assumed to be an action which produces good consequences (Lillehammer, 2011) (Sinnott-Armstrong, 2012).

One type of consequentialism is utilitarianism [4] , which can either be act utilitarianism known also as act consequentialism. Focusing on concerns and considering as many people as possible when attempting to take a decision, can be seen to be the asset of utilitarian ethics. In circumstances of developing principles for cloud computing, utilitarian analysis entails us to consider all affected parties (K.W. Miller, 2010). In an article Miller writes that "Utilitarian’s would want a standards body with a broad range of stakeholders. They would discourage any attempts at packing a standards body to gain an unfair advantage for any one company or small group of stakeholders to the detriment of the majority of stakeholders" (K.W. Miller, 2010). Another consequentialist approach to consider is rule utilitarianism also defined as rule consequentialism, in that it differs from the former, where it clenches that the rightness of an act does not depend on the goodness of its consequences, but on whether or not it is in accordance with some definite rules, that have been designated for its good consequences (Portmore, 2013).

Considering a utilitarian approach would attain to an ethical dilemma taking into account all stakeholders in a particular situation as well as the alternative action and its consequences. One dilemma that one might consider is the issue of privacy and portability. Taking a particular situation that almost all employees will be making use of the cloud to store work related information, they might be happy that they can get access to such information easier from almost anywhere (i.e. portability). But they might not be aware or not consider the fact that even their personal information mentioned earlier will be stored in the cloud and all the possible consequences related to privacy and security.

The advantage of using a consequential approach is that an individual can estimate equivalent results and use a point classification to ascertain which choice is more favourable for the most individuals (Rainbow, 2002). However future prediction when using such an approach can be a weakness point, which may lead to unpredicted results (Rainbow, 2002). The effects of a decision taken might have a virtually indefinite sequence of other consequences in the future (Frost, 2004).

Making use of Cloud Services

As with almost everything there could be both advantages and disadvantages, and this does not exclude the use of cloud services. below are some of the benefits and drawbacks when coming to the use of cloud services.

Benefits

If used properly and to the extent required, making use of cloud services can vastly benefit almost all type of businesses.

Costs – No need to have expensive and latest hardware on the market, less power consumption and minimize the costs for software licences.

Storage – Almost unlimited storage, storage space can be bought as per the required needs (pay for what you use)

Backup and Recovery – No more backups needed on external media, while recovery is easier as several versions of document history is effortlessly accessible.

Portability – Once connected to a network, availability to cloud services is easy from everywhere.

Updates – Immediate access to updates is available and there is no need to deploy on all computers in the premises.

Area – Gain space, as there will be more room available if computer hardware are hosted somewhere else.

Drawbacks

The drawbacks that might arise with the use of cloud services are listed below;

Security – One major issue of using cloud services is that of security issues, as mentioned earlier personal and sensitive data will be possibly available to third-parties.

Availability – One issue that cannot be controlled is the availability of the service, as the cloud service has to make use of another party that is the internet service provider, if this provider fails to provide service for different reasons, access to the cloud might be difficult. Another issue might be that the CSP itself fails to offer the service because of unexpected downtime.

Return of information – There might be the case in future requirements to shift from one CSP to another, and this will result in having to shift all the information, sometimes not possible to just transfer information as procedures and standards might be different. Besides this, additional training would be required for the employees so to get used to the possibly different features of the new applications offered by the new CSP.

Updates – As it is the CSP that decides to perform updates it might be the case that the customer will dislike and prefer how it was before.

Consequences and Side-Effects

When considering a large number of stakeholders it is more difficult to satisfy every individual, there will always be someone that will criticise the decision taken.

The mostly affected sources of the decision taken will be those supplying computer hardware and the software vendors as they might see a drop in sales and maintenance agreements. The IT department would be one of the most affected departments, facing a reduction in responsibilities, which include hardware maintenance, server backups and software installations, which means a possible reduction in head count. One problem that may arise might be that certain support will not be available onsite when needed by internal employees spread into the various departments.

Purchasing employees would also face a small decrease in their responsibilities when it comes in dealing with various vendors regarding IT infrastructure to obtain good and fair deals on the items. The HR department might be affected as personal data of employees will not only be stored locally on the servers or on standalone computers, but will be spread in various locations around the globe.

On the other hand those stakeholders that will benefit most from the decision taken are those that are benefiting more from the profits made by the company. Although the case might be that those entities may not like the fact that information considered as private related to the company is stored on the cloud. Another consideration to evaluate is that of information that can be retrieved easily from almost every portable device such as smart-phones, , if these peripherals are stolen or lost those gaining possession of them might have access to company information, if no necessary precautions have been taken to secure the device.

Finally bearing in mind the fact that most users who make use of a computer for their daily work do not actually care where to store work related information and what programs they make use of as long as it produces the expected results, but if they are aware of how cloud services manipulate information they might not like the fact that information related to them can be exposed to third-parties, which can be legally be disclosed if required by law as specified in Act 7.3 of Google agreement (Google Apps, 2012).

One possible issue to consider is what actions would be taken on individuals and maybe the company itself if an employee is being investigated for storing illegal content on the cloud, which can vary from racism related material to pornographic material. After all, Cloud Services is not that private; some years back Eric Schmidt Google CEO said "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place" (HuffPost, 2013) (Register, 2013).

Evaluation

Making a stakeholder happy with a decision does not mean that others will be happy with such a decision. When considering businesses seeking to make use of Cloud Services it is important to take into consideration all the facts and the stakeholders involved. If one evaluates the case that a company seeking to reduce IT costs, there will be some factors that require more attention such as what to store and where to store, especially private and personal information of other parties involved. As Cloud services is a way of delivering computing resources and not a technology per se, reduction of costs in certain areas is somewhat difficult.

While considering a consequentialist approach, and assuming that the majority of the stakeholders involved are happy with making use of Cloud Services, it is important not to forget that certain laws and rules may apply, which if underestimated and making the majority happy now with a decision can be detrimental in future. As stakeholder privacy is one of the major concerns, one most not only consider an act consequentialist approach but also a rule consequentialist one, as at the end of the day it is the latter that takes as a whole that morally correct actions convey good consequences for all those involved.

Conclusion

From my point of view, the demand for Cloud Services has increased in the last couple of years, and more individuals and companies are pursuing a way to make use of it. When it comes to make use of such a service I still don’t want to risk to store personal information but I won’t mind storing other information that is useful for me but makes no sense to others gaining access to such information. When it comes to cloud applications such as word-processing or spreadsheet I find them useful especially considering the fact they are free and that for minor use they are quite powerful. When considering to store information related to others I do not like it, as on the same issue I won’t be happy if someone else stores information about me, especially now after evaluating the various policies and conditions that apply to Cloud Services which I never taught of.