I am a public policy & computer scientist, currently an Assistant Professor at UMD's College of Information, intrigued by the governance of social problems that arise from technological progress. I study how public policies are designed, implemented, and inspired by tech, inspecting a range of tech-policy challenges, including cybersecurity, privacy, government surveillance, and AI accountability.
As technology adoption leads to clashes between value clusters such as security, privacy, fairness, and accountability, it brings to the forefront the always-relevant question of “Who Governs?” (Dahl, 1961). Technology emerges and changes faster than institutions can develop collective understandings of its policy-relevant attributes, while being adopted across the board. New responsibilities are either absorbed into current jurisdictional arrangements or transcend existing institutional boundaries. When the state is slow/unable to respond, private actors take the lead, creating their own arrangements and practically holding a significant weight in governing our information society. This misfit between technological progress and policy institutions, in the context of the way technology challenges core values and organizing principles for society such as security, privacy, surveillance, and accountability, is the focus of my research.
My overarching goal is to bring the fields of public policy, governance, and computer science closer together by (1) applying a comparative approach to study how and why politicians and bureaucrats formulate and enforce policies over social problems that arise from the application of technologies, examining how digital risks challenge traditional concepts of public administration such as enforcement, accountability, and bureaucratic and state legitimacy. I also (2) draw on theories of governance to problematize and highlight the governing role taken by industry actors in shaping our digital society, filling regulatory vacuums.
In my work, I explain how public officials produce sub-optimal policy outcomes for our digital society: constructing troubling relations between security and privacy for government surveillance across US policy arenas (Policy & Internet) and producing cybersecurity policies that are disconnected from their risk framings and assessments across US government jurisdictions (Journal of Risk Research). In the EU context, policymakers followed economic integration practices in a sensitive national security topic, by creating policy reforms for cybersecurity certification, with only little divergence from existing, non-working alternatives (Journal of Public Policy). The EU is also witnessing the increasing use of supranational policy instruments to govern tech-driven national security spaces, based on certain institutional legacies (Journal of European Public Policy). As the role of the state in governing the digital keeps expanding, the opaque nature of tech policy implementation becomes increasingly problematic. I have also been advocating for a positive definition of privacy and developed a scale to measure and theorize why Data Protection Authorities (DPAs) in the EU differently enforce the GDPR (Journal of European Public Policy), and how privacy NGOs strategically trigger GDPR violations to address differential policy implementation and bridge GDPR enforcement and compliance gaps (West European Politics).
I complement findings from the policy cycle with the development and application of computational tools to create understandings of how private corporations and policy targets govern information flows, often holding a significant role in how exposed consumers and citizens are to digital risks. In one co-authored work we traced how online trackers circumvent existing privacy policies by bringing together should-be-separated social contexts of online users (FTC PrivacyCon 2020). I also traced with my colleagues the cynical moves of the AdTech industry in providing "privacy" for consumers (Big Data & Society) and analyzed what platform companies mean when they promise 'privacy' in their advertising attribution solutions (New Media & Society). I am also working with colleagues to develop and apply computational methodologies to enumerate, assess, and explain the cyber attack surface of local governments across all US counties (Draft).
My background includes years of working on network and information security, holding technical cybersecurity positions in the private sector, Israel’s Prime Minister’s Office, and the Israeli Air-Force [captain]. Academically, I was a postdoctoral fellow at Cornell Tech’s Digital Life Initiative (DLI), completed my Ph.D. in Public Policy & Governance from the Hebrew University of Jerusalem, and was a Fulbright Scholar during my MA in Public Affairs from the University of Minnesota. My B.A. in Computer Science is from the Technion – Israel’s Institute of Technology.
This study analyzes the meanings and technical mechanisms of privacy that leading advertising technology (adtech) companies are deploying under the banner of “privacy-preserving” adtech. We analyze this discourse by examining documents wherein Meta, Google, and Apple each propose to provide advertising attribution services—which aim to measure and optimize advertising effectiveness—while “solving” some of the privacy problems associated with online ad attribution. We find that these solutions define privacy primarily as anonymity, as limiting access to individuals’ information, and as the prevention of third-party tracking. We critique these proposals by drawing on the theory of privacy as contextual integrity. Overall, we argue that these attribution solutions not only fail to achieve meaningful privacy but also leverage privacy rhetoric to advance commercial interests.
[New Media & Society, 2023].
Digital advertising and technology companies are resigned to a new privacy imperative. They are bracing for a world where third-party tracking will be restricted by design or by law. Digital resignation typically refers to how companies cultivate a sense of powerlessness about privacy among internet users. Our paper looks through this optic from the other end of the lens: How is the digital advertising industry coping with the increasing salience of privacy? Recent developments have forced companies to implement “privacy-preserving” designs—or at least promise some semblance of privacy. Yet, the industry remains dependent on flows of data and means of identification to enable still-desired targeting, measurement, and optimization. Our paper analyzes this contradiction by looking at systems that aim to replicate existing functionalities while protecting user “privacy.” We call this a form of “cynical resignation” and characterize its key maneuvers as follows: (a) sanitizing surveillance; (b) party-hopping; and (c) sabotage. We argue that this “cynical resignation” to a privacy imperative represents a policy failure. In the absence of decisive interventions into the underlying business models of data capitalism, companies offer techno-solutionism and self-regulations that seem to conform to new laws and norms while reinforcing commitments to data-driven personalization. This may benefit the largest tech companies, since their privileged access to first-party data will make more companies reliant on them, and their computational power will be even more valuable in a world where modeling is used to compensate for the loss of third-party data and traditional methods of personal identification.
[Big Data & Society, 2023].
Recent data protection laws in the EU institutionalise NGO engagement with regulators and enable new mechanisms for bottom-up policy implementation. The article studies thirteen European NGOs and maps their contribution to policy implementation based on a novel typology for understanding their scope (national vs. transnational) and goals (direct vs. strategic) of actions. The article asks: (1) how do NGOs vary in their contribution to data privacy implementation in Europe? and (2) what are the implications of those variations for differentiated policy implementation? Through analyses of NGOs’ informational activities and GDPR complaints, the article finds that NGOs converge towards privileging a transnational strategic civic-enforcement model, prioritising pan-European privacy cases to alter policy implementation, over individual citizen advocacy and empowerment at the national level. Civic engagement has served to mitigate cross-border policy implementation disparities, while preserving considerable regulatory discretion nationally. Integrating NGOs into the analysis of differential privacy policy implementation helps in highlighting the evolving nature of EU civil liberties.
[West European Politics, 2023], [Full Paper].
Despite inherent political tensions, supranational institutions are increasingly involved in national security. EU institutions not only guide but also mobilize national resources or directly produce collective security. To make sense of those variations, the article conceptualizes ideal types of ‘supranational security states’ and develops typological theory for understanding the emergence of the studied states. Based on policy documents and secondary sources, the article conducts case-centric process-tracing analysis of three decades of EU reforms in (1) export control over dual-use technologies, (2) network and information security, and (3) border security. Three types of supranational security states emerge, driven by their path-dependency logics and response to crises. Findings suggest a more nuanced understanding of security policy instruments and the dynamics of political authority in shared security spaces, contributing to debates on the positive and regulatory European security state, technology-driven security governance, and the coherence of the EU as a security actor.
[Journal of European Public Policy, 2023], [Full Paper].
The study explores the divergence in data protection enforcement strategies among national agencies. Whereas the literature on cross-national enforcement practices is scarce, this study develops a scale for data protection enforcement strategies and measures and compares enforcement choices across agencies. Based on survey responses from 18 DPAs, interviews with DPA employees, and secondary sources on GDPR enforcement, the paper clusters DPAs based on enforcement strategies, analyzes cross-national variations, and investigates misalignments between strategy and actions. Using Fuzzy-Set Qualitative Comparative Analysis, the paper tests how bureaucratic and political contexts – organizational capacities, budget sources, and issue saliency – impact enforcement choices. Almost half of the studied DPAs reflect high deterrence by their strategy, but for many of them, lack of resources and expertise inhibits the translation of strategy into practice. This study provides a starting point for understanding the national impacts of Europeanization post-GDPR, adding empirical support for theorizing about enforcement across the EU.
[Journal of European Public Policy, 2022], [Full Paper].
The literature on risk and regulatory governance has barely heeded the institutionalization of cybersecurity regulatory practices by national policy regimes. As the role of the state in cybersecurity governance is gradually expanding, we still lack an empirical and theoretical understanding of how the regulatory state copes with the cybersecurity governance challenge. Therefore, we ask how the role of the state has expanded in leading cybersecurity governance efforts? What characteristics of cybersecurity governance challenge the regulatory state? And how the Israeli cybersecurity regulatory regime has been addressing those challenges? We trace the literature on the new roles of the state in cybersecurity governance and build an analytical framework based on the challenging characteristics of cybersecurity governance. We then conduct an in-depth case study analysis of the Israeli cybersecurity regulatory regime. In contrast to arguments about the inability of the state to cope with dynamic technological changes, we find that the state is ever more relevant, restructuring the government and creating new methods, institutional settings, and incentives to cope with the cybersecurity governance problem. The intersection of cybersecurity with the regulatory state creates new avenues of regulatory development, shedding light on new directions for regulatory governance in the digital age.
[SpringerLink, 2021], [Full Paper].
Cross-contexts inference is central to the profiling and targeting capacities of advertisers. They draw on information gleaned about individuals from the different social contexts of the web, in ways that violate users’ privacy according to the theory of contextual-integrity. To measure this violation, we offer a context-sensitive empirical study of the usage of persistent-identifiers by third-party trackers. We applied an instrumented Firefox browser and launched six browsing experiments across three social contexts: news, health, education. We ask how social contexts of websites explain persistent identification? And should we expect trackers from certain contexts to become more likely to link user identities across contexts? Our findings show that social contexts matter. A third of the observed third-parties had persistently identified users among social contexts. This is happening in all three contexts, between every pair of websites. Trackers from the healthcare context are the most likely ones to link user identifiers across contexts. This contrasts previous findings that labeled healthcare websites as less risky for privacy. While tracking within sites might be marginal, the tendency of trackers to persistently identify users across social contexts is alarming. This is a modest step to apply contextual understanding to online tracking, revealing unaccounted privacy violations.
[FTC PrivacyCon, 2020].
Despite promises by European Union (EU) policymakers to “fundamentally change” cybersecurity certification, they have recently created a regime that is strikingly similar to already existing certification arrangements. How can we explain this puzzle? Through a process-tracing analysis based on 41 documents and 18 interviews, this article traces the development of the EU cybersecurity certification regime over the past two decades. It deconstructs certification into standardisation, accreditation, certification, and evaluation; analyses how each regime component changed over time; and discusses to what extent causal mechanisms that are derived from classic theories of EU integration explain the limited nature of policy change. The observed dynamics uncover a “Europeanization on Demand” model that allows national authorities to completely control the extent of integration. This study challenges the dichotomous understanding portrayed by EU integration literature, of mutually exclusive dynamics of market or core state powers integration, highlighting intriguing political dynamics in EU cybersecurity policymaking.
[Journal of Public Policy, 2020], [Blog post]
Cyber risk governance has been occupying U.S. policymakers in the past two decades. This pressing challenge calls for a better understanding of how policymakers frame and consequently craft risk governance frameworks using public policies. Through a novel typology that analyzes the patchwork of laws and regulations in this policy space, this article investigates how policymakers design risk governance frameworks to address cyber risks. This typology is based on a systematic text analysis of thirty federal policies from the past twenty-two years (1996–2018) in which (N = 463) key sentences were recognized and coded to ten risk governance categories. Existent literature highlights the significance of risk framing to policy outputs and explains cross-national rather than cross-sector variance in risk governance. It also considers only specific cyber policy measures and does not question the link between policymakers’ risk perceptions and chosen policy paths. In contrast, this study finds that policymakers create three distinct risk governance frameworks across private owners of critical infrastructures, health and financial service providers, and companies in the broader digital economy. These risk regimes are comparatively analyzed to gauge variance (1) across sectors: in the role of the government and the extent to which it dictates coercive risk management steps, and (2) over time: on the ways in which the government has responded to cyber threats. I found that variance stemmed from the institutional configurations in each regulated sector and the consequent decision-making structures that had been institutionalized early on, rather than the framing of cyber risks.
Tracing the governance of cyber risks and the missing link between policymakers’ risk perceptions and actions, this study sheds light on how seemingly technical decisions of cybersecurity governance can be social and political issues that are contingent on institutional settings and early policy decisions, questioning the central role of framing to risk governance outputs.
[Journal of Risk Research, 2019].
How does the U.S. balance privacy with national security? This article analyzes how the three regulatory regimes of information collection for criminal investigations, foreign intelligence gathering, and cybersecurity have balanced privacy with national security over a 50‐year period. A longitudinal, arena‐based analysis is conducted of policies (N = 63) introduced between 1968 and 2018 to determine how policy processes harm, compromise, or complement privacy and national security. The study considers the roles of context, process, actor variance, and commercial interests in these policy constructions. Analysis over time reveals that policy actors’ instrumental use of technological contexts and invocations of security crises and privacy scandals have influenced policy changes. Analysis across policy arenas shows that actor variance and levels of transparency in the process shape policy outcomes and highlights the conflicting roles of commercial interests in favor of and in opposition to privacy safeguards. While the existing literature does address these relationships, it mostly focuses on one of the three regulatory regimes over a limited period. Considering these regimes together, the article uses a comparative process‐tracing analysis to show how and explain why policy processes dynamically construct different kinds of relationships across time and space.
[Policy & Internet, 2018], [Blog post]