Law Review Articles

Cybersecurity Mission Creep
University of Illinois Law Review (2026)

Cybersecurity is experiencing mission creep. Policymakers are casting more and more problems as issues of cybersecurity. So reframed, wildly different policy issues, from misinformation, to child social media safety laws, to antitrust regulations, to alleged journalist misconduct, to anti-sex trafficking statutes become what this Article calls “cybersecuritized.” Before this reframing, these issues present as important but not existential. But once cybersecuritization positions the issues as threats intensified by their technological nature, they gain access to the politics and law of urgency and exceptionalism and invite troubling governance responses.

Positioned as security threats, cybersecuritized issues become endowed with the apparent normative power to override countervailing considerations, oversimplifying the problem. Cybersecuritization’s oversimplification risks unidimensional solutions like incarceration, obscures harms to marginalized groups, and invites use of argumentative trump cards, like First Amendment challenges. Cybersecuritization, by positioning policy issues as difficult-to-counter technical threats, also invites deference to purported specialists and their proposed solutions. Together, the reductive tendencies of cybersecuritization and the deference it prompts to specialists renders ultimate governance choices more opaque. And this opacity erodes public trust and political legitimacy.

This Article surfaces the phenomenon of cybersecuritization and offers a novel framework for analyzing and critiquing it. Mining cases from across criminal and civil domains, the account also demonstrates the insidiousness of cybersecuritization and the likelihood that it will continue to expand. Confronting cybersecuritization is crucial. If we continue to ignore it, we risk abdicating further responsibility for difficult choices to the trump card of cybersecurity. This Article’s analysis and critique aim to help reclaim the hard work of governance for our hands.

Fragmentation of International Cybercrime Law
Utah Law Review (2025)

Non-dominant states often join multilateral legal mechanisms drafted by dominant states. But this feature has not borne out to the extent expected in the cybercrime and cybersecurity context. The primary legal mechanism promulgated by Western states, the Budapest Convention on Cybercrime, has struggled to achieve full global uptake. Instead, many states have used regional organizations to create their own multilateral legal mechanisms addressing cybercrime and cybersecurity threats. This Article examines this fragmentation, the first to analyze all of the regional conventions together. Through comparative analysis of the legal texts, this piece establishes that multilateral mechanisms for governing cybersecurity and cybercrime are divergent. It categorizes the approaches taken, providing an analytic lens to digest detailed differences. Three distinct views of cybercrime and cybersecurity emerge, a law enforcement approach, a statist approach, and a command-and-control approach. Each region leverages these distinct approaches in service of a broader aim, fortifying the concept of sovereignty its member states prioritize in the international system, both online and offline. Last, although this sovereignty account provides one window into international cybersecurity law fragmentation, it does not provide a full explanation, especially for the weakest states. This Article identifies where this account falls short and sets up the next article in this series. Going forward, I argue that weak states, contrary to expectations, actively employ cybersecurity and other legal fragmentation to advance a broad range of strategic interests.

Zero Progress on Zero Days: How the Last Ten Years Created the Modern Spyware Market
University of Nebraska Law Review (2024)

Spyware makes surveillance simple. The last ten years have seen a global market emerge for ready-made software that lets governments surveil their citizens and foreign adversaries alike and to do so more easily than when such work required tradecraft. The last ten years have also been marked by stark failures to control spyware and its precursors and components. This Article accounts for and critiques these failures, providing a socio-technical history since 2014, particularly focusing on the conversation about trade in zero-day vulnerabilities and exploits. Second, this Article applies lessons from these failures to guide regulatory efforts going forward. While recognizing that controlling this trade is difficult, I argue countries should focus on building and strengthening multilateral coalitions of the willing, rather than on strong-arming existing multilateral institutions into working on the problem. Individually, countries should focus on export controls and other sanctions that target specific bad actors, rather than focusing on restricting particular technologies. Last, I continue to call for transparency as a key part of oversight of domestic governments’ use of spyware and related components.

Warranted Exclusion: A Case for a Fourth Amendment Built on a Right to Exclude
SMU Law Review (2023)

Searches intrude; fundamentally, they infringe on a right to exclude. So that right should form the basis of Fourth Amendment protections. Current Fourth Amendment doctrine—the reasonable expectation of privacy test—struggles with conceptual clarity and predictability. And the leading competitor, what I call the “maximalist” property approach, risks troublingly narrow results. This Article provides a new alternative: Fourth Amendment protection should be anchored in a flexible conception of property rights—what this Article terms a “situational right to exclude.” When a searchee has a right to exclude some law-abiding person from the thing to be searched, in some circumstance, the government must obtain a warrant before gathering information about that item. Keeping the government out is warranted when an individual has a situational right to exclude; it is exactly then that the government must get a warrant.

The New Editors: Refining First Amendment Protections for Internet Platforms
Notre Dame Journal of Emerging Technologies (2021)

First Amendment editorial privilege, as applied to Internet platforms, is often treated by courts and by platforms themselves as monolithic and equally applicable to all content moderation decisions. The privilege is asserted by all types of platforms, whether search engine or social media, and for all kinds of decisions, whether about content-specific decisions or wholesale moderation policies. In the world of traditional media, editorial privilege is strong but not absolute: courts have allowed it to ebb when editorial judgments are spurred by fraud or profit motives, and, to some degree, when judgments are wholesale rather than individual. Section 230’s broad protections for Internet platforms have largely precluded the development of a robust body of First Amendment law specific to Internet platforms. But, with Section 230 reform a clear priority for Congress, Internet platforms will likely turn to First Amendment defenses to a greater extent in coming years. This Article envisions what it could look like to tailor First Amendment editorial privilege to the multifaceted nature of the Internet landscape, just as courts have done in the offline world.

Local Police Surveillance and the Administrative Fourth Amendment
Santa Clara High Technology Journal (2020)

Police surveillance has become a problem of governance, not a problem of procedure. The introduction and use of sophisticated surveillance technologies, once reserved for elite central governments, in local policing has raised questions about the sufficiency of existing approaches. This Article argues that the proper response to use of sophisticated investigative technologies by local police is local administrative governance by city councils. Having an external administrative body make rules about police technology brings with it an ability to consider expanded concerns about technology, timeliness, and an ability to regulate interactions with private actors.  In addition to offering a set of legal arguments, this paper contains two novel descriptive contributions. First, where other articles have focused on the legal risks of certain technologies, this Article compiles a comprehensive look at a range of police technologies and systematically analyzes the risks they pose both legally and at the local level. Second, this Article offers the first comprehensive assessment of the current efforts localities have made towards implementing this kind of local administrative governance for police technology.  

This Article argues that the appropriate place to consider public accountability factors in whistleblower cases is at sentencing. Courts can take, and have taken, substantive First Amendment rights into consideration at sentencing as mitigating factors. Examining historical sentencing practices in fugitive slave rescue and conscientious objector cases, this Article demonstrates to courts the historical validity of taking substantive constitutional interests into account at sentencing—that the constitution does not evaporate with a verdict. It also argues that courts should implement sentence mitigation on the basis of First Amendment interests in whistleblower cases, providing an immediate pragmatic solution and potentially prompting a more sustainable long-term approach to government whistleblowers.

Regulating the Zero-Day Vulnerability Trade: A Preliminary Analysis
I/S: A Journal of Law and Policy for the Information Society (2015)
(now: Ohio State Technology Law Journal) [available here]

The global trade in zero-day vulnerabilities – software flaws unknown to the maker and public – constitutes a serious cybersecurity problem. Governments use zero days for military, intelligence, and law enforcement cyber operations, and criminal organizations use them to steal information and disrupt systems. The zero-day trade is global and lucrative, with the U.S. and other governments participating as buyers. Cybersecurity experts worry this trade enables governments, non-state actors, and criminals to gain damaging capabilities, as well as undermining U.S. and global cybersecurity. These problems are generating a nascent, but growing, policy debate about the need to regulate the zero-day trade. This Article contributes to this debate by analyzing U.S. domestic and international options for controlling the zero-day trade. If controlling the trade is a desired aim, without U.S. leadership and coordinated international action, realpolitik will prevail.

---