If Aristotle, Bentham or Kant were alive today, they would probably study the manner in which human beings deal with the vast amounts of data currently collected, stored and managed via the cloud. Each would likely promote a different perspective in relation to the best way of dealing with data ethics. Herschel and Miori conducted such an exercise and effectively analysed the ethics pertaining to data according to selected perspectives, including Virtue Ethics, Deontological Ethics and Utilitarianism (Herschel and Miori 2017). They highlight how, from a Kantian perspective, the lack of consent for the collection and use of data would be a clear violation of autonomy, and contrary to Kant’s understanding of human beings always as ends in themselves, never as means. They also argue that, from a Utilitarian perspective, the analysis of the ethics of data would be very difficult to perform. They assert that it would be particularly difficult to calculate in a unitary way all the pros and cons of the use of data, and of the ultimate beneficiaries of data usage. In relation to the perspective of Virtue Ethics, this task does not seem to be any easier, given that a Virtue Ethics-based ethical analysis would need to consider how a virtuous person could make the best possible use of data while becoming the best version of themselves.
It would seem that the task of a comprehensive ethical analysis using prominent ethical approaches is particularly difficult, to the point that “data ethics” is now constituting itself as a new branch of applied ethics (Floridi and Taddeo 2016), which is developing its own language and tools, highly correlated with the ethics of algorithms (Mittelstadt et al. 2016). The analysis conducted in this growing—but still very young—field can be applied, mutatis mutandis, to the ethics of data in cloud computing. However, the contributions examined in this section make use of a more legalistic framework, strongly influenced by abundant studies in relation to data ownership, and data safety and privacy. As a result, this section offers an overview of these areas related to the ethics of data in cloud computing, which, in the future, will need to incorporate more explicit ethical considerations.
6.3.1.1 Data Ownership
When an individual or a business uses a cloud computing-based platform, it may be asked: “who owns the data?” Can this data be considered as private property, or does the mere fact of using a cloud computing platform mean that this data may automatically belong to another party?
The majority of individual and corporate consumers outsource data storage to cloud services, whereby users can use the flexibility and scalability of the cloud without purchasing standalone software or hardware. These are owned and maintained by various service providers whose overall remit is to store and share the data of a multitude of users. However, these service providers do not provide a uniform service. Further, cloud computing services typically traverse national borders, operating in a global context. This global and international cloud computing environment presents difficulties for regulating in such a context. In practice, national laws and regulations may not always align seamlessly into the international domain. As a result, it is becoming apparent that current legal provisions, which are largely pertinent to national jurisdictions, may not appropriately regulate for the cloud (Bartolini et al. 2018). As a consequence, the relevance of ethics is increasingly debated in relation to a potentially essential role regarding the ‘outsourced’ and international exchange of data in the cloud.
Indeed, the ownership of data and the respect of the right of this particular kind of property is essentially linked with the respect of the fundamental dignity of the human person. The European Data Protection Supervisor (EDPS), an independent institution of the European Union, clearly affirms that human dignity is at the heart of digital ethics: ‘the dignity of the human person is not only a fundamental right in itself but also is a foundation for subsequent freedoms and rights, including the rights to privacy and to the protection of personal data’ (European Data Protection Supervisor 2015, p. 12). This authority specifically refers to cloud computing as one of the technologies that needs to carefully address the protection of data stored in cloud based systems, especially in an age when people are requested to upload their data from many and different instances in order to access even services related to basic needs. The EDPS also states that human dignity and ethics can be protected only in so far as the following four pillars are established: current regulation should be future-oriented; accountability of those in charge of checking compliance with internal policies and general regulation should be enhanced by codes of conduct, corporate rules and audits; the computer engineering system should be respectful of human dignity, structurally taking into account issues related to privacy; final users need to be empowered (Sect. 6.3.3 will address this last point more in-depth).
It is intended that these pillars should be applied to cloud computing, especially because issues pertaining to data ownership in the cloud environment may not be clearcut (Al-Khouri 2012; Grimes et al. 2009). Indeed, ownership of data is dependent on the nature of the data owned and where and/or how it was created. Some data is created by the user before uploading to the cloud while other data may be created on the cloud platform (e.g. statistical data). The service provider’s terms of services can vary and may grant ownership of such data to the provider or to the public domain i.e. the mere uploading of content to the cloud may erode the user’s ownership entitlements to the data (Al-Khouri 2012).
In addition, the arrangement and structuring of data on the cloud may be dominated by the service provider rather than the user and this manipulation of the data, e.g. generating and running algorithms while optimising data or generating statistical analysis, can have implications in relation to ownership. Ultimately, it is difficult to determine who actually owns this optimized data as any data on a cloud platform is likely to have complicated ownership (Cavoukian 2008).
6.3.1.2 Data Security and Privacy
Data security in the context of cloud computing refers to securing data from unauthorised access and is largely a technical issue which providers must implement and maintain (Zissis and Lekkas 2012). Firdhous et al. (2012) discuss the importance of the security issue in specific relation to cloud computing. The complex interconnection of multiple services by a series of different providers for ever increasing numbers of users generates a myriad of issues in relation to the security of users’ data. In reality, the strength of the cloud correlates with the security strength, or otherwise, of its weakest actor and a breach or an unauthorised access may effectively impact all users (Ali et al. 2015).
Data security may be regarded as an ethical issue because of the responsibility of those in charge of data collection, storage and usage towards the multi-stakeholder environment involved in the cloud environment. The concept of responsibility has a strong ethical connotation when it needs to go beyond what is prescribed by existing laws, leaving to the willingness of individuals and companies the duty to respect the rights of the owners of the data. Each of the abovementioned ethical theories would agree with the suggestion that data security concurs to the good of society (when data is not related to illegal or unethical issues). This is evidenced more widely in the context of regulation, where various legislative provisions pertaining to data issues in the complex cloud environment have been readily introduced. This highlights that it is relatively more straightforward in some instances to identify a shared legal minimum requirement with regard to data security.
Ethical issues related to data security, when data is not collected, stored and managed by the same entity, are particularly significant. Within the overall cloud context, data security is effectively outsourced to service providers. Security measures adopted are dependent on the delivery models e.g. for SaaS models (i.e. Software-as-a-Service), users depend entirely on service providers to prevent multiple users viewing each other’s data, while in PaaS models (i.e. Platform-as-a-Service), providers may assign some security elements to those charged with building applications on top of the platform (Subashini and Kavitha 2011). Reed et al. (2011) highlight six areas of focus in relation to the lifecycle of data in the cloud, ‘Create’, ‘Store’, ‘Use’, ‘Share’, ‘Archive’ and ‘Destroy’, and assert that data security measures must be implemented at all stages. The importance of security measures in relation to ‘data remanence’, the ‘residual physical representation of the data after it has been deleted’, is also detailed (Kumar et al. 2018, p. 693).
In addition, consumers expect providers to facilitate key data properties: ‘integrity’, ‘confidentiality’, and ‘availability’ (Izang et al. 2017; Kumar et al. 2018; Sun et al. 2014; Tanenbaum and van Steen 2016; Zissis and Lekkas 2012). Integrity of data assumes a confidence that the data has not been manipulated or deleted by unauthorised actors; confidentiality assumes data has not been revealed to unauthorised parties and availability assumes the data is intact and that users can use or recover it as needed. The maintenance of these three properties requires service providers to carefully monitor access and authorisation in respect of all cloud components and may also require linkages to or some supervisory element of third party mechanisms, along with some ongoing verification of the integrity of the data (Bowers et al. 2009; Schiffman et al. 2010). Effective management of all three properties can help to increase overall trust in the system (see below Sect. 6.3.2.1).
The integrity, confidentiality and availability of data are also an essential component of the perception of data security from the point of view of the users of cloud computing services; this perception is what is characterized as data privacy.
Early concerns regarding privacy issues linked to storing and sharing content online have been somewhat sidelined as the usability and convenience of such systems have proved very attractive in the marketplace (Constantine 2012). However, notwithstanding the wider debate in relation to the moral justification of a right to privacy, the privacy debate in the context of technological innovations is topical (Constantine 2012; Nissenbaum 2009, 2011; Timmermans et al. 2010; van den Hoven 2008).
Privacy is ‘the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively’ (Sun et al. 2014, p. 6). In many societies, legislation and regulation require compliance such that personally identifiable information is appropriately managed (e.g. European Commission 2018; US Government 1986). In turn, data privacy is concerned with the proper handling of data and issues such as consent, notice and compliance with legislation and regulations are dominant (The Centre for Information Policy Leadership 2018). Service providers are thereby challenged with operating services which afford privacy, comply with legal requirements and also balance usability (Stark and Tierney 2014).
In relation to the cloud specifically, Whitworth and de Moor (2003) highlighted conflicts between data privacy and usability at an earlier point. While many of these have subsequently been addressed (Pearson et al. 2009), Stark and Tierney (2014) contend that data in the cloud is ‘still too mobile, too “promiscuous” and too often subject to inappropriate use or abuse’ (Stark and Tierney 2014, p. 6). They acknowledge that in today’s technological society, user autonomy and empowerment must be maximized, but argue that the “safety” of data should not be compromised and highlight mechanisms such as encryption which are widely used to foster privacy within information flows. They also assert that providers must work to ensure data is “live” only when the user is “live” on the network: they stress that the “liveness” of data online, linked to the ‘input of the live user, ties decisions about stored online data to an individual’ (2014, p. 6). Stark and Tierney (2014) also detail cases where service providers track user information and use this for their own benefit and that of third parties, without the explicit permission or knowledge of users, highlighting that service providers may readily access user data and may also release such data to external agencies.
However, recent governmental policy decisions incorporate focus on such matters e.g. the UK Government’s Data Ethics Framework ‘sets out clear principles for how data should be used…It will help [organisations] maximise the value of data whilst also setting the highest standards for transparency and accountability when building or buying new data technology’ (The Centre for Information Policy Leadership 2018, p. 19). This framework for data ethics is in line with the fact that ‘the principle that personal data should be processed only in ways compatible with the specific purpose(s) for which they were collected is essential to respecting individuals’ legitimate expectations’ (European Data Protection Supervisor 2015, p. 10), thus confirming the idea that regulation should be ethically aware and informed, so that a human-centric use of data would be the only viable possibility.