I am a social scientist & technologist, currently an Assistant Professor at UMD's iSchool, intrigued by the governance of social problems that arise from technological progress. As technology adoption leads to clashes between value clusters such as security, privacy, fairness, and accountability, it brings to the forefront the always-relevant question of “Who Governs?” (Dhal, 1961). Technology emerges and changes faster than institutions can develop collective understandings of its policy-relevant attributes, while being adopted across the board. New responsibilities are either absorbed into current jurisdictional arrangements or transcend existing institutional boundaries. When the state is slow/unable to respond, private actors take the lead, creating their own arrangements and practically holding a significant weight in governing our information society. This misfit between technological progress and policy institutions, in the context of the way technology challenges core values and organizing principles for society such as security, privacy, surveillance, and accountability, is the focus of my research.
My overarching goal is to bring the fields of public policy, governance, and computer science closer together by (1) applying a comparative approach to study how and why politicians and bureaucrats formulate and enforce policies over social problems that arise from the application of technologies, examining how digital risks challenge traditional concepts of public administration such as enforcement, accountability, and bureaucratic and state legitimacy. I also (2) draw on theories of governance to problematize and highlight the governing role taken by industry actors in shaping our digital society, fulfilling regulatory vacuums.
In my work, I explain how public officials produce sub-optimal policy outcomes for our digital society: constructing troubling relations between security and privacy across various governmental contexts (Policy & Internet), producing cyber risk policies that are mostly disconnected from their framings and assessments across government jurisdictions (Journal of Risk Research), and in the EU context, relying on private actors and following economic integration practices in a sensitive national security topic, by creating policy reforms for cybersecurity certification in the age of IoT with only little divergence from existing, non-working, alternatives (Journal of Public Policy). As the role of the state in governing the digital keeps expanding, the changing nature of public risk governance is intriguing to evaluate.
I complement findings from the policy cycle with understandings of how private corporations govern information flows, often holding a significant role in how exposed consumers are to digital risks. In one co-authored work we traced how online trackers circumvent existing privacy policies by bringing together should-be-separated social contexts of online users (FTC PrivacyCon 2020).
My background includes years of working on network and information security, holding technical cybersecurity positions in the private sector, Israel’s Prime Minister’s Office, and the Israeli Air-Force [captain]. Academically, I was a postdoctoral fellow at Cornell Tech’s Digital Life Initiative (DLI), completed my Ph.D. in Public Policy & Governance from the Hebrew University of Jerusalem, and was a Fulbright Scholar during my MA in Public Affairs from the University of Minnesota. My B.A. in Computer Science is from the Technion – Israel’s Institute of Technology.
Despite inherent political tensions, supranational institutions are increasingly involved in national security. EU institutions not only guide but also mobilize national resources or directly produce collective security. To make sense of those variations, the article conceptualizes ideal types of ‘supranational security states’ and develops typological theory for understanding the emergence of the studied states. Based on policy documents and secondary sources, the article conducts case-centric process-tracing analysis of three decades of EU reforms in (1) export control over dual-use technologies, (2) network and information security, and (3) border security. Three types of supranational security states emerge, driven by their path-dependency logics and response to crises. Findings suggest a more nuanced understanding of security policy instruments and the dynamics of political authority in shared security spaces, contributing to debates on the positive and regulatory European security state, technology-driven security governance, and the coherence of the EU as a security actor.[Upcoming at the Journal of European Public Policy, 2023], [Full Paper].
The study explores the divergence in data protection enforcement strategies among national agencies. Whereas the literature on cross-national enforcement practices is scarce, this study develops a scale for data protection enforcement strategies and measures and compares enforcement choices across agencies. Based on survey responses from 18 DPAs, interviews with DPA employees, and secondary sources on GPDR enforcement, the paper clusters DPAs based on enforcement strategies, analyzes cross-national variations, and investigates misalignments between strategy and actions. Using Fuzzy-Set Qualitative Comparative Analysis, the paper tests how bureaucratic and political contexts – organizational capacities, budget sources, and issue saliency – impact enforcement choices. Almost half of the studied DPAs reflect high deterrence by their strategy, but for many of them, lack of resources and expertise inhibits the translation of strategy into practice. This study provides a starting point for understanding the national impacts of Europeanization post-GDPR, adding empirical support for theorizing about enforcement across the EU.[Journal of European Public Policy, 2022], [Full Paper].
The literature on risk and regulatory governance has barely heeded the institutionalization of cybersecurity regulatory practices by national policy regimes. As the role of the state in cybersecurity governance is gradually expanding, we still lack an empirical and theoretical understanding of how the regulatory state copes with the cybersecurity governance challenge. Therefore, we ask how the role of the state has expanded in leading cybersecurity governance efforts? What characteristics of cybersecurity governance challenge the regulatory state? And how the Israeli cybersecurity regulatory regime has been addressing those challenges? We trace the literature on the new roles of the state in cybersecurity governance and build an analytical framework based on the challenging characteristics of cybersecurity governance. We then conduct an in-depth case study analysis of the Israeli cybersecurity regulatory regime. In contrast to arguments about the inability of the state to cope with dynamic technological changes, we find that the state is ever more relevant, restructuring the government and creating new methods, institutional settings, and incentives to cope with the cybersecurity governance problem. The intersection of cybersecurity with the regulatory state creates new avenues of regulatory development, shedding light on new directions for regulatory governance in the digital age.[SpringerLink, 2021], [Full Paper].
Cross-contexts inference is central to the profiling and targeting capacities of advertisers. They draw on information gleaned about individuals from the different social contexts of the web, in ways that violate users’ privacy according to the theory of contextual-integrity. To measure this violation, we offer a context-sensitive empirical study of the usage of persistent-identifiers by third-party trackers. We applied an instrumented FireFox browser and launched six browsing experiments across three social contexts: news, health, education. We ask how social contexts of websites explain persistent identification? And should we expect trackers from certain contexts to become more likely to link user identities across contexts? Our findings show that social contexts matter. Third of the observed third-parties had persistently identified users among social contexts. This is happening in all three contexts, between every pair of websites. Trackers from the healthcare context are the most likely ones to link user identifiers across contexts. This contrasts previous findings that labeled healthcare websites as less risky for privacy. While tracking within sites might be marginal, the tendency of trackers to persistently identify users across social contexts is alarming. This is a modest step to apply contextual understanding to online tracking, revealing unaccounted privacy violations.[FTC PrivacyCon, 2020].
Despite promises by European Union (EU) policymakers to “fundamentally change” cybersecurity certification, they have recently created a regime that is strikingly similar to already existing certification arrangements. How can we explain this puzzle? Through a process-tracing analysis based on 41 documents and 18 interviews, this article traces the development of the EU cybersecurity certification regime over the past two decades. It deconstructs certification into standardisation, accreditation, certification, and evaluation; analyses how each regime component changed over time; and discusses to what extent causal mechanisms that are derived from classic theories of EU integration explain the limited nature of policy change. The observed dynamics uncover a “Europeanization on Demand” model that allows national authorities to completely control the extent of integration. This study challenges the dichotomous understanding portrayed by EU integration literature, of mutually exclusive dynamics of market or core state powers integration, highlighting intriguing political dynamics in EU cybersecurity policymaking.[Journal of Public Policy, 2020], [Blog post]
Cyber risk governance has been occupying U.S. policymakers in the past two decades. This pressing challenge calls for a better understanding of how policymakers frame and consequently craft risk governance frameworks using public policies. Through a novel typology that analyzes the patchwork of laws and regulations in this policy space, this article investigates how policymakers design risk governance frameworks to address cyber risks. This typology is based on a systematic text analysis of thirty federal policies from the past twenty-two years (1996–2018) in which (N = 463) key sentences were recognized and coded to ten risk governance categories. Existent literature highlights the significance of risk framing to policy outputs and explains cross-national rather than cross-sector variance in risk governance. It also considers only specific cyber policy measures and does not question the link between policymakers’ risk perceptions and chosen policy paths. In contrast, this study finds that policymakers create three distinct risk governance frameworks across private owners of critical infrastructures, health and financial service provides, and companies in the broader digital economy. These risk regimes are comparatively analyzed to gauge variance (1) across sectors: in the role of the government and the extent to which it dictates coercive risk management steps, and (2) over time: on the ways in which the government has responded to cyber threats. I found that variance stemmed from the institutional configurations in each regulated sector and the consequent decision-making structures that had been institutionalized early on, rather than the framing of cyber risks. Tracing the governance of cyber risks and the missing link between policymakers’ risk perceptions and actions, this study sheds light on how seemingly technical decisions of cybersecurity governance can be social and political issues that are contingent on institutional settings and early policy decisions, questioning the central role of framing to risk governance outputs.[Journal of Risk Research, 2019].
How does the U.S. balance privacy with national security? This article analyzes how the three regulatory regimes of information collection for criminal investigations, foreign intelligence gathering, and cybersecurity have balanced privacy with national security over a 50‐year period. A longitudinal, arena‐based analysis is conducted of policies (N = 63) introduced between 1968 and 2018 to determine how policy processes harm, compromise, or complement privacy and national security. The study considers the roles of context, process, actor variance, and commercial interests in these policy constructions. Analysis over time reveals that policy actors’ instrumental use of technological contexts and invocations of security crises and privacy scandals have influenced policy changes. Analysis across policy arenas shows that actor variance and levels of transparency in the process shape policy outcomes and highlights the conflicting roles of commercial interests in favor of and in opposition to privacy safeguards. While the existing literature does address these relationships, it mostly focuses on one of the three regulatory regimes over a limited period. Considering these regimes together, the article uses a comparative process‐tracing analysis to show how and explain why policy processes dynamically construct different kinds of relationships across time and space.[Policy & Internet, 2018], [Blog post]