How much does the internet know about us?

For this week’s Reality Cheque, we’re looking at the common misconception around our online lives and privacy.

How much time will you spend online today? If you’re like most Canadians, it could be six hours or more. That’s a lot of clicking, swiping, liking and watching. Plus sharing and shopping. None of it goes unnoticed. Behind the scenes, platforms, advertisers and others track what you do. Every tap and scroll adds another data point. So, how much does the internet really know about us?

More than we think, says Benjamin Fung, a professor in the School of Information Studies at McGill University who studies data mining and data privacy. “From the time we’re born to the time we pass away, all our data is being collected by different entities,” he says.

Much of it is scattered across different sites—from government portals to social media accounts. On its own, each piece doesn’t divulge much. But when pieced together, a large part of our lives becomes visible online.

Social media: the data we spread

Most of us don’t realize how much we’re sharing on TikTok, LinkedIn and other social platforms. It’s not just profiles and photos, but also what we like, what we comment on and who we connect with.

“On social media, people often reveal where they live, where they work, their family connections, travel plans, routines, interests, political views, spending habits and even when they’re away from home,” says Terry Cutler, an ethical hacker and CEO of Cyology Labs, a cybersecurity firm based in Montreal.

That information can be used by marketers and scammers to build detailed profiles. For example, marketers can take information about your interests or perceived income to send you ads and offers.

“The problem isn’t just targeted ads. The bigger issue is how much data can be collected, combined, sold, breached and reused without people fully understanding it,” Cutler says.

Websites: the data we leave behind

Even if you rarely post on social media, your browsing activity tells a story. Every website you visit leaves a trace. Websites track users and link their information using web cookies, network information, browser fingerprints, and device fingerprints, Fung says. 

This becomes a concern when all that information about you gets pulled together. Data brokers (firms that collect and sell personal information) can match identifiers across websites and sometimes across devices. The info, such as which websites you visited, can then be sold to marketers and other firms looking to advertise products and services.

Apps: the data we don’t think about

Apps offer even deeper access into our lives. Because they live on our phones, they can collect detailed information about how we behave.

Cutler says apps can track how people move through a platform, including what they tap, how long they linger and which features get the most attention. Behind the scenes, that activity is tied to identifiers that allow tracking over time.

Many apps also request access to location, contacts, the camera or the microphone. Some of that is necessary. Much of it isn’t.

Location data, for example, can map daily routines (home, work and regular stops) even when the app isn’t in use. Combined with identifiers and login data, this can link activity across apps and devices, connecting what you do on your phone with what you browse on your laptop.

The dark web: the data that leaks

The dark web gets talked about a lot—and for good reason. This is the part of the web where cybercriminals lurk. It’s not searchable via Google, but instead uses encrypted URLs and browsers. After a data breach, passwords, emails and financial details can end up there for sale. Criminals buy and combine that data to run scams and commit identity theft. For example, in 2024 a data breach at Western Canadian chain London Drugs resulted in hackers posting files about the company’s employees on the dark web.

How can you know if your information has made its way to the dark web? Experts suggest avoiding visiting these sites yourself (you’ll need special software for it anyway). 

You can look to see if your email addresses have appeared in known data breaches through services like Mozilla Monitor, says Cutler. If you suspect a leak, take steps to protect yourself, he advises: change your passwords immediately (give each email a different one); start using multi-factor authentication and watch for phishing emails and fake calls: and closely monitor your banking and credit card info.

But the larger concern for most consumers isn’t hidden within the dark web, Cutler says. “When people hear ‘dark web,’ they sometimes imagine that all privacy risks begin there. That’s not true. In many cases, the bigger issue is how much data is being legally gathered and circulated, long before a criminal ever gets access to it.”

By the time data is made available for sale, it’s already been collected, shared, and reused in multiple places. As Cutler puts it, “when you’re not paying to use a product, you are the product.”

How to limit what’s known about you

A big part of life now happens online, and so you can’t erase your digital footprint. But you can make it harder for others to track you.

Start by sharing less on social media. It’s fine to post updates for friends, but many people give away too much, says Cutler. For instance, skip quizzes on sites like Facebook. They often ask for details that mirror common security questions. “They may ask you for your favourite colour or Disney character or the name of your last pet,” says Cutler. “They’re harvesting all these answers.”

Another simple move: don’t post vacation photos while you’re away. Wait until you’re home, Cutler says. Otherwise, you’re signalling to potential criminals that your house is empty.

Be selective with cookies. Some improve your experience by remembering preferences or items in your cart. Others track you across multiple sites. When in doubt, select “deny.” The data from cookies can be used to build a profile of your interests, habits and demographics, then sold to marketers and even insurance companies. When you can, reject third-party advertising and analytics cookies, Fung says.

Make yourself harder to track. Fung suggests using more than one online identity. For example, “you can have two email addresses. One is for important stuff like medical, government and taxes and the other one is for other things like shopping. That cuts down spam and phishing emails.”

You can do the same with social media. Use one ID account for professional platforms like LinkedIn and another for personal use. It makes it tougher for others to build a single, detailed profile of you.

Finally, clean up your digital footprint. Over time, information about you piles up online. It’s worth clearing some of it out. For example, delete old accounts you no longer use, including outdated email addresses (your old university email, that Hotmail account?) that may still contain sensitive information such as passwords.

Review your privacy settings on social media. Set them so only friends, not the public, can see your posts. You can also use private browsing modes so your searches aren’t saved. And if you want less tracking, try browsers like DuckDuckGo that don’t track users or build profiles.

“You don’t need to disappear from the internet to be safer,” Cutler says. “But assume that anything posted publicly could be seen, copied and stored by people you never intended to reach.”

Read more from this issue of The Get:

1. Why haven’t mortgage rates come down more?
2. Artist Christopher Rouleau opens up on Selling Canada—and the business of art
3. What is a digital footprint? Should it be part of your will?
4. How much money will I need to retire at 60?