The Malta Based And Malta Owned Company

Published Date: 02 Nov 2017

Introduction

The transition from a desktop to server software environment to then software as a service, also known as Cloud computing, is one of the most hyped and discussed inventions in today’s era. Cloud computing, is probably the hallmark and the biggest achievement in the history of computing in the last 20 years. Cloud computing is a collection of the computing services which are delivered as a service over the Internet, resulting with less software needed on the desktop computer. This increasingly allows one to use any computer to access their documents, e-mails, calendar, and pictures more easily because all of these are stored online and hence, can be securely accessed from any computer with an internet connection. Nowadays, vast amounts of data need to be constantly processed and it has become a necessity for companies to be able to access its data from everywhere and at anytime. The costs in providing such capabilities are substantial and once the company has invested in them, these must be fully utilized. If, for any instance, the investment is underutilized the company will not see a return on investment, hence, this will make it an inefficient investment. Cloud computing solves this underutilization and cost issues as it eases the burden on companies which do not want to invest in their IT infrastructure but still want to have a complete IT system by providing a complete email system together with calendar, document sharing and storage capabilities. Cloud computing also reduces the administration costs of having an IT department where an administrator or a number of administrators are employed. Cloud computing is centrally managed by the cloud provider which will take complete responsibility in managing your data, backups, applications, upgrades and security measures needed to keep your data safe and online. The general and essential characteristics which define Cloud computing are the following:

On Demand, customer controlled server that provides processing and storage as needed and automatic.

A broad availability of network access from any type of client.

Computing resources that are shared to serve all clients with different needs and different demands.

Computing capabilities that can be rapidly deployed and provisioned allowing the customer to use these capabilities according to his current needs.

A number of services which can be monitored and controlled by the end client using this service.

Using the scenario provided above, it will be assumed that the firm is an IT services company which has a successful track record and a diverse portfolio of clients ranging from financial companies to manufacturing ones. There are several facts which are identified about the company, these can be subdivided into several sub parts, mainly facts about the company itself and those which pertain to its environment. The first fact is that, the company operates in Malta therefore, it must conform to Malta’s and the European Union laws including the Data Protection ACT (Chapter 440) [1] . Another fact about the company in this scenario is that, the company is planning to upload and keep the business secrets which it holds, and the proprietary code which it has and designed over the past years on the cloud. It is assumed that the company operates in an IT services environment therefore; it must be highly competitive in order to continue to operate. By competitive, from a customer point of view, a company must give value for money, timeliness response to customer requests and confidentiality. One important fact which is derived from this statement is that the company stores personal and sensitive personal data about its clientele and which must be protected at all times. Apart from client’s data, the company also stores data about its employees and its financial transactions which also must be safeguarded. Another fact which directly affects the company is that the cloud provider namely Google, has also offered the use of its email and calendar services not just file storage. This fact does a lot of difference upon the company’s decision, as this might affect the company’s day-to-day operation of how it does the business.

The decision on whether to go on the cloud or not will affect a myriad number of persons which directly or indirectly, interact with the company’s business. The identified stakeholders in this scenario start from the top management, which includes the board of directors and CEO, which will have a final say on the outcome of the decision process. These have the right to expect employees to comply with the organization policies which will be made into force. The information and feasibility study will be provided by the Chief Ethical Officer. The Chief Ethical Officer is expected to produce good quality reports and a good feasibility study which, should reflect the current market practices and must be in line with the company’s strategy and vision. Apart from this he/she must discuss what other managers think and get feedback, this would help when drafting the guidelines. The departmental managers will be responsible that all the policies are respected by their employees and moreover that the policies which will be drafted leave a positive impact on their department. By positive impact, it is meant that a better work practise is made into force. One should not forget also the employees, which make up most of the company’s workforce. Employees are always affected by the company’s decision and they play an important role in the company’s business. They are expected to comply with the organizational policies which are put in place, and they also have the right to be treated fairly in their jobs and be properly compensated for their efforts. The other stakeholders are clients, competitors and partners. Clients are affected by the decision and vision which is adopted by the company. They have the right to get what they paid for and they expect a value for money service, therefore, they should always be respected because they are the business itself. Partners and creditors have the right to expect competent management and accurate reporting. Although competitors are working to take some share of your business one must not forget to play fair and be competitive by using good practises and avoid fraudulent ways to achieve a better market share.

Apart from working in an ethical way, respecting clients, employees, competitors and partners, the company must also adhere to laws which are enacted by the state where it operates. Failure to do so may lead to a tainted reputation which will automatically result in loss in business and possible police proceedings against the company. In this particular situation one must particularly abide to the Data Protection Law. In Chapter 440 in the Maltese Law the following is stated: "To make provision for the protection of individuals against the violation of their privacy by the processing of personal data and for matters connected therewith or ancillary thereto." This law aims to protect the individual’s personal information from being distributed against their explicit consent. Specifically it defines how and which data can be distributed.

For this company’s scenario, which is considering moving to Cloud computing, there are several parts in the Data Protection Act which are pertinent for safeguarding the company’s and clients’ interests. These are listed below:

"All reasonable measures are taken to complete, correct, block or erase data to the extent that such data is incomplete or incorrect, having regard to the purposes for which they are processed" [2] .

"Personal data may not be processed for purposes concerning direct marketing, if the data subject gives notice to the controller of personal data that he opposes such processing" [3] .

The following law is particularly important as it defines the right of access which the end user/client has: "The controller of personal data at the request of the data subject shall provide to the data subject without excessive delay an without expense, written information as to whether personal data concerning the data subject is processed: provided that a request by the data subject under this sub article shall only be made by the data subject at reasonable intervals." [4] .

Law 12 is of particular importance as it states that sensitive personal data cannot be processed without the explicit user consent. This will be pushed towards the policy where users will be prohibited to give their consent, as this may leak some unintended information about them.

The final two laws which are also pertinent to the scenario of Cloud computing are Law 26 which defines the security measures relating to processing and Law 27 which defines the transfer of data to a third country.

Although Cloud computing is both a technical and social world, it is still an emerging technology. It is not yet known for what it will be used in the near future and what its social, ethical, or legal consequences will be. At the same time, one should not wait until something happens because innovative products, especially in technology, should be adopted at their early stages due to the competitive edge they can provide.

Identifying ethical issues beforehand will save the time, money and effort, which would need to be spent later on in overcoming unseen problems. In a Cloud computing environment, several ethical issues have been identified. These are the following, which are explained further in the following pages:

Control and responsibility of the data.

Problem of many hands handling the data & diminished ability to locate faults.

Accountability to actions.

No control of network defences & no control on knowledge of data breaches.

Ownership & monopoly of data.

Control and responsibility of the data

Cloud computing leverages the costs and burden of having a complete infrastructure. This helps in reducing the costs, making the company more profitable and also enjoying the peace of mind that the cloud service provider has a Service Level Agreement (SLA) which it has to adhere to and is contractually obliged to meet. Any information that used to be stored physically on the local computer now is being stored on the cloud, thus the IT department/user does not have direct control on this data. The loss of control of the data becomes an issue when problems occur, such as data corruption, infrastructure failure or unavailability. Although one thinks that these problems never happen one should analyse the outages which Google suffered over the past years. For instance, on February 2009, Google’s email service, which at that time had over 100 million customers, suffered a complete world-wide shut down, limiting access to Gmail accounts for over two hours. On March 2009, Google’s email service went down again for an undisclosed number of users. Similar shutdowns of Gmail occurred in August 2008 and May 2009. The latest outage which started on the 11th April 2013 was reported by NBC news. At the time of writing this guideline it was reported that Gmail, Google Docs and Google Drive users are having trouble accessing their accounts and retrieving their data [5] . Data which is temporarily unavailable can easily be an issue for the company and can have serious consequences for the client, due to urgent work which cannot be executed because of the unavailability of the data. Apart from unavailability of data, another issue might occur as with what happened to Google Docs in March 2009 [6] , when a glitch allowed unauthorized shared access to certain documents stored online with Google Docs. This can also be a very serious issue, imagine a competitor getting hold of the company client list, this could result in clients being offered a more attractive package than what the company is currently offering.

Problem of many hands handling the data & diminished ability to locate faults

When a company runs its own network, their IT administration staffs tends to develop troubleshooting skills which provide the ability to locate and solve problems in a timely manner. Going to the Cloud, might involve an extra level of troubleshooting. Sometimes one cannot simply identify the root of problem resulting in a longer period to solve the problem itself resulting in more time lost to troubleshoot the issues. In the case of using Google Cloud, another potential is present; responsibilities are divided between the Cloud provider which is Google and the company itself. This leads to more problems when issues on the network occur. This may lead to the problem of many hands handling data in order to locate the problem, which result in data breaches and analysing confidential data. For example, when someone reports that he is having a problem with a document and a support ticket is opened with Google, the technical agent from Google might need to open the document itself to check if he can access it. If the problem is of a more serious nature, this might be escalated to Level 2 support or Level 3, each of them might need to access the document. Inadvertently each of the technical support will access the confidential data without the user consent.

Accountability to actions

The data, especially personal and sensitive data, which is going to be stored on the Cloud, should be properly managed. Accountability should be setup where the company can be provided with monthly reports on how data is accessed and who accessed this data. Such responsibility is being handed over to the cloud provider, as it is assumed that it is the cloud provider’s responsibility to control and be accountable to whom the data is presented. Apart from disclosing of data, if a problem happens with the system, the cloud provider should be accountable for any loss of data which might happen. Unfortunately Google doesn’t guarantee this. According to Google Terms of Service 14.3 C& D [7] 

"14.3 IN PARTICULAR, GOOGLE, ITS SUBSIDIARIES AND AFFILIATES, AND ITS LICENSORS DO NOT REPRESENT OR WARRANT TO YOU THAT:

(C) ANY INFORMATION OBTAINED BY YOU AS A RESULT OF YOUR USE OF THE SERVICES WILL BE ACCURATE OR RELIABLE, AND

(D) THAT DEFECTS IN THE OPERATION OR FUNCTIONALITY OF ANY SOFTWARE PROVIDED TO YOU AS PART OF THE SERVICES WILL BE CORRECTED."

This in fact discourages that any personal data and sensitive personal data should be stored on the Google Cloud services because Google won’t be accountable to any faults on their system.

No control of network defences & no control on knowledge of data breaches

When a company sets up its internal network, it can control and it is generally aware of the possible breaches which can take place. Nowadays, companies can perform a scan monitor and resolve security issues such as possible breaches or possible attacks. Such systems are already available such as Intrusion Prevention Systems (IPS) which monitor the company network for possible attacks, mitigate and resolve any open caveats. Unfortunately, cloud providers do not usually provide information on how data is protected or how a network is monitored. Apart from this, no one really knows the security standards which they adopt. Google’s terms of use doesn’t comment on these issues and its privacy policy offers no particular information into what Google really does:

"We work hard to protect Google and our users from unauthorized access to or unauthorized alteration, disclosure or destruction of information we hold. In particular:

We encrypt many of our services using SSL.

We offer you two step verification when you access your Google Account, and a Safe Browsing feature in Google Chrome.

We review our information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to systems.

We restrict access to personal information to Google employees, contractors and agents who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations." [8] 

Apart from not disclosing how Google is protecting its network it also does not provide any information related to breaches or possible ones. If the cloud provider is located in a country that has not yet enacted a law, in case of a breach the provider is not bound to disclose the entity and the complete list of files affected by the breach. In the case of the company in the scenario, this could be a critical situation because the passwords of the clients are accessed by hackers and the company is not aware of it. If the company would be aware of such breaches it could attempt to change the passwords in order to minimize the risks of breaches into their client systems.

Ownership and Monopoly of Data

Placing client confidential data on the cloud means moving a copy of such data outside the company on a network and storage which is not maintained by the company, but is controlled and maintained by the third party and potentially multiple third parties. With such setup, data sanitization becomes a problem. By data sanitization we expect that the data is cleaned and no traces are found on the storage or temporary storage which the cloud provider uses. For example, in Google Terms of Service there is no mention on data sanitization or any measures which Google takes in order to completely destroy any confidential data. The confidential data which is placed on the cloud and consequently, removed by the client’s request. By placing such data on the cloud several issues arise:

Termination of contract from client side: If the company decides to stop the contract with Google, will Google destroy the data from its servers and storage? Unfortunately, Google does not provide any information on what happens to the data. Therefore, it might be the case that Google keeps that data making it their property.

Termination of contract from Google side: As written in Google’s terms and conditions below, Google does not warrant that the provisioning of service is guaranteed and it is nowhere mentioned that upon termination of the contract disk and storage sanitization will be done. This leads to the risk that the client’s data and personal and sensitive data can still be accessed as it has not been deleted from the cloud provider storage.

"Google may also stop providing Services to you, or add or create new limits to our Services at any time.

We believe that you own your data and preserving your access to such data is important. If we discontinue a Service, where reasonably possible, we will give you reasonable advance notice and a chance to get information out of that Service. " [9] 

Failure of cloud’s storage Media: It has become a general practice that hardware equipment comes with a 3 year warranty. This implies that upon failure of OEM hardware the client must ship back the hardware in order to be replaced under warranty. In our case when hardware failures occur, does the cloud provider send back the faulty equipment to the manufacturer? If so, it is highly unlikely that an effort is made in order to completely eradicate the data which is written on the hardware, especially on hard drives. This can become an issue if the faulty equipment is then refurbished and sourced back to another client. It might be the case that the client can extract the original data which is unknowingly contained in the hardware, thus leaking any personal information or confidential data which is stored within the refurbished drive.

Retirement of servers: Because of today’s advancement it has become customary that servers are retired upon reaching a pre-defined lifetime. In this case will the cloud provider erase all the data which is contained on it before placing the retired equipment on the market? Unfortunately, this can be a serious issue as personal data and confidential data can be easily accessed if the data has not been properly sanitized.

Identifying the facts is only the preliminary stage in preventing ethical issues from occurring or trying to mitigate them. The facts are fed in ethical theories, which are the foundation of ethical analysis, as they provide a guide to make a decision on the ethical issues identified. One may find a number of theories, each of them emphasize and highlight different reasoning aspects, such as predicting the outcome if one approach is used. [1] For the given scenario, Rule Consequentialism is thought to be best suited. Rule Consequentialism branches out from the general Consequentialism which is the class of normative ethical theories. Rule Consequentialism states that the consequences of one’s action are the basis for the decision to be taken and if it is right to do or not and the more good consequences an act produces, the better is the act. Thus from a Consequentialist approach, an ethical act is one that will produce a positive consequence. Rule Consequentialism defines that an act is ethically correct not only on the goodness of the consequences but on whether or not it is in accordance with the defined rules which has been selected for its good consequences. [2] Professor Douglas W. Portmore defines Rule Consequentialism in two possible ways:

"The Compliance Formulation: An Act is morally permissible if and only if it allowed by the code of rules, which if generally complied with, would produce the most good.

The Internalization Formulation: An act is morally permissible if and only it is allowed but the code of rules whose internalization by the vast majority would produce the most good. " [3]

Using the Rule Consequentialism coupled up with the known facts and with the stakeholders, several guidelines for using Cloud computing services namely Gmail, Google Docs, Google storage are drafted in the policy below:

The use of Cloud computing services are only authorized in accordance of the guidelines defined below. The guidelines are drafted in order to be compliant with current laws specifically privacy ones.

Control of Data

In order to control the data which is placed on the cloud, users are requested to consult the type of documents which are allowed on the cloud and those which are not allowed to be placed on the cloud. Such document types which should not be placed on the cloud are documents which contain client and employee personal information. Users are also asked not to place any documents which are directly related to clients, proposals or current projects on Google Drive. In order to facilitate this process, as per company’s policy every client will have a reference number associated with it. The list which contains the reference number with the client is stored on the local server. Therefore, before uploading the document, the employee must remove any details which relate to the client information and enter the reference number.

It is advised that documents are compiled using the word processor which is installed on every PC. Only documents related to procedures, internal tasks, job sheets and jobs done should be written using Google Doc. In accordance to this policy, users are also requested to use reference numbers in order to identify clients and it is not allowed to write an email including the names of the client whatsoever. Apart from this, the company reserves the right, to access, block and delete information from email accounts. The users are suggested to archive and keep a local copy of the emails which reside in their inbox. The users will be allocated drive storage on the main server where the archive can be stored so that it is backed up.

Employees are not allowed to keep any source code on the cloud. A special internal infrastructure is implemented in order to provide storage, and change control. Users are not encouraged to store their personal information on the cloud such as personal emails, pictures and other digital material. The company does not warrant that this information will be secure and in the case of data leakage the company assumes no responsibility to delete, or fix any issues which may arise within.

The consequence of such a move is that many files will be cluttered, or worse employees will see this as a difficult step and will not adhere to the company policy therefore, will not filter the documents prior to uploading them. They will not appreciate the fact that this is going to be done for the sake of securing the business but will see it as a burden added on to their work practises. Referencing a client by a serial number would be the most effective way to not provide any information in the case of data leak, however, if the document where the mapping is done gets leaked, this procedure will be compromised. The best solution is that this document is accessed only by a limited number of persons in order to control the information spread.

Problem of many hands

Users must report any problems arising from the use of Gmail, Google Drive and Google Docs directly to the CIO or company’s technical support in order resolve any technical issues. Users are not allowed to open any support tickets directly to Google, the CIO/Technical team will open and escalate the problem to Google. This will solve the problem of the users inadvertently contacting support where the problem might be coming from their computer and will solve the problem of having support from accessing documents without the need. On the other hand the consequence of adopting such a measure would be that users will lack the motivation of contacting the CIO/Technical support, reporting their problems, resulting in more damage to occur on their data/computers.

Accountability to actions

Every employee is accountable to his actions. Although control can be set in order to prevent any information leak, users still can put sensitive information on the cloud. Employees therefore, are informed that all emails and all documents may be checked from the internal technical department in order to assess the type and the data which is placed on the cloud. Employees are also advised that they are not allowed to subscribe to any additional services which might be offered by the cloud provider without an approval from the CIO or technical department. This is also applicable to any offers and users are not allowed to give their consent to any agreements which come with these services.

The consequence of such measure might de-motivate and make the user uncomfortable and not trusted. However, one should note that the employees should be informed why such measures are important for the company and for themselves.

The company is committed to keep sensitive information secure and prevent any information leak. In order to provide reassurance, the company’s management team will reach a confidentially agreement with the cloud service provider, where the latter provides a monthly reporting mechanisms and the assurance that the data is not migrated to other servers without the consent of the management. Also, the cloud provider must provide a signed agreement that the data which is uploaded from the company will not be used, reproduced or spread upon termination of contract if the company decides to stop the hosting contract.

Such agreement may not be available from the cloud service provider. In this case, a risk analysis should be made in order to analyze the possible consequences if a breach happens.

Conclusion

In order for the policy to be effective, it must be reviewed at predefined intervals. As previously mentioned, being aware that the ethical issues which are present in cloud computing are still being discovered one has to re-visit and constantly stay updated with all the policies which are written in order to comply with the current situation and with the current issues which are present in the system. Using a Consequentialist approach in the company in order to address these ethical issues might be the best approach, due to the rule of nature this theory has. However, the Consequentialism theory has both practical and moral problems. The main problem which presents itself while using cloud computing is, that it may be almost impossible to predict certain consequences following the act which is placed upon the respective issue. It is also very difficult to measure and compare the goodness of a consequence, for example, limiting users to what they upload on Google Drive may result in users ending up utilizing local storage where nothing is backed up just for the sake of being lazy instead of screening what is "good" for the cloud and what is not. Another difficulty which one faces is that that it is hard to measure and compare the goodness of the consequences, for instance, how bad is a consequence? Or how will that consequence affect the company in the near future?

In all cases and all theories the best solution would be that all the records which are going to be hosted on the cloud are identified. An agreement with the cloud provider is reached in order to asses any liabilities and warranties of such service.