Google Scholarh-index 26, i10 30

Active research projects

Law & Policy for the Quantum Age

Quantum technologies use quantum effects to provide some utility. These capabilities are so different from our conventional intuition that quantum technologies seem to ride the fine border between science fiction and fantasy—yet many quantum technologies can be commercially purchased today, and more are just around the corner.

With Simson Garfinkel, I am developing work that details the state of the art in three related, but different areas of quantum technology: quantum sensing, quantum communications, and quantum computing. Quantum sensing, the most mature, makes it possible to literally see through walls and sense difficult to detect objects—even stealth aircraft and submarines. Quantum communications has interesting implications for communications integrity and confidentiality, allowing one to detect communication interception and providing a higher level of security in the content itself. Finally, quantum computation holds promise for myriad fields, from materials science to machine learning.

Since the dawn of the atomic age, quantum technology has always provided capabilities that seem strange, powerful, and at times frightening. Just as the atomic bomb (the first quantum weapon) changed our understanding of war, the democratization of quantum technology-based innovations will have disruptive effects. Our goal is to anticipate these effects and to present their implications from the strategic (in an international relations sense) to the new realities for the ordinary citizen/consumer. What actors should be involved in QT policy? What institutional structures will be necessary? How should industrial policy be used to promote (or control) QT? Are there kinds of quantum technologies or certain misuses of it that are tractable by regulation? What are the most important issues to resolve now?

Cybersecurity in Context

Every one now has a stake in the healthy functioning of communications and control networks, in the devices and services dependent on network, and by implication, in all the complicated infrastructure required to keep networks, devices, and services operating. As we have become more affluent and as the economy has become more interconnected, we are interdependent in ways never thought possible.

The proper functioning of communications networks, which carry everything from banal social updates to the second-by-second valuations of companies to the intelligence that shapes governments’ posture in conflicts, is now a central problem. But it is also an insoluble problem. Cybersecurity is a wicked problem. Cybersecurity is an unbounded problem that cannot be cleanly extricated from an array of social problems and interests. In managing cybersecurity there are few unqualified good approaches, but rather a series of contests and choices among important values. Cybersecurity will also never be solved definitively; instead concerns about whether we can trust devices, networks, and the information present in them will persist and need to be managed.

My project with Jennifer Urban intends to explain how cybersecurity has come to encompass these complex interests, how cybersecurity is conceptualized, and how cybersecurity concerns and rules are diffusing through the public and private sectors.

Representative publications:

Still Simmering

Digital Consumer Protection

As products and services merge, we need new kinds of marketplace signals and rules to ensure that consumers understand the exchange, and so that competition is fair and vigorous. In a series of works with Case Western University Professor Aaron Perzanowski and Berkeley JSD/Yale JD candidate Aniket Kesari, we have used legal/empirical analyses to elucidate consumers’ understanding of digital marketplaces.

Our most ambitious work in this field is The Tethered Economy, which explores how sellers are exercising post-transaction control over consumers using both legal and technical mechanisms. We describe tethering as a deliberate strategy, one that reflects a reconceptualization of the modern consumer from owner to renter. Tethers make a product dependent on the seller for its ordinary operation, and in doing so, sculpt consumers’ decision space. We explain the pathologies that arise from tethering mechanisms, on both the individual consumer and market level. We conclude by suggesting ways to change incentive alignments to reduce transaction costs, reduce opportunities for guile, and to promote competition. Our most radical intervention surrounds network effects. We think network effects are more powerful than regulators understand, and that to counter them, consumers need not just the right to switch providers, but structured help to do so. We articulate this as a “micro-services switch over” principle.

Representative publications:

Internet Tracking & Cybercrime

We have performed terabyte-scale studies of internet tracking and of cybercrime networks, using a series of tools including Palantir Gotham, Palantir Contour, mitmproxy, STATA (Here is my STATA Cheat Sheet), Python, and a custom-built crawler.

This has led to several insights, including new forms of consumer tracking in the wild (flash cookies, cache cookies), the demonstration of how fragile cybercrime networks are to deterrence by denial approaches, and how online advertisers use rhetoric of individual choice in political theaters, while using clever coding to remove all forms of actual consumer choice in the technology domain.

Representative publications:

  • Deterring Cybercrime: Focus on the Intermediaries, 32(3) Berkeley Technology Law Journal 1093 (2017)(with Damon McCoy, Amanda Maya and Aniket Kesari).
  • Privacy and Adult Websites, Workshop on Technology and Consumer Protection (ConPro ’17), May 2017, San Jose, CA, with Ibrahim Altaweel and Maximilian Hils. (The security and privacy of adult websites is understudied and this is a problem given the amount of web use focused on such websites. In this paper, we show how sensitive preference data entered by users of pornographic websites are leaked in clear text to Google and to Russia-based Yandex, and how a specialized adtech network services adult entertainment sites.)
  • Online Pharmacies and Technology Crime, in The Handbook of Technology, Crime and Justice (Michael McGuire and Thomas J. Holt, eds.) (Routledge Press 2017)(invited contribution)
  • Web Privacy Census, Technology Science (2015) (with Ibrahim Altaweel and Nathaniel Good)(peer reviewed)
  • Behavioral Advertising: The Offer You Cannot Refuse, 6 Harvard L. & Policy R. 273 (2012)(with Ashkan Soltani & Nathaniel Good). Received the 2014 CPDP Multidisciplinary Privacy Award.
The term lynchrim is leaked to Google and Yandex on adult websites
Using Palantir, we demonstrate the interconnectedness and service vulnerabilities of pharma crime networks

Inactive Projects

The problems of bilateral monopoly in personal information transactions
transaction costs in personal information exchanges

Internet Services Are Not Free

In articles with University of Washington Economist Jan Whittington (Ph.D., UC Berkeley 2008), we explore consumer-oriented internet services through the lens of transaction cost economics.  As implied by its name, transaction cost economics takes the transaction as the unit of analysis.  We contribute to the competition and privacy law landscapes by identifying the special attributes of exchanges with internet services, focusing upon those that lead to inefficiency. We argue that personal information has asset specificity, meaning that as consumers pay with data, they become bilaterally dependent on services.

This contribution explains why the exchange between consumers and online services is not simple and discrete, but rather a continuous transaction with atypical attributes. These exchanges are difficult for consumers to understand and come with costs that are significant and unanticipated by consumers.  Many of these costs come in the form of privacy risks, but they go far beyond privacy and form the basis for competition law/antitrust analysis of platform power.

Federal Trade Commission Privacy Law and Policy

This book is a historical account, an institutional study, and a discussion of policy choices made by the U.S. FTC.

The FTC’s creation in 1914 represented a turning point in American history where skepticism of expertise and central regulatory authority was overcome by the need to address contemporary market conditions. My book connects today’s tussles over privacy regulation to the institutional structures created by America’s nascent administrative state.

A central theme in the book surrounds public choice theory and its fit to the FTC over the past century.

The book has been reviewed five times and has been translated into Japanese. A Chinese version is forthcoming. Over 1,000 copies have sold in English. Here’s my blog with book updates and commentary on the FTC.

Cover of Federal Trade Commission Privacy Law and Policy
WSJ Data

The Wall Street Journal reprinted some of our poll findings in Julia Angwin, How Much Should People Worry About the Loss of Online Privacy, The Wall Street Journal, Nov. 15, 2011. Why is this important? Reputable newspapers vet public opinion polls; Alan Westin’s–and many industry funded survey research efforts–could never pass that vetting.

Consumer Knowledge & Attitudes

Alan Westin’s well-known and often-used privacy segmentation fails to describe privacy markets or consumer choices accurately. It describes the average consumer as a “privacy pragmatist” who influences market offerings by weighing the costs and benefits of services and making choices consistent with his or her privacy preferences. Yet, Westin’s segmentation methods cannot establish that users are pragmatic in theory or in practice. Textual analysis reveals that the segmentation fails theoretically. Original survey data suggests that, in practice, most consumers are not aware of privacy rules and practices, and make decisions in the marketplace with a flawed, yet optimistic, perception of protections. Instead of acting as “privacy pragmatists,” consumers experience a marketplace myopia that causes them to believe that they need not engage in privacy analysis of products and services.

Westin’s work has been used to justify a regulatory system where the burden of taking action to protect privacy rests on the very individuals who think it is already protected strongly by law. Based on knowledge-testing and attitudinal survey work, we suggest that Westin’s approach actually segments two recognizable privacy groups: the “privacy resilient” and the “privacy vulnerable.”

The most syncretic version of our work is Alan Westin’s Privacy Homo Economicus. Other works can be found here: Berkeley Consumer Privacy Survey Archive

WSJ Data

Identity Theft Causes, Incentives, and Deterrence

In a trio of articles (for NSF-TRUST), I showed how identity theft is an externality of credit granting, where costs of fraud are spread among victims, merchants, and society generally. For instance, the image below is summary data on an identity theft victim who I interviewed–the impostor in the case made numerous errors in pretending to be the victim. Yet mortgage lenders were willing to grant huge loans in the victim’s name, despite mismatches in personal information and the presence of fraud alerts.  This incident of identity theft, and many others, are crimes committed by bad actors, but they are also incidents where credit grantors’ pursuit of profit causes them to overlook evidence of fraud.

In this work, I explain the economic incentives that lead grantors to overlook fraud. Understood as a problem of incentives, different public policy options could be sought. Instead of prescriptive rules proposed by privacy advocates, I argued that credit grantors should be liable for identity theft victims’ lost time and financial costs.  These costs should be allocated to credit grantors, because they are least cost avoiders in the identity theft context, and because consumers cannot control the credit granting process nor insure against identity theft losses efficiently.

My analysis shows that consumer education cannot be effective at stemming identity theft, because the most forms of the crime cannot be prevented through consumer action or inaction.  Further, criminalization largely failed to address the problem, because of law enforcement priorities, a lack of training, and reluctance among businesses to participate in investigations.


Before coming to Berkeley, I worked in Washington, DC as a privacy advocate. I was struck by the character of policy debates there. Industries lobbied using a blend of libertarian and one-eyed public choice argument, repeating it so often that to me it sounded like simple cliché. In fact, it wasn’t debate, it was intransigence.

My brother Mark and I called this “Denialism,” rhetoric that gave the appearance of a debate but was actually a charade. I also, awkwardly, tried to illustrate denialism as a Deck of Cards. At the time, we were not aware that Albert Hirschman had modeled much of the problem. Nowadays, denialism would be recognized as a technique of disinformation.

Denialism is now described in the academic literature; in 2009, Michael Specter wrote a book on Denialism; in 2015, Maastricht University held a conference on denialism and human rights.

The techniques of denialism–conspiracy theories, cherry-picking data, fake experts, moving goalposts, and logical fallacies–work. The key is not to engage them, but to teach others how to recognize misleading forms of argumentation. Remember Pushkin’s advice: never argue with fools.

Denialist Cards