Forgive the longish excursus through a virtue ethics landscape well known to many. But with that behind us, let us return, now, to the question of civil rights and cybersecurity , reformulating the issue in the virtues framework . The key notion will be the virtuous citizen’s full participation in community. Virtues being derivative from life in community, the first problem is what counts as the relevant notion of community in cyberspace .

Much has been written, both deep and facile, about new community structures in cyberspace. They range from groups of Facebook friends and Twittermates, to the social action networks that played such a large role in Arab Spring, from crowd funders and players of massively multiplayer online role-playing games to users of the US Department of Defense’s ultra-secure intranet. The Internet in its totality might be modeled as a community. These structures have a complicated topology and geography, with overlap, hierarchy, varying degrees of mutual isolation, and mutual interaction. There are also communities of corporations or corporate persons, gangs of thieves, and bands of angels doing charity on scales small and large. With progress in artificial intelligence, there are already now and soon will be more non-human and trans-human actors in cyberspace. Most cyber communities transcend traditional geographical and political boundaries, but some—either by accident or design—respect such bounds, as with my neighborhood discussion list.

Each of these communities evokes virtues appropriate to its own goods, context, and history. Just as Athenian virtue and Spartan virtue are somewhat different, so, too, will be the virtues appropriate to the community of online genealogists and the community of Spotify fans. It follows immediately that there will be no univocal answer to the question of balancing, say, a right to privacy , or the virtue ethics surrogate for that, against the need for online security. If I have any one main point that I want to stress in this chapter it is that the community-relative nature of the configurations—by which I mean, ultimately, the social and political structures—will norm our practices. Each community will evolve different customs regarding permitted and commendable disclosure and refusal to disclose. The Facebook community is more accepting of extensive disclosure, the LinkedIn community a bit less so. Individual preferences can and do vary within each, but patterns of practice emerge. The two communities differ, as well, with regard to the degree of intrusion and control they tolerate for the sake of guaranteeing their respective expectations about privacy. The more corporate LinkedIn world tolerates tighter, top-down controls. Facebook users are quicker to complain about highhandedness on the part of the Facebook management and expect more individual latitude in setting privacy levels.

Noteworthy in my view is the manner in which customs and norms evolve from within these communities, rarely by way of explicit legislation or rule making, more often just emerging as communities mature. Since I happen to be a long-time member of the community of online genealogists (it’s a hobby of mine), let me speak about examples in that domain. When the community was young and first enjoying the gains of easy data sharing, it was common for GEDCOMS (the acronym for Geneological Data Communication) to contain birth dates for living individuals and social security numbers for even the recently deceased. 11 Today, one almost never sees either. The reason is simple. It was quickly realized that identity thieves were lurking in the community and harvesting such data. There exists no authority for policing genealogical practice. No new laws have been written, and no one has been fined or jailed for a breach of privacy rights. But community practice changed nonetheless. How practice changed is interesting. First, exemplary practices were emulated, as one just noticed how wiser collaborators shared their data and then followed suit, learning along the way to be more alert to the risks of disclosing too much and more respectful of those whose lives were affected. Civility is among the relevant civic virtues here. Second, those whose practices did not mature in this way just disappeared from the community. Since there is no constituted authority , no one was forbidden to post to discussion boards or publish data online. Instead, those who cared more about best practices simply stopped sharing with those who did not. Those lacking in virtue were exiled.

Striking the right balance is an ongoing challenge within this community. There was an outcry from genealogists—but also epidemiologists, social scientists, and other researchers—when the Social Security Administration several years ago removed some four million death records from its public data base, after determining that it was not legally obligated to make this batch of data public. The government’s aim was to make identity theft more difficult, a goal upon which all members of the community agree. But the research communities clearly preferred self-policing of their practices. The balance preferred within all of these communities involves open initial access to the data with strict, self-imposed restrictions on the further sharing of that data.

What about my data? Do I have a right to privacy about my birth date and my social security number in online databases? In all honesty, it has never occurred to me to think that way. Why? Consider a different online community, the community of customers of my local credit union. A lot of my personal data sits in the credit union’s servers. If I were to assert a privacy right to the data in that context, it surely would not be absolute, because the reasons why I joined that community entail a necessity precisely to reveal that data to some members of the community, namely, those employees of the credit union whose jobs require access to that data. My full participation in that community, with all of the goods that such participation makes possible, from direct deposit of my paycheck to low-cost mortgage financing, requires disclosure. The problem is not disclosure per se. The problem is disclosure to the wrong people in the wrong fora at the wrong times and in the wrong ways, or the use of the data in the wrong way. The failure, the lapse, if there is one, is not that my right to privacy has been violated but that another member of the community has not behaved as virtue demands.

Turn our attention to another asserted right, discussed at the beginning of the chapter, the right claimed in Estonia and France to internet access itself. Does one have such a right? My answer is no. But that doesn’t mean that I don’t want people to have internet access. I would have us ask, instead, what is required for full citizen participation in various communities and, thus, the flourishing of those communities. Internet access being a precondition for participation in any cyber community, there simply are no such communities without access, so if we deem full participation in any cyber community a good, then members of the community must have access. Internet access is not a right in part because no duly constituted authority on an appropriately international scale can declare it to be a right. But civic virtue among the relevant members of many online communities—say each official of the telecom agency in each member state of the European Union as it exists in cyberspace (and all states now exist in cyberspace)—involves their taking such steps as are necessary and appropriate to facilitate internet access for those within their area of responsibility. A good analogy would be as follows. Full citizen participation in democratic government requires access to voting. Corresponding to that is the expectation that election officials will facilitate, not impede, access to the polls. Service—in the guise of public service—is the relevant civic virtue from Walzer ’s list, service in this context involving the facilitation of access to both the voting booth and the internet.

Exactly how to facilitate access and who has a responsibility to help in affording access will remain a matter local to different communities. In a poor nation, internet access will probably have to be free for all. In a wealthy nation, paid access for most will suffice, with subsidized access for the few. In a community with excellent public transportation or widespread ownership of private transportation, it will suffice to open the doors to the polls. In a poor, rural community, with isolated elderly voters scatted over a wide space with no transport of their own, it may well be necessary to provide transportation for at least some voters. And in a community such as that, responsibility for providing transportation may extend beyond election officials to ordinary members of the community who can help by giving Grandpa Jones a ride.

What if security against cyberattack , cyberespionage, or cybertheft required compromise with internet access? Would that be an impermissible breach of a right? Clearly not in all circumstances. The question, again, is not about rights per se but about what is involved in the flourishing of life in community. Shutting off internet access for someone whose laptop is infected with the Nitol botnet malware may well be necessary to protect a nation’s banking industry and thereby the unhindered access of many other community members to their own bank accounts. Even if the laptop’s owner is not personally responsible for the machine’s having become infected through failure to update security software or incautious behavior on the Internet , the well-being of the community, and thereby, the well-being of that individual requires action. Do not object that, in this way, a license is given to let the needs of the community always and anywhere trump the needs of the individual, or that a tyranny of the majority threatens. Such objections assume a mistaken, merely additive model of community good. In the virtues framework, the good of the community is not the sum of all individual goods, and most individual goods are derivative from the individual’s mode of participation in the community.

Much of the allure of rights talk comes from the suggestion that, if rights are universal—“all men are endowed by their Creator with certain unalienable Rights”—then we have premises for critiquing the practices of other nations and communities. We think a theocracy unacceptable because it limits or disallows the free exercise of religion that we think a right of all. A common criticism of the virtues framework is that, by contrast, in making all questions relevant to a community, we lose the ability to critique the practices of others. But this criticism has always failed for assuming a simplistic geography and topology of community structures . Yes, it might be a problem if Athens and Sparta were isolated communities whose members never came together in war, commerce, the Olympics, or other common endeavors. But that has never been the case in pre-internet days, and it is certainly not the community structure of cyberspace , where, as has now repeatedly been stressed, the structure of communities is extremely complicated. I am a member of many score communities online, some of them disjoint, some of them overlapping, many of them subordinate to others, all of them subordinate to the internet community as a whole. Critique occurs when I step, momentarily, out of one community identity and into another, as when Don the United Airlines online customer exhorts Verizon to do a better job with online customer service, more like the service I get from United. Critique occurs as well when I step up to a more comprehensive community identity that I share with the targets of my critique, as when Don the citizen of the world internet community faults Chinese snooping on internet traffic when he is traveling in China . Relativity to community does not devolve into relativism.

How, within the virtues framework, can critique of practice be effective in bringing about needed change when laws and rules are not to be had or, perhaps, are not even desirable tools? Let me make a few suggestions. The first is that critique, to be effective, must be more than mere reprimand, complaint, or even exhortation. It is one thing to name a wrong; it is quite another to name it in a manner likely to effect change. Overt coercion, threats, and intimidation sometimes work, as does exile or other forms of removal from full community participation, as discussed previously. But unless those are tied to some clear plan for reshaping defective habits, for turning vices into virtues, their effectiveness is limited. The real aim is to encourage changes in practice. In this connection, shame is one underutilized tool. Putting people on display in the stocks was often quite effective in changing patterns of behavior. What is the cyber equivalent? But even shaming has its drawbacks. Far better than any of the aforementioned is critique in the form of oneself proffering a model of better, more virtuous behavior. One’s making oneself an example of best practices is often the most effective way of inducing change for the good. This is my second suggestion. Think back to the case of the community of online genealogists. Better practices with respect to data like birth dates and social security numbers emerged mainly in consequence of the more thoughtful and respectful members of that community changing their practices in ways that were clearly visible to all. Critique in the form of one’s making oneself a better model has much to recommend it. It avoids exposing others to ridicule or embarrassment; it leaves behind much less in the way of negative affect. If done too ostentatiously, it can pass over into moral priggishness. But the remedy for that is tact.

There may be settings in which mere modeling is inadequate, especially in complex communities where even the best practices might not always be visible to all members of the community. My third suggestion is that, in such cases, the public promulgation of norms can be effective. There is nothing novel in this suggestion. Professional associations do it all the time when they develop codes of ethics. Such codes have little legal standing or normative force. They function as reminders, suggestions, or sketches of model behavior. We are already beginning to see the employment of explicit norms in the cyberworld , as with the years-long project to develop what are now termed the Tallinn norms for the regulation of cyberconflict . More such are needed to address the challenges less helpfully addressed by assertions of rights in the cyberworld.

One especially important area where the promulgation of explicit norms is urgently needed is in corporate cybersecurity. Even if one thinks that the notion of corporations as persons is more than a little silly, corporations nonetheless form communities, and their behaviors can be assayed within the virtues framework. There are corporate virtues, just as there are individual ones. Moreover, as recent debates in the United States make clear, there is very little chance of our adequately addressing the problem of corporate cybersecurity through explicit legislation. Progress is more likely if we work through governments, industry associations, and international organizations to develop appropriate norms for everything from outsourcing data storage to the maintenance of adequate internal security controls and granting access, as needed, to external entities such as the FBI and, in extremis, US Cybercommand, or their counterparts in other nations.