Every day, people follow a set of digital routines. Some people read the news online while drinking their morning coffee. Others check their work email from their smartphone. Still others log into social media to see what’s going on with their friends and family.
Consider the statistics for a few minutes. In 2007, the Pew Research Center reported that 47% of all internet users had searched for information about themselves online, with 25% of internet users saying that a photo, names of groups they belonged to, or things they wrote that had their names on them were available online.
However, this was before social media became a global phenomenon. In September 2006, Facebook became available to all users older than thirteen who had a valid email address. Simultaneously, LinkedIn reached 8 million members by the end of 2006.
Today, the digital landscape looks different. Consider the statistics on the top types of websites visited and apps used during June 2022:
- 95.5%: chat and messaging
- 95.2%: social networks
- 82.6%: search engines or web portals
- 56.1%: shopping, auctions, or classifieds
For every interaction people have online, they leave behind digital hints about themselves. By understanding what a digital footprint is and how threat actors can use it, people and organizations can protect themselves more effectively.
What does digital footprint mean?
A person’s digital footprint is the trail of personal information created during online interactions. Some examples of interactions that create a digital footprint include:
- Social media posts
- Newsletter subscriptions
- Online reviews
- Online shopping
- Streaming media
- Reading news
A person’s overall digital footprint consists of active and passive digital footprints.
A user’s active footprint consists of information that the person purposefully shares. Examples of this information include:
- Social media accounts, usernames, profiles, and posts
- Online forums
- Online forms, like downloading a whitepaper or subscribing to a newsletter
- Blog posts
- Website cookies
A person creates a passive digital footprint when they don’t know that someone is collecting their information. Some examples of these unintended traces are:
- Websites collecting visitor information, like how many visitors, number of visits, location they visit from, and IP address
- Applications using geolocation
- Advertisers compiling and analyzing data about purchases and activities for ad targeting
- Social media networks collecting information about likes, shares, and comments
- Search engines collecting search history data
What is in a digital footprint?
Most people hate the answer, “well, it depends.” Unfortunately, when discussing the information in your digital footprint, the type of information collected directly relates to your online interactions, and everyone uses the internet differently.
When you shop online, stores collect information about your:
- Search history
- Items viewed
- Purchases made
Online retailers collect this information so that they can suggest other items that might interest you, hoping you’ll spend more money.
Every entertainment streaming service collects and shares data about what you watch, listen to, or play. Similar to ecommerce, this information allows them to make suggestions based on your interests.
Social media activity
All social media companies collect, analyze, and use data about your online interactions. For example, they collect information about:
- What you’re interested in
- Hashtags you follow
- People you follow
- Status updates
With this information, they can create targeted advertising campaigns. Since businesses know their information will get in front of their ideal customer, they’re willing to pay the social media network.
Online search history
Search engines are the websites where you input your search term, like Google, Yahoo!, or Bing. Most search engines collect information about your search history so that they can personalize search responses and get advertising dollars. Some information they collect includes:
- Search terms
- Search dates
- Results clicked
- Number of times you searched for a term
- Number of times you returned to a given result
The browser is the application you use to access the internet, like Chrome, Safari, or Firefox. Browsers collect more information than search engines do. For example, they contribute to your passive digital footprint with data like:
- IP address
- Device type
- Geographic location
- Time spent on a website
- Locations clicked on a website
- How you found the website
- Actions taken after visiting the website
- Time you accessed a resource
Additionally, you may have given the browser permissions that contribute to your active digital footprint by letting it save your:
- Credit card numbers
- Phone number
Fitness and health data
Health apps and smartwatches collect data that can include:
- Steps per day
- Number of hours slept
- Heart rate
- Blood pressure
- Blood oxygen level
Although you may want the emails in your inbox, they can still track data about you. Often, marketing emails will track whether you opened the email or followed a link in the email. Additionally, some email providers collect information that they use to sell services.
Private messaging and chat apps
Even if you’re not sharing information publicly, private messaging applications and social media direct messaging tools still need to collect some information. Depending on the application, it may collect:
- Phone number
- Email address
- Contacts data
- Device ID
- User ID
- Purchase history
Data brokers aggregate publicly available information from across the internet and then sell it. Some examples of locations where data brokers obtain information include:
- Social media
- Motor vehicle records
- Census data
- Voter registration records
- Real estate records
- Court documents
- Credit bureaus
Examples of data brokers include:
Dark web forums and markets
Cybercriminals steal data so that they can use it in an attack or sell it, and they do the latter on the dark web. Accessing the dark web requires a specialized browser, called Tor. Encrypted websites and forums create anonymity, making the dark web a hotbed of criminal activity. Additionally, dark web URLs use random, constantly changing combinations of numbers and letters, making them difficult to find and monitor. Cybercriminals use dark web forums and markets to sell and buy information stolen during data breaches so that they can use it to perpetrate fraud or other crimes.
How do cybercriminals collect digital footprint data?
A digital footprint isn’t a bad thing. However, you should understand ways that cybercriminals can collect data and how they can use it. Cybercriminals collect digital footprint information in several ways:
- Scraping social media networks: Collecting information about contacts, interactions, work history
- Purchasing information from data brokers: Accessing information about name, address history, phone number
- Buying leaked data on the dark web: Gathering data about login credentials or malware on devices
How does a digital footprint impact cybersecurity?
Depending on the information cybercriminals have, they can use a person’s digital footprint as part of different attack methodologies.
A social engineering attack manipulates people, using a convincing pretext to trick them into taking an action that’s against their best interests. The more information cybercriminals know about you, the more convincing their social engineering attack is. Consider the following information that they can find on your LinkedIn profile:
- College attended
- Job history
- People you know
- Actions you take, like posts you comment on or people you interact with
- Interests you have
- Email address
- Phone number
With this data, they can build out a profile and story that appears convincing enough. They can build a relationship with you by referencing people you know or pretending to be someone you know. Once trust is established, getting a victim to perform an action such as clicking on a malicious link or handing over sensitive information is not difficult.
If cybercriminals have your name and an email, they can perpetrate fraud by impersonating you online. If they have more information, like a credit card number compromised during a data breach, then they could open fake bank accounts or fraudulently purchase gift cards as a way to make money.
Often, people reuse passwords across multiple accounts. If cybercriminals purchase stolen credentials on a dark web marketplace, they can try the password against other potential accounts. For example, if they purchase compromised email account credentials, they can try to use the email address and password for streaming sites, social media, or bank account logins. If they can connect that email with your LinkedIn account, they can guess at your company email and try a known password to gain access to corporate resources.
5 ways to reduce your digital footprint
Although your digital footprint is inevitable and valuable, you want to control the information that companies have or people can find.
Customize privacy settings
Since social media networks have a vested financial interest in your data, their default settings usually make you as visible as possible.
Some steps you can take on social media include limiting:
- Who can find you
- What your connections can see
- What data you allow the application to collect
- Data sharing across applications
It’s tempting to make new accounts or sign up for newsletters. However, you should think about the information you provide as a transaction. The service might not cost you dollars, but your data is valuable. You should review the benefit you receive and weigh it against the cost of giving away your information.
One way to limit the data you share is to use a burner email for registrations. With a service like Burner Mail, anonymous email addresses are generated for every service you sign up for, keeping your inbox and identity secure and private, and making it difficult for companies and advertisers to track you online.
Search for information online
Using your preferred search engine, look yourself up online. Often, you’ll find information like:
- Social media accounts
- Data brokers who have your information
- Email addresses listed publicly
Usually, you can request that data brokers remove your information, reducing cybercriminals’ ability to purchase it and use it against you.
Additionally, you can use online services to find out whether any of your passwords have been leaked during a data breach. For example, you can enter an email or telephone number into Have I Been Pwned?, a free service that aggregates information from data breaches including over:
- 630 websites
- 11.9 billion accounts
- 115,000 pastes
- 223 million paste accounts
If any of your credentials have been exposed in a breach, make sure these are no longer being used on any of your accounts.
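To run this check across many accounts at once, the sketch below audits a password list for the two problems described above: passwords that appear in breach data and passwords reused across accounts. It is an added example, not code from the original article or from Have I Been Pwned; it uses the service's Pwned Passwords range lookup (which takes a hash prefix rather than an email or phone number), and the function names, `LEAKED` corpus and `VAULT` export are constructed for illustration.

```python
import hashlib
import urllib.request

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def fetch_range_live(prefix):
    # Real lookup: only the first 5 hex characters of the hash leave the machine.
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"User-Agent": "footprint-audit-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def make_offline_range(leaked):
    # Stand-in for the API, built from a constructed {password: count} corpus.
    def fetch(prefix):
        rows = ((sha1_hex(pw), n) for pw, n in leaked.items())
        return "\r\n".join(f"{d[5:]}:{n}" for d, n in rows if d.startswith(prefix))
    return fetch

def pwned_count(password, fetch_range):
    # Compare the hash suffix locally against the "SUFFIX:COUNT" lines returned.
    digest = sha1_hex(password)
    for line in fetch_range(digest[:5]).splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix == digest[5:]:
            return int(count)
    return 0

def audit(vault, fetch_range):
    # Map each account to its findings: password seen in a breach, or reused.
    accounts_by_pw = {}
    for account, pw in vault.items():
        accounts_by_pw.setdefault(pw, []).append(account)
    findings = {}
    for pw, accounts in accounts_by_pw.items():
        seen = pwned_count(pw, fetch_range)
        for account in accounts:
            others = sorted(a for a in accounts if a != account)
            issues = [f"seen in breaches {seen} times"] if seen else []
            if others:
                issues.append("reused on " + ", ".join(others))
            if issues:
                findings[account] = issues
    return findings

# Constructed sample data: a fake breach corpus and a fake password-manager export.
LEAKED = {"Summer2022!": 4120, "letmein": 99000}
VAULT = {"email": "Summer2022!", "streaming": "Summer2022!", "bank": "x9-Tq-unique-7", "forum": "letmein"}
REPORT = audit(VAULT, make_offline_range(LEAKED))  # offline run on the constructed data
```

Passing `fetch_range_live` instead of the offline stand-in runs the same audit against the live service; any account that appears in the result should get a new, unique password.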
Deactivate dormant accounts
Most people have accounts that they no longer use. For example, you might have:
- Old email addresses, like Yahoo! or Hotmail
- Accounts for unpopular, outdated social media networks, like MySpace or Friendster
- Ecommerce logins for companies you no longer shop with
- Rewards programs that you no longer use
When you deactivate these accounts, cybercriminals who purchase credentials on the dark web won’t be able to commit fraud using them.
Customize your browser and search engine settings to disable cookies. Some browsers do this by default, while others require you to change the settings manually. This also limits a browser’s or search engine’s ability to store information like passwords or payment card details.
Limit your risk by reducing your digital footprint
Whether you’re an individual or a corporation, you need to monitor your digital footprint. Increasingly, malicious actors scrape the internet for any information that helps them further their criminal goals. Knowing what data they can find about you enables you to take control and minimize the risk, ultimately making a social engineering attack more expensive and less likely to succeed.