David Thaw

University of Pittsburgh | 3900 Forbes Avenue, Pittsburgh, PA 15260 | dbthaw@pitt.edu


I am a Law and Computing and Information professor at the University of Pittsburgh. A lawyer and computer scientist by training, I use my training in both fields to tackle problems related to law and techology policy. My primary focus is cybersecurity. I also work with computer crime, privacy, and cyber warfare issues. Like many professors, my work focuses on research and scholarship, teaching, and public service.

I have been something of a technology "nerd" since I was a young child, and remained interested in the types of questions which arise when social structures are challenged by new technologies. Often this intersection disrupts traditional assumptions regarding human behavior, which can in turn undermine that social framework upon which our legal system is built. When these issues collide, understanding the interaction between the two is critical to identifying the effects proposed technological and policy solutions may have. I believe it is therefore critical that those working on technology policy integrate both legal and scientific understanding, hence my educational background and current work in both fields. I use my knowledge in this regard to facilitate interdisciplinary collaborations, teach cross-disciplinary courses, and support public interest initiatives and national and international policymaking efforts.

My legal and policy scholarship examines the efficacy of legal mechanisms for regulating emerging technology problems. My scholarly focus is on two of these mechanisms -- the regulatory state and the criminal law. In particular, I am interested in the extent to which we can empirically evaluate the "efficacy" of both statutory and administrative regulatory measures. My work in this regard also looks at the role of administrative agencies as "experts," and what challenges agencies face in developing and maintaining expertise for highly heterogeneous, rapidly-changing fields like cybersecurity. I am also interested in to what extent certain activities should be regulated by the force of the criminal law, and why. Aligned with these interests, I teach law school courses in Adminstrative Law, first-year criminal law, and a cross-listed course incybercrime.

My scientific research focuses on developing the empirical data necessary to evaluate the effectiveness of policy approaches. I am particularly interested in evidence-based policymaking, and am deeply concerned about recent trends of "policy by anecdote" in cybersecurity. (Consider the example of password complexity policies.) In the CyREN Lab we are developing technologies and scientific methods to apply those technologies to collect data which improves our understanding of how cybersecurity breaches happen "on the ground." My research seeks to improve our understanding of cybersecurity practice and effectiveness through empirical and experimental methods. Aligned with these interests, I teach a cross-listed course in Cybersecurity and Privacy Regulation.

I'm originally from Connecticut, but have lived significant periods of time in New York, DC, California, and overseas. I am a huge college sports fan and (possibly ridiculous) dog lover. My childhood "hometown" UConn Huskies remain my primary college basketball love, although I generally follow my home team as well (nb: Duke and Stanfurd [sic] will never earn my support). I'm also a die-hard Cal Bears Football fan, and ardently believe every year that the Axe will end up back in Berkeley. Professionally, I follow the New York Giants and the Golden State Warriors. Very sadly, I've never been able to have my own dog, but have walked, cared for, and played with many friends' dogs (one of whom, we think, has decided she's my "my girlfriend"). I generally favor retrievers and have a soft spot in my heart for Yellow Labradors. I love sunshine and on a sunny day you'll likely find me outside with a football, baseball, and/or dogs.