Chapter 29 Further Reading: Privacy, Security, and AI


Privacy Foundations and Theory

1. Solove, D. J. (2008). Understanding Privacy. Harvard University Press. The definitive academic treatment of privacy as a concept. Solove argues that privacy is not a single value but a family of related concerns — including information collection, processing, dissemination, and invasion. This taxonomy is invaluable for understanding why different privacy regulations emphasize different protections, and why AI systems can violate privacy in ways that traditional IT systems cannot. Essential background for anyone working at the intersection of technology and privacy policy.

2. Nissenbaum, H. (2009). Privacy in Context: Technology, Policy, and the Integrity of Social Life. Stanford University Press. Introduces the concept of "contextual integrity" — the idea that privacy is violated when information flows deviate from the norms of the context in which the information was originally shared. A user who shares purchase data with a retailer for the purpose of completing a transaction expects that data to remain in a transactional context; using it to train an AI model that infers health conditions violates contextual integrity. This framework is particularly useful for evaluating AI data practices and designing consent mechanisms.

3. Zuboff, S. (2019). The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power. PublicAffairs. A sweeping critique of the business model that drives much of the AI industry: the extraction and monetization of personal behavioral data. Zuboff argues that "surveillance capitalism" represents a new form of economic power that undermines autonomy and democracy. While the book's thesis is debated — some find it overstated — it provides essential context for understanding the economic incentives that drive data collection and the privacy risks of AI at scale.


Privacy Regulations

4. Schwartz, P. M., & Solove, D. J. (2024). Information Privacy Law (8th ed.). Wolters Kluwer. The standard law school casebook on information privacy, updated to cover GDPR, CCPA/CPRA, LGPD, PIPL, and the EU AI Act. Comprehensive and authoritative, though dense. Business leaders will benefit from the chapter-length treatments of each major regulation, which provide more depth than most practitioner guides while remaining accessible to non-lawyers.

5. Hoofnagle, C. J. (2016). Federal Trade Commission Privacy Law and Policy. Cambridge University Press. A thorough examination of how the FTC has used its authority under Section 5 of the FTC Act to regulate privacy practices in the United States. Essential reading for understanding the US approach to privacy regulation — which relies on sectoral laws and agency enforcement rather than a comprehensive framework like GDPR. The Equifax enforcement action discussed in Case Study 1 is an example of this approach.

6. European Commission. (2016). "General Data Protection Regulation (GDPR) — Complete Text." Official Journal of the European Union. The primary source. While secondary analyses and summaries are useful, there is no substitute for reading the actual regulation — particularly Articles 22 (automated decision-making), 25 (data protection by design and by default), 35 (data protection impact assessments), and 17 (right to erasure). Available freely online in all EU languages.


Differential Privacy

7. Dwork, C., & Roth, A. (2014). "The Algorithmic Foundations of Differential Privacy." Foundations and Trends in Theoretical Computer Science, 9(3-4), 211-407. The authoritative technical reference on differential privacy by Cynthia Dwork, who co-invented the concept. This monograph covers the mathematical foundations, composition theorems, and mechanism design in rigorous detail. It is technical — requiring comfort with probability theory and algorithm analysis — but it is the definitive source for anyone who needs to understand, implement, or evaluate differential privacy claims.

8. Desfontaines, D., & Pejó, B. (2020). "SoK: Differential Privacies." Proceedings on Privacy Enhancing Technologies, 2020(2), 288-313. A systematic comparison of different variants of differential privacy — local vs. global, central vs. distributed, pure vs. approximate, and newer relaxations like Rényi differential privacy and concentrated differential privacy. Particularly useful for practitioners evaluating which variant is appropriate for their use case. More accessible than Dwork and Roth for readers with intermediate technical backgrounds.

9. Tang, J., Korolova, A., Bai, X., Wang, X., & Wang, X. (2017). "Privacy Loss in Apple's Implementation of Differential Privacy on MacOS 10.12." arXiv preprint arXiv:1709.02753. The University of Southern California research team's analysis of Apple's differential privacy implementation, which raised questions about the epsilon values Apple uses in practice. Essential context for Case Study 2 and for understanding the gap between theoretical privacy guarantees and real-world deployments. A cautionary example of how even well-intentioned privacy implementations can fall short of academic standards.


Federated Learning

10. McMahan, H. B., & Ramage, D. (2017). "Federated Learning: Collaborative Machine Learning without Centralized Training Data." Google AI Blog. Google's introduction of federated learning for a general audience. Clear, well-illustrated, and written by two of the researchers who developed the technique. An excellent starting point for understanding how federated learning works and why it matters for privacy. Pair with the more technical papers below for depth.

11. Kairouz, P., McMahan, H. B., Avent, B., et al. (2021). "Advances and Open Problems in Federated Learning." Foundations and Trends in Machine Learning, 14(1-2), 1-210. A comprehensive survey of the federated learning field, covering algorithms, systems design, privacy analysis, and open problems. Authored by 56 researchers from Google, Apple, CMU, Stanford, and other institutions. At 210 pages, it is exhaustive — use it as a reference rather than reading cover to cover. The sections on privacy attacks against federated learning (model inversion, gradient leakage) are particularly relevant to this chapter.


AI Security and Adversarial Machine Learning

12. Goodfellow, I. J., Shlens, J., & Szegedy, C. (2015). "Explaining and Harnessing Adversarial Examples." Proceedings of the International Conference on Learning Representations (ICLR). The foundational paper on adversarial examples, introducing the Fast Gradient Sign Method (FGSM) — a simple technique for generating inputs that fool deep learning models. Goodfellow's insight that adversarial vulnerability is a fundamental property of linear models (not just a quirk of complex networks) reshaped the field. Required reading for understanding evasion attacks.

13. Biggio, B., & Roli, F. (2018). "Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning." Pattern Recognition, 84, 317-331. A retrospective on the first decade of adversarial machine learning research, covering evasion attacks, data poisoning, and defenses. The authors provide a useful taxonomy of threat models and a candid assessment of the state of defenses (which, they conclude, remain inadequate for most real-world adversarial scenarios). Accessible to readers with a machine learning background but not deep expertise in security.

14. MITRE ATLAS (Adversarial Threat Landscape for AI Systems). https://atlas.mitre.org/. MITRE's framework for understanding adversarial threats to AI systems, modeled on the widely adopted MITRE ATT&CK framework for cybersecurity. ATLAS catalogs real-world case studies of AI attacks, maps them to a taxonomy of techniques and tactics, and provides a common language for discussing AI security threats. An essential practical resource for security teams responsible for AI systems.


Data Breach Response and Cybersecurity

15. IBM Security. (2024). Cost of a Data Breach Report 2024. IBM. The most widely cited annual study on breach costs, based on analysis of over 600 real-world breaches across 16 countries and 17 industries. Key findings include the average cost of a breach ($4.88M), the impact of AI-powered security tools ($2.22M cost reduction), and the value of incident response preparedness ($2.66M cost reduction). Essential data for building the business case for privacy and security investments. Updated annually.

16. Ponemon Institute & Proofpoint. (2024). "The Cost of Insider Threats Global Report 2024." While the chapter focuses on external breaches, insider threats — employees, contractors, or partners with authorized access who misuse it — account for a significant proportion of data security incidents. This report provides data on the cost and frequency of insider threats, with analysis by industry, region, and threat type. Relevant to the Athena case, where the breach vector was a compromised third-party partner's credentials.


Privacy-Enhancing Technologies

17. Archer, D. W., et al. (2018). "From Keys to Databases — Real-World Applications of Secure Multi-Party Computation." The Computer Journal, 61(12), 1749-1771. A practical survey of secure multi-party computation applications beyond academic research — including privacy-preserving auctions, financial benchmarking, genome analysis, and tax fraud detection. Provides the business context that most SMPC papers lack. Useful for evaluating whether SMPC is appropriate for your organization's privacy challenges.

18. Gentry, C. (2009). "A Fully Homomorphic Encryption Scheme." PhD dissertation, Stanford University. The breakthrough that made fully homomorphic encryption theoretically possible. While the original scheme was computationally impractical, it opened a field of research that has produced increasingly efficient implementations. Technical and mathematical, but worth understanding at a conceptual level for anyone evaluating homomorphic encryption as a privacy tool. The introduction provides an accessible overview of the concept.


Privacy by Design and Privacy Engineering

19. Cavoukian, A. (2011). "Privacy by Design: The 7 Foundational Principles." Information and Privacy Commissioner of Ontario. The original articulation of the privacy-by-design framework, written by its creator. Brief (12 pages), clear, and surprisingly practical for a document that has influenced global privacy regulation. The seven principles are now codified in GDPR Article 25, making this document both a philosophical statement and a de facto regulatory guide.

20. Dennedy, M. F., Fox, J., & Finneran, T. R. (2014). The Privacy Engineer's Manifesto: Getting from Policy to Code to QA to Value. Apress. A practical guide to implementing privacy protections in software systems, written for engineers and product managers rather than lawyers. Covers privacy engineering processes, design patterns, testing methodologies, and metrics. Particularly useful for organizations transitioning from a compliance-oriented privacy program to an engineering-oriented one.


AI, Privacy, and Society

21. Kosinski, M., Stillwell, D., & Graepel, T. (2013). "Private Traits and Attributes Are Predictable from Digital Records of Human Behavior." Proceedings of the National Academy of Sciences, 110(15), 5802-5805. The study demonstrating that Facebook "likes" alone can predict sexual orientation, ethnicity, political affiliation, and other sensitive attributes with high accuracy. A landmark paper that made the inference problem tangible and launched a broader conversation about the privacy implications of behavioral data analysis. Frequently cited in privacy policy debates.

22. Rocher, L., Hendrickx, J. M., & de Montjoye, Y.-A. (2019). "Estimating the Success of Re-identifications in Incomplete Datasets Using Generative Models." Nature Communications, 10(1), 3069. The study finding that 99.98 percent of Americans could be re-identified using 15 demographic attributes — even in "anonymized" datasets. Provides the empirical foundation for the chapter's claim that anonymization is a legal fiction for most practical purposes. The paper's interactive web tool allows readers to estimate the re-identification risk for specific combinations of attributes.

23. O'Neil, C. (2016). Weapons of Math Destruction: How Big Data Increases Inequality and Threatens Democracy. Crown. While primarily focused on algorithmic bias (covered in Chapter 25), O'Neil's book includes important discussions of privacy — particularly the ways in which predictive models create feedback loops that entrench inequality. Her analysis of predictive policing, credit scoring, and employment screening models illustrates how privacy violations and bias are often intertwined. Accessible and compelling.


Industry Reports and Frameworks

24. NIST. (2023). "NIST AI 100-2: Adversarial Machine Learning — A Taxonomy and Terminology of Attacks and Mitigations." National Institute of Standards and Technology. NIST's authoritative taxonomy of adversarial attacks on AI systems, covering evasion, poisoning, and privacy attacks with standardized terminology and mitigation strategies. Designed as a reference for practitioners, policymakers, and regulators. Complements the MITRE ATLAS framework with a more structured taxonomy and deeper technical analysis.

25. Cisco. (2024). "Data Privacy Benchmark Study 2024." Cisco Systems. An annual survey of consumer privacy attitudes and organizational privacy practices, covering over 2,600 security professionals in 12 countries. Key findings include the business value of privacy investment (median ROI of 1.6x), consumer willingness to switch companies over data practices (46 percent have done so), and the growing importance of AI transparency. Provides the empirical data behind the chapter's argument that privacy is a competitive differentiator.


These readings span foundational theory, regulatory analysis, technical implementation, and business strategy. For regulatory foundations, start with entries 4-6. For privacy-preserving technology implementation, start with entries 7-11. For AI security, start with entries 12-14. For the business case for privacy, start with entries 15 and 25.