Impediment of privacy in the use of clouds by educational institutions

—Cloud computing is considered as one of the technologies that revolutionizing the educational sector. Innovation of nascent interactive and user friendly educational tools and resources helps in the improvement of students’ academic performance. The technology revolutionized the delivery of educational tools and materials shifting from educator-centric to student-centric. The cloud based education spur considerable interest among the students. The technology adoption theories found that students were satisfied and motivated by the cloud-based learning environment and were adopting it as their lifestyle. While the adoption is impressive, the concern for privacy is real. The laws in US, EU countries and UAE are not directly addressing the privacy and data protection issues in clouds. However, the existing laws could be extended to cover the cloud service use by educational institutions and protection of personal data. The major issue in protecting privacy of students and others is the extra-jurisdiction effect of the Patriot Act and Foreign Intelligence and Surveillance Act (FISA) of US. These laws give opportunities to the US regulators to access and use private data of various parties in US and beyond for security reasons.


I. INTRODUCTION
Cloud computing is used to transform education by facilitating educational tools and access to providers and students around the clock at any device. The use of cloud helps the educational institutions to satisfy the technology savvy students who increasingly demand innovative ways for receiving education services which are more secure, reliable, and cost effective. As the demand for education never goes down, utilization of cloud computing in education increased in facilitating better research, discussion, and collaboration and enables classes to be run on remote locations [1].
According to The United States National Institute of Standards and Technology "cloud computing" is defined as a model that provides convenient on demand access to shared pool of resources [2]. Marston et.al also defined it as a service-oriented technology comprises of hardware Manuscript received June 4, 2015; revised August 14, 2015. and software where delivery made possible on-demand through a network regardless of time and location [3]. Cloud provides a comprehensive computing platform since it allows multiple applications as single application software services to multiple people and usages thereby making the computing technology to be better utilized as the digital ecosystem [4]. Cloud provides services without deploying any costly infrastructure to multiple users [3].
A cloud usually could provide an Infrastructure as a Service (IaaS) where the user benefits from processing, storage, networks, and other computing infrastructure resources. Though the user does not control the infrastructure, he has control over operating systems, applications. It is also possible to provide the cloud as Platform as a Service (PaaS). Under this service, users are allowed to deploy applications development using specified programming languages or frameworks and tools onto the Cloud infrastructure. In this service the user has control over deployed applications. The other type of cloud is Software as a Service (SaaS). Under this service, users are allowed to access cloud infrastructure and application via end-user devices like a web browser [5]. A cloud service provider could provide services to the clients as private clouds or public cloud or hybrid or community clouds. When they act as private clouds providers, they only operate for one organization, the services may be managed by the service provider or could be outsourced to a third party. Public clouds are open to the general public or a large industry group, Hybrid clouds allow to combine two or more clouds (private or public) whereas Community clouds is shared by several organizations and supports a specific community [6].
The educational institutions like any other organizations clasp the cloud service since they provide On-demand service server time and network storage as needed automatically without human interaction. It also offers broad network access where cloud could be assessable through various devices. The other reason for adopting cloud computing is the facility to pool the resources. The facilities in cloud computing are pooled to multiple consumers using a multi-tenant model. This allows many institutions to cut on IT infrastructure, application and manpower resources. Like other utilities, the cloud could also be managed as "metering" service [5]. The cloud usage could be monitored, controlled and reported, this in turn allows transparency for both the provider and consumer of the service. The article using content analysis provides a review on the use of clouds in educational institutions, the adoption of the cloud services by the students and the challenge of privacy protection.

II. CLOUD USAGE IN EDUCATIONAL INSTITUTIONS
The cloud computing has impacted strongly on the education sectors. The Universities and other educational institutions in the world including United Arab Emirates use the cloud computing facilities to substitute existing data centres, servers, and applications, replacing these machines' traditional "physical" presence on campus. The cloud computing also allows various stakeholders of the educational institution to access file storage, e-mail, databases, and other university applications anywhere ondemand. This expanded, device-neutral access theoretically lets everyone use information more effectively. The cloud computing helps the educational institutions to modernize small, overcrowded classrooms and facilities.
Through a "utility model", a scalable 24 x 7 x 365, pay-as-you-go model of cloud computing provide two major benefits to the educational initiations and the students. These services facilitate greater access to educational recourse and learning tools while helping in cost-saving measure for institutions of higher education. The educational institutions could on-demand adjustments to increase or decrease capacity to accommodate temporary spikes in demand, which are often dynamic and elastic [7]. For instance during examination, registration, events and conference periods, the demand could be high and other period the demand will be less. Accordingly, the institution will be able to negotiate for flexible on-demand services [8].
Students can actually log onto a space online and attend classes outside of the classroom environments. Cloud allows students to share their ideas and resources which could assist in reducing the educational institutions overhead expenditures on quality learning materials. By creating interactive and user friendly educational tools and resources they help students to excel in their academic performance and to improve quality of education. . In addition, they can share their expertise with others. The educators benefit, the real time and peer-topeer learning facilities also motivate the students learning. Teachers are able to prepare online tests for students, deal and create better content resources for students through content management, assess the tests, homework, projects taken by students, send the feedback and communicate with students through online forums. They also could use the clouds to manage the projects and experiments that require considerable storage space or processing capacity in addition to remote access [9].

III. TECHNOLOGY ADOPTION THEORIES
Students integrate the technology in their life greatly and it becomes part of their lifestyle and culture. They process information faster and adopt any technology quicker than others as they have more affinity for technology [10], [11]. Educational facilities used through mobile devices at any location and anytime boost the appetite for active learning. The flexibility and accessibility provided by clouds allow the young learners to be engaged and take a proactive approach to learning [12]. Researchers established that technological innovation adoption theories and social cognitive theory could be used to understand factors influencing an individual in adopting cloud computing services. Technological innovation adoption theories used factors like complexity, communicability, cost, compatibility, observability, social approval and trialability in influencing technology adoption [13], [14], [15].Social cognitive theory looks at person's environmental and organizational attributes in influencing the adoption process.
The diffusion of innovation (DOI) theory is one of the earlier theories of technology adoption that focuses more on individual behaviour of adoption [16].The theory states that diffusion of technology could be faster if the new technology is compatible, complex and has a relative advantage to other existing products or services (Rogers,1995). Since this theory does not concern about whether an innovation is actually accepted or used by an adopter [17], the theory of reasoned action was developed to study the complex behaviour of adoption [18]. The technology acceptance model extends to cover three attitudes: ease of use, usefulness and enjoyment [19]. The technology acceptance model explains how people accept a technology based on the belief that a person's attitudes towards using a technology. Though the theory of reasoned action (TRA) model was developed from actual system usage [19], it is being criticised as biased towards perceived behaviour rather than actual behaviour. It is also criticised as being relied on self reporting and not taken into consideration of the cultural difference among the users in diffusion of technology. Different types of beliefs such as behavioural, normative and control also have been neglected in the theory of reasoned action behaviour [20].
To come with a better model of technology adoption, theory of planned behaviour (TPB) was developed. This model looks at behaviour in the form of a person's facilitating and perceived behaviour regardless of their intention. Thus the theory of planned behaviour incorporates part of the theory of reasoned action as it includes perceived behavioural control but extends the previous theory to include different conditions that affect behavioural intention [21]. Actual behaviour can then be predicted by focusing on a person's perceived behavioural control without looking into their attitudes towards usage and subjective norms. Thus the theory of planned behaviour enables an examination of how a person's perceptions towards internal and external behaviour facilitate technology implementations.
Social cognitive theory has been applied in the technology innovation literature to analyze the internal and external social environment that influences technology adoption [22]. Social cognitive theory which is also called as social learning theory states that individual behaviour is determined by their social environment [23]. This relatively new behavioural intention theory helps to understand the expectation and attitudes a person developed due to social environment [24]. According to this theory, positive expectant attitude of individuals could be expected if outcome of using new things is positive. Hence, the cloud computing is adopted widely due to better learning satisfaction. Positive outcome expectancy is related to an understanding of the innovation. Understanding towards a technology has both cognitive and physiological dimensions [25]. Cognitive dimensions comprises of the knowledge, beliefs and ideas individuals have about their environment and the ability to use a technology. The cognition often focuses on how individuals within a social group react to the technology adoption [26]. The physiological dimensions include the physical or functional elements and the cost.
The young users of cloud computing facilities are more likely to adopt and benefit from the technology aided learning as they are said to be adopting technology inclusive life style and create a sense of achievement or self-efficacy. People with more self-efficacy will likely to use the learning facilities and get more satisfied with the learning experience [27]. Cheng [28] stated that external influences such as media reports and information are likely to influence more learning opportunities in individuals. Interpersonal influences such as connections with family and friends will encourage more collaboration and success of learning implementation.
A recent 2010 survey of undergraduate student found that the students are using various web-based services to support their college education and most of them with instructional activities and tools that were assigned by an instructor. In these learning activities, Information is openly shared, transparent, and democratized. The shift from faculty-driven to student-driven learning creates an important pedagogical development. The technology while facilitating learning also helps the providers to document frequently visited sites, recent searches, and posted comments or "likes" on a class wiki. This creates the concern for possible privacy intrusion [29].
Study conducted by researchers show that faculty members are more concerned about privacy than students. Students and faculty members in business faculty are less concerned than in arts and sciences, nursing, and education. Study also shows that university employees are most concerned about improper use of student information. This shows that the young students do not understand or care less for their privacy. Therefore it becomes significant for passing proper laws in protecting the interest of students and others alike [29].

IV. LEGAL DIMENSION OF PRIVACY IN CLOUD USE IN EDUCATIONAL INSTITUTIONS
In the context of cloud, one of the most important legal issues is the guarding of privacy and confidentiality of data in the clouds. The educational institutions will be worried about the security and privacy of corporate and students' data while researchers may be concerned about pre-mature release of new data or discoveries as the physical infrastructure in cloud facilities are shared among a number of users. To ensure the growth and adoption of cloud computing ensuring adequate guarantee for protection of privacy is germane. The challenge in cloud computing is that it provides global services with multiple players crossing various governments and their regulations. Thus the service providers need to accommodate different culture and legal requirement [30].
There is an absence of legislation in general in all most all the countries that addresses the issues raised by the cloud computing. Issues like who is a data controller, processor and service provider in clouds, what cloud providers can and cannot do with users' data and at what point does information gathering become nefarious data mining? are not addressed in any of the laws. Liability of cloud computing service providers when information stored on remote systems are disclosed or shared with government regulators is also not available.
In US, since many of the cloud service providers are US corporations, they could store and facilitate the access to cloud service from US jurisdiction. In such situation the data of local schools may be protected by applying the general rules of Privacy Bill of Rights and other constitutional rights protecting against "unlawful intrusions" on privacy "by both private and governmental actors." Besides there are other statues that specifically protect the underage children's data. For example, the Family Educational Rights and Privacy Act (FERPA) is silent on the employment and selection of cloud providers and the management of these relationships. FERPA does not prevent an educational institution from contracting with a person but imposes a condition that "the party to whom the information is disclosed will not disclose the information to any other party without the prior consent of the parent or eligible student." The law also required protecting the accuracy and privacy of student records at all levels of schooling. To access young children data who are below 18, students' parents consent is necessary. When a child turns 18, the rights are transferred to students directly. Any data of the student's work is posted online, a record of the student's work and involvement in the course is automatically created and thus may be subject to FERPA restrictions.
Another applicable legislation is Children's Online Privacy Protection Act (COPPA). This legislation regulates the collection of personal information from students who are below thirteen. This law imposes a requirement to all the parties collect, use, or discloses a child's personal information to get consent from the parents and to properly secure the data they collect and disclose their information sharing practices.
However, section 217 of US Patriot Act is being considered as a legislation that could give regulators easy access to private and confidential information. In the case of foreign citizens, the constitutional right to privacy is not applicable and using the Patriot Act the US government agencies could easily monitor the foreign citizens' data. This practice is creating widespread concern in many countries, in particular among the European Countries who apply a very strict data protection rules.
Another legislation of concern is the Foreign Intelligence and Surveillance Act (FISA), which provides special procedures for conducting physical searches and electronic surveillance of individuals who are suspected of involving in international espionage or terrorism against the United States of America. Enacted in 1978, the FISA was amended to facilitate the surveillance of foreign electronic communications (Title VII). Under section 1881a of this legislation, the relevant authority is authorised to access the remote computing services that are located in cloud within and outside US without a warrant.
In EU countries, though there is no specific cloud relevant legislation however, the existing law on data protection could be used to provide protection. The main concerns in using cloud in educational institutions are collection of data, third-party use of data, unauthorised access and the occurrence of error in data [29]. The EU data protection regime provides adequate protection for these concerns. It provides 6 comprehensive data protection principles that are incorporated in all EU member countries' legislation. The data protection principles require the data collector to process data fairly and lawfully. Fair and lawful collection necessitates the collection of data directly from the data subject. The collection of data must be for specified explicit and legitimate purposes. Thus the processing of the data must be for the purpose for which the initial collection of data was performed. The Directive is also very clear in prohibiting excessive and irrelevant information. It also mandates the eraser of data once the purpose ceases to exist. The data protection principles in the Directive also place responsibility on the data controller to ensure accuracy of data and keep the data up to data. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary and it should be processed in accordance with the rights of data subjects. It also requires the use of adequate security or organisational measure to ensure safety of data kept.
When the cloud services are used by the EU based educational institutions, the parties need to get consent for collection and take care of the data while in their custody. They also should ensure that the data is kept in EU countries and all the data protection principles are followed strictly. Under article 25 (1) the transfer of personal data to a third country outside the European Union is not permissible unless the country or territory ensures adequate level of protection for the rights and freedoms of data subjects in relation to processing of personal data. Safe Harbour principles allow the US based cloud service providers to transfer and handle personal data from and to U.S. provided that they comply with the data protection principles. Though the regulators and the cloud service providers follow voluntary codes of conduct, failure to comply with the agreed principles can be actioned by the U.S. Federal Trade Commission and punishable by various sanctions [31].
However, the US Patriot Act, Foreign Intelligence and Surveillance Act, 1978 and various allegations of privacy violations of EU citizens by US service providers created an environment of mistrust among the EU regulators and civil societies [32]. EU commission and individual countries are trying to control the long arm effect of US laws in violating the data protection and privacy rights of the EU citizens. This prevailing mistrust will impact the operation of US operated cloud services in EU and the countries will demand more protection for their citizens' data and most importantly the sensitive data of students.
In UAE, though there is no specific law that is applicable for cloud computing use for educational purposes, the Federal Constitution, the Penal Code and the Computer Crime Act could be used to protect various privacy and security concerns of users of cloud services. The Federal Constitution in Article 31 protects that secrecy of communication and the information of the individuals and institutions. Disclosure and usage of private information could be treated as violation under this provision. Section 378 of the Penal Code classifies the disclosure or use of any information or picture or view of a person's private life as a crime while section 379 protects the information received in confidence. These provisions could easily be used to protect any data of educational institution, students or researchers from misuse or mishandling. The UAE Federal Law No. 2 of 2006 on cybercrimes can also be used to protect the privacy of private data of educational institutions and their various stakeholders. Article 2 of the 2006 law punishes any intentional revealing secrets or republishing personal or official information. Article 6 criminalizes tempering with the data while article 10 penalizes identity theft and imposes imprisonment. The Computer Crimes law penalise all the parties involved in the crime whether directly or indirectly [33].
When the cloud service providers contract with the educational institution for cloud services, it is necessary for them to adhere to the legislative provision of privacy and data protection. Allowing US regulatory authorities access to the data held in UAE could amount to be a violation and this will result in criminal prosecution. Nonetheless, the major weakness of the UAE legislation is that they do not have extra-jurisdictional effect unlike the US legislation.

V. CONCLUSION
Educational facilities supported by cloud create a positive appetite for active learning. Additionally, the real time and peer-to-peer learning facilities motivate the students to be connected with the services offered via cloud. The adoption of cloud-facilitated learning platform is widespread among the students who have the empathy towards technology. Technological innovation adoption theories and social cognitive theory are used by researchers to understand factors that motivate individuals in adopting cloud computing services. Technological innovation adoption theories use factors like complexity, communicability, cost, compatibility, observability, social approval, trialability, person's environmental and organizational attributes to access adoptability. Though the adoption of cloud based learning is high, there is a greater concern expressed by various sectors of the community about the possible challenge of guarding privacy in the current situation. The US Federal Constitution, the Family Educational Rights and Privacy Act and the Children's Online Privacy Protection Act ensure protection of privacy in US. Similarly the EU directive on Data Protection specifies general principles of data protection. The UAE in the Federal Constitution, the Penal Code and the Computer Crime Act enshrine the right to privacy and data protection. However, the requirement of US legislation that the US companies which provide cloud services locally and internationally should allow US regulators access to data held in the cloud for security reason is going to be the greatest challenge in protecting the personal and business data of educational institutions worldwide. Jawahitha Sarabdeen is an Associate Professor in the Faculty of Business at the University of Wollongong in Dubai. She chairs the UOWD Disciplinary Committee and is a member of the UOWD Education Committee. Dr Sarabdeen is Program Director for the Bachelor of Business Administration and teaches undergraduate and postgraduate students across a range of business disciplines, as well as supervising a number of PhD and DBA students. She also served as UOWD PhD Program Co-ordinator, Head of the Law Unit and Chairperson of the Centre of Excellence for Cyberlaw in the Faculty of Management, Multimedia University. Her main teaching areas include marketing, human resource management, ethics and law. She received a number of accolades and commendations recognising her outstanding teaching practices. Dr Sarabdeen's research interests include electronic marketing aspects, legal and ethical issues of information and communication technology and human resource management, adoption of e-government and comparative analyses of conventional and Islamic banking and financial products. Her extensive research has produced more than 50 papers in refereed journals, conference proceedings and book chapters. Dr Sarabdeen is a Winner for UOWD Research Excellence Award 2012. She received a number of prestigious research grants, research excellence and best conference presenter awards recognising outstanding contributions to research and research achievements. Dr Sarabdeen has contributed to drafting legal policies for international organisations on Data Privacy and IP laws while having completed various research projects funded by both government and non-governmental bodies. She has delivered training programs for international institutions including the Basic Human Needs Organization, Japan, Japan International Co-operation Agency (JICA), the Ministry of Energy, Water and Communications (KTAK), Malaysia, and Central Bank, UAE. Dr Sarabdeen's consulting areas include electronic marketing aspects, legal and ethical issues of information communication technology and human resource management, adoption of e-government, comparative analysis of conventional and Islamic banking and financial products, risk management and corporate governance. Her client organisations include the International Telecommunication Union (ITU), Japan International Co-operation Agency (JICA), the Ministry of Energy, Water and Communications (KTAK), Malaysia, Microsoft Arabia and numerous non-governmental bodies.
Mohamed Mazahir Mohamed Ishak is currently working with some researchers at University of Wollongong in Dubai (UOWD) on various research projects including cloud computing and entrepreneurship. He has a Master's degree in law and extensive experience in research, publications, consulting and teaching.