Roadmap about migration of public services into the cloudA step by step roadmap for Public Authorities to help them as they plan, determine effort and budget, select the appropriate services, make the required internal organisational changes and finally execute the migration into cloud.
The popularity of the “smart city” is growing as a route to city management. A key issue is that city municipalities operate in a legal context – they are data controllers for a good deal of citizen focused data, much of which is sensitive, personal and highly regulated. Minicipalities are also are trusted bodies, and citizens expect that their approach to data collection, retention, storage and sharing is in line with these responsibilities.
New technologies, particularly where they are being created by private sector businesses, look to build on the advantages of innovation, often ahead of the ethical framework. Cloud computing for example is a technical and social reality, and also an emerging technology which is rapidly expanding. When moving from traditional servers to a cloud paradigm, the technological foundations change as well as the implication regarding Ethical issues. For this, early recognition of ethical and related issues is essential. Timmermans, J et al, (2010) three areas of ethical concern are raised:
- The shifting of control from technology users to the third parties
- The storage of data in multiple physical locations
- The interconnection of multiple services
Through the identification of ethical issues arising from these new functionalities, it is possible to inform and raise awareness to vendors, users or system designers of ethical questions, in order for them to be proactive in assessing their role in specific implementations and uses. The main challenges from an ethical point of view are:
Control: Cloud computing entails the outsourcing of Information Communication Technologies (ICT) tasks to third party service providers (Haeberlen, 2010; Kandukuri and Rakshit, 2009). As such, information that once used to be stored in local premises is now stored in the cloud. Users therefore place data on machines that are not directly controllable and therefore renounce control these resources and data. As mentioned by Paquette (2010) risks associated with this change of control in cloud computing mainly rely in data corruption, infrastructure or system architecture failure or unavailability/outing and unauthorized access by third-parties. Ethical problems arise in times of disaster or simply if something goes wrong. In fact, it is hard to distinguish the entity that has originated the problem, to the point that, as mentioned by Haeberlen (2010), it is almost impossible to hold someone accountable and responsible for a problem in a dispute, when lacking strong supporting evidence. In addition, the de-parameterisation1 shadows the border of organizations IT infrastructure and consequently disguises their accountability.
Responsibility: Since responsibilities are divided between customer and provider of the service, neither is in position to address emerging problems (Haeberlen, 2010). In cloud computing a service delivered to a user depends on another system that also depends on other systems. A cloud service to the end-users may use service-oriented architecture (SOA) where functionalities aggregate services into larger applications. Once again, ethical problems arise in times of disaster or simply if something goes wrong. By having a highly multifaceted structure of cloud services, it is most certainly difficult to determine who is responsible in case of an undesirable event. This lead to a severe ethical problem called the “Problems of many hands”, that dictates that in a complex chain of systems where people a share in an action that leads to undesirable consequences, many people have also had the opportunity to prevent these consequences, and therefore no-one can be held responsible (Pieters and van Cleeff, 2009).
Accountability: Accountability is a concept with many different dimensions, but in its core meaning, accountability refers to the existence of a relationship whereby one entity has the ability to call upon another entity and demand an explanation and/or justification for its conduct (Alhadeff et al, 2012). In a de-parameterised world the border of an organization accountability blurs and becomes less evident. Personal data stored in the cloud should be managed accordingly, as not doing so would not be ethical by all persons involved in that process. Users of cloud should be empowered by being able to check whether the cloud is performing the agreed the provision of accountability transparency and clear allocation of responsibility, as when recorded, these elements can be used to decide who is responsible whenever a problem occurs or dispute arises. In 2010, the Article 29 Data Protection Working Party issued an Opinion on the principle of accountability in which it elaborated upon the possibility of including a general provision on accountability in the revised Data Protection Directive.
Ownership: The storing of data in different location premises also raises the question of who owns the data a user stores in the cloud. By doing so, the IT admins, engineers, and troubleshooting agents of a provider of cloud services all have access to this information (Murley, 2009). Moreover, the cloud also generates data itself for different purposes, such as providing accountability, improving services provided, or security performance or security. Digital interactions and tracks are thus being gathered together through unique identifiers and algorithms, which leaves a trail of personal information. There is an ethical duty to not access this information with harmful intent or reckless behaviour, either by providers or third-parties such as hackers (fraudulent use), or it may be accessed and used in ways that individuals did not envisioned. Also, information stored with a third party can be of easy access to Government agencies and private litigants more easily than from the original owner or creator of the content. This causes a severe ethical issue has to whether it righteous or not to do so, even by Public Authorities figures. Ownership problems also incur in situations related with infringements on copyrights, since access to massive computing storage, cloud services might facilitate sharing copyrighted material (Nelson, 2009).
Lock-in: According to Nelson (2009), if only a limited number of companies are able to achieve a dominant position in the market for cloud services due to economies of scale, this might lead to abuse user needs. Users would become dependent on certain cloud service providers, be it infrastructural or intermediaries. Several ethical risks might exist from these unwanted dependencies on cloud service providers and vendor lock-ins. With little emphasis on interfaces that guarantee data and service portability users may face difficulties migrating from one provider to another or to migrate their data and services back to an in-house IT environment. Similarly, if a service provider ends its operation in the market, not along the data privacy that will be mentioned at a later stage, the possibility to migrate data must be possible. Ethically, such concerns are of vital importance and must be tackled in order to introduce independence from a particular cloud providers and vice versa.
Legal: Providers also need to take into account the laws a specific country follows in terms of data privacy. It is ethically correct to respect customers’ laws and companies should might store data in jurisdictions that may not respect the rights of their users and customers. Favourable privacy laws represent important challenges that need to be faced ethically.
Privacy: As stated above, many companies providing cloud services collect data, much of it consists of sensitive personal information, which is then stored in data centres in countries around the world. Whenever ethical issues arise concerning information about persons they are typically cast in terms of privacy (Stahl, et al, 2010). Privacy aims to constrain access to certain types of personal data and prevent persons to acquire and use information about other persons. Consumers need to trust their cloud provider that certain personal information will not be exposed, as according to their terms that have been previously accepted by the users.
A THREE STEPS ETHICS STRATEGY
A recommended ethical issues strategy is based on the following three tasks:
- Proactivity: It is urgent that all parties involved in cloud computing are proactive, in order to anticipate unforeseeable consequences. Players shoul never use uncertainty to refrain from designing and providing services that invite moral sound use and inhibit undesirable or controversial actions. It is thus recommended as ethical for Cloud providers to have a Terms and Conditions available and for users to know Terms and Conditions of providers.
- Regulations and policies: All technology should be subject to regulation arrangements at least just enough to have innovation leading towards the benefit of society and not enough to have it limit innovation. In any case, regulations can have ethics integrated into technological development and use. It is vital that governance arrangements are more conducive to the inclusion of ethics, including regulations for private companies, which are usually much less subject to ethics-related oversight and more towards profit generation. Such regulations will adapt as cloud computing evolves, similar to what happened with labour law year ago. In the latter case, it is important to remember the core definition of corporate responsibility and follow policies defined by the European Union, such as the ISO26000.
- Responsible Research and Innovation: Responsible Research and Innovation (RRI) has a particular importance since it can be defined as an inclusive approach to Research & Innovation (R&I), aiming at better aligning both the process and outcomes of R&I with the values, needs, and expectations of the society, notably through reinforcing public engagement, open access, gender dimension, ethical issues, and (formal and informal science) education.