Give Me Liberty: Why We Need a Cybersecurity Bill of Rights and What It Could Include

In his June 8, 1789 speech in Congress advocating for the adoption of a bill of rights to add to the Constitution, James Madison identified “the great object” of such an addendum as the opportunity “to limit and qualify the powers of government, by excepting out of the grant of power those cases in which the government ought not to act, or to act only in a particular mode.” Moreover, Madison declared, a bill of rights would be a valuable bulwark of individual liberty because of its versatility, defending “sometimes against the abuse of the executive power, sometimes against the legislative, and, in some cases, against the community itself; or, in other words, against the majority in favor of the minority.” Although Madison never anticipated the advent of the Internet, Madison’s centuries-old speech is as relevant and applicable today for why we need a new, 21st century bill of rights, albeit in a different domain: cyberspace.

As noted in an October 2021 opinion piece by leaders of the White House Office of Science and Technology Policy, privacy in cyberspace is increasingly in peril: governments have expanded surveillance infrastructure and capabilities to support “security states”; private firms monetize uploaded personal data by storing, packaging, and reselling the information to third parties, often without consent from the individual the personal data is about; private conversations are not necessarily kept off the record; even messages, photos, videos, and emails are not confidential. Indeed, technologies have consistently outpaced laws to combat the online encroachment of citizens’ civil liberties. Thus, the time has come for a Cybersecurity Bill of Rights to protect fundamental expectations of privacy in cyberspace, especially before technology further erodes any and all confidentiality, control, and confidence in online activities.

Naturally, a call for a Cybersecurity Bill of Rights prompts a debate regarding what exactly should be included in an enumerated list of rights. Can existing, established rights simply be extended to cyberspace? Should historical rights even influence new, Internet-specific rights? As questions of policy, such inquiries lack a clear, discernable answer. Nonetheless, using the Constitution as a blueprint, five basic rights should be considered for inclusion in the final Cybersecurity Bill of Rights because they are rooted in democratic values and guard against increasingly pervasive and potent data-driven technologies.

First, the right to cyber privacy could be enshrined in a Cybersecurity Bill of Rights. Indeed, as noted in the White House Office of Science and Technology Policy opinion piece, artificial intelligence can not only collect a person’s uploaded data, but also engage in pervasive or discriminatory surveillance, abuse, and theft of a person’s uploaded data. A right to cyber privacy, therefore, protects a person’s uploaded data and safeguards a person’s online activities, such as Internet searches, online property like cryptocurrency and non-fungible tokens, and Internet profiles where a person may express personal thoughts and feelings. Importantly, the right to cyber privacy also guarantees a person the option to correct or delete information transmitted online, akin to the European Union’s right to be forgotten.

Similarly, a Cybersecurity Bill of Rights could guarantee the right to own and control personal data uploaded online. Presently, some companies voluntarily abide by this principle, but none must do so under federal law. Specifically, this liberty refers to a person’s freedom to opt in or out of a program that seeks to gain access to personal data and, upon consenting to such access, learns how the program plans to use the information for the sake of transparency and accountability. An Internet bill of rights, therefore, could not only enshrine this right, but also ensure the option as revocable upon request by the person who had authorized access to personal data. In fact, a Cybersecurity Bill of Rights could also impute a duty on companies and governments who have been granted access to personal data to implement reasonable security efforts to prevent inadvertent or unauthorized disclosure of, or unauthorized access to, such information; if personal data has been subjected to a security breach, then the duty of reasonable care would mandate that companies and governments provide timely notice of the break-in after its discovery. The right to own and control personal data uploaded online could include the freedom for individuals to move their personal data online without hindrance (known as data portability) as well.

Third, the freedom to assemble online could be included in a Cybersecurity Bill of Rights. In essence, this liberty provides that people can, in general, associate themselves with online communities and engage with one another virtually. The freedom to assemble online is likely one of the more controversial rights due to concerns about hate speech and misinformation online. Still, the freedom to assemble online counteracts censorship in cyberspace, which aligns with the Supreme Court’s unanimous holding that overbroad censorship of the Internet is unconstitutional in the landmark decision Reno v. ACLU (1997).

Fourth, a Cybersecurity Bill of Rights could also include the freedom to code. Coding, or computer programming, is a means of instructing electronic devices to do or behave in a certain manner; “writing code” refers to the development and maintenance of websites and applications, and improving the functionality of operational technology such as traffic lights, smart TVs, and cars. Although the aim of coding is to optimize efficiency, coding can be used to manifest personal interests, dreams, or goals; coding, therefore, is a form of expression. Thus, the freedom to code could be deemed necessary in an Internet bill of rights as an extension of safeguarding freedom of expression online.

Finally, the freedom to navigate online could be protected in an Internet bill of rights. To be clear, the freedom to navigate online means free and unfettered Internet access; Internet service providers, therefore, would have to abide by the principle of net neutrality and neither block nor throttle or, alternatively, neither prioritize nor favor certain content, applications, services, or devices for Internet-users. The freedom to navigate online, therefore, prevents lawmakers from even considering repealing net neutrality rules—as happened as recently as December 2017.

Without a doubt, the Information Age, which has ushered in the advent of the Internet, has had tremendous positive impact on our way of life. Still, as our use and dependence on cyberspace increase, it is necessary to ensure basic rights are protected in this nascent domain. A Cybersecurity Bill of Rights, therefore, is our best mechanism for defending our individual liberties online from government and technology industry abuse. Although what precise rights should be included is subject to ongoing debate, the significance and timeliness for an Internet bill of rights is incontrovertible; as James Madison stressed in his speech before Congress, a bill of rights is “at present…[necessary] to provide those securities for liberty which are required…as we fortify the rights of the people against [] encroachments.”

Aaron C. Mandelbaum

Georgetown Law Technology Review; Georgetown Law, J.D. expected 2022; University of Pennsylvania, B.A. 2017.