Further Reading — Chapter 39: Designing for Privacy
1. Cavoukian, Ann. "Privacy by Design: The 7 Foundational Principles." Information and Privacy Commissioner of Ontario, 2009. Available at ipc.on.ca.
The original source document for Privacy by Design. Cavoukian's framework, available freely from the Information and Privacy Commissioner of Ontario's website, is concise (11 pages) and accessible to non-technical readers. Reading the primary document alongside this chapter's analysis will reveal both the power of the framework and the gap between its aspirations and common practice. Students interested in privacy governance careers should treat this as essential primary reading.
2. Dwork, Cynthia, and Aaron Roth. "The Algorithmic Foundations of Differential Privacy." Foundations and Trends in Theoretical Computer Science, vol. 9, 2014.
The foundational technical paper on differential privacy, written by the technique's inventors. Technically dense but accessible in its introductory sections; the first three chapters provide sufficient background to understand the mathematical guarantees of the Laplace mechanism without requiring a computer science background. For students who want to understand why differential privacy works — not just that it works — this is the essential source. Available freely through standard academic databases.
3. Hartzog, Woodrow. Privacy's Blueprint: The Battle to Control the Design of New Technologies. Harvard University Press, 2018.
Hartzog's argument that technology design determines privacy outcomes more than law does is the intellectual foundation for this chapter's approach. His analysis of how design choices about obscurity, trust, and defaults shape the privacy landscape — regardless of legal requirements — provides the theoretical basis for why privacy by design matters at the architectural level. The chapters on "obscurity" as a privacy mechanism and on the limits of notice-and-consent are especially relevant to the design arguments in Chapter 39.
4. Acquisti, Alessandro, Laura Brandimarte, and George Loewenstein. "Privacy and Human Behavior in the Age of Information." Science, vol. 347, 2015.
A rigorous synthesis of behavioral economics research on how people actually make privacy decisions — which turns out to be quite different from how rational actor models assume they do. Acquisti and colleagues document the consistent finding that privacy preferences are highly context-sensitive, easily manipulated by framing and defaults, and frequently inconsistent. This research is essential for understanding why "privacy as the default" is not merely a policy preference but a design requirement: if people cannot be expected to protect their privacy through deliberate choices, the design of defaults becomes determinative.
5. Solove, Daniel J., and Paul Schwartz. Privacy Law Fundamentals. 8th ed. International Association of Privacy Professionals Press, 2024.
The standard legal reference for U.S. privacy law. Solove and Schwartz cover FERPA, COPPA, HIPAA, CCPA, GDPR applicability to U.S. entities, and the developing federal privacy landscape in an accessible format designed for practitioners and students. The annual update cycle means the current edition captures recent regulatory developments. Students who want to understand the legal framework within which privacy by design operates should have this reference.
6. European Data Protection Board. "Guidelines on Data Protection by Design and by Default." EDPB, 2020. Available at edpb.europa.eu.
The EU's authoritative interpretation of GDPR's privacy by design and by default requirements. The Guidelines explain how regulators interpret the Article 25 requirements, what constitutes adequate implementation, and what the EDPB expects from data protection impact assessments. Reading this alongside Cavoukian's framework reveals both the alignment between the original framework and its regulatory implementation and the gaps where regulatory requirements go beyond or depart from the framework.
7. Narayanan, Arvind, and Vitaly Shmatikov. "Robust De-anonymization of Large Datasets (How to Break Anonymity of the Netflix Prize Dataset)." IEEE Symposium on Security and Privacy, 2008.
This paper, which demonstrates that Netflix's "anonymized" movie rating dataset could be de-anonymized by correlating it with public IMDb ratings, is one of the most influential findings in privacy research. It established empirically what Latanya Sweeney's work had suggested theoretically: anonymization is much weaker than assumed, and "de-identified" datasets can be re-identified with limited additional information. The paper is accessible despite its technical content and is essential for understanding the limitations of anonymization as a privacy technique.
8. Mackey, Tim K., et al. "Emerging Models of Consent in Precision Medicine Research: Systematic Review of Ethical Issues." Journal of Medical Internet Research, 2020.
An accessible review of how consent frameworks are being redesigned in medical research contexts where traditional single-event consent is inadequate — where research uses data in ways that were not anticipated at collection, where participants cannot meaningfully evaluate future uses, and where the value of data sharing (for research) must be balanced against privacy protection. The analysis of "dynamic consent," "open consent," and "meta-consent" models is relevant to the consent problems that Chapter 39 identifies as structural limitations of notice-and-consent frameworks generally.
9. Sarabdeen, Jawahitha. "Protection of the Privacy of the Data Subject with GDPR and Right to Be Forgotten." Journal of Information, Communication and Ethics in Society, 2022.
An analysis of GDPR's implementation in practice, with particular attention to the right to erasure ("right to be forgotten") and its limitations. The article documents the gap between the statutory right and its practical enforceability — many GDPR rights are difficult to exercise in practice because companies make the exercise process cumbersome, data subject access requests are often inadequately fulfilled, and enforcement is slow relative to the scale of violations. Useful for understanding why well-designed legal frameworks do not automatically translate into functional rights.
10. Calo, Ryan. "The Boundaries of Privacy Harm." Indiana Law Journal, vol. 86, 2011.
Calo's influential law review article proposes a taxonomy of privacy harms that is more useful than previous frameworks for assessing the harms produced by specific surveillance systems. He distinguishes between subjective harms (distress from awareness of surveillance) and objective harms (practical consequences of data disclosure), and between harms to individuals and harms to groups. This taxonomy is directly useful for the privacy impact assessment framework developed in Chapter 39: what are you assessing for in a PIA, and how do you determine when a harm is serious enough to warrant design modification or prohibition?
Students interested in the technical implementation of differential privacy should supplement this list with Google's open-source "differential-privacy" library (github.com/google/differential-privacy) and Apple's open-source differential privacy documentation, both of which include worked examples. For policy practitioners, the International Association of Privacy Professionals (IAPP) publishes practitioner-oriented resources on GDPR compliance, algorithmic auditing, and privacy by design implementation.