Understanding the Cloud: The Social Implications of Cloud Computing and the Need for Accountability
Five years ago, cloud computing was one of the top emerging new technologies, nowadays it is almost common place. This rapid introduction of cloud business models in our society coincides with critical questions on the cloud’s risks, such as security and privacy. Moreover, there seems to be an increased demand for accountable behaviour in the cloud. This paper explores how society understands the cloud, its related risks and the need for accountability in the cloud. This exploration provides insight in the social implications of cloud and future Internet services and the way cloud and accountability tools will be adopted in society.
KeywordsCloud computing Accountability Public understanding
Five years ago, cloud computing was one of the top emerging new technologies, similar to wireless power, 3-D printing and e-book readers . Currently cloud computing has gained momentum. Cloud storage has become the new standard for data sharing and storing for individual and business users (e.g. DropBox, Flickr, Google Drive, OpenDrive, JustCloud). This rapid introduction and implementation of cloud computing business models in our society, however, coincides with questions on the risks of cloud computing. Often uttered risks are the security, interoperability and reliability of cloud computing. These risks not only matter to cloud users, but might even matter to the public at large. This paper will focus on the public understanding of cloud computing, the public issues at hand and how the call for accountability in the cloud sector fits into this discussion.
Previous research on emerging new technologies has demonstrated that unfamiliarity with a technological phenomenon and related scientific, social and ethical uncertainties might give rise to public controversies [2, 3, 4]. The introduction of biotechnology is a point of example. “Cross-national stand-offs over the commercialization of genetically modified (GM) crops, the patenting of gene fragments and higher life forms, and the divergent policy regimes that have developed around research with embryonic stem cells give tangible evidence of the conflicts that can arise if tacit public expectations with respect to the management of biotechnology are not met” [2, p. 140]. Public resistance due to lack of understanding might thus effectively stall a new industry. Typically, these examples do not refer to innovations that are perceived as consumer goods but have an inherent public nature.
Despite being a consumer good the uncertainty surrounding cloud computing, in specific the cloud’s complex, ubiquitous and opaque nature, raises questions on the distribution of responsibilities as were it a public good . In fact, the inherent technological, cross-border and dynamic character of cloud computing raises special problems for its responsible governance. Think of the organized irresponsibility due to trans-boundary data transfers – as data storage is scattered all over the world and the relation between data-subjects, data-controllers and data-processors opaque, nobody feels -or is- responsible if things go wrong.
In order to deal with these uncertainties in the cloud ecosystem the notion of accountability is introduced. Accountability “broadly denotes the duty of an individual or organisation to answer someone in some way about how they have conducted their affairs” [6, p. 989]. The notion of accountability originates from the public sector and is related to good governance with main attributes as transparency, responsibility and responsiveness. Apparently, the market mechanism alone does not seem to have the ability to govern the cloud business model, vendor lock-in being a good example of this malfunction of the market mechanism. This introduction of accountability in cloud ecosystems is a wider established trend in the private sector . One might even speak of a culture of accountability; the patterns, traits, and products of accountability increasingly define current governance of the private sector.
However, a one on one transfer (of the use) of the accountability notion from the public to the private sector is unfitting. The demands within the private sector might be different. The experience with accountability as a governing notion in the public sector is high, yet its use in the private sector is relatively unknown and new especially in highly competitive markets like the IT sector. Therefore, we deem it relevant to explore how the accountability notion has been transferred from the public to the private sector, and whether this might imply some reconfiguration of its operationalization in practice. Subsequently, the introduction of accountability in the cloud ecosystem is a second point of interest in this paper, mainly in relation to the governance of new emerging technologies and the public understanding of cloud computing.
This paper explores how society understands the cloud, its related risks and the need for accountability in the cloud. Such an understanding provides insight in the social implications of cloud and future Internet services and the way cloud and accountability tools will be adopted in society. Our research can be positioned within the sociological sciences, combining the discipline of science, technology and society studies (STS) on public understanding of science and risk society with the discipline of public administration on good governance and accountability. Our research departs from the idea that public perceptions of emergent technologies, like cloud computing, have become increasingly important to understand. First, because cloud computing has a deep impact on the way our society is and will be organized. Second, because the Snowden files about the NSA and PRISM reveal governments control over our data. Both reasons might cause public debates that stall further development of cloud and future Internet services sector. This means that first an identification of areas of concern is needed. Knowing the actual public concerns about cloud computing and the development of future Internet services may be important, not only the general positive/negative attitude or disposition toward cloud computing . Insights in the public understanding of cloud computing will inform the discussion on the responsible governance of data in the cloud and the need for accountability. In our discussion of accountability we will take a public administration perspective, entailing governance as the creation of conditions for ordered rules and collective action . It is about understanding how people and technologies are able to steer one another to certain directions, in this case handling data in the cloud in a responsible and accountable way. Subsequently, there is a need for exploring why and how the notion of accountability has been transferred from the public to the private sector, in specific cloud computing sector.
This paper will start with outlining how governing the cloud and its risks currently are understood. This outline is followed by a theoretical exploration of the transfer of the accountability notion from the public to the private sector, specifically its operationalization within the cloud ecosystem. Next, a survey among the Dutch population provides empirical insights in the actual public understanding of cloud computing, related concerns and need for governance of data. In our analysis we will focus upon the meaning of the survey’s outcomes in light of the debate for eliciting the public’s concerns with respect to cloud computing and how to govern accountable behaviour in the cloud. Finally, the paper will evaluate the social implications of cloud computing and the need for accountability and accountability tools.
2 Cloud as Emerging Technology in Need of Responsible Governance
Governing innovation, in a modern technological culture in which the existence of uncertainty of scientific knowledge and related societal problems are key characteristics, requires a thorough understanding of the risks that come with innovation. Cloud computing is such an innovation that might be in need of responsible governance. In this section we explore the traditional approach to the cloud’s risks and risk perceptions, followed by a more publicly informed approach to governing innovation and risks.
2.1 Governing the Cloud via Risk Analysis and Management
While the cloud and future Internet creates new business opportunities it also creates a variety of new technical, organizational and regulatory “complexities” and risks. The traditional approach to understanding these complexities and risks is performing risk analysis and risk management. It focuses on identifying and assessing risks that can be captured in for example statistics due to the availability of scientific knowledge (data, information). The risk assessment aims to produce the best estimate of the physical harm that a risk source may induce . The typical risk management lifecycle involves risk assessment, setting policies to mitigate these risks, implementing controls and running systems in accordance with these controls, and monitoring and auditing to ensure risks are mitigated.
Accordingly, understanding the risks of using cloud services is a fundamental issue. Despite the non-contentious financial advantages cloud computing raises questions about security and privacy. For example, cloud users simply have to rely on and trust cloud vendors experience in dealing with security and intrusion detection systems . Most of the identified risks relate to security and privacy issues, for example: the way data operators handle and disclose provided data, subsequent data use by third parties, security of data provided, legality of cloud services usage, disruptions of cloud services, vendor lock-in, and violation of privacy laws by cloud service usage .
One of the main identified risks of cloud computing is its security. Aspects such as the lack of proper data and Virtual Machine (VM) segregation or jurisdiction concerns regarding data location are among the most regarded problems on this area. Other security concerns refer to the service-oriented architecture of cloud (the risks of various forms of attacks such as DOS, Man-in-the-Middle etc.) and multi-tenancy and the difficulties in isolation among tenants’ data . Despite these serious worries, the perception of security in cloud computing to be cautious has changed over the years. Moreover, the cloud does not necessarily offer less security than individuals can achieve on their own. In fact, the opposite can be argued since security is promoted as one of the cloud’s advantages. Mostly because knowledge and awareness on cloud technologies and mechanisms has increased. As an illustrative example, results from KPMG surveys regarding perception of cloud computing [14, 15], based on responses from more than 650 executives from different industries, show that while in 2011 security ranked as the top challenge, in 2013 it ranked third, after integration and transition challenges. Thus, one possible interpretation is that perception of security in the cloud of decision-makers has matured from initial fear and reluctance to increased confidence and willingness to integrate. Technical issues that hinder implementation and integration of cloud computing technologies into business have taken the lead role regarding executives concerns .
In order to cope with these security risks or to mitigate these risks, they first have to be made measurable. Risk then is “a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of (1) the adverse impacts that would arise if the circumstance or event occurs; and (2) the likelihood of occurrence” . Accordingly, security risks are “categorised into policy and organizational risks, technical risks, legal risks and risks not specific to the cloud. The description of each risk includes risk levels (likelihood, impact), the comparison to the baseline (non-cloud solution), affected assets and exploited vulnerabilities” . Analysing these risks allows for the systematic use of information to identify sources and estimate risk. For example, the A4Cloud works on a systematic risk assessment model, including soft and hard trust measures, “to support the causal analysis of the emergence of specific threats (i.e. how threats exploit vulnerabilities and then affect assets or controls)” . The resulting risk models, sometimes combined with empirical evidence or experts’ judgments, support the assessment of risk in terms of likelihood and impact. After the identification of the risks, they are evaluated against established risk criteria; i.e. norms laid down by experts or in law. The comparison between the measured risks and risk criteria subsequently result in an identification of threats or risks that need to be dealt with and proposals of controls to be taken.
A second main risk relates to privacy. “Cloud computing is associated with a range of severe and complex privacy issues” . These issues for example refer to the appropriate collection, use and disclosure of data, safe storage and transmission of data, term of retention, and access to data. For sure, cloud computing’s omnipresent nature presses the most on these privacy issues; exposing data subjects and data processors to the diverse laws of multiple countries.
Currently, privacy issues mainly are dealt with via data protection law, such as the Data Protection Directive 95/46/EC. Although currently, there is no general EU legal requirement to conduct a Privacy Impact Assessment (PIA),1 the PIA is seen as one of the ways to identify, analyse and assess privacy risks. A PIA is “a methodology for assessing the impacts on privacy of a project, policy, programme, service, product or other initiative and, in consultation with stakeholders, for taking remedial actions as necessary in order to avoid or minimise negative impacts” . A PIA is based on a risk-management approach. Similar to dealing with security risks, privacy risks are made measurable first. PIAs provide specific guidance on how to calculate and prioritise risks, choose appropriate ‘controls’ (risk mitigating measures) and assess the residual risks. However, “importantly, a PIA is not a single-shot exercise, but an on-going process from the time when a plan to process personal data is conceived throughout the entire processing. The PIA process incorporates a feedback loop, allowing to adjust both the IT-based product and the providing organisation’s internal procedures depending on the PIA results” .
Whereas the computer scientific approach focuses upon the automatic and systematic performance of a risk model, the PIA described from a legal viewpoint seems to emphasize the need for an iterative approach and a feedback loop. Nevertheless, for both approaches goes that the identified security and privacy risks and subsequent assessments tend to focus upon issues that can be made measurable or calculable and also provide some certainty with respect to the impact they have on an organization. It is this approach to risks, risk analysis and management that is debated from a STS-perspective, since a broader, more flexible and perhaps even evolutionary approach might be needed to grasp all issues related to cloud and future Internet services. It might be that the cloud’s risks are not only complex but also ambiguous in nature. This ambiguity entails “that there are different legitimate viewpoints from which to evaluate whether there are or could be adverse effects and whether these risks are tolerable or even acceptable” . Accordingly a greater understanding of the issues at play might be needed.
2.2 Responsible Governance of the Cloud and Public Concerns
Increasingly it is recognized that social, ethical and economic impacts have an important role in the assessment of innovations. Identifying what uncertainties exist, what the (potential) risks are, has become core business in the analysis and assessment of innovations . The research on the potential hazards and damages of the increased connectivity due to cloud computing is relatively young and the knowledge on risks is more uncertain as cloud computing is a complex, omnipresent and dynamic facilitator of the Network Society. Currently cost-benefit analysis and other positivist sciences seem to dominate the risk assessment plain. Consequently, societal and other values have less room for informing regulators in the responsible governance of innovations. When exploring the socio-economic landscape of cloud-computing it becomes obvious that concerns with respect to cloud computing not only are technical or simple problems. In fact, cloud computing: (a) is part of technological innovations that are fundamentally changing society, and (b) seems to have increased governments’ capability and actual conduct to control our data.
Cloud is Changing Society’s Organisation. With cloud computing the era of the network society and technological paradigm of informationalism seems to be ascertained. Early 21st century “is characterized by the explosion of portable machines that provide ubiquitous wireless communication and computing capacity. This enables social units (individuals or organizations) to interact anywhere, anytime, while relying on a support infrastructure that manages material resources in a distributed information power grid” . Cloud computing has further established this network society by significantly increasing the networking capacity of distributed processing and computing power. No longer is society limited by stand-alone machines, instead a global, digitized system of human-machine interaction is established .
In fact, the emergence of cloud computing is drastically changing the use of information technology; it is changing computing from a personal to a public utility. “Computing is being transformed to a model consisting of services that are commoditized and delivered in a manner similar to traditional utilities such as water, electricity, gas, and telephony. In such a model, users access services based on their requirements without regard to where the services are hosted or how they are delivered” . Nowadays, cloud computing has become a common delivery model for many business applications (e.g. office and messaging software, management software, accounting software, etc.). Moreover, cloud has changed the way these business applications are built and run; the hardware and software infrastructures are no longer within the company’s physical space (e.g. Salesforce). It is even possible to have the entire business infrastructure in the form of server and network resources, allowing for the availability of a private cloud and virtualized local network (e.g. Amazon Web Services or Windows Azure).
Accordingly our society’s organization has fundamentally changed towards the social structure of networks backed up by a new technological environment. For example, the increase in computing power in the human genome project already demonstrated how computing models and computing power coincide with scientific advancements in genetic engineering. Subsequently, what has been believed by many people to be the secrets of life now are being unravelled due to technological advancements that allow for a global networked community of various scientists (microbiologists, electrical engineers, etc.) and accompanying computing tools. Another example is the increased gap between the haves and have nots (or so-called digital divide), and subsequent exclusion of certain parts of population due to lack of access to cloud computing models. According to Castells “The network society works on the basis of a binary logic of inclusion/exclusion, whose boundaries change over time, both with the changes in the networks’ programs and with the conditions of performance of these programs” . Not being connected or being in the right networks simply means that people might be excluded from relevant and/or powerful networks. Although many people are not included in these networks, they are affected by the processes that take place in these global networks. Cloud computing thus has far-reaching consequences for society’s organization.
Cloud and Governmental Access to Data. Controversies like the Snowden files reporting on the NSA and PRISM have fuelled public discussions on privacy, data protection and have increased the public call for transparency and accountability of governments and cloud service providers in their handling of personal information . In fact, the Snowden files have changed the landscape “by single handedly unveiling a major problem with the way we store and share files”. More specifically, Snowden “has exposed one of the largest issues involved with trusting all of our valuable information to the cloud — security” . Whereas in the past the public did not perceive controlling their data in the cloud as an urgent matter, the PRISM controversy and increased attention to privacy of personal information likely changed the public’s focus. Cloud computing creates an easier and much more manageable target from a threat-economics perspective to attack for well-equipped adversaries like nation states: data from millions of individuals located in a handful of data centres. Subsequently, individual cloud consumers’ perceptions of risk seem more related to the ability to control one’s information in the cloud and transparency, then related to, for example, technical risks.
Public Concerns and Cloud Adoption. Despite its widely spread use by individuals and businesses, the notion of cloud computing or the cloud remains for many an unfamiliar concept. The public at large stores its data in the cloud, but has great difficulties understanding what such data storage actually entails, what the cloud is and what implications this might have. Nevertheless, we expect to remain in control of our data. Exactly this unfamiliarity and uncertainty with cloud computing might hamper its further development and requires further understanding of public concerns.
Cloud consumers’ understanding of the cloud is an important aspect in adoption of the cloud. Research by Marshall and Tang on file synching and sharing mechanisms in the cloud, for example, shows that cloud users’ uncertainty and misconceptions limited their ability to fully take advantage of the service’s features . Users needed more accurate and robust models to be able to discover and trust cloud computing services . It is reasonable to assume that cloud consumers’ lack of knowledge and understanding of cloud computing influences their risk perception and subsequently their understanding of cloud computing.
Also the concerns with respect to privacy seem to depict other values and perspectives to what are believed to be risks or issues with respect to cloud computing. Previous research with regard to privacy and online behaviour demonstrates that many consumers do not trust most Web providers enough to exchange personal information in online relationships with them . Not privacy but trust seems to be a quintessential element in online relations. Moreover, the public’s perceptions of having little control over information privacy on the Internet have a strong influence on the consumer’s willingness to engage in relationship exchanges online [28, 29, 30].
Based upon the examples and deliberation above one can assume that the concerns with cloud computing not only relate to the uncertainty of the technology itself, but also to its ethical, economic and societal impacts. Importantly, one should not assume that public issues involving risks are in fact risk issues . The concerns go beyond scientific identified risks as data breaches and beyond mere compliance with data protection laws, and also relate to ‘social exclusion’ by not having access to the networked society or feelings of loss of control on one’s data. These concerns should be elicited to encompass public expectations and policy issues that are not, or not yet, reflected in, for example, law.
2.3 Innovation and Involving the Public
The involvement of the public at large and the elicitation of public concerns is a topic heavily debated in the field of governing innovation. It is the articulation of the public issue that should steer future development of technologies and related regulations [5, 32, 33, 34]. Global innovations like cloud computing “…should respond to people’s self-determined needs and aspirations, provided that certain background conditions of information and deliberation are met” . In order to articulate the public issue at hand, one should ask the public for its concerns regarding the risks of cloud computing and its needs for responsible governance mechanisms to ensure that boundaries are upheld where necessary.
However, the articulation of the public issue regarding the innovations in science and technology is not a self-evident matter. Current (democratic) governing mechanisms have not kept pace with the technological developments. Then how to deal with the risks and uncertainties in a democratic and scientific informed way? A first step could be to elicit the concerns and risks not only from the scientific community, but also from other relevant stakeholders and even the general public. Such understanding of the risks might allow for collective agreements to emerge in order to cope with unavoidable residual risks, either via contracts, law, the extension of democracy or other governing mechanisms . Jasanoff, for example claims that an important question of responsible governance of innovations is when and how to involve relevant stakeholders such as the general public . It may be unnecessary to involve stakeholders when the drivers of the innovation can be trusted to act responsibly, but this raises the question when this is the case and how we can know? Related questions deal with who are knowledgeable actors to participate in governance mechanisms, and whether the general public even is interested in knowing every potential risk related to all innovations. Don’t they have a right to remain lay and trust governments to control potential threats?
These questions with respect to cloud as an information and communication technology innovation that changes our societies’ organizations and our relation with governments fits within the call for responsible innovation that entered the scientific and policy makers’ debates early 2000’s. This call for responsible innovation is a reaction to the variety and characteristics of emerging technologies like genetically modified foods, medical technologies and nanotechnology and the way these technologies are shaping society. Also new communication technologies like the cloud and future Internet services influence how we relate to the natural world. As cloud computing is an innovation that crosses frontiers it raises special problems for its responsible governance. For one, cloud is in essence a consumer good and not a public good. Then how to debate the responsible governance of the cloud and with whom? Moreover, in the last decade we have witnessed how the call for accountability and the responsible governance of our data in the cloud has increased due to controversies like PRISM. Subsequently, there is a need for a more reflective and deliberative role for a broad set of actors, also given the large investments that governments and private firms make in research and innovation . Moreover, it is important to have insight in how responsible governance is shaped in practice, and more specifically the way this is operationalized through ‘accountability’ in the cloud ecosystem.
3 Exploring the Introduction of Accountability in the Cloud
Within cloud ecosystems accountability is becoming an important (new) notion, defining the relations between various stakeholders and their behaviours towards data in the cloud. However, accountability is a notion with many dimensions, different meanings to different people and different usages. For example, accountability is enshrined in regulatory frameworks like the data protection regulation, and simultaneously accountable behaviour is shaped in the relation between cloud customers and cloud providers. In our exploration of accountability in the cloud ecosystem we take a social scientific approach. Such an approach entails, for one, that we do not assume that there is a road map out there telling us how accountability works and how it will steer people to behave responsibly with data in the cloud. In fact there are many questions to ask in order to gain an understanding about accountability and the cloud: for example, what is accountability according to the different relevant stakeholders? How does accountability govern people’s behaviour in general? And how does accountability govern people’s behaviour in the cloud? Each of these questions requires different research approaches and different methodologies. In this paper we will focus on the way the use of the accountability notion in the private sector of cloud computing is informed by its use in the public sector, drawing upon earlier work of, for example, Bovens [36, 37, 38, 39].
3.1 Accountability in the Public Sector
In the public sector accountability predominantly is used prescriptively; accountability of some agent to some other agent for some state of affairs. It reflects an institutional relation arrangement in which an actor can be held to account by a forum. Accountability then focuses on the specific social relation or the mechanism that involves an obligation to explain and justify conduct. Subsequently, accountability is “a relationship between an actor and a forum, in which the actor has an obligation to explain and to justify his or her conduct, the forum can pose questions and pass judgement, and the actor can be sanctioned” . In an accountability relationship thus three parties can be distinguished: (a) the steward or accountor, (b) the principal or accountee or forum, and (c) the codes on the basis of which the relationship is struck. The latter are the shared framework for explanation and justification that are negotiated between the accountor (answer, explain and justify) and accountee (question, assess, and criticize). An accountability code then is a system of signals, meanings and customs, which binds the parties in a stewardship relation.
In order to do so there are different stages in accountability relations: (a) information in which explanation is given and one’s conduct is justified, (b) debate, in which the adequacy of the information and/or the legitimacy of conduct is debated (answerability) and last, (c) the forum must pass judgement and sanction whether formal (fines, disciplinary measures, unwritten rules leading to resignation) or informal (having to render account in front of television cameras or disintegration of public image and career). Accountability as a mechanism thus can be used as a tool to induce reflection and learning. It provides external feedback on (un)intended effects of its policies.
However, accountability is also used in a more normative way. Bovens calls this ‘accountability as a virtue’ . Accountability as a virtue is much defined by bad governance; what is irresponsive, opaque, irresponsible, ineffective or even deviant behaviour. Accountability as a virtue, a normative concept, entails the promise of fair and equitable governance. Behaving accountable or responsible then is perceived as a desirable quality and laid down in norms for the behaviour and conduct of actors. Moreover, accountability then is not something imposed upon someone or an organization by another actor, but an inherent feeling, the feeling of being morally obliged to be responsive, open, transparent and responsible .
Defining elements of accountability or the accountability relationship are: transparency, responsibility and responsiveness. Transparency broadly means the conduct of business in a fashion that makes decision, rules and other information visible from outside . However, the relation between accountability and transparency is not as straightforward as depicted above. Transparency can have different meanings in relation to accountability. First, transparency and accountability can be inextricably intertwined: “accountability in the sense of answerability necessarily implies the answerers sharing information with those to whom they are answerable, while transparency in the sense of openness is itself a way of answering for the conduct of an individual or organisation” . Second, transparency and accountability are both needed to produce good governance yet in principle are separable. This is what Hood calls the ‘matching parts’. Third, the realization that “effective accountability and all variants of transparency do not always run smoothly together, and difficult trade-offs between the two principles often have to be faced” . This can best be seen as the ‘awkward couple’ view that focuses on perverse effects of transparency in the form of e.g. box-ticking that can lead to one-way communication rather than real answerability in effective dialogue . Nevertheless, in general transparency is perceived as an instrumental dimension of accountability; it is the revelation of information for purposes of accountability. Responsibility, though semantically not always distinguishable from accountability, is derived from the noun to respond. Yet accountability has a broader meaning: how responsibility is exercised and made verifiable. In an accountability relationship responsibility entails the stewardship of one party entrusted by another with resources and/or responsibilities. Responsibility thus refers to ownership, acknowledging being the steward or accountor with respect to certain resources and/or responsibilities. Also, it can entail an inward sense of moral obligation to explain or answer . Responsiveness is a more evaluative dimension of accountability and refers to the aim of making governments, organisations or institutions accord with the preferences of the people . Public service providers are called on to be responsive to the needs of their clients in a way analogous to private sector firms being sensitive to consumer demands . However, these defining elements of accountability, transparency, responsibility and responsiveness are in themselves ideographs and umbrella concepts that are in need of operationalization themselves.
Nevertheless, in the public sector accountability often is used in relation to good governance. One can speak of good governance when the interaction between the actor and the forum has such an institutional realization it entails societal interests and moral values the best way possible. Good governance focuses upon the creation of conditions that allow collaborations, interactive processes or policy networks to function the best way possible. Moreover, these conditions do take into account the different stakeholders’ responsibilities and societal interests. The driving force behind all systems of accountability, in the public services, including professional accountability is the democratic imperative for government organizations to respond to demands from politicians and the wider public [42, 43]. The use of accountability in the public sector therefore is more evaluative than descriptive and reflects upon what responsible behaviour is.
3.2 Accountability in the Cloud
The claim that accountability is relatively new in the private sector as a mechanism to govern responsible behaviour in the cloud actually is less topical than expected. First, the notion of accountability is introduced in the field of law as a data protection principle more than 30 years ago and since then more steps have been taken in the discussion on accountability in data flow and privacy protection in EU . One of the main reasons for the revival of the accountability principle in the late 2000’s is the globalisation of data flows . Second, the equivalent of good governance, corporate governance, also dates back more than 30 years. Corporate governance entails the totality of structures, regulation and conventions that determine the way and efficiency with which a company is run and controlled. Within corporate governance the values of control and oversight of performances are embodied in the notion of accountability. The demand for more transparency in the sense of more and reliable information to inform the accountee, i.e. the share holders, allowed for more control and recommendations with respect to management and authority.
However, accountability’s current use in the private cloud sector seems to point at a new perspective on accountability and good governance. Instead of focusing on control and supervision as in corporate governance, accountability now also seems to refer to a learning perspective in the sense of good governance. For example, in the A4Cloud project “[a]ccountability consists of defining governance to comply in a responsible manner with internal and external criteria, ensuring implementation of appropriate actions, explaining and justifying those actions and remedying any failure to act properly” . Accountability entails an image of transparency and trustworthiness. It holds the promise of fair and equitable governance and beholds a desirable quality of actors. Subsequently its current use seems to combine accountability as a mechanism and accountability as a virtue.
This renewed use of accountability likely is a reaction to the failure of the cloud computing market mechanism and to its governing problems due to the cloud’s transborder nature. With respect to the market failure, accountability aims to address the power asymmetry between (international) corporations or cloud providers and individuals or (smaller) cloud users. The latter lacks resources and knowledge to assert their rights to information on how their data is handled in the cloud. Moreover, vendor lock-in has refrained cloud users to exit and choose other cloud vendors. In a competitive market, the main mechanism of responsiveness is consumer choice, the capacity of the consumer to exit to an alternative provider. Moreover, in the private sector accountability is mostly applied to owners and shareholders and more to the company’s manager to account for the company’s performance than to customers whose main right is to refuse to purchase. However, in the public sector, accountability is usually understood as a voice not an exit strategy. Including accountability in the market system of cloud computing aims to assure an increased attention of ‘customer-driven’ services. With respect to the transborder nature of the cloud Bennett argues that accountability in the online/Internet sector came into play when solutions were sought for governing the more complicated, networked and global environment for international data transmissions . In legislative terms we see a change in focus from the legal regime to the actual protections afforded by receiving organisations. Focusing on how data is actually protected by real organisations in receiving jurisdictions rather than on the ‘black letter of the law’. This means that it is not the flow of data across boundaries that should worry us, but the use of that information in ways that may harm, discriminate, deny services and so on [46, 47]. Therefore the focus should be on how to govern accountable behaviour with respect to data and personal information.
A known criticism to accountability is its connection to and implication of self-regulation. Previous Accountability Projects like the Galway Project and Paris Project have defined key requirements for accountable organisations e.g. privacy policies, executive oversight, event management and complaint handling and redress. According to Bennett , these elements are not significantly different from the conclusions about self-regulation in the 1990 s. What has changed is that now we have a broad consensus of what it means for a responsible organisation to protect personal data and to respect the privacy of the individual . Moreover, accountability entails more than self-regulation and includes mechanisms of oversight and supportive tools and mechanisms to govern accountable behaviour.
Nevertheless, accountability in the cloud seems to be able to address data protection and privacy issues from a regulatory perspective. First, because systems are build to ensure compliance with current legal regulations for protecting privacy. Second, as it is believed that accountability can form the focus for dealing with issues of scale in regulation, privacy risk assessment, self-regulation through certification and seals and foster an environment for the development of new technologies for managing privacy. Third, accountability is a binding principle through which those who control data should on request from regulators be able to demonstrate compliance with data protection legislation as a minimum.
The renewed focus on accountability in the cloud is supposed to positively affect data controllers responsible behaviour. Since breaches of personal information may have significant negative effects both in economic and particularly in reputational terms, data controllers in both public and private sectors seem to have gained interest in minimising risks, building and maintaining a good reputation, and ensuring the trust of citizens and consumers .
This extension of accountability entails the extension to public dialogue. The obligation to account used to derive from the relationship between business and shareholders and between business and customers. The new approach of accountability not only focuses on the shareholder or the customer, but also to ‘the other’, the public at large. Accountability is seen to be a dialectical activity, requiring accountors to answer, explain and justify, while those holding them to account engage in questioning, assessing and criticizing. It thus might involve open discussion and debate about matters of public interest. The society at large has a right to information about the extent to which an organisation has complied with the (minimum) standards of law and other regulation of a quasi-legal nature. Subsequently organisations are expected to be more transparent, to make information available on behalf of an often unspecified mass audience. Importantly such an information disposal should not become a goal in itself; it is the two-way communication in which stakeholders, such as the public at large, should be able to voice their concern.
According to Gray “the empirical basis of accountability can be substantially extended from law, and quasi law to public domain matters of substance” . A restriction to financial account, or legal accounts would critically limit the attempts at holism in the cloud ecosystems. Although this is not incontestable, it does lead to the specification of a community’s moral and natural rights. A specification of the public domain matters of substance can be elicited via public opinion. Organisations then owe accountability to the public at large for these specified public domain matters of substance. Subsequently, the public at large has the right to information about actions that influence society, other societies, and/or future societies. The community in which the accountor operates then is the level at which information is reported, the level at which transparency must be sought. However, to what information about organisations, such as cloud vendors and cloud service providers, do communities have rights? And, to what extent does voicing concerns without a clear consequence make sense? Importantly, these public domain matters of substance should be defined and become part of an iterative process of seeking dialogue and not only providing an account. As Raab argues “[i]n any case, the audience for an organisation’s or government’s account must somehow be involved with the process by which the account is produced, and not only with the product” .
4 The Dutch Public’s Understanding of the Cloud
Whereas in the previous sections we have described a normative plea for the treatment of cloud computing as a new emerging technology that requires the elicitation of public concerns and responsible governance through accountability, this section is actually exploring current public’s understanding of cloud computing.
4.1 A Survey on the Public Understanding of the Cloud
In order to learn what governing mechanisms might contribute to gaining a grip on the distribution and steering of accountability in cloud computing, it is important to distinguish the underlying concerns that ideally these governing mechanisms will address. Whether the public is concerned about cloud computing and what type of concerns they have is explored based on the empirical knowledge gathered from white papers in combination with literature on the public understanding of science, risk society, accountability and related topics such as control, trust, transparency and responsiveness. These insights have been used for the design of a survey on the public understanding of cloud, their concerns and coping mechanisms.
Sample demographics and comparison Dutch population*
20 to 40
41 to 60
61 to 80
81 and older
4.2 Survey Results
De obtained data is processed and analyzed using SPSS, v21. The resulting findings are depicted below.
Internet Use and Experience with the Cloud. Respondents reported to make the most use of the Internet at home, spending an average of 7 and a quarter hour per week on the Internet (M = 7.25, SD = 9.36). Next, comes work with a little over 4 hours a week on average (M = 4.14, SD = 8.75), followed by about half an hour at school (M = 0.56, SD = 2.99), and lastly respondents spend some time elsewhere on the Internet (M = 0.13, SD = 1.37). When asked whether respondents had heard of cloud computing before, 23.5 % of respondents (N = 534) reported that they had not heard of cloud computing before and 76.5 % (N = 1736) of respondents reported that they had. Of these latter respondents, 32.7 % (N = 742) indicated that they had often heard of cloud computing and the remaining 43.8 % (N = 994) had only heard of cloud computing incidentally. While 23.5 % of respondents reported not to have heard of cloud computing, only 14.1 % (319) does not make use of any cloud Services. The other 85.9 % (N = 1951) indicated to make use of at least one cloud service presented to them. In appendix D all cloud services are listed with the number of respondents that make use of them. Hotmail (44.7 %, N = 993), Gmail (51.4 %, N = 1166), and Facebook (57,3 %, N = 1300) are the cloud service used by the most respondents.
Expectations of the Cloud. Expectations of cloud services can be both negative and positive. We asked respondents to respond to the following item: cloud computing comes with both benefits and concerns. What do you think about the balance between benefits and concerns? Response categories were ‘the benefits outweigh the concerns’, ‘the concerns and benefits are about equal’, and ‘the concerns outweigh the benefits’. This way we were able to distinguish between cloud enthusiasts (i.e., individuals that expect the benefits to outweigh the concerns), from cloud neutrals (i.e., individuals that expect the benefits and concerns to be about equal), and cloud worriers (i.e., individuals that expect the concerns to outweigh the benefits) in our sample. We found that 28.1 % (N = 638) of our sample were cloud enthusiasts and expect the benefits to outweigh the concerns. The majority of 41.8 % (N = 948), however, was cloud neutral, expecting the benefits and concerns to be in balance, and the remaining 30.1 % (N = 684) were cloud worriers, who consider the concerns to outweigh the benefits. One sample t-test between percentages showed that there were significantly more cloud neutrals than either cloud worriers, t(2,269) = 6.64, p < .001, and cloud enthusiasts, t(2,269) = 7.91, p < .001. The number of cloud enthusiasts and worriers did not differ significantly, t(2,269) = 1.25, p = .212.
Next we investigated the concerns and benefits people may experience with regard to the cloud in more detail. Seven items assessed whether respondents expected cloud services to yield benefits for society. Responses were on a 5-point Likert Scale with (1) Completely disagree and (5) Completely agree. Reliability analysis supported combining these items into a single scale Benefits (α = .81). The remaining 23 items addressed general cloud concerns, data security concerns, and legal concerns. Responses were on a 5-point Likert Scale with (1) Completely disagree and (5) Completely agree. Factor Analysis with Varimax rotation appeared to verify the existence of the three scales at first glance. Based on the criteria of eigenvalues > 1, the items regarding general, data security, and cloud concerns were distinguished in three separate scales. However, factor analysis did not provide any support to distinguish between different types of concerns and instead all items were combined into a single total concern scale. Descriptive analysis showed that respondents generally shared the concerns presented to them as they scored above average (M = 3.55, SD = .74; on a scale of 1 to 5). Looking at the individual items, presented in Table 2 (see Appendix), we see that almost none of the items deviate far from the total average and each other with means ranging from 3.31 to 3.78. In other words, no specific concern appears to spring out in particular. Only the item concerning the possible incompatibility of the individuals’ current data infrastructure with the requirements of the cloud instigated less concern among respondents (M = 3.01, SD = 1.07).
We subsequently looked at what benefits respondents associate with the cloud. In general, respondents did associate the cloud with the presented benefits (M = 3.35, SD = .62). Looking at the individual items, shown in Table 2b, we see that respondents appear to recognize several benefits more than others. Respondents mostly see the benefit of the cloud in the fact that it automatically organizes the backup of information (M = 3.54, SD = .92), it improves information sharing and collaboration (M = 3.92, SD = .82), and it makes more efficient use of hardware (M = 3.65, SD = .84). Respondents appear less convinced that the cloud has great beneficial effects on the economy (M = 3.11, SD = .93), allows for better security of information (M = 2.95, SD = .97), and provides individuals with more control over their personal information (M = 3.09, SD = .98).
Trust and Responsibility. In order to assess the trust and sense of responsibility, respondents have in relation to cloud services, we asked them to fill in two general trust scales, and indicate the level of trust and responsibility they place in relevant parties. The results showed that respondents were generally more inclined to believe that others are to be trusted and would be fair to them, scoring a 6.02 (SD = 2.12) and a 6.04 (SD = 2.22) respectively on a ten point scale with higher scores indicating more trust in others. Next, we look at the trust and responsibility respondents assign to the handling and supervision of their data in the cloud.
Assigned trust for supervising data in the cloud.
Independent consumer organizations
Individual Cloud providers
Assigned responsibility for appropriate use of data in the cloud***
Most responsibility <---> Least responsibility
N = 2209
Actual coping behaviour
I ask others (e.g. friends/family) whether a certain cloud provider is reliable
I check the terms and conditions before I subscribe to a cloud service
I check the privacy policies of the cloud services I use
I make sure not to store sensitive personal information in the Cloud
I only make use of certified cloud providers
My information is stored in one country only
Actual Coping Behaviour Scale (Total)
The depicted results are mainly descriptive yet give good insight whether the general public indeed has concerns, what these concerns might be, whom they trust and whom they deem responsible for the appropriate handling of data in the cloud.
5 Cloud’s Social Implications and the Need for Accountability
In the previous sections we have argued that cloud computing is not just a new innovation like the tablet or any other regular consumer good, but is an information and communication technology innovation with a deep impact on society. Cloud computing has changed and still is changing our society’s organization. Moreover, cloud computing has enabled the increased control and controlling capabilities by governments by accessing public and business data in the cloud. In order to stimulate the responsible innovation in cloud and future Internet services it is of importance to elicit potential risks and public issues with respect to the cloud’s impact on society. These risks and public issues not only refer to technical, but also to social, ethical and legal issues. Moreover there is a need to govern the identified risks and public issues in order to warrant the sustainability of the cloud ecosystem.
Within cloud ecosystems accountability might be perceived as the solution in governing the responsible behaviour with respect tot data in the cloud. Accountability, especially in relation to responsible behaviour, stems from the public sector and subsequently relates to public issues. Nevertheless, this type of accountability now has entered the private cloud sector too. Cloud’s impact on society by reshaping its organisation and controversies like the Snowden files are reasons to call for accountability to society at large. From a normative perspective cloud no longer is a consumer good, but has become a consumer good with public issues.
In contrast, the survey results seem to imply that the general public is not concerned much with cloud computing, nor feels the need to address its concerns actively (see actual behaviour). Cloud is a widely accepted information technology model that can expect a seamless adoption. The majority of the respondents 85.9 % (N = 1951) already use at least one cloud service presented to them of which social media services were used most. Moreover, the biggest part of the sample indicated to be either a cloud enthusiast 28.1 % (N = 638) or have a neutral feeling towards the cloud 41.8 % (N = 948). Only, 30.1 % (N = 684) are labelled as cloud worriers. In line with these findings the public assigns the most responsibility for the appropriate use of data in the cloud to the individual user. This response is in line with the perception of cloud as a consumer good.
Only the trust and responsibility results might imply that there is a need and desirability for external oversight by the in order to safeguard responsible behaviour and could plea for accountability in the cloud system. While the public generally assigns responsibility to the individual user, it also assigns most trust to legal authorities and the least trust in the individual cloud providers. These findings are in line with findings by Sjöberg and Fromm, demonstrating that individual cloud consumers (or the population at large) mainly see the benefits of cloud computing and are only to some extend aware of related risks .
Does this discrepancy between the normative frame in the former sections and the depicted results in the latter then demonstrate inconsistencies in the normative frame? The survey results mainly provide the picture of a consumer good for individuals, while the normative considerations plea for the public interest at stake due to cloud computing’s impact on society. Some caution might be needed before drawing the conclusion that the normative considerations do not seem to hold. The survey results do indicate that currently the public is not concerned about the implications of cloud for society. Cloud computing simply is not perceived as a life altering technology accompanied with risks as genetic modified foods or xenotransplantation have been in the past. According to Warren the public most likely tends to focus on other contemporary problems that are deemed more threatening to the individual and/or society . Other explanations might be that the displayed lack of interest might be caused by a general feeling of trust in the proper handling of data in the cloud, or it might be the knowledge asymmetry and the lack of knowledge on what the cloud is and why and how it should be assessed. New controversies like PRISM as well as the growth in cybercrime might, however, change this momentum of cloud computing’s acceptance.
However previous research and events also demonstrate that the public sometimes realizes that public issues are at stake long after the wide spread adoption of the technology or product. An example is the use of diethylstilbestrol (DES), a medication that was used to treat morning sickness of pregnant women. Only after years of use DES was taken off national drug formularies due to the increased risk of the mother’s child to rare forms of cancer and reproductive deformity due to the mother’s use of DES. Another consumer good that first was widely accepted and later on perceived as having a negative societal impact is the cigarette. Cigarette smoking nowadays is related to health consequences with a negative effect on society, i.e. health costs and economic productivity.
The need for accountability might not be uttered by the general public, the business context of cloud computing does demonstrate some indications towards the need for increased transparency, responsibility and accountability. For example, Microsoft has issued several Law Enforcement Request Reports since March 2013. Microsoft explicitly states: “Microsoft receives legal demands for customer data from law enforcement agencies around the world. In March 2013, as part of our commitment to increased transparency, Microsoft began publishing details of the number of demands we receive each year in our Law Enforcement Requests Report and clear documentation of our established practices in responding to government legal demands for customer data” . Similarly Apple states: “We believe that our customers have a right to understand how their personal information is handled, and we consider it our responsibility to provide them with the best privacy protections available. Apple has prepared this report on the requests we receive from governments seeking information about individual users or devices in the interest of transparency for our customers around the world” . These statements indicate businesses’ concerns with keeping governmental bodies like the NSA outside the data entrusted to them in order to maintain not only good business-to-business relations, but also a good reputation in the larger public. While cloud computing is not a new emerging technology like genetic modified foods, xenotransplantation or nanotechnology, it might still be considered as an innovation that needs public debate and accountability to society at large.
The facilitation of the public debate on cloud as well as accountability relations is something that does not usually origin from developments within the private sector. The private sector is less likely to seek public debate then for example scientists. However, since accountability already is introduced in the cloud ecosystem it might open up further public debate on cloud’s social implications and the further need for responsible governance. Importantly, accountability in the private sector, specifically in the cloud market, is not a notion that should be used rhetorically or as a fashion accessory. Accountability as in the responsible behaviour with data in the cloud has deep implications for the relationship between cloud providers and the public at large, between data controllers and data processors, between business cloud users and (lay) end-users. Accountability is based upon certain ways of knowing and certain kinds of knowledge. Also, accountability requires the empowerment of participants who in turn require transparency as a condition of critical public discussion.
Despite the big promises of accountability in the cloud, some general warnings do remain. First, if the accountability process is to be trusted, it too must be transparent and open to accountability procedures. Even third parties or supervisory authorities need to account for their actions, results and intentions, to the wider public. Second, it is important to be aware of the accountability paradox; more accountability arrangements do not necessarily produce better governance. If the regulatory implementation merely adds administrative burdens without improving effectiveness, it will fail to deliver its stated objective. Third, accountability to the public is not straightforward, either in enhancing transparency of systems without generating more data sharing or in encouraging participation in the future direction of system development without undermining security. Fourth, scholars like Jasanoff warn for democratic participation as currently operationalized, it entails the wrong representation of the public and its views . Questions to ask are to what information about organisations, such as cloud vendors and cloud service providers, do communities have rights? And, to what extent does voicing concerns without a clear consequence make sense? Subsequently there is a need for reclaiming the turf of democracy: who should be served by innovation and for what purposes. This also goes for cloud computing.
We conclude that society as a whole has an interest in accountability for cloud providers. Cloud computing is a technology that potentially has a significant impact on society. The way we structure work and leisure may change as a result of cloud services and cloud arrangements. Moreover reflection is needed on the governmental access to data in the cloud. Society thus has an interest in the responsible development of the innovations cloud and future Internet services. Accountability and the associated mechanisms and tools allow inspection of what happens in the cloud, not only for individuals, but indirectly also for society at large.
Although Article 20 of the Data Protection Directive on prior checking when data processing presents specific risks is considered a predecessor to PIA.
The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement no: 317550 The Cloud Accountability Project (A4Cloud).
- 1.Fenn, J.: Inside the Hype Cycle: What’s Hot and What’s Not in 2009 (2009). http://my.gartner.com/it/content/1101800/1101817/august12_hype_cycle_final_jfenn.pdf
- 3.Marris, C., Wynne, B., Simmons, P., Weldon, S.: Public perceptions of agricultural biotechnologies in Europe. Final report of the PABE research project funded by the Commission of European Communities. Contract Number FAIR CT98-3844 DG12-SSMI (2001)Google Scholar
- 7.Raab, C.: The meaning of the word “accountability” in the information privacy context. In: Managing Privacy through Accountability, p. 15 (2012)Google Scholar
- 11.Alnemr, R.: Reputation Object Representation Model for Enabling Reputation Interoperability. Potsdam University, Potsdam (2011)Google Scholar
- 13.Almorsy, M., Grundy, J., Müller, I.: An analysis of the cloud computing security problem. Presented at the Proceedings of APSEC 2010 Cloud Workshop, Sydney, Australia, 30 November 2010Google Scholar
- 14.KPMG: Embracing the cloud. Global cloud survey (2011)Google Scholar
- 15.KPMG: The cloud takes shape. Global cloud survey (2013)Google Scholar
- 16.Niezen, M., Prüfer, P., Leenes, R.E., Nuñez, D., Agudo, I., Fernandez Gago, C., Koulouris, T., Alnemr, R.: A4Cloud D:B-4.1 Interim report. Tilburg University, TILT (2013)Google Scholar
- 17.De Oliviera, A., Garaga, A., Martucci, L.A., Felici, M., Alnemr, R., Stefanatou, D., Niezen, M., Fernandez, C., Nuñez, D., Hasnain, B., Vranaki, A., Cayirci, E.: D:C-6.1: Risk and trust accountability in the cloud. SAP (2014)Google Scholar
- 18.ENISA: Cloud Computing: Benefits, risks and recommendation for information security (2009)Google Scholar
- 20.Purtova, N., Kosta, E., Koops, B.J.: Laws and reputation for digital health. In: Requirements Engineering for Digital Health and Care. Springer, New York (2014)Google Scholar
- 21.Rip, A., Misa, T.J., Schot, J.: Managing Technology in Society. Pinter Publishers London, New York (1995)Google Scholar
- 24.Smith, M.: Concerns about surveillance ‘fanciful,’ British official says. CNN (2013). http://edition.cnn.com/2013/06/09/world/nsa-data-mining/index.html?hpt=hp_t1
- 25.Jain, V.: The Snowden effect, changing the course of cloud security. PandoDaily (2013). http://pando.com/2013/09/11/the-snowden-effect-changing-the-course-of-cloud-security/
- 26.Marshall, C., Tang, J.C.: That syncing feeling: early user experiences with the cloud, p. 544. ACM Press (2012). doi:10.1145/2317956.2318038
- 33.Jasanoff, S.: The Fifth Branch: Science Advisers as Policymakers. Harvard University Press, Cambridge (2009)Google Scholar
- 34.Jasanoff, S.: Governing innovation. Presented at the Knowledge in Question–A Symposium on Interrogating Knowledge and Questioning Science (2009)Google Scholar
- 36.Bovens, M.: Analysing and assessing public accountability: a conceptual framework (2006)Google Scholar
- 38.Bovens, M.: Analysing and assessing public accountability: a conceptual framework. European Governance Papers (EUROGOV) No. C-06-01 (2006)Google Scholar
- 39.Bovens, M.A.P., Schillemans, T.: Handboek Publieke Verantwoording. LEMMA, Den Haag (2009)Google Scholar
- 41.Hughes, O.E.: Public Management and Administration: An Introduction, 4th edn. England Palgrave Macmillan, Basingstoke (2012)Google Scholar
- 43.Romzek, B.S., Dubnick, M.J.: Issues of accountability in flexible personnel systems. In: Ingraham, P.W., Romzek, B.S. (eds.) New Paradigms for Government, pp. 263–294. Jossey-Bass, San Francisco (1994)Google Scholar
- 45.Pearson, S.: Toward accountability in the cloud. In: IEEE Internet Computing, pp. 2–7 (2011)Google Scholar
- 46.Bennett, C.J.: International privacy standards: can accountability be adequate? Priv. Laws Bus. Int. 106, 21–23 (2010)Google Scholar
- 47.Bennett, C.J.: The accountability approach to privacy and data protection: assumptions and caveats. In: Guagnin, D., et al. (eds.) Managing Privacy Through Accountability, pp. 33–48. Palgrave MacMillan, Basingstoke (2012)Google Scholar
- 48.The Working Party on the protection of individuals with regard to the processing of personal data: Article 29 Data Protection Working Party, Opinion 3/2010 on the concept of accountability. 00062/10/EN WP 173 (2010)Google Scholar
- 50.Organisation for Economic Co-operation and Development (OECD): Classifying educational programmes: Manual for ISCED-97 implementation in OECD countries (1999)Google Scholar
- 52.Warren, M.E.: Citizen participation and democratic deficits: considerations from the perspective of democratic theory. In: De Bardeleben, J., Pammett, J.H. (eds.) Activating the Citizen: Dilemmas of Participation in Europe and Canada, pp. 17–40. Palgrave Macmillan, New York (2009)Google Scholar
- 53.Microsoft: Law Enforcement Requests Report (2014). http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
- 54.Apple: Report on Government Information Requests (2013). https://www.apple.com/pr/pdf/131105reportongovinforequests3.pdf