INFORMATION AND COMMUNICATIONS TEVHNOLOGY LAW II

SECOND SEMESTER
2024/2025 SESSION
LECTURE NOTE 2
TOPIC: INTERNET COOKIE MANAGEMENT & PRIVACY ENHANCING
TECHNOLOGIES
LECTURER: Dr. Osuntogun

INTERNET COOKIE MANAGEMENT

Guarding your privacy online can be overwhelming. Fortunately, even a basic

understanding of cookies can help you keep unwanted eyes off your internet activity.
Whilst most cookies are perfectly safe, some can be used to track you without your
consent by cybercriminals. In this article, we will guide you through how cookies work
and how you can stay safe online.

What Are Internet Cookies?

Cookies (often known as internet cookies) are text files with small pieces of data — like
a username and password — that are used to identify your computer as you use a
network. Specific cookies are used to identify specific users and improve their web
browsing experience. Data stored in a cookie is created by the server upon your
connection. This data is labeled with an ID unique to you and your computer. When the
cookie is exchanged between your computer and the network server, the server reads
the ID and knows what information to specifically serve you.

Due to international laws, such as the EU’s General Data Protection Regulation
(GDPR), and certain state laws, like the California Consumer Privacy Act (CCPA), many
websites are now required to ask for permission to use certain cookies with your
browser and provide you with information on how their cookies will be used if you
accept.

Cookie Control

Cookie control is all about managing user consent for cookies and compliant use of
cookies to protect the data and privacy of users. It is a widely discussed and analyzed
subject in the digital space, since the enforcement of the EU’s General Data
Protection Regulation (GDPR). Cookie Control involves obtaining and managing valid
user consent to use cookies and how you can give the users more control over their
data collected via cookies. Cookie control has been carried out by many privacy
regulations in the world. Among these, the EU’s GDPR, ePrivacy Directive, and the
US’ CCPA (California Consumer Privacy Act) have stricter rules and wider territorial
reach. Both the EU and US laws give users the right to deny websites from
using third-party cookies that sell or share their data with third parties. The EU has the
most stringent rules for data protection in the world. Their laws are comprehensive
and have a wider reach. Perhaps, that is why they are the blueprint for many other
data protection laws that have been implemented all around the world. We can say
that cookie control in the EU member countries set a benchmark for other
countries. ePrivacy Directive (EU Cookie Law) and the GDPR regulate the use of
cookies in the EU. According to both the laws, websites that collect and use the
personal data of EU users to offer services and goods cannot use cookies without
users’ consent. Cookies, here, are those that collect personal data and track user
activity. The laws exempt strictly necessary cookies that are necessary for a website
to function properly from requiring consent.

Magic Cookies and HTTP Cookies

All cookies generally function in the same way, but have been applied to different use
cases:

Magic cookies are an old computing term that refers to packets of information that are
sent and received without changes to the data. This would commonly be used for a
login to computer database systems, such as a business internal network. This concept
predates the modern “cookie” we use today.

HTTP cookies are a repurposed version of the “magic cookie” built for contemporary
internet browsing. In 1994, web browser programmer Lou Montulli used the “magic
cookie” as inspiration to create the HTTP cookie, whilst he was helping an online
shopping store fix their overloaded servers. The HTTP cookie is what we currently refer
to as a cookie more generally today. It is also what some cybercriminals can use to spy
on your online activity and hack your personal information.

What are HTTP Cookies?

HTTP cookies, or internet cookies, are built specifically for web browsers to track,
personalize and save information about each user’s session. A “session” is the word
used to define the amount of time you spend on a site. Cookies are created to identify
you when you visit a new website. The web server — which stores the website’s data —
sends a short stream of identifying information to your web browser in the form of
cookies. This identifying data (known sometimes as “browser cookies”) is processed
and read by “name-value” pairs. These pairs tell the cookies where to be sent and what
data to recall.

So, where are the cookies are stored? It’s simple: your web browser will store them
locally to remember the “name-value pair” that identifies you. When you return to the
website in the future, your web browser returns that cookie data to the website’s server,
triggering the recall of your data from your previous sessions.

To put it simply, cookies are a bit like getting a ticket for a coat check:

You hand over your “coat” to the cloak desk. You connect/visit a website and a pocket
of data is linked to you on the website’s server. This data can be your personal account,
your shopping cart or even just what pages you’ve visited.

You get a “ticket” to identify you as the “coat” owner. The cookie (containing the data) is
then given to you and stored in your web browser. It has a unique ID especially for you.

If you leave and return, you can get the “coat” with your “ticket”. When you revisit the
website, your browser gives the website the cookie back. The website then reads the
unique ID in the cookie to assemble your activity data, bringing you back to where you
were when you first visited, as if you never left.

What Are Cookies Used For?

Websites use HTTP cookies to streamline your web experiences. Without cookies,
you’d have to login every time you leave a site or rebuild your shopping cart if you
accidentally closed the page. Making cookies is an important part of the modern internet
experience.
To be more concise, cookies are intended to be used for:

Session management: For example, cookies let websites recognize users and recall
their individual login information and preferences, such as sports news versus politics.

Personalization: Customized advertising is the main way cookies are used to

personalize your sessions. You may view certain items or parts of a site, and cookies
use this data to help build targeted ads that you might enjoy. They’re also used for
language preferences as well.

Tracking: Shopping sites use cookies to track items users previously viewed, allowing
the sites to suggest other goods they might like and keep items in shopping carts while
they continue shopping on another part of the website. They will also track and monitor
performance analytics, like how many times you visited a page or how much time you
spent on a page.

While this is mostly for your benefit, web developers get a lot out of this set-up as well.
Cookies are stored on your device locally to free up storage space on a website’s
servers. In turn, websites can personalize content, whilst saving money on server
maintenance and storage costs.

What are the different types of HTTP Cookies?

With a few variations (which we’ll discuss later), cookies in the cyber world essentially
come in two types: session cookies and persistent cookies.

Session cookies are used only while navigating a website. They are stored in random
access memory and are never written on to the hard drive. When the session ends,
session cookies are automatically deleted. They also help the "back" button work on
your browser.

Persistent cookies, on the other hand, remain on a computer indefinitely, although

many include an expiration date and are automatically removed when that date is
reached. Persistent cookies are used for two primary purposes:

Authentication. These cookies track whether a user is logged in and under what name.
They also streamline login information, so users don't have to remember site
passwords.
Tracking. These cookies track multiple visits to the same site over time. Some online
merchants, for example, use cookies to track visits from particular users, including the
pages and products viewed. The information they gain allows them to suggest other
items that might interest visitors. Gradually, a profile is built based on a user's browsing
history on that site.

First-Party vs. Third-Party Cookies

From here, internet cookies can be broken down into two further categories: first-party
and third-party. Depending on where they come from, some cookies may potentially be
more of a threat than others.

First-party cookies are directly created by the website you are using. These are
generally safer, as long as you are browsing reputable websites or ones that have not
been compromised by a recent data breach or cyberattack.

Third-party cookies are more troubling. They are generated by websites that are
different from the pages that the users are currently surfing, usually because they're
linked to ads on that page. Third-party cookies let advertisers or analytics companies
track an individual's browsing history across the web on any sites that contain their ads.
However, as previously mentioned, due to new data protection laws, allowing third-party
cookies to access your browser is now optional in many countries and states. These
days, most third-party cookies have no direct impact on your browsing experience, as
many browsers have already begun phasing them out (Google has announced the end
of third-party cookies in Chrome by 2024). Many websites still operate fine and
remember your preferences without using third-party cookies.

Zombie cookies are a form of third-party, persistent cookie, which are permanently
installed on users' computers. They have the unique ability to reappear after they've
been “deleted” from your computer. They are also sometimes called “flash cookies” or
“supercookies” and are extremely difficult to remove. Like other third-party cookies,
zombie cookies can be used by web analytics companies to track unique individuals'
browsing histories. Websites may also use zombies to ban specific users. In some
cases, however, these types of cookies can be fabricated by hackers and used to infect
your system with viruses and malware.
Essential Cookies are now synonymous with the pop-up asking you for your cookie
preferences when you first visit a website. Essential cookies are first-party session
cookies that are necessary to run the website or services you have requested online
(such as remembering your login credentials).

Advantages of using cookies

o Cookies store your login credentials, enabling you to access a website swiftly
without the need to repeat login procedures each time you visit the website.

o Cookies are used on eCommerce websites to help retain your preferences and
suggest similar products based on your previous interactions.

o Cookies on websites store user preferences, ensuring settings remain

unchanged and persist across page reloads.

Disadvantages of using cookies

While cookies offer valuable functionality, they also come with notable drawbacks,
including:

o Vulnerability to cyberattacks.

o Introduction of cookies by advertisements, enabling tracking of web-behavior.

o Potential for data theft and privacy breaches through ads.

o Tracking of personal information by cookies, leading to personalized

advertisements.

To address these concerns, web browsers offer options to manage cookies,

including blocking third-party cookies and clearing cookies from your browser
history. Additionally, legislation such as the General Data Protection Regulation
(GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in
the United States aim to protect user privacy by regulating the collection and use of
personal data, including cookies.

Safeguards when using cookies

To safeguard against compromised cookies and protect your online privacy, consider
the following precautions:
 o Use Secure Websites: Stick to reputable websites that use HTTPS encryption to
ensure secure communication between your browser and the website's server.
o Keep Software Updated: Regularly update your web browser, operating system,
and security software to patch known vulnerabilities and protect against exploits.
o Enable Browser Privacy Settings: Configure your web browser to block third-
party cookies and clear cookies regularly to prevent tracking across websites.
o Use Cookie Management Tools: Take advantage of browser extensions and
privacy-focused tools that allow you to manage and block cookies selectively.
o Be Cautious with Personal Information: Avoid entering sensitive information on
websites that you don't trust, especially if they use unsecured connections or lack
privacy policies.
o Monitor Account Activity: Regularly review your online accounts for any
unauthorized activity or changes, and report suspicious behavior to the
respective service providers.
o Educate Yourself: Stay informed about common online threats, such as phishing
attacks and malware, and learn how to recognize and avoid potential risks.

By implementing these precautions, you can reduce the likelihood of falling victim to
compromised cookies and protect your privacy while browsing the web.
 PRIVACY ENHANCING TECHNLOGIES
Privacy Enhancing Technologies (PETs) are a suite of tools that can help maximise the
use of data by reducing risks inherent to data use. Some PETs provide new tools for
anonymisation, while others enable collaborative analysis on privately-held datasets,
allowing data to be used without disclosing copies of data. PETs are technologies, tools,
techniques, and practices designed to protect individuals’ privacy. They achieve this by
safeguarding personal data during storage, processing, and transmission. And with 94%
of consumers expecting companies to protect their data and data breaches costing
businesses an average of $4.45 million per incident, organizations must find ways to
harness data without compromising privacy. As regulations tighten, PETs are becoming
acritical solution for ensuring compliance and maintaining trust. Sometimes also
referred to as privacy-preserving technologies or data protection technologies, PETs
include methods like encryption, anonymization, access controls, and solutions such as
differential privacy, synthetic data generation, and confidential computing. They help
organizations and individuals maintain control over their data and mitigate privacy risks
in an increasingly data-centric world.

Types of privacy-enhancing technologies

Synthetic data

Synthetic data allows organizations to generate artificial data that closely mimics real-
world data, while still preserving privacy. Organizations can safeguard sensitive
information by generating synthetic datasets. These synthetic datasets closely resemble
real data, encompassing not only the same shape but also similar statistical qualities.
While they lack private details, they maintain correlations and patterns found in real
data. This enables companies to conduct analyses and develop machine learning
models without the risk of data exposure. For example, in a well-designed synthetic
dataset, it might be possible to observe a correlation between age and heart disease,
preserving the statistical characteristics crucial for accurate analysis.

Use cases:

 ‍AI and machine learning – Synthetic data is frequently used in AI and machine
learning to create training datasets when real data is limited or too sensitive to
use.‍

 Software testing and development – Developers use synthetic data to test

applications or systems without risking exposing real customer data, ensuring
that privacy is maintained.
Example:
A healthcare company uses synthetic patient data to develop a new predictive algorithm
for diagnosing diseases. The synthetic dataset reflects the characteristics of real
medical records but doesn't expose any actual patient information, protecting privacy
while still allowing the algorithm to be tested and refined.

Differential privacy

Differential privacy is a mathematical method used in data analysis. It works by

introducing randomness or noise into query responses, making it harder to pinpoint
individual data points. However, not all noise-adding techniques qualify as differential
privacy. Differential privacy is specifically about determining the precise amount of noise
needed to achieve statistical privacy assurances. Differential privacy employs
aggregation to balance data analysis with privacy preservation. This technique involves
summarizing and generalizing data to derive meaningful insights while protecting
individual privacy.

Practical use cases:

 ‍Census data – Governments can apply differential privacy to their census data,
ensuring that individuals cannot be identified through detailed demographic
information, even when data is broken down into small geographic units.‍
  Consumer behavior analysis – Companies can analyze customer behavior
patterns across different regions or demographic groups without revealing any
individual’s data.
 Example:
The U.S. Census Bureau applied differential privacy to protect the privacy of
respondents. When the census data is made publicly available, the noise
ensures that no one can use the data to identify specific households or
individuals.

Confidential computing

 Confidential computing enables data processing within secure enclaves. This

innovative approach prevents unauthorized access to data during computation,
offering a new level of security in data processing and analysis.
 Confidential computing keeps sensitive data safe even during use with two key
data security methods: isolation and remote attestation. The former safeguards
sensitive information while in use, while the latter verifies this protection and what
the data will be used for before computation even begins.

Use cases:

 Cloud computing – Confidential computing enables organizations to securely

process sensitive data in the cloud without risking exposure to the cloud provider
or external threats.‍

 Healthcare and financial services – These industries use confidential

computing to perform computations on highly sensitive data (e.g., medical
records or financial transactions) in environments where privacy and security are
paramount. These industries use confidential computing to perform computations
on highly sensitive data (e.g., medical records or financial transactions) in
environments where privacy and security are paramount.
Example:

Swiss banks used confidential computing from Decentriq to collaborate and gain
insights into cyberthreats. The result was they were able to detect new phishing
campaigns, identify common patterns and compare the phishing defense of all
participating organizations.

Homomorphic encryption

Homomorphic encryption enables computations on encrypted data without decrypting it

first. This ensures data privacy while still allowing meaningful operations to be carried
out on the encrypted information.

Use cases:

 ‍Secure data analytics – Companies can perform data analysis on encrypted

datasets without revealing the underlying sensitive information.

 Financial calculations – Homomorphic encryption is used in the financial

industry to perform calculations on encrypted transactions, ensuring that
sensitive financial information remains protected.
Example:
In digital advertising, homomorphic encryption enables advertisers to analyze encrypted
user data without accessing personal information. This allows for the delivery of
personalized ads while maintaining user privacy. For example, an advertising platform
can process encrypted user preferences to match relevant ads, ensuring that sensitive
data remains confidential throughout the process.

Secure multiparty computation

Secure multiparty computation (SMC) relies on cryptographic protocols using encryption

and mathematical techniques to enable multiple parties to jointly compute a function
over their individual inputs while keeping those inputs private. It ensures that no party
learns anything beyond the output of the computation, even in the case of participants
who follow the protocol correctly but might attempt to learn additional information from
the received data.

Use cases:

 ‍Collaborative research – Multiple institutions can securely analyze combined

datasets without revealing their individual data to each other.
  Joint business intelligence – Businesses can collaborate on shared market
analyses, pooling their data for better insights, while maintaining the
confidentiality of their proprietary datasets.
Example:
A group of healthcare providers wants to collaborate on a new research project using
patient data, but each institution must protect its own data due to privacy concerns.
Using SMC, they can securely compute a joint analysis of treatment outcomes while
ensuring that no party can access the sensitive data of the others.

Federated learning

Federated learning is a decentralized machine learning approach. Here, a model is

trained across multiple decentralized devices or servers holding local data samples,
without exchanging them. Instead of sending raw data to a central server, only model
updates (gradients) are communicated, preserving data privacy.

Use cases:

 ‍Mobile AI – Federated learning enables mobile devices to improve features like

predictive text, image recognition, or voice assistants without sharing sensitive
user data with a central server.‍

 Healthcare AI – Hospitals and healthcare institutions can collaborate on training

AI models for medical diagnosis without exchanging patient data, preserving
privacy while developing more robust models.
Example:
Google uses federated learning in its Gboard keyboard to improve predictive text
functionality. The data remains on individual users' devices, and only updates to the
machine learning model (based on their local usage) are sent to Google’s servers,
ensuring privacy.

Trusted execution environments

Trusted execution environments (TEEs) are secure hardware or software environments

within a computer system. They provide a secure and isolated area for executing
sensitive code or operations. They protect code and data within them from external
tampering, even from the operating system or other software layers.
Enclaves and trusted execution environments are a key part of confidential computing
and are broadly interchangeable terms. They typically imply that the environment is
hardware-based. A few rare exceptions of software-based “enclaves” exist, but they
provide less robust security.

Use cases:

 ‍Cloud data processing – TEEs enable secure data processing in the cloud,
where users can compute on sensitive data without exposing it to the cloud
provider or other parties.‍

 Secure financial transactions – TEEs are used in the financial sector to

securely process transactions and other sensitive operations while keeping the
underlying data protected.
Example:
A financial institution may use TEEs in its cloud infrastructure to securely process credit
card transactions. Even if the cloud provider or server is compromised, the transaction
data remains encrypted and secure within the TEE, preventing unauthorized access.

What are the benefits of privacy-enhancing technologies?

With the rapid growth of digital technologies, individuals and organizations are sharing
and processing an unprecedented amount of personal data. This creates new
opportunities, but also significant risks. Privacy-enhancing technologies are essential for
addressing these risks, enabling secure data processing, maintaining privacy, and
ensuring compliance with ever-evolving privacy regulations. And adoption progress
shows no signs of stopping, with the global PET market estimated to grow to USD 28.4
billion by 2034.

Below, we explore the key reasons why PETs are crucial, both for individuals and
organizations.

For individuals:

Enhanced privacy

As more personal data is shared online, maintaining privacy has become a significant
concern. PETs help individuals control how their personal data is used, ensuring that
they retain ownership and protect their identities. Without PETs, individuals are at risk of
having their data exposed, leading to identity theft, fraud, or unwanted surveillance.

Use case:

A consumer uses a secure online payment platform that employs tokenization. Their
credit card information is tokenized, meaning that the sensitive data is never stored or
transmitted in its original form, ensuring privacy during the transaction process.

Example:
When signing up for a new online service, users may choose to use a
pseudonymization technique to keep their real name and contact details secure. This
means the platform uses this pseudonymized data for its operations, reducing the risk of
exposing the user's actual identity if a breach occurs.

Reduced risk of data breaches

Data breaches are one of the most significant threats to personal privacy. When data is
exposed, individuals can become victims of financial theft, fraud, or identity theft. PETs
like encryption, differential privacy, and secure multiparty computation help minimize the
risk of unauthorized access to sensitive data, reducing the impact of potential breaches.

Use case:

An individual’s personal health information is encrypted before being stored in a

hospital’s database. Even if the database is hacked, the data remains encrypted,
preventing unauthorized access to sensitive health records.

Example:
When using an online banking app, customers' account details and transaction histories
are encrypted using homomorphic encryption. This ensures that even if a hacker
intercepts the data while it's in transit, it remains unreadable and secure.

Improved trust in digital platforms

The growing concern over privacy issues has made trust a key factor in individuals'
decisions to use digital platforms and services. By using PETs, companies can
demonstrate their commitment to protecting customer data, fostering greater trust. This
is especially important as consumers become more conscious of how their personal
information is being used.

Use case:

A company incorporates differential privacy into its analytics platform, allowing it to

process user data for insights without exposing any individual’s information. This builds
consumer trust, as users know their data is being handled securely and anonymously.

Example:
A tech company that offers online health tracking services uses federated learning to
train its AI models. The company guarantees users that their sensitive health data never
leaves their device, which encourages users to trust the platform with their personal
health information.

Better online experiences

When data privacy is ensured, individuals can enjoy more personalized and engaging
online experiences without sacrificing their privacy. By leveraging PETs, businesses can
deliver tailored recommendations, services, and products, all while keeping personal
information secure.

Use case:

A music streaming platform uses federated learning to improve its recommendation

algorithm based on users' listening habits. The platform can offer a personalized
experience without sharing users' private data, ensuring that their preferences remain
secure.

Example:
A user of a fitness app experiences tailored workout plans, based on their activity data
stored on their device. The app uses homomorphic encryption to compute insights
locally on the device, ensuring that all data stays private and never leaves the user’s
phone.

For organizations:
Compliance with privacy regulations

As privacy regulations become stricter globally, organizations are required to implement

robust privacy protection measures for personal data. PETs are crucial for ensuring
compliance with data protection laws such as the General Data Protection
Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA),
and California Consumer Privacy Act (CCPA). PETs can help organizations can avoid
legal consequences, fines, and reputational damage.

Use case:

An e-commerce company processes customer data to improve its services. It uses

encryption to protect personal information, ensuring that it complies with GDPR
requirements, which mandate the secure storage and processing of customer data.

Example:
A healthcare provider uses data collaboration technology based on privacy-preserving
technology to collaborate on the data for research purposes. This ensures compliance
with HIPAA, which protects patient confidentiality while allowing valuable data to be
used for medical advancements.

Secure data collaboration

Organizations often need to collaboration on data with third parties, such as partners,
vendors, or researchers. PETs allow for secure data collaboration without exposing
sensitive information. This promotes innovation while preserving privacy. Secure
multiparty computation and federated learning, for example, enable multiple parties to
collaborate on data analysis without revealing their individual datasets.

Use case:

A pharmaceutical company collaborates with multiple research institutions to develop a

new drug. By using secure multiparty computation, they can share and analyze
research data without disclosing sensitive patient data or proprietary research findings
to the other parties.
Example:
A multinational company uses federated learning to train AI models on data collected
from various international branches. Each branch processes the data locally on its
devices, contributing only model updates rather than raw data, ensuring that no
sensitive customer data crosses borders.

Data minimization

One of the key principles of privacy regulations like the GDPR is data minimization,
which dictates that only the minimum amount of data necessary fora specific purpose
should be collected and processed. PETs enable organizations to work with data more
efficiently and securely, without storing or processing unnecessary personal information.

Use case:

A financial institution uses tokenization to reduce the storage of sensitive information

such as full credit card numbers. Tokenization allows the institution to perform
transactions without ever storing the actual credit card details, minimizing the risk of
exposure.

Example:
An online retailer uses pseudonymization to anonymize user data for targeted marketing
campaigns. This allows the company to use the data for personalized offers without
revealing personal information like names or addresses.

Data misuse prevention

PETs provide a framework to prevent the misuse of data. By applying encryption,

homomorphic encryption, and other privacy-preserving techniques, organizations can
ensure that data is only used for the intended purpose and by authorized parties,
reducing the risk of data being misused, sold, or shared inappropriately.

Use case:
A social media platform uses trusted execution environments to process users' personal
data for targeted advertising. By using TEEs, the platform ensures that advertisers can
only access the aggregated, anonymized data and not any personally identifiable
information.
Example:
A government agency working with sensitive citizen data employs secure multiparty
computation to collaborate with external contractors. The contractors are only given the
necessary aggregated results, preventing the misuse or leakage of confidential
individual data.

Innovation and data use

While data privacy is critical, organizations also need to use data effectively to innovate
and improve services. PETs allow organizations to utilize data for analysis and insights
without sacrificing privacy. By adopting PETs, organizations can unlock new
opportunities for innovation while adhering to privacy standards.

Use case:
A research organization uses synthetic data to test and develop new AI models. By
using synthetic data, they can advance their research without exposing any real
personal data, leading to innovation while maintaining privacy.

Example:
A tech company develops a recommendation engine using federated learning. The
company can provide personalized suggestions to its users without ever accessing their
sensitive data, ensuring privacy while continuing to innovate and improve the service.

Reduced legal and financial consequences

Failure to protect personal data can result in significant financial penalties and damage
to an organization's reputation. PETs help mitigate this risk by ensuring that data is
handled securely and in compliance with privacy laws, ultimately protecting
organizations from costly lawsuits, fines, and reputational harm.

Use case:

An online marketplace implements differential privacy to aggregate data for customer

insights while ensuring that no individual’s information is exposed. This helps the
company stay in compliance with privacy regulations like GDPR, avoiding penalties.
Example:
A financial services firm adopts homomorphic encryption to secure sensitive client data
in their cloud-based systems. This encryption ensures that even if the data is
intercepted during processing, it remains unreadable, protecting the company from
potential financial penalties.