Working in the clouds: Societal concerns of cloud computing
Robert J. Vroman
www.Robert-Vroman.com
Colorado State University
In partial fulfillment of the requirements of
JTC 413 – New Communication Technologies and Society
Fall 2010
David Fry, PhD(c)
Abstract
Cloud computing and the delivery of computer services utilizing a utility model may very well be the next step in the evolution of computer use. The widespread use of photo sharing sites, web based e-mail services, and social networking sites illustrates just how commonplace these
services have become. However several aspects of cloud computing must be considered before it can become as commonplace as electricity in the home. This paper will introduce the concept of cloud computing, as well as its advantages, and then explore the societal concerns associated with it such as reliability, safety, data longevity and portability, and privacy.
Introduction
Cloud computing is considered by many to be the way of the computing future. The concept of cloud computing, and more importantly the delivery of computer services in a utility model is not new. As early as the 1960’s visionaries such as McCarthy and Kleinrock, and more recently Carr, predicted the time when computer services would be delivered to the home much like electricity, water, and other commonplace utilities (Carr, 2009; Kleinrock, 2005; Pallis, 2010). In 2010 society is on the cusp of an explosion of cloud computing as technology allows for the creation of needed infrastructure to support this model.
While there are several stated advantages in moving computing activities from a locally hosted machine or network to (a) remote location(s), as described by Ellul there will always be unexpected ramifications to technology. The reality of cloud computing has brought along with it several unexpected or unanticipated effects, questions, and concerns. These range from legal concerns such as questions pertaining to the Fourth Amendment, governing legal statutes in countries outside the United States (U. S.), security issues, and accessibility issues. This paper will introduce the concept of cloud computing and its advantages, and present a discussion of the societal concerns of this new and evolving technology.
Cloud Computing
Utilities such as electricity, water, and telephony have long been delivered to households, thereby providing people access to these services without each of them having to individually create their own systems of production or delivery. In this system the customer, or end user, only pays for the amount of service they actually used. This can be best exemplified by the electric meter on most U.S. residences and businesses which measures how much electricity is
used each month, and a bill for that amount is sent to the party financially responsible for that delivery.
As the need for computer services has all but become a staple and requirement in the modern day the provision of computer services can be accomplished in a similar manner, including the pay for use model seen with other utilities. In this model the actual computer(s), much like the electric generator for the power company, is at a remote location from the site of service. Through the use of network connections, virtual machines, and the like, the end user connects to the computer through a remote terminal where they can access and create files, utilize software, and perform any other function currently performed on a local machine. The difference however is that the local machine is little more than a monitor and the necessary hardware for connecting to the computer. All programs, files, and processing activity takes place at the site of the computer being accessed rather than locally at the site of use. (Martin, 2010)
When end users access the computer(s) that make up the cloud it may be a single computer, hundreds of computers, or thousands of computers at a single or various geographic locations. Hosting computer services at these large data centers, managed by third parties, allows for data and program access from any point in the world as opposed to having to be at the actual machine the information is stored on. The typical computer user likely already takes advantage of the cloud concept through the use of services such as YouTube, Google Docs, Google Mail (Gmail), Facebook, or any other number on online services which store data, allow for data retrieval, or allow for online file creation. This system ensures information may be available at any time from any location (Buyya, Yeo, Venugopal, Broberg, & Brandic, 2009). In fact
according to one survey 69% of U.S. residents currently use cloud computing services for e-mail, photo storage, and file creation (Gross, 2008).
Lesser known, yet widely available public cloud computing systems include the Amazon Elastic Compute Cloud (EC2) along with their Simple Storage Service (S3), Google’s App Engine, Microsoft Azure, and Aneka. Unlike the afore mentioned services, these true clouds allow users to create virtual machines that not only store and retrieve data, but also store and run the applications required to manipulate the data (Armbrust, et. al, 2010; Buyya, Yeo,
Venugopal, Broberg, & Brandic, 2009).
Advantages
There are several advantages to cloud computing that make it a very attractive prospect. For those who provide such services there is the opportunity for a constant revenue stream, while there is the possibility for cost savings for the end user. Rather than purchasing and maintaining costly computer systems and networks that may need to be upgraded on a regular basis,
consumers can simply pay for the time they utilize the computers within the data center, the amount of data storage space utilized, and any fees associated with the uploading and
downloading of data. In most instances the costs associated with cloud computing are less than the cost of performing the same processes with in-house equipment (Armbrust, et. al, 2010; Buyya, Yeo, Venugopal, Broberg, & Brandic, 2009). This ability to save costs is not only important in light of recent economic times, but may also help companies meet the accepted standard that unless its primary business is IT, the costs associated with maintaining computer hardware, software, and networks should be less than 20% of its overhead (Vouk, 2008).
One of the biggest fears of any computer user is a hard drive crash. In this case years of important, and possibly irreplaceable, data can be lost in a millisecond. Even when the system is backed up on a regular basis there may be data loss between backups, in addition to the time and
loss of productivity associated with restoring the data from the archives. The use of many
computers to create a cloud offers reliability and redundancy. Not only will the failure of the end users computer not have any effect on the data or application stored in the data center, but the information is likely stored on several computers, therefore the failure of one computer at the data center does not result in the loss of information or the loss of productivity. Furthermore the responsibility of backing up the cloud computers falls within the realm of the provider rather than the end user (Buyya, Yeo, Venugopal, Broberg, & Brandic, 2009).
The ability to increase or decrease needed computing power and storage space when needed is a significant advantage of utilizing cloud services for computer operations. When utilizing in-house networks an individual or company must plan for any perceived increases in computing needs. This not only results in increased expense for purchasing any needed
equipment, but also requires time and planning to ensure the equipment is in place before the demand is present. If demand should then drop the user is left with a financial obligation that is no longer meeting a need. This concept is likely seen at play on picture sharing sites just after major holidays when there is a large increase in uploads as compared to other times of the year, or following an event that draws great public interest.
The elasticity and scalability of cloud computing can account for these changes in demand. When the consumer requires more computing power or storage space the cloud can immediately dedicate more computers at the data center to that need. When there is a decreased need there are less cloud resources utilized by the customer. With the pay-for-what-is-used utility model consumers can reduce their overall costs by up-scaling and downscaling their use as needed. This ability also allows for faster computing speed. The cost is no different to have one computer working for 10 hours, or 10 computers for 1 hour; however the increased productivity
may be of great benefit (Armbrust, et. al, 2010; Buyya, Yeo, Venugopal, Broberg, & Brandic, 2009).
There are several examples of this elasticity and scalability that fully support the concept of cloud computing and its advantages. When the New York Times decided to place 11 million archived articles online in the form of PDFs they found it would have taken 14 years to
accomplish using their own servers. Instead they used Amazon’s EC2 and S3 services and the process only took one day costing $240 (Gottfrid, 2007; Weinberg, 2008). Similarly when Animoto (http://animoto.com) became available on Facebook the amount of servers needed by Animoto increased from 50 to 3,500 in only three days. Ultimately the demand reduced after the initial spike in interest from their newfound exposure via Facebook (Armbrust, et. al, 2010).
In both of these situations the purchase and maintenance of new equipment to handle temporary increases in need would not have been a wise fiscal decision. On the other hand the inability for each company to handle the increase in traffic could have resulted in customer dissatisfaction and loss. To this end the scalability and elasticity was the perfect solution, allowing for increases and decreases in need as demand required, with minimal cost to the company.
Societal Concerns
While there may be several advantages of cloud computing, that does not mean this concept and technology is without questions, issues, and concerns. For this model of computing services to be attractive to consumers they must feel it is a reliable system that will allow access to data whenever needed (Armbrust et al, 2010; Vouk, 2008). The ability for a cloud provider to guarantee there will be no down-time within their data centers is unfeasible. As a result there is
the risk to the consumer that they will not be able to access their data at all times. Although reliability has increased with changes in technology, failures do occur and have affected the major service providers including Amazon and Google (Armbrust et al, 2010; Claburn, 2008).
According to Buyya et al (2009) service level agreements (SLA) can be drafted to address quality of service (QoS) issues. However it can reasonably be argued that these
agreements will do little to resolve the frustration experienced by consumers if they are unable to access their data when needed. Such concerns are likely to deter end users from becoming
completely dependent upon cloud services, but rather to use them for periodic increases in demand that their own networks and machines cannot compensate for.
Reliability could also extend to the ability of uncorrupted data transfer between the user and the cloud. One only needs to think of other telecommunication technologies, such as cellular telephony service, in which interruptions in service occur. Take for example the dropped phone call. In this situation it is fairly easy to redial the person you were calling and resume your conversation where you left off without a significant loss of data. In this situation the provider of service maintains no liability for the loss of service or the result of that loss. Take for example the excerpt below from the at&t service agreement, which is emphasized in the agreement in all capital letters.
“We do not guarantee you uninterrupted service or coverage. We cannot assure you that if you place a 911 call you will be found. Airtime and other service charges apply to all calls, including involuntarily terminated calls. At&t makes no warranty, express or implied, of merchantability or fitness for a particular purpose, suitability, accuracy, security, or performance regarding any services, software or goods, and in no event shall
at&t be liable, whether or not due to its own negligence” (At&t customer service agreement, n.d.).
Current telecommunications policy allows for such disclaimers of liability by service providers; however the liability of cloud providers is not clear as these issues are not currently addressed in policy or law (Martin, 2010). This creates questions that must be answered before consumers may become completely comfortable with cloud computing. What if data is corrupted in transfer, or does not make it to the data center? Who is liable in this situation? Current law indicates it is possible for there to be no liability for the provider. Perhaps this could be addressed in the SLA, but without incentive or legal obligation providers may be unlikely to accept such liability. Such uncertainness may ward off potential customers who would prefer to maintain their own systems if for no other reason than to ensure the integrity of the system and of data transfer.
Along the lines of reliability in access and uncorrupted data transfer is the need for ensuring the safety and security of any data contained within the cloud providers system. As a result of being in the medical field this author deals with the issue of sensitive and federally protected information on a daily basis. On in house networks it can be protected and access can be restricted to only those who have a valid reason to view patient information. Once it is on a third party network though can this be guaranteed? There are questions surrounding who actually owns the information placed in a cloud, the customer/creator or the provider. Can providers use customer data as they see fit? These questions have to be answered. It has been argued, and supported in court decisions, that once someone makes information available on remote servers, such as e-mail or data, that they have given up their right to an expectation of privacy of that
information (Wells, 2009). This may make many companies leery of placing sensitive information, trade secrets, or other such information on a cloud based system.
Even though the cloud provider may not itself access the private data stored on its system, there is always the ability of hackers, or an unscrupulous employee, to access the data. Another concern might be the physical data storage devices themselves (Armbrust et al, 2010). When the customer is in control of the storage medium they can make sure they are destroyed, subject to proper wiping techniques, or simply locked away when upgrading to newer and larger disks. What guarantees are there that the cloud provider will follow these same policies? Even if these issues are addressed in the SLA mistakes or oversights are always possible. Most people are familiar with stories of boxes of files of personal information being found in the garbage due to improper disposal, physical storage media can encounter the same fate. As with the other concerns surrounding cloud computing security and reliability, these issues must be addressed to the satisfaction of the customer for the business model to be appealing.
A final aspect of data security is in the longevity and portability of the information stored at the cloud provider (Brodkin, July 2, 2008). Currently formats are proprietary and there is no accepted standard for how cloud providers establish their service (Armbrust et al, 2009). This raises significant concerns for the consumer. What if they wanted to change providers for any reason? What would the difficulty be in transferring the data from one provider to another? Once a provider has been chosen is the customer locked in with that provider due to the proprietary nature of data storage and formatting? Would they be subject to arbitrary price increases with no chance of market forces dictating price due to the lack of options? What if the provider were to go out of business? Would there be any liability, or any responsibility for returning the data to the customer?
This has in fact already happened. In 2008 the online storage service, The Linkup, went out of business after losing up to 45% of the data it was storing for 20,000 paying customers (Brodkin, August 11, 2008). Unlike the temporary outages mentioned earlier in this paper, this was a permanent data loss. Of the 55% of the data that was salvaged, many customers were still not able to transfer their files off the system before it shut down, and in reality no one knows how much data was lost due to the closure of the service. Much of this data loss, either actually lost in the system, or intact data that was not accessible by customers, is a direct result of the proprietary nature of cloud computing systems. The Linkup was created as the result of a series of mergers, corporate splits, and corporate relationships. By the end of these changes The Linkup was actually storing data on another company’s server; however there was incompatibility between the two services and data migration became problematic. This resulted in both the loss of, and the inability to access, data by customers. While each blamed the other, the end result was that the customers were the losers.
Such an event, and the possibility of future events, underscores one of the dangers of placing all data in the cloud. Once the data is out of the customers control there is truly no way to know where it has gone, where it is stored, who is storing it, or how it can be retrieved if there is a failure. Even though an individual or company may have contracted company X for service, it is quite possible that company Y is actually storing the data. In this case who is liable, the customer, company X, or company Y?
The simple action of placing all one’s data in the cloud breaks one of the single most important rules in computing, to never allow there to be a single point of failure. However, if the need exists to maintain all data, files, and applications on local machines to ensure their safety, then one of the biggest advantages of cloud computing is lost, the lack of need to maintain
equipment, servers, and the network infrastructure to perform daily computing requirements. If the customer needs to maintain such equipment anyway, they will likely not have the incentive to pay the cloud provider to do the same thing. Without reasonable guarantees of data longevity, safety, and portability, cloud computing may be seen as an adjunct to in-house systems for short term intensive needs as opposed to a long term solution.
What is probably the biggest concern for most potential cloud users is privacy (Gross, 2008). Due to a variety of conflicting court decisions and reversals, it is still unclear whether e-mail is considered to have a reasonable expectation of privacy and is protected under the Fourth Amendment. Furthermore existing laws, the Electronic Communications Privacy Act, allow, upon a court order, internet service providers to release any and all electronic data stored by a customer for more than 180 days without notifying that customer. Other court decisions have determined that releasing information to a third party, such as banks, eliminates all expectations of privacy (Wells, 2009; Ma 2009). Not only are there no current laws addressing information stored in the cloud, existing precedent provides little protection for data when it comes to privacy. Adding to the question of a reasonable expectation of privacy is that the customer may truly be unaware of what is being stored on their own computer, perhaps creating an expectation of privacy, and what is being stored on the cloud where that expectation may not legally exist.
Fourth Amendment issues aside, one must consider the events of September 11th, 2001 and the long lasting effects in terms of privacy laws, most notably the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (US PATRIOT Act). The provisions of this law have had far reaching effects by further allowing the use of national security letters, rather than search warrants, to obtain information about
has increased exponentially since the enactment of the PATRIOT act, 8,500 in all the years prior to the passage of the act, and 143,074 between 2003 and 2005 (Gorham-Oscilowski & Jaeger, 2008). There are already known instances in which telecommunications companies have indeed shared data and information with governmental agencies based on the use of national security letters that included both records and wire tapping requests (Associated Press, 2007). These types of instances may only further steer people away from cloud computing based on the unknown aspects of their individual or corporate privacy, as opposed to what is stored on local machines and networks.
The PATRIOT act has not only had national effects, but also international ramifications. One aspect of cloud computing that is unique is the fact that one does not know where data is stored geographically. In this instance there are questions pertaining to whose laws govern the use and access to the data. Is it the country of origin, the country in which the service provider is based, the country in which the customer is located, or the country where the servers are
physically located? Each country has different laws pertaining to the ability to use and access data, and due to the newness of cloud technology these questions have not been answered.
As a case in point Lakehead University in Thunder Bay Ontario chose to utilize the Google cloud service rather than replace an aging computer system. While this resulted in significant financial savings for the university, no cost vs. millions of dollars to replace the system, it has resulted in a conflict of laws between two countries. Because the servers are based in the U.S. it is reasonable to assume that the PATRIOT act can be used to access the
information stored there. Canada on the other hand has strict privacy laws that do not have the latitude of the PATRIOT act. Faculty members at the university are concerned about academic freedom and the potential for a foreign government, the U.S. in this case, reviewing their files
and work (Avery, 2008). Essentially due to technology and the use of cloud computing, citizens of a country may suddenly find themselves applicable to the laws of a foreign country, or under investigation by a foreign country, that they have not even stepped foot into.
Conclusion
Cloud computing is a fascinating concept with endless potential. The ability for individuals and companies to have a common site for file storage, applications, and all other computing needs is very convenient. Suddenly there is not the issue of having a file or program on a separate computer from the one you are physically located at, this can all be accessed from any location at any time. Additionally the ability to expand storage space and computing power temporarily or permanently with minimal cost or overhead is very appealing.
There are however several valid concerns relating to cloud computing. Data security, longevity, access, and privacy are some of the more prevalent ones, but only the tip of the iceberg. The potential for unrestricted access, or loss of privacy of data, may very well keep several potential users away from the cloud. The fear that the cloud provider may go out of business taking all of the customer’s data with them, or the use of proprietary formatting may be another deterring factor. There are several questions that have yet to be answered, particularly in the legal realm before this can happen. Many of these will have to be addressed with changes in current laws that were written for a technological society long before current technological ability, and many of these concepts were not even considered at the time.
In reality the reality of cloud computing and the delivery of computer services as a utility is likely inevitable. However until these issues and concerns are addressed its growth will be slow before becoming as commonplace as electricity in the household.
References
Armbrust, M., Fox, A., Zaharia, M., Griffith, R., Joseph, A., Katz, R., et al. (2010). A view of cloud computing. Communications of the ACM, 53(4), 50-58.
Associated Press. (2007, October 16). Telecoms won't talk about surveillance - Politics - White House - msnbc.com. Breaking News, Weather, Business, Health, Entertainment, Sports,
Politics, Travel, Science, Technology, Local, US & World News- msnbc.com. Retrieved
November 14, 2010, from http://www.msnbc.msn.com/id/21322332
At&t Wireless Customer Agreement. (n.d.). At&T Wireless. Retrieved November 19, 2010, from
www.wireless.att.com/cell-phone-service/legal/index.jsp?q_termsKey=wirelessCustomerAgreement&q_termsName=Wire less%20Customer%20Agreemen
Avery, S. (2008, March 24). Patriot act haunts Google service. The Globe and Mail. Retrieved November 18, 2010, from http://www.theglobeandmail.com/
Brodkin, J. (2008, August 11). Loss of customer data spurs closure of online storage service 'The Linkup'. Network World. Retrieved November 18, 2010, from
http://www.networkworld.com/news/2008/081108-linkup-failure.html
Brodkin, J. (2008, July 2). Gartner: Seven cloud-computing security risks. InfoWorld. Retrieved November 18, 2010, from http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853
Buyya, R., Yeo, C., Venugopal, S., Broberg, J., & Brandic, I. (2009). Cloud computing and emerging IT platformsL Vision, hype, and reality for delivering computing as the 5th utility. Future Generation Computer Systems, 25, 599-616.
Carr, N. (2009). The big switch: rewiring the world, from Edison to Google. New York: W. W. Norton & Co.
Claburn, T. (2008, July 21). Amazon S3 crash raises doubts among cloud customers. Information Week. Retrieved November 19, 2010, from
http://www.informationweek.com/story/showArticle.jhtml?articleID=20940012
Gorham-Oscilowski, U., & Jaeger, P. (2008). National security letters, the USA PATRIOT act, and the constitution: The tensions between national security and civil rights. Government Information Quarterly, 25, 625-644.
Gottfrid, D. (2007, November 1). Self-service, prorated supercomputing fun!. Code - Open Blog
- NYTimes.com. Retrieved November 22, 2010, from
http://open.blogs.nytimes.com/2007/11/01/self-service-prorated-super-computing-fun/ Gross, G. (2008). Cloud computing may draw government action. InfoWorld. Retrieved
November 10, 2010, from http://www.infoworld.com/d/security-central/cloud-computing-may-draw-government-action-825
Kleinrock, L. (2005). A vision for the internet. ST Journal of Research, 2(1), 4-5.
Ma, W. (2009, October 1). Google's gdrive (and its ad potential) raise privacy concerns. Popular
Mechanics. Retrieved November 14, 2010, from
http://www.popularmechanics.com/technology/gadgets/news/4234444
Martin, T. (2010, May 14). Hey! you! get off of my cloud: Defining and protecting the metes and
bounds of privacy, security, and property in cloud computing. Unpublished manuscript,
Southern Methodist University, Dedman School of Law. Retrieved November 16, 2010, from http://works.bepress.com/timothy_martin/3/
Pallis, G. (2010). Cloud computing: The new frontier of internet computing. Internet computing,
14(5), 70-73.
Vouk, M. (2008) Cloud computing – Issues, research, and implementations. In V. Luzar-Stiffler, V. Dobric, & Z. Bekic (Eds.), Proceedings of the ITI 2008 30th International Conference
on Information Technology Interfaces, Croatia, 31-40
Weinberg, N. (2008). Cloudy picture for cloud computing. Network World, 25(19), 19-20. Wells, R. (2009). The fog of cloud computing: Fourth Amendment issues raised by the blurring
