A Cyber Bill of Rights
A Cyber Bill of Rights

The U.S. Bill of Rights was written to protect individual liberties and to limit the powers of an overarching government but some privacy advocates fear courts may need reeducating as to how those principles apply in the digital age.

As more of our private information becomes digitized and made available only online, question arise as to how far these basic protections go. How much freedom of speech does the First Amendment grant as soon as said speech is online? Are digital communications such as emails protected from unlawful search and seizers under the Fourth Amendment? And how does the Fifth Amendment apply to medical information?

Some have even questioned if the Second Amendment provides a right to bear encryption and called for additional legislation to consider internet access a basic right and more.

A growing body of cases raises the question of how much protection Americans have under the existing Bill of Rights, how these rights are interpreted when modern technology factors into the equation, and even if a more pointed Cyber Bill of Rights is necessary to ensure internet security and freedom.

The National Security Council former Senior Director for Cybersecurity Ari Schwartz, currently managing director of cybersecurity services and policy at Venable, doesn't think the U.S. needs a new Bill of Rights, but did say law enforcement and lawmakers need to answer important questions concerning consumer rights in the digital age.

Particularly, they should explore how existing protections granted by the document apply to the internet in terms of the First, Fourth, and Fifth Amendment concerning privacy and online security.

Some of these question include “how do Fourth Amendment search and seizures apply in regards to government surveillance issues,” “what's a reasonable search and seizure in the age of encryption,” and “how the Fifth Amendment applies when asking people if they need to turn over passwords or thumbprints.”

Schwartz says “it's important to remember that the First Amendment and freedom of speech played a big role in what the framers of the constitution were trying to do,” but he notes that challenges increase as the number of cameras increase and the impact it has on free speech and the right for people to congregate are important boundaries that need to be clarified.

As for the Fourth Amendment, Schwartz said the biggest question is “what makes it a reasonable search?” He suggested the courts craft laws to ensure that all proceedings have transparency and oversight. Those searched should understand what was done in the search after the fact. The only thing that makes a search unreasonable, he says, is if it was done unfairly or if the scope of the search was too broad or not good enough.

“Some say the Fifth Amendment doesn't cover biometric information while others argue it should,” says Schwartz. In one recent case, data from a suspects a suspected arsonist's pacemaker was used to charge them with fraud after doctors concluded that his story of him escaping a house fire didn't match his heart rate at the time?

Although a warrant was used to glean the information, the Electronic Frontier Foundation (EFF) questioned the actions arguing that Americans shouldn't have to make a choice between health and privacy with the possibility of being compelled to turn over protected medical information.

Encryption will present greater challenges as it's built into more products, Schwartz says.

Making everyone more secure while at the same time help law enforcement do its job is easier said than done, Schwartz says, noting that law enforcement needs to be made aware of all of the available tactics to access information other than by using backdoors.

“Only 13 percent of phones that the FBI has can't be accessed,” Schwartz says, adding that there are some basic “tricks of the trade” that local law enforcement agencies need to learn.

That understanding shouldn't get lost in the digital age, he says, contending that the internet security can actually be enhanced by the Bill of Rights with proper understanding.

And while Schwartz agrees that the First, Fourth, and Fifth Amendments are relevant to protecting freedoms and privacy online some security professionals go as far as to say that the Second Amendment applies to encryption.

“In order for us to have a government, nation or free state it was assumed that we need weapons,” Cybereason Chief Product Officer Sam Curry says. “What's the difference from a cyber perspective?”

While Schwartz says he has heard this argument made before, but doesn't agree since guns can be regulated while encryption can't. 

Nevertheless, Curry calls for a national debate that includes input from tech experts, civil liberties advocates, and public legislators concerning what basic rights consumers are entitled. The discussions should include freedom of speech, religion, privacy, rights to basic internet access, and world views, he says.

Any debate should include consideration of what degree of privacy is ensured and address issues of anonymity, confidentiality, availability, and the right to exchange private messages.

He also noted that the Committee of Correspondence, which rallied colonial opposition against the British before the American Revolution, communicated using letters that were considered private and were the similar to modern email communications. It's important to keep in mind that these private communications were crucial in the founding of our country, Curry says.

Another thing to mull is whether citizens have a right to secret conversations and a right to conduct business in a way that no one can track. If so, he asks, what are the criteria for doing so?

Furthermore, consideration should be given to the fact that what is difficult to do online will still happen offline.

Some privacy advocates, such as Center for Democracy and Technology Vice President Policy Chris Calabrese, say the courts should be re-educated in how the Bill of Rights and other existing laws apply in the digital era.

Calabrese said the existing Bill of Rights already applies to cybersecurity and online privacy and courts should be educated on the values of privacy and the right to control personal information, openness and net neutrality, and freedom of expression without government censorship.

Courts should apply Fourth Amendment protections to emails and other online communications and that we should reject the idea of balancing privacy and security, he says.

“Fixing security will improve privacy,” Calabrese explains, adding the notion of national security needing to invade privacy is counterintuitive as the two are not mutually exclusive.

In addition to re-examining basic rights protection, Calabrese says that third-party doctrines, a legal theory which holds that people who voluntarily give information to third parties have no expectation of privacy, needs updating to better protect users as we are required to share more personal information online and as more of this information is stored online.

Since most information online is handled by third parties, legislation is needed to ensure that the information is secure, clarify who is responsible for it, and address issues that arise with internet of things (IoT) systems.

Currently these doctrines operate under the premise that if something is shared with a third party, it isn't mean to be private. Issues arise when considering personal information requested to fill out applications for various services online such as job applications, medical forms and anything else where a user would be required to divulge personal data.

The Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) have used their authority to push companies in the right direction, but Calabrese says that at some point Congress will have to weigh in.

FireEye Security Chief Executive Officer (CEO) Kevin Mandia says a cybersecurity Bill of Rights would have to consider the private sector as well as a duty to protect critical infrastructure.

“When I look at cybersecurity there's a lot of ways to frame it, there's the private citizen's perspective, there's an enterprise perspective, and there's the governments perspective and then inside of that there's the internet of things perspective which kind of transcends all of them,” Mandia says. “What each one needs or wants is probably different because I would think if you're a private citizen you'd probably want privacy on the internet, and we gotta figure out and sort out how much anonymity is needed for privacy.”

For enterprises however, he would like to see a cyber Bill of Rights that assures the private sector that the government has their back in the event of a nation-state attack. 

“If it's a drive-by shooting on the information highway it's okay that we get sued and we have to deal with plaintiff lawyers and fined,” Mandia says. “But when we're attacked by a cybermilitary unit or a nation state attack we want the government to stand beside us.”

There should be deterrence from cyberattacks outside of the cyber realm, he says, to prevent escalation of cyber activities already in play. In addition, Mandia would like to see the government help with the attribution of cyberattacks.

“If our intelligence organizations knew today that a great hacking group in some country was going to target a hospital here in New York City, how do we defend it?” he says.

The FireEye CEO believes critical infrastructure such as hospitals should have the ability and means to use government resources to deter these attacks for military cyberattacks. “The average voter doesn't want to hear that a utility was shut down, people died, and the capability to stop it or the knowledge to stop it was in the government the before the attack occurred,” he says.

The country should start with a belief that the big mission of the government is to protect its citizens, something the U.S. is not doing well in cyberspace.

The prohibiting factors mostly include trust, the reluctance of firms wanting to share data or wanting to make cyber threats and vulnerabilities public, Mandia says, noting the technology is already in place and responsible security companies would be willing to assist in the transition once these issues are worked out.

While we have rules of engagement with clear domain in combat they are not so clear when it comes cybersecurity. Complexity is added when all communications for personal lives are riding the same communication channels that we use to control satellite to control televisions, physical devices, dams, windmills, and utilities, he said.

“It's weird to have one medium where two drunk people could be chatting in it and at the same time frame on the same copper wires or fiber you can have signals going through it to control a damn,” Mandia says, adding, though that's the very thing that makes the internet so unique.

Ultimately, security experts agree that the Bill of Rights will play a huge factor in determining consumer protections and law enforcement reach as technology advances. While privacy advocates, public sector executives and law enforcement may all have different perspectives on what liberties are granted in the digital, they all agree that courts will need to be educated on how to handle the new challenges presented.