Challenges of Cloud Computing: Selected Qualitative Narrative Review and Ethical Analysis Studies

Introduction

Any theoretical framework for ethics is concerned with what is “good” and what is “right.” There are three leading schools of ethics (Murphy & Rocchi, 2021). Aristotle considered the way human beings live in order to achieve a life worth living. The focus is on habits that human beings can develop when making effort towards realization of their good, which Aristotle called Virtues. The second, Utilitarianism, results from Jeremy Bentham and John Stuart Mill, and the third is Deontological, as established by Immanuel Kant (Reynolds, 2019). Utilitarianism seeks the greatest good for the greatest number of people. This focuses on the consequences of human action, up to the point where undesirable actions can be considered “right” if they can finally achieve desirable outcomes. Utilitarianism has inspired many theoretical constructs in economics and law thus having an impact on economic and social life.

Cloud computing is currently prevalent in computer applications and computer science among both the commercial mainstream players and even among private computer users. It is viewed as innovative technology in the computer industry. It is soon expected to affect most aspects of computing. One main issue is privacy. Users store personal data in clouds. The users have no control over who accesses the data and under which usage rights. This can impact intellectual property as content can be spread among different jurisdictions leading to unanswered ethical and legal questions.

Methodology

A narrative review of 16 current publications on the ethics of cloud computing selected out of a total of 11,929 results from the ProQuest database was performed. The study highlighted three main developments in cloud computing that lend themselves to an ethical analysis: the shifting of control from users to third parties, data storage in multiple locations, and the interconnection of multiple information technology (IT) services.

This leads to two questions:

1. Is it ethical to engage in cloud computing data sharing and data storage among the providers and users of cloud services?

2. Are there examples in the discipline of the ethics of cloud computing that provide innovative suggestions on how to grapple with the ethical dilemma of cloud computing?

This study is organized into five sections starting with introduction to ethical inquiry and ending with conclusions that ethics is an integral component to orient cloud computing towards societal good.

Cloud Computing Background

Cloud computing is a reality today but also still an emerging technology. Recognition of ethical issues involved in technology can aid user acceptance for cloud computing. To define the context of ethical issues, a brief background to the historical origin, and the feature of the technology is covered to expose how and where the relevant ethical issues arise. The pioneers of the conception of cloud computing started in the 1960s with ARPANET and then the idea that future computing would be managed as a public utility like water or electricity (Timmermans, et al., 2010). There were many phases, such as grid and utility computing, application service provision (ASP) and software as a service (SaaS). Cloud computing moves computing and data away from desktop and portable PCs (laptops and tablets) into large data centers. Applications are delivered as a service over the internet to and from the actual cloud infrastructure. Users can access files, data, programs, and other services from a web browser via the Internet. These services are hosted by cloud service providers. A cost-effective way for an enterprise is to have scalable IT-enabled ranges of services (for example computational power, storage, and business applications) from the cloud rather than from on-premises equipment. Various cloud computing delivery formats are available from vendors. There are, for example, private cloud computing, and hybrid approaches. Familiar cloud applications include Gmail, Google Docs, X (formerly Twitter), and Facebook. Some industry leaders that offer cloud services are Google, Amazon, Microsoft, Sun, and IBM. Many software companies offer their software only via the cloud. Iconic cloud applications are webmail (e.g., Gmail) and medical practice and patient information systems including some government agencies’ information systems.

The various features of cloud computing need to be clarified. The White House in the U.S. encourages government agencies to use cloud services. Yet some other governments consider it unsuitable. A quote from a Dutch government official illustrates this disparity. “… And then there is cloud computing: Cooperating and sharing information through the internet … it is unfit for private or confidential information and not suitable for official business, for local or national government” (Timmermans, et al., 2010). The defining features of cloud computing that may raise ethical questions are as follows: resource/storage virtualization, scalability and elasticity, efficiency of resource sharing, usage optimization, ease of usage, fast information sharing and delivery and control, accessibility, and anonymity. The key features of cloud computing are captured by this quote: “Cloud computing uses internet technologies to offer scalable and elastic services that can be metered by use and are more cost effective partially due to multi-tenancy efficiency benefits. Data is stored device and location independent making storage potentially more dependable and secure. Moreover, maintenance and security are outsourced to service providers increasing their efficiency and effectively through specialization and centralization” (Timmermans, et al., 2010).

Ethical Analysis of Cloud Computing

There are three main developments that are relevant in an ethical analysis: the shifting of control from users to third parties in the outsourcing and offshoring functionality to the cloud, data storage in multiple locations worldwide using many servers owned and administered by many different organizations, and the interconnection of multiple services, at different levels of functionality and different providers to produce a service to an end-user. The possible ethical issues are discussed under several concepts.

Control. Any information that would have been stored locally is stored in the cloud. Users have no control over computation and data. Unauthorized access, data corruption, infrastructure failure or unavailability are among the risks associated with the loss of direct control. It is nearly impossible to pin down which party is responsible if something goes wrong. There are no boundaries between systems and no security parameters. Accountability among organizations involved becomes unclear. It is difficult to ascribe consequences of actions to a single user or organization.

Problem of many hands. The problem of many hands involves a complex chain of events and systems where many involved may have a share in an action that results in undesirable consequences. As a result, no one in particular can be held responsible. Cloud computing uses a service-oriented architecture (SOA) where functionality consists of services which are combined to serve end users. The complex combination of cloud services can make it difficult to determine “who did what” in case something undesirable happens.

Self-determination. Information self-determination involves the right to exercise personal control over collection, use, and disclosure of personal data by others. Cloud service providers need to be open and accountable about their data management practices. This may require informed consent from individuals and providing credible access mechanisms.

Accountability. Users of the cloud should be able to check whether the cloud is performing as agreed. To practice accountability, recorded evidence is required. This raises a dilemma of tension between accountability and privacy.

Ownership. Free software advocates call cloud computing a “trap” that will take control and freedom away from users and force them into unnecessary dependency (Grimes et al., 2009). Cloud processes, besides data stored by users, generate metadata to improve accountability, to improve the services provided, and for other reasons like tracking performance or security. This personal information trail may be exploited and abused. Thus, there is little oversight on how such data in databases in the cloud may be accessed and used. It is also possible that information stored in the cloud has weaker privacy protection. Government agents and private litigants may be able to obtain information from the cloud more easily than from the owner or creator of the content. Increased cloud computing power may also make it easier for copyrighted material to be shared over the Internet in infringement of copyright.

Function creep. Data collected for a certain purpose may be used for a different purpose. Sensitive biometric data that is designed for a persons’ authentication system may end up being deemed as appropriate for use in a criminal investigation. This can become a danger of breaching the privacy of personal identification information (PII).

Monopoly and lock-in. Power centralization in cloud computing has led to only a handful of cloud service providers (Grimes et al., 2009). Autonomy of the users may be at stake. Concerns about monopolies must be considered. The other danger is user lock-in. Risks of unwanted dependency on cloud services may be increased by vendor lock-ins. “There is little on offer in the way of tools, procedures, or standard data formats, or service interfaces that could guarantee data, applications, and service portability” (Timmermans, et al., 2010). This can lead to the “Hotel California syndrome” where you check in but can never leave. This makes it hard for users to migrate to another provider or to revert to in-house IT. This introduces a dependency on a particular service provider.

Privacy. Data is stored in data centers in different countries around the world. How do these countries that house data centers address privacy? Consumers need to trust their cloud service providers so that certain personal information will not be exposed. Different service providers may have different data privacy policies. The consumer cannot be sure which services they are dealing with. A hosted application of one company can be built on a development framework of another. Thus, it will not always be clear what the user can expect from service providers in the cloud concerning privacy.

Privacy across cultural borders. In contrast to Western orientation, Eastern countries’ culture gives privacy partly a negative connotation (Capurro, 2005, 2014). They emphasize the concept of community. This is also true for African cultures. It is hoped that cloud computing may provide the infrastructure to communicate across cultural borders.

Cultural imperialism and dealing with diversity. The large corporations dominating cloud computing mainly come from the West, predominantly the U.S. “By mainly implementing Western values one-sidedly into cloud applications frameworks and its regulations, cloud computing may lead to increasing cultural homogenization, suppressing local cultures” (Timmermans, et al., 2010). As the web through cloud computing is going global, dealing with diversity ethically becomes urgent.

Ethics of Data in Cloud Computing

From the Kantian perspective, the lack of consent for the collection and use of data would be a clear violation of autonomy and contrary to Kant’s understanding of human beings as ends on themselves, never as means. From a Utilitarian perspective it would be difficult to calculate all the pros and cons of the uses of data. In relation to the Aristotle Virtue Ethics perspective, you would have to analyze and consider how a virtuous person could make the best possible use of data while becoming the best version of themselves (Murphy & Rocchi, 2021). Data ethics is now constituting itself as a new branch of applied ethics (Floridi & Taddeo, 2016) with tools related to the ethics of algorithms.

Data Ownership

Who owns the data? Many individual and corporate consumers outsource data storage to cloud services, whereby users can use the flexibility, and scalability of the cloud without purchasing standard software or hardware. Cloud service providers have the privilege to store and share the data of a multitude of users. The services provided are not uniform, and further, cloud services operate in a global context traversing national borders. Current legal provisions which are pertinent to national jurisdictions may not appropriately regulate cloud computing (Bartolini et al., 2018). Ownership of data is linked with respect for the fundamental dignity of the human person. This concerns the right to privacy and to the protection of personal data (Murphy & Rocchi, 2021). The European Data Protection Supervisor (EDPS) specifies four basic needs to protect human dignity and ethics: current regulations should be future oriented, accountability of those checking compliance should be enhanced by codes of conduct, corporate rules, and audits, and the computer engineering system should be respectful of human dignity, taking into account issues related to privacy. In addition, users need to be empowered. Typically, cloud service providers dominate the manipulation of the data generating and running the algorithm by optimizing data or statistical analysis. This involves service technology where cloud-based computing relies on the use of system-level and custom software agents to perform runtime monitoring to ensure elastic scaling and pay-for-use billing (Mahmood & Puttini, 2021, p. 111). All this can have implications in relation to data ownership. It is difficult to determine who owns any data on a cloud platform. Any data on a cloud platform is likely to have complicated ownership (Murphy & Rocchi, 2021).

Data Security and Privacy

Data security involves securing data from unauthorized access. This is a technical issue executed by cloud providers. In the internetworked cloud scenario, the strength depends on the weakest actor as a breach may impact all users. Ethical issues arise concerning the responsibility of the cloud service providers to secure data for multitudes of users. Security measures depend on the delivery model e.g., software as a Service (SaaS), platform as a service (PaaS) which involves building applications on top of the platform. The data processes involve: Create, Store, Use, Share, Archive, and Destroy. The residual physical representation of data remains after it has been “deleted.” In addition, providers are expected to provide these properties: Integrity- not manipulated or deleted without authorization, Confidentiality- not revealed to unauthorized parties, and Availability- intact, can be used or recovered if needed. Effective management of integrity, confidentiality, and availability can increase trust in the cloud system. Privacy is the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively (Sun et al., 2014). Data in the cloud is viewed as too mobile, too promiscuous, and too often subject to inappropriate use or abuse (Murphy & Rocchi, 2021). It is desirable that cloud service providers should work to ensure that data is “live” only when the user is “live” on the network.

The Ethics of Providers of Cloud Computing Services

Different stakeholders in cloud computing have different vested interests in cloud computing. They consequently encounter various kinds of ethical issues. Cloud computing service providers provide virtual hardware, software, infrastructure, and other related services. A cloud user needs to surrender control of the data they input in the system on the basis that users can trust the system. Trust is therefore essential. A code of ethics which needs to be enforced beyond country borders is necessary.

Codes of Ethics for Cloud Computing: Promoting Trust

Cloud computing is a fast-changing emerging technology. It is difficult to update standards through certifications, audits, and renewed contractual clauses and corporate rules to build robust trust. Then again, there is a feeling that too many regulations in the industry will shackle progress. This then requires robust ethics to keep pace with the developments in the sector. The International Federation for Information Processing (IFIP), consisting of more than 50 global ICT groups, asserts that enhanced ethics in cloud computing would result in improved products and services, improved workplace behaviors, and improved overall quality. One way is to build a culture of trust and introduce codes of ethics specific to cloud computing (Kouatli, 2016). Codes of ethics, together with codes of conduct which provide guidelines to individual behavior, are both desirable (Whitehouse et al., 2016). Codes of conduct may be viewed as influenced by Deontological Ethics which focuses on imperatives that are constant in time. The codes also focus on balancing stakeholders’ concerns, and in so doing have some utilitarianism components. They also illustrate Thomas Hobbes, espousal of contracts (Reynolds, 2017). Codes have the potential of straddling across national borders, across different jurisdictions and cultural norms. These codes need to be flexible but specific enough to be actionable. Finally, in regard to codes of conduct, they are viewed as necessary but not sufficient in a changing organizational culture (Webley & Werner, 2008).

Green and Sustainable Cloud Computing

This concerns societal interest in protecting the environment. The term “green” has also been linked to a new term “greenwashing.” Greenwashing refers to marketing cloud computing as environmentally friendly, when no substantial effort has been made to make it so. Greenwashing to its extreme extents to attempts to make something that is environmentally damaging appear to be environmentally friendly. It is suggested that new technology like cloud computing provides opportunities to reduce energy costs and combat global warming (Scott & Watson, 2012). The belief is that energy/resources consumption by centralized data storage is less than half that required by traditional decentralized systems. However, large cloud data centers require about the same amount of energy as the aviation industry. This is a “dark” side to cloud computing. While most climate change activists are currently focused on limiting emissions from other sectors, such as the auto, aviation, and energy sectors, the cloud computing industry may be on track to generate more carbon emissions than all these other sectors combined. This requires paying more attention to the “green” issue as cloud computing develops further (Mahan, 2023).

Concentration of Power and Oligopolies in the Cloud Computing Industry

Cloud computing has accelerated the pace of the global world. However, the concentration of cloud computers in the hands of a small number of providers is akin to an “oligopolistic” market. One issue of such markets is the power of setting prices (Timmermans, et al., 2010). Reports are that more than 38% of data centers were in the U.S. in 2019. Amazon, Microsoft, Google, Alibaba, and Oracle are the most dominant companies. These companies have strategies of information about consumers which provides them with a competitive advantage. Ethical issues in such arena regard the (un)fair treatment of the weaker party (Murphy & Rocchi, 2021). Cloud providers can establish terms and conditions that violate the rights of users who are forced to accept them to access the service. This concentration of power is never to the satisfaction of the majority (Utilitarianism) nor to the respect of established rules (Deontological Ethics) (Murphy & Rocchi, 2021). This dominance also leads to cultural homogenization (Timmermans, et al., 2010). Cloud computing needs to deal with global cultural diversity in an ethical manner. It appears as if western cultural perspectives will dominate into the future.

The Ethics of Cloud Computing Users

Users are the main stakeholders but at the same time, the most vulnerable. These consumers also produce content; usually called prosumers (Murphy & Rocchi, 2021). Users need epistemic virtue and must act in a knowledgeable way (De Bruin et al., 2017). Users need to be intellectually impartial, sober, and courageous. Intellectual sobriety means users “resist the overly enthusiastic adoption of beliefs about either the pros or cons of cloud computing” (Murphy & Rocchi, 2021).

Conclusions

The ethical issues of cloud computing are related to three categories: data, providers, and users. With reference to data, the issues identified and discussed deal with ownership, security, and privacy. It is suggested to do more investigation on the relevance of a Socratic notion of responsibility that is dialogic and that transcends the Anglo-American culture concept of responsibility that is rooted in a role-based duty. This will allow all stakeholders to see people and consider them as people and not as sets of data. With reference to ethical issues related to providers: codes of ethics, green and sustainable cloud computing, and concentration of power were examined. These ethical issues are similar to governance issues in other sectors. As regards the ethical issues concerning users, individual empowerment, and epistemic virtue (capacity and desire for knowledge and truth about cloud computing) were explored. Further research is desirable in the ethical analysis of cloud computing using, for example, Aristotelian ethics to expound further on questions of human beings. This paper indicates that ethics is an integral component to orient cloud computing towards societal good into the future.