Journal Entry #3

Four ethical issues that arise when storing electronic information are confidentiality, integrity, ownership, and accountability. These issues have been around for decades. They were even brought to life in the 1995 film The Net (Winkler, 1995). In this story, many people have their identities reconfigured online by an unknown group of assailants. This leads to many life-altering and life-threatening situations for the characters, including one who took his own life because his medical records had been compromised and altered, though he was unaware this was the case. This seemed far-fetched back then. Now, it is all too possible, and indeed probable. These issues are especially important to grasp in this new world of cloud storage.

There is an inherent human sense that any personally identifiable information (PII) entered into a website will be forever safe from prying eyes. Many, if not most, people would like to think that the companies that own the sites have in mind the confidentiality of the information entered therein. The customer must realize that those companies might not share those ideals or have the ability to uphold those standards. This is especially true given that, to save money, the website owner is probably subscribing to public cloud storage. In such a setup, the original PII is ultimately held by a third-party vendor who stores it offsite from the company (Kamara and Lauter, 2010). This arrangement might work well for the company, but it opens the door to many concerns for the customer.

There is an understanding that the data will be kept secure from cyber breaches, but there is no true knowledge of who has access to the vendor’s storage. The vendor certainly has more than one or two employees who themselves require access to the cloud storage for numerous reasons. It should be understood that probably no one outside of the vendor knows who those employees are or what their current and future state of mind is. The vendor might not even know. This means that, given the simple fact that cloud storage needs maintenance, there are people who have access to PII stored in the cloud. This by itself might negate confidentiality.

When there is an issue with the confidentiality of information, an issue with the integrity of data can shortly follow. If someone has access to data, that person can make changes. This statement assumes that the person who has access knows how to make changes to that material. As shown in The Net (Winkler, 1995), this type of attack has been evident for many decades, and it is very effective at disrupting anyone whose PII has been affected. One might say that cloud storage personnel have assigned roles that prevent the kind of access necessary to make changes. It stands to reason that some personnel have roles that authorize the requisite access to make changes. The human element is intrinsic to the cloud, and as long as this is the case, there will always be a concern that the integrity of personal information is at stake.

The overriding issues of cloud storage are ownership and accountability. If a customer enters personal information into a company’s website, does that truly mean that the customer no longer owns this information? Companies might claim that they own the data due to the “terms and conditions” that the customer had to agree to. These terms and conditions and privacy statements authorize companies to use the material in any way conceivable. These provisions allow companies to openly use cloud storage without the authorization of the customer to whom the PII is attached. When the company subscribes to public cloud storage, that issue is compounded. Now, the third-party vendor who owns the cloud storage can claim ownership of the data based on the contractual agreement between the company and the vendor. This allows the vendor to use, however they see fit under the agreement, the PII that was originally owned only by the person that it identified. So, what happens if the vendor runs out of physical space and makes an agreement with another cloud storage enterprise? This is feasible, though probably not optimal, and it adds another layer of ownership, since agreements between cloud vendors will probably include the use of the stored information. This scenario affects not only ownership but also accountability.

Though many regulations cover the storage and use of PII, few specifically identify cloud storage. FedRAMP specifically targets cloud storage providers, but the program only focuses on those providers who want to store data for the federal government (Program Basics | FedRAMP.gov, n.d.). Various international organizations have adopted regulations for cloud storage (Phillips, 2018). Some of these rules are widely adopted by cloud storage providers, but there is nothing requiring companies to be a part of these organizations or to follow their rules. There are laws such as HIPAA that require specific information to be handled in certain ways, but those laws are specific to different industries and types of information (Mishevska, 2022). It appears that, reasonably, the only written rules that govern who has accountability for personal information specifically in cloud storage are the terms and conditions and privacy policies created by companies and agreed to by customers, and a small number of state laws that are aimed at consumers. Take into account the numerous companies that can have access to the original information and the endless supply of regulations that touch on cloud storage as a subject, and therein lies an accountability disaster. It would be wise to create one definitive regulation specifically aimed at cloud storage, the companies that use it, and the providers of it. Until that point, only the courts and the court of public opinion hold specific entities accountable.

Kamara, S., & Lauter, K. (2010). Cryptographic Cloud Storage. In: Sion, R., et al. Financial Cryptography and Data Security. FC 2010. Lecture Notes in Computer Science, vol 6054. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14992-4_13

Mishevska, J. (2022, May 23). U.S. Data Privacy Laws in 2022 [A Guide to Online Privacy Laws]. Cloudwards. https://www.cloudwards.net/us-data-privacy-laws/

Phillips, C. (2018, March 8). 7 of the Most Significant Cloud Compliance Regulations. Charles Phillips. https://charlesphillips.me/7-significant-cloud-compliance-regulations/

Program Basics | FedRAMP.gov. (n.d.). Www.fedramp.gov. https://www.fedramp.gov/program-basics/

Winkler, I. (1995, July 28). The Net [Film]. Columbia Pictures.
