David Thaw

University of Pittsburgh | 3900 Forbes Avenue, Pittsburgh, PA 15260 | dbthaw@gmail.com


I am a Law and Computing and Information professor at the University of Pittsburgh. A lawyer and computer scientist by training, I use my training in both fields to tackle problems related to law and technology policy. My primary focus is cybersecurity. I also work with computer crime, privacy, and cyber warfare issues. Like many professors, my work focuses on research and scholarship, teaching, and public service.

I have been something of a technology "nerd" since I was a young child, and remained interested in the types of questions which arise when social structures are challenged by new technologies. Often this intersection disrupts traditional assumptions regarding human behavior, which can in turn undermine that social framework upon which our legal system is built. When these issues collide, understanding the interaction between the two is critical to identifying the effects proposed technological and policy solutions may have. I believe it is therefore critical that those working on technology policy integrate both legal and scientific understanding, hence my educational background and current work in both fields. I use my knowledge in this regard to facilitate interdisciplinary collaborations, teach cross-disciplinary courses, and support public interest initiatives and national and international policymaking efforts.

My legal and policy scholarship examines the efficacy of legal mechanisms for regulating emerging technology problems. My scholarly focus is on two of these mechanisms -- the regulatory state and the criminal law. In particular, I am interested in the extent to which we can empirically evaluate the "efficacy" of both statutory and administrative regulatory measures. My work in this regard also looks at the role of administrative agencies as "experts," and what challenges agencies face in developing and maintaining expertise for highly heterogeneous, rapidly-changing fields like cybersecurity. I am also interested in to what extent certain activities should be regulated by the force of the criminal law, and why. Aligned with these interests, I teach law school courses in Administrative Law, first-year criminal law, and a cross-listed course in cybercrime.

My scientific research focuses on developing the empirical data necessary to evaluate the effectiveness of policy approaches. I am particularly interested in evidence-based policymaking, and am deeply concerned about recent trends of "policy by anecdote" in cybersecurity. (Consider the example of password complexity policies.) In the CyREN Lab we are developing technologies and scientific methods to apply those technologies to collect data which improves our understanding of how cybersecurity breaches happen "on the ground." My research seeks to improve our understanding of cybersecurity practice and effectiveness through empirical and experimental methods. Aligned with these interests, I teach a cross-listed course in Cybersecurity and Privacy Regulation.

Originally, I’m from a small farm town near the University of Connecticut. After the unexpected loss of my mother, my father struggled to raise my brother and me as a single parent. He worked tirelessly as a public servant, serving severely disabled populations, and ultimately sacrificed many of his public service dreams to provide for our family. His strength and resilience through those difficult times shaped my appreciation of public service, education, and the American dream. He further instilled in us a sense of pride, through sharing stories of my family’s multi-cultural heritage, as Ashkenazi and Sephardi (Hispanic) Jewish refugees from his family and as Native Americans from my mom’s family. These values gave me strength to persevere through my own hardships and transform those challenges into positive contributions to my own identity. Today, I am grateful to share my life with a loving partner and our two dogs Cedar and Willow.
