“Cloud” Services: Appropriate use of online software tools such as Google Apps, Gmail, and Microsoft Live Office by the Michigan State University Community

Purpose

“Cloud services” represent a growing variety of useful services available on the World Wide Web and the most innovative and rapidly developing portion of the technology market space. “Cloud applications” promise to provide a large number and variety of services that will be very useful to faculty, staff and students at MSU. However, the business models and terms of use of these services often pose a variety of risks to users and the content they deploy in using these services.

This document is intended to provide guidance to help individuals make informed, well-considered choices about appropriate use of cloud services. It includes information about the Google Apps for Education at MSU (also known as G Suite for Education), explanations and examples of current concepts of cloud services and applications, as well as risk factors all faculty, staff and students should review before using any cloud service.

Background

“Cloud services” is a general term used to include a variety of computing and information services and applications run by users across the Internet (in the “Internet cloud”) on the service provider’s systems, instead of run “locally” on personal computers or campus-based servers. These Internet-based services are sometimes called “software as a service” (SaaS), or “platform as a service” (PaaS), or “hosted” applications, storage or computing.

Most commonly, a “cloud service” is based on a “business to consumer” (B2C) model, wherein the service provider (a business) offers the service to individual consumers or users. Cloud services also may be offered in a “business to business” (B2B) model, wherein the service provider (a business) offers its services to other business entities. Cloud providers, particularly in the B2C model, typically require user commitment to a service agreement (usually called “Terms of Use”) by clicking an “I Accept” button on the service’s website (called a “click-through agreement”), or by the user’s acceptance of the terms of use simply by beginning, and continuing, to use the service. B2B models generally involve a service agreement that is formally negotiated and executed between the service provider and the user business entity. Additionally, newer models involve educational institution agreements.

Some examples of cloud services include Google Apps, Microsoft Live services, Amazon Elastic Compute Cloud, and Simple Storage Service. Cloud services have become a mature business model, but one that continues to rapidly evolve. Because of competition in this space, we expect considerable innovative investment will be focused here for some time. Many cloud services are offered free or at very low cost in order to attract and compete for user volume.

Google Apps for Education at MSU

During the summer of 2009, Michigan State University executed an “Education Edition” (“EE”) agreement with Google for MSU-specific access to Google Apps. This gives MSU and its EE Apps users contractual terms of service that are better, for many MSU purposes, than the standard terms of service one gets when using the Apps as an individual public user; that is, it provides MSU users with the opportunity to shift from the B2C model to the B2B model.

Google Apps have become quite popular with and useful to the MSU community, and MSU had the opportunity to negotiate terms of use that are quite appropriate for many uses in instruction and scholarship, and even some “low consequence” business and administrative uses. The EE Apps are NOT appropriate for use with “high consequence” business records, intellectual property, or MSU Confidential Data. MSU Confidential Data are defined in the MSU Institutional Data Policy.

“High consequence” business records are those for which loss or inappropriate disclosure would result in a high consequence in terms of economic loss, legal liability, or loss of public trust, or those that fall within the university’s retention schedules. The EE Apps are NOT for uses involving any types of data that MSU has defined as Confidential (see MSU Institutional Data Policy). Users of the EE Apps are strongly encouraged to exercise caution in their use of this service and to read and apply the guidance provided in the Appropriate Uses of Google Apps for Education Edition at MSU document.

By using the EE Apps services, users consent to the terms of the MSU agreement with Google, which give MSU service administrators the right to manage user accounts, and to access user accounts and contents for purposes of monitoring, use and disclosure of these data as may be required by the agreement with Google. MSU will protect the privacy of users and their content consistent with the Acceptable Use Policy for MSU Information Technology Resources and all applicable laws, University policies, ordinances, business and administrative rules or guidelines, the terms of contractual agreements the university has made, or other applicable restrictions.

Why should everyone be concerned personally about making good choices regarding appropriate uses of cloud services?

Almost all decisions to use cloud applications are made by individual users. The data involved in each instance of use are typically only known to the user, and under MSU’s Institutional Data Policy each user is individually responsible for appropriate stewardship of Institutional Data (as defined in the policy). The cloud service may play a key role in the execution of an important academic or business process, such as teaching or taking a class, analyzing research data or developing a paper for publication. So, we each have individual and shared interests in protecting academic and business processes against unwanted disruptions, and protecting intellectual property and sensitive data against loss or unauthorized access and use. Therefore, all individuals must take responsibility for their own individual choices to use cloud applications in connection with their university work. Specifically, it is the responsibility of the individual using cloud services to ensure that their use is in compliance with all university policies and procedures, and applicable law governing the handling and protection of sensitive data.

Only a small number of individuals at MSU (typically the highest-ranking executive officers) are authorized by the MSU Board of Trustees to enter into legal contracts on behalf of the university. When individual users without such signature authority wish to use a cloud service for their university work and accept a click-through agreement, they are individually responsible and personally liable for any legal liabilities resulting from the use of the cloud service.

Risks and Challenges with Cloud Services: Key Factors to Consider

Before using any cloud provider or service, give the following factors due consideration:

Non-negotiated terms of use

The terms of use of many cloud services are non-negotiated. The user has only the choice to accept the terms of use as they are (or may become; see below), or to not accept the terms of use and not use the service. This makes it very important to read and think about the terms of use that are presented.

Control of user content

Do the terms of use give the service provider rights to make use of the user’s content? Terms of use may include a provision that, by using the service, the user is granting the service provider a broad range of rights to use the content the user places in the service. Users should take care to note the difference between ownership and rights of use. Terms of use often state that user content is owned solely by the user, but the terms of use sometimes also grant the service provider the right to make its own use of user-owned content in ways the user-owner may find objectionable. Ownership and rights of use are generally addressed in separate sections of the terms of use, which may obscure the distinction between ownership and rights of use in the agreement.

Security and privacy

Do the terms of use commit the service provider to keeping a user’s data secure, or even private from other legitimate users of the service? Do the terms of use give the service provider rights to make use of the user’s identity (may the service provider share user information with business partners, or sell user information)?

Backups

Do the terms of use commit the service provider to back up user data?

Assured purging

Do the terms of use commit the service provider to fully delete from the service any content, including distributed or backup copies, that the user has intentionally deleted from their use of the service?

Non-negotiated changes to terms of use

Are the terms of use posted obviously on the service’s website, or are they hard to find? What do the terms of use say about the service provider’s ability to change the terms of use? Do the terms of use commit the service provider to notifying the user of any such changes, or simply to posting changes on the service’s website, with the user being responsible for constantly monitoring the posted terms of use to know when they have changed? Do the terms of use require that the user formally acknowledge changes to the terms of use, or does the user accept the new terms simply by continuing to use the service? It is not unusual for terms of use to grant the service provider the right to change the terms of use at any time and in any way without the permission of the user and frequently without notifying the user. This simple provision means that the “agreement” essentially provides no real protections for the user, because any of the protections articulated in the version to which the user agrees can be changed at any time by the vendor. (Note: In early 2008, some terms of use for cloud services were observed to change as frequently as every two months.)

Non-negotiated changes to the service

Can the service provider change the service itself (for example, stop providing it at all) without notice to the user? If with notice to the user, what period of advance notice is provided to the user by the service provider, and by what means (direct notification; a posting on the service website)? Remember that a service may terminate due to the service provider’s business failure or acquisition by another party, and that this may cause abrupt changes not addressed by the terms of use.

Non-negotiated changes to the business model

Can the service provider change its business model? How likely is it to change its business model? Critical changes to the business model could include changes to the service feature set, or changes to the pricing model, or a combination (e.g., moving from “all features free” to “basic features free; valuable features at a price”).

Data formats

Do the formats in which data are stored by the service follow commonly-used standards or are they proprietary and unique to the service provider? Will the user be able to easily remove their content, or copies of the content, from the service and use it in other places or with other applications?

Indemnity

Just how vital to university business is the use being made of the service? What if something truly unwanted happened while university data were deployed in the service (e.g., a major business disruption)? Terms of use generally contain language by which the user agrees to hold the service provider harmless if the service provider does any damage to the user’s data or ability to use the service (to support the user’s business uses). Sometimes the indemnity language is even more favorable to the service provider, and may expose the user to liability to pay the service provider’s legal expenses.

Risk Triage

In addition to the foregoing factors, the following risk triage steps can be helpful to determine the appropriateness of using a cloud service. The triage is designed to help identify potentially appropriate uses by eliminating the riskiest use cases, based on the types of data intended to be deployed in using the service. The triage also identifies ethical issues worth consideration.

1. Confidential Institutional Data

It is unlawful to disclose certain types of data to third parties (including cloud service providers) without appropriate safeguards in place. MSU’s Institutional Data Policy defines “Confidential Data” and obligates all members of the MSU community to take individual responsibility for properly securing Confidential Data. Cloud services must NOT be used with any Confidential Data, unless an appropriate contractual agreement can be negotiated with the service provider by the university.

2. Institutional business records

Business records are “information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business.” Many types of data we receive or create every day fit this definition and do not necessarily involve Confidential Data, but deserve appropriate care in how we manage the records. Business records can take the form of email, email attachments and other electronic communications, calendar entries (particularly those involving important meetings or events; e.g., meetings involved in due process protocols; vendor contacts during bidding; etc.), and documents posted and edited in file shares, wikis and a variety of other electronic tools. Cloud services must not be used for work involving university business records, unless an appropriate contractual agreement can be negotiated with the service provider by the university.

3. Student, faculty and staff intellectual property

MSU’s Intellectual Property policies (see the MSU Technologies website) and policies regarding student intellectual property (see the Code of Teaching Responsibility) define the types of intellectual property that belong to students, faculty and staff. This property often needs to be protected carefully (e.g., content with patentable subject matter or commercial value) and should not be placed in a cloud situation unless an appropriate contractual agreement can be negotiated between the university and the service provider. Sometimes the owners of this property care less about its protection than they care about the value of the services they will be receiving from cloud applications. These trade-offs should be considered before using a cloud service, and the choices should be made by the involved content owners.

4. Agency decisions

One person should not make a decision regarding use of cloud services when others who are party to the use but not party to the decision may have valued data involved. For example, except in a limited number of circumstances, students own the copyright in works submitted to meet course requirements. If an instructor chooses to use a cloud application in a class, the application’s terms of use should be reviewed with the students in the class, and the instructor must be willing and able to provide an alternative if a student decides not to use the service due to objections to its terms of use. Similar regard should be given to faculty or student collaborators and their intellectual property if a cloud service is chosen for use to support a research project or other form of group collaborative effort. All members of the collaboration or work group should be aware of the conditions of use for the tools they are using, and should reach a consensus decision about the value of using those tools.

When you are not sure, ask

If you have any questions or concerns regarding cloud services or Google Apps usage, please do not hesitate to contact the MSU IT Service Desk for assistance at (517) 432-6200.


The following groups provided editorial review of the initial development of this document: Network Communication, and Instructional Computing and Technology, and Communities for Advising, Facilitating and Enabling.

This document was originally created as a working draft on April 22, 2008 to revise advice provided previously in the Deans/Directors/Chairs memo of November 3, 2007.

Revised in November 2009 to incorporate a section regarding the Google Apps for Education Edition at MSU.

Revised in March 2011 to properly reference the MSU Institutional Data Policy and in September 2011 to update it for current market conditions and to clarify certain legal issues.

Revised in October 2014 to update Google for Education references, move from PDF to in-line web page text, and add web formatting.

Revised in October 2016 to add a reference to the name G Suite for Education per vendor service name change.