Steven B. Roosa

Head of NRF Digital Analytics and Technology Assessment Platform, United States, Norton Rose Fulbright US LLP
New York
United States
+1 212 318 3222
Biography

Steve uses code to solve compliance problems. His current coding work focuses on three main areas:

  • Quality Control Features for Gen AI / LLM Outputs
  • Precision RAG Solutions
  • Analysis of Network Traffic for Privacy Compliance

He builds technical solutions, with an AI focus, to help clients tackle difficult legal challenges. He works with legal and technical teams to access hard-to-get technical artifacts and then leverages AI and other technologies to identify issues, propose mitigations and reduce risk.

On the privacy front, Steve created and maintains NT Analyzer, the firm’s comprehensive privacy testing solution that evaluates the data collection footprint of clients’ websites, mobile applications, connected TV apps, and other varieties of network-aware products and services.  

Steve’s clients include global companies across a wide range of industries, including media companies, financial services entities, pharmaceutical and life sciences companies, large retailers, hospitality providers and airlines.

NT Analyzer Internals—Privacy Compliance

NT Analyzer uses network traffic analysis to identify a wide variety of legal risks, such as data leakage, form scraping, non-working opt-outs and unknown third parties. NT Analyzer translates technical findings into actionable legal guidance across a wide array of regulatory frameworks, including the CCPA and other state privacy laws, GLBA, HIPAA, GDPR, COPPA and VPPA.

Steve made major updates to NT Analyzer in 2025 so that the tool suite can also obtain AI-generated insights about low-level technical events that might otherwise be inscrutable. The current complement of NT Analyzer modules includes:

  • Remote Hosts—Identification of remote hosts by corresponding company or service.
  • Traditional PI—Detection of data transmissions consisting of traditional forms of personal information (email address, phone number, postal address, etc.).
  • Technical Data—Detection of technical data such as advertising identifiers, lat-long coordinates, GUIDs, hardware identifiers, and data from the ambient environment (SSIDs, BSSIDs, etc.).
  • Hashed and Encoded Data—Detection of obfuscated data such as hashed data, encoded data, and permutations of hashes and encodings (for example, a hash of a lower-cased value, or a base64-encoded hash).
  • Key-Value Pair Dump—Surfacing all key-value pairs transmitted to each party and filtering them by useful categories. This acts as a backstop for list-based string detection, which can only find values it already knows to look for.
  • JavaScript File Analysis—Low-level technical analysis that generates detailed documentation explaining the use case, data flows and privacy issues associated with third-party JavaScript.
  • API Mapping—Low-level technical analysis consisting of AI insights regarding the data flows, use cases and parameters of first-party and third-party APIs.
  • Cookies and Local Storage—Identification of cookie names and values and of local storage entries.
  • Opt-Out Analysis—Compares the behavior of a website or app in an opted-out state with its behavior in a non-opted-out state, including analysis of any relevant opt-out strings or flags. This analysis includes determining whether Global Privacy Control (GPC) and similar signals are honored.
  • Fuzzy Match on Sensitive Subject Matter Data—AI-assisted subject matter analysis to determine what types of sensitive subject matter content are transmitted to third parties, including exact and “fuzzy” matches.
  • Data Confluence—Determines whether identifying data is transmitted together with data regarding the user’s consumption of content (such as video titles or genres for VPPA, health data for HIPAA or My Health My Data, or financial data for GLBA).
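The module list above says what is surfaced but not how a key-value dump, a hash-permutation match or an opt-out comparison is actually carried out. The following Python is an added illustration written for this page; it is not NT Analyzer code and does not describe the firm's implementation. The request representation (a dict with url, headers and body), the host names and the captured traffic are all constructed for the example, and the matching covers only the permutations listed in the comments.

```python
"""Added illustrative example (not NT Analyzer code): dump the key-value pairs
each captured request transmits, match values against plaintext, hashed and
encoded permutations of known PI, and diff third-party hosts between a
baseline capture and an opted-out capture. Request format and traffic are
constructed for the example."""
import base64
import hashlib
import json
from urllib.parse import parse_qsl, urlencode, urlsplit


def pi_fingerprints(label, value):
    """Map every form a tracker plausibly sends for one PI value back to a
    description: plaintext variants, base64 of each, and md5/sha1/sha256
    digests of each normalised form as lower/upper hex, base64 and base64url."""
    forms = {"raw": value, "trim": value.strip(),
             "lower": value.strip().lower(), "upper": value.strip().upper()}
    fp = {}
    for name, f in forms.items():
        fp.setdefault(f, f"{label}:plain:{name}")
        fp.setdefault(base64.b64encode(f.encode()).decode(), f"{label}:b64:{name}")
        for algo in ("md5", "sha1", "sha256"):
            d = hashlib.new(algo, f.encode()).digest()
            fp.setdefault(d.hex(), f"{label}:{algo}-hex:{name}")
            fp.setdefault(d.hex().upper(), f"{label}:{algo}-HEX:{name}")
            fp.setdefault(base64.b64encode(d).decode(), f"{label}:{algo}-b64:{name}")
            fp.setdefault(base64.urlsafe_b64encode(d).decode().rstrip("="),
                          f"{label}:{algo}-b64url:{name}")
    return fp


def _flatten(obj, prefix=""):
    """Flatten nested JSON into dotted keys so nested values are scanned too."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _flatten(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), str(obj)


def key_value_pairs(req):
    """Dump every key-value pair a request transmits: query string plus a
    JSON or form-encoded body. req = {"url": str, "headers": dict, "body": str}."""
    pairs = [("query." + k, v) for k, v in parse_qsl(urlsplit(req["url"]).query)]
    ctype = req.get("headers", {}).get("Content-Type", "")
    body = req.get("body") or ""
    if "json" in ctype and body:
        pairs += [("body." + k, v) for k, v in _flatten(json.loads(body))]
    elif body:
        pairs += [("body." + k, v) for k, v in parse_qsl(body)]
    return pairs


def scan_requests(requests, pi):
    """pi = {label: value}. Returns (host, key, description) for every pair
    whose value equals a known PI value in any plaintext/hashed/encoded form."""
    fp = {}
    for label, value in pi.items():
        fp.update(pi_fingerprints(label, value))
    findings = []
    for req in requests:
        host = urlsplit(req["url"]).hostname
        for key, value in key_value_pairs(req):
            if value in fp:
                findings.append((host, key, fp[value]))
    return findings


def _is_first_party(host, first_party):
    return host == first_party or host.endswith("." + first_party)


def third_party_hosts(requests, first_party):
    return {urlsplit(r["url"]).hostname for r in requests
            if not _is_first_party(urlsplit(r["url"]).hostname, first_party)}


def opt_out_check(baseline, opted_out, first_party):
    """Third parties that still receive traffic after opt-out, and whether every
    opted-out request actually carried the Sec-GPC: 1 header (a precondition
    for concluding that a recipient ignored the signal)."""
    still = sorted(third_party_hosts(baseline, first_party)
                   & third_party_hosts(opted_out, first_party))
    gpc_sent = all(r.get("headers", {}).get("Sec-GPC") == "1" for r in opted_out)
    return still, gpc_sent


# Constructed sample traffic: a first-party checkout call plus two third-party
# beacons, one carrying a SHA-256 of the lower-cased email, one a base64 MD5.
EMAIL = "Jane.Doe@example.com"
SHA256_LOWER = hashlib.sha256(EMAIL.lower().encode()).hexdigest()
MD5_B64 = base64.b64encode(hashlib.md5(EMAIL.lower().encode()).digest()).decode()
BASELINE = [
    {"url": "https://www.shop.example/api/checkout",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"user": {"email": EMAIL}, "cart": [{"sku": "A1"}]})},
    {"url": f"https://pixel.adnet-example.net/collect?em={SHA256_LOWER}&ev=purchase",
     "headers": {}, "body": ""},
    {"url": "https://tag.analytics-example.com/t",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": urlencode({"uid": MD5_B64, "pg": "/checkout"})},
]
OPTED_OUT = [
    {"url": "https://www.shop.example/api/checkout",
     "headers": {"Sec-GPC": "1", "Content-Type": "application/json"},
     "body": json.dumps({"user": {"email": EMAIL}})},
    {"url": f"https://pixel.adnet-example.net/collect?em={SHA256_LOWER}&ev=purchase",
     "headers": {"Sec-GPC": "1"}, "body": ""},
]

if __name__ == "__main__":
    for host, key, what in scan_requests(BASELINE, {"email": EMAIL}):
        print(f"{host:28} {key:18} {what}")
    print(opt_out_check(BASELINE, OPTED_OUT, "shop.example"))
```

Two points the code makes explicit: list-based matching only finds permutations that were enumerated up front (add a salt or a different normalisation and the match is lost, which is why the raw key-value dump is kept as a backstop), and an opt-out comparison is only meaningful if the opted-out capture can be shown to have carried the signal in the first place.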

Artificial Intelligence—Development and Advisory

Steve has also created various AI solutions using RAG, complex chain-of-thought techniques and agentic pipelines for different privacy compliance functions and legal analysis. He is well-versed in AI development issues and in navigating challenges relating to semantic search, vectorization and embedding processes, agentic workflows, reliability assurance, bias testing and cost efficiency. Steve is actively developing new AI solutions related to network traffic analysis as well as legal advisory services at scale.

Steve collaborates with PhD experts in machine learning, AI, computer science and statistics to ensure that clients’ development efforts and consumer-facing solutions comply not only with applicable law, but also best practices across various disciplines. Steve has overseen enterprise-wide special projects with respect to AI moderation of user interactions/comments and assisted clients with a wide variety of privacy risk assessments involving AI use cases.

Privacy Compliance Generally

Although Steve’s practice revolves around technical testing and legal advice across a spectrum of technology issues, it also involves conventional legal compliance work including preparation of privacy policies, consents, and notices; contract revision and drafting, especially with respect to privacy and security; and compliance advice with respect to the full lifecycle of consumer data.

Research

Steve is a fellow emeritus at Princeton University’s Center for Information Technology Policy (CITP). Currently, Steve actively develops privacy forensic solutions and AI applications within the context of his work at the firm.

Prior Work

Prior to practicing law, Steve worked for a state law enforcement agency as an intelligence analyst investigating public corruption and organized crime. 

Professional experience

Representative experience

Technical and specialized engagements:

  • Mobile app privacy testing on Android, iOS, and Kindle devices
  • Website privacy testing and analysis
  • Data Lake privacy controls
  • API testing
  • IoT privacy and feature testing
  • Hard-coding legal decision making in privacy control platforms
  • Privacy and security training
  • Online ad ecosystem training

Privacy-related class action litigation defense and regulatory defense:

  • Represented companies in litigation resulting from use of social network widgets
  • Represented companies in relation to state attorneys general inquiries, Civil Investigative Demands (CIDs), subpoenas and investigations.
  • Represented several companies in class action litigation related to the use of cookies and Flash cookies.

General Compliance and Corporate Governance:

  • Provided advice to large retailers with respect to geo-fencing projects
  • Provided strategic advice and counsel on local, national and international privacy and data protection and data transfer laws for numerous companies
  • Assisted numerous companies in drafting, design and implementation of internal company policies, including information security, data and records management and retention, data classification and handling, device management and "Bring Your Own Device" policies, codes of conduct, white papers, marketing materials, vendor white lists and internal policies on Internet tracking.
  • Provided counseling for a large communications provider, software companies and mobile app developers with respect to issues pertaining to security, encryption and authentication.
  • Provided advice to numerous companies with respect to the use of geo-location information.
  • Developed privacy training programs.

Rankings and recognitions

  • 500 Leading Global Cyber Lawyers, Lawdragon, 2025
  • Stand-out Lawyers, Thomson Reuters, 2025
  • Chambers Global, Privacy and Data Security: Privacy, Chambers and Partners, 2025
  • Chambers USA, Nationwide, Privacy and Data Security: Privacy, Chambers and Partners, 2024-2025
  • Legal 500, Recommended Lawyer, Cyber law (including data privacy and data protection), The Legal 500, 2022-2025
  • Legal 500, Recommended Lawyer, General Commercial Disputes, The Legal 500, 2021
  • New York Trailblazer, New York Law Journal, 2020
  • Who's Who Legal, Data: Information Technology, Legal Business Research Ltd., 2018
  • Outstanding Lawyer, Nightingale's Healthcare News, 2009
  • Top 40 Under 40, New Jersey Law Journal, 2008

Education

JD, Rutgers Law School
BA, Cornell University

Admissions

  • District of Columbia Bar
  • New York State Bar

Publications

Speaking engagements

  • International Association of Privacy Professionals (IAPP) Little Big Stage Online, NT Analyzer: Empowering You to Manage Digital Privacy Risk at Every Level, June 3, 2021
  • Webinar - NT Analyzer: Partnering With Your Business to Prepare for the Future of AdTech, May 25, 2021
  • Webinar - Solving Apple's New App Privacy Requirement, November 13, 2020
  • "The Insecure Digital World: Data Breaches and Other Threats to Consumers," Consumer Federation of America Consumer Assembly, May 10-11, 2018
  • "Moral Humans, Immoral Algorithms," Privacy Security Risk (IAPP), San Diego, October 2017
  • Steven Roosa and Josh Kroll, "The Algorithm Made Me Do It: Predictive Power, Ethics and the Law in the Age of Machine Learning, Artificial Intelligence, and Mathematical Perplexity," Highmark Health All-Hands Privacy Workshop, Pittsburgh, PA, January 11, 2017. (Invited).
  • "Moral Humans and Amoral Algorithms: How Machine Learning Creates Privacy and Ethics Exposure and What You Need to Know About It," Privacy + Security Forum, October 24-26, 2016
  • "New Legal Challenges Resulting from an Escalation of Cyber Risks and Data Breaches," New York Bankers Association's Bank Counsel Seminar, April 23, 2015
  • "AdvaMed's Mobile Health, Wellness and Medical: A Privacy Workshop," Regulatory Oversight of Mobile Medical Devices and Health and Wellness Apps by the FDA and FTC, Hands on Testing of Mobile Apps for Privacy and Security, Shortcomings in De-Identification Schemes, April 22, 2015
  • "Mobile Apps and Network-Aware Devices: Legal Exposure in the Collection of Data and What to Do About It," AdvaMed Webinar, November 4, 2014
  • "Cyber Security Risks that Threaten Corporate Intellectual Property and Client Confidentiality," IP Trademark, Copyright & Licensing Counsel Forum, October 28-29, 2014
  • "Financial Services IT – Avoidance of Risks," Information Security Issues, Practising Law Institute, May 21, 2014
  • Moderator, "Mobile Apps and Privacy: The Hidden Risks," IP Trademark, Copyright & Licensing Counsel Forum, October 22, 2013
  • Moderator, "Compromise and Control at the Perimeter of the Network: Online Trust, Mobile Security and Mitigating Risk in Mergers and Acquisitions," North Virginia Technology Council General Counsel Committee Event, June 7, 2013
  • "Mobile Privacy and Security," The Current Regulatory Landscape and New Risk Threat Model, April 16, 2013
  • "Mobile Privacy and Monetization: Risks and Opportunities in the Era of Networked Data," L2 Blog Social CRM Clinic, April 4, 2013
  • "Privacy and Security in Mobile Apps, the Cloud, and the Internet of Things: The Role of In-House Counsel In Mitigating New Risks," Association of Corporate Counsel, Northeast Chapter, October 3, 2012
  • "Mobile Security & Privacy Best Practices," Online Trust Alliance's Forum, October 1-4, 2012
  • Presenter, "The Devil Is in the Indemnity Agreements: A Critique of the Certificate Authority Trust Model's Putative Legal Foundation," The Center for Information Technology Policy at Princeton University, December 9, 2010
