[music playing]

- Here's a name that you're bound to remember, one that made headlines all around the world-- Edward Snowden. As a teenager growing up in America he had three main interests-- Japan, computers, and martial arts, and, in a way, these three things are all interconnected.

In 2004, Snowden joined the US Army. It was the year after America had invaded Iraq and apparently he was compelled by a desire to help a population that he felt had been oppressed by a tyrannical dictator. However, he never made it to the front line as he couldn't complete the training thanks to the flare up of an old leg injury. However, he was given a job as a security guard at a university research centre, one sponsored by the NSA, the National Security Agency.

After that job, Snowden worked for the CIA in Switzerland and then for Dell, who you probably know as a computer manufacturer but may not know as the manager of computer systems for multiple government agencies, including the NSA, who he then worked for next when he was assigned to one of their facilities at Yokota Air Base near Tokyo, a posting that brought those interests of computing and Japan together.

It was Snowden's job to instruct top officials and military officers in how to defend their networks from Chinese hackers and it was during this time that he looked into the mass surveillance programme of the Chinese regime and realised his own country was doing exactly the same thing. Snowden became aware of a US government surveillance programme codenamed Prism.

Started in 2007 by President George Bush under the Protect America Act, the programme compelled major tech companies to share any data that matched certain court-approved search terms, including those found in email and social media accounts. The US public had no idea.

This mass surveillance programme, this sharing of the public's data without their knowledge, it didn't sit comfortably with Edward Snowden, and in 2013 he decided to go public, sharing hundreds of thousands of files with two journalists, Glenn Greenwald and Laura Poitras. In the days that followed, news outlets around the world jumped on the story and the 29-year-old Snowden was forced to flee, eventually taken up residence in Moscow.

Last year, in a landmark ruling, the US Court of Appeal found that Prism, the countrywide surveillance programme led by the US government, was quote, "unlawful" and they made that decision entirely thanks to the evidence Snowden collected. And here's the thing, Snowden claims that it isn't just the US operating this kind of programme. He says that the UK's cyber security agency GCHQ also carries out quote, "mass interception and tracking of internet and communications data."

[music playing]

Following all this, the US have, well, publicly at least, been working to restrict the data collection powers of the NSA. The UK's response was to introduce the Investigatory Powers Act, but some journalists have claimed that it not only consolidates bulk data collection into law, it also adds even more intrusive powers. But, and here is the big question, do we care?

Polls released at the time found that we British care more about security than privacy. So if these laws help keep us safe, is our reduced privacy a worthwhile sacrifice? But how much privacy are we losing? Edward Snowden revealed quite how much of our data government intelligence agencies had access to. And if they can get access to it, who else can? As we use our connected devices-- our phones, our laptops, our smart tech-- we leave our digital footprints around the internet. Who is able to see and follow them and to what aim? My name is Greg Foot and today's Which? Investigates asks, are you being tracked online?

[music playing]

Which? Investigates is a podcast from the OK's consumer champion. We work to make life simpler, fairer, and safer for everyone. In this season I'm exploring concerns around tech and security. Is technology making life easier for scammers? How hackable is your home? And even, how much is too much tech? If you've got something you'd like us to investigate, do get in touch. If you're on social, I'm @gregfoot and Which? is @whichuk, or you can email us on podcast@witch.co.uk.

[music playing]

Coming up, I get an idea of the scale of the problem.

- If we were to think about online lives in the physical sense, every single time we walked into a shop, imagine 100 or 1,000 people walking into that shop with you, writing down everything you looked at, writing down every place in the shop you stood, what method of payments you gave, writing down the things you picked up and put back down on the shelf, and then following you out of the shop and into the street to join you in all the other shops you go into. And that's what tracking online is like.

- I hear the risks our thirst for faster connectivity is exposing us to.

- These days it seems that, you know, we want the bandwidth. I describe sort of jumping on a public Wi-Fi network as the internet equivalent of finding an open bottle of beer in the street and drinking from it. It's one of those things that does carry risk-- inherent risk-- not least, at the very lowest end of that risk spectrum, you're giving away information about yourself. But at the highest end of that spectrum, of course, that could be a totally untrusted network.

- And I ask, if for many of us convenience is king, if we weren't being tracked would we miss out on something?

- You can call it creepy, and it certainly is creepy when you suddenly see something being advertised to you that you didn't even know you were interested in but actually you're very interested in. If you turn off tracking, which you can do-- you can decline tracking, although that's a whole other can of worms because it's not that easy and it's deliberately made not that easy-- but if you turn it off you'll get less relevant adverts.

[music playing]

Let me take you back to last week's episode, I wanted to find out what our smart assistants-- Alexa, Siri, Google Home, et cetera-- what they actually record and whether there are any privacy or security issues that we should be aware of. And towards the end of the investigation, Kate, the editor of Which? Computing Magazine, told me this.

- It's entirely reasonable to worry about what your smart assistants are listening to and what they're sending to the cloud and what they know about you. But remember, it's not just smart assistants. The web and Facebook and everything else is tracking everything you do online as well.

- And that's when it became clear I was only exploring the tip of the iceberg. As a globe we've never been more connected. According to Statista, as of January this year, 2021, there were way over 4.5 billion active internet users worldwide. That's almost 60% of the global population. And while I'm firing off stats left, right, and centre, have another. On average, us Brits will spend the equivalent of 22 years, one month, and four days of our lives online. A figure, I think, I find impressive and depressing in equal measures. But what are we doing with our time online that others may be so interested in?

- So if you think about it, we have a number of interactions with the digital world. We spend a lot of time at our office, for example, or home using a computer. That means usually using a browser and using different websites. Then there is also other things that we voluntarily share on social media.

- This is Hamid Haddadi who was also part of last week's episode. He was a fount of knowledge about smart assistants and, it turns out, also internet use in more general. One other thing we discussed was what our mobile phone use may tell about us.

- There are a large number of sensors available on your phone. Number one, and probably the most important one, is your location. Where you are, what sort of apps you have, what sort of device you have. The type of device that you have is kind of indicator of your wealth. What websites do I go to? What sort of shopping do I do on these various websites? How many tabs do I have open? What other tabs do I have open in my browser? Modern browsers, they go to a level of protection against these kind of leakages across different portions of the browser, but, still, a lot can be analysed.

- Yeah, it's safe to say there's a lot of information out there. We are constantly sharing a lot of personal data.

- Personal data, in its broadest sense, is any information that can be tied to you as a living person, you know, so name, address, phone number, IP address, and then usernames, passwords, what you bought last Friday on Amazon after that bottle of wine or whatever it happens to be. That's all personal data.

- Paul Vlissidis is a man you're going to hear a lot from today. He works for NCC Group, the same company that we here at Which? worked on with our hacking investigations that I mentioned in our first couple of episodes of this season. He's also in the hit Channel Four show Hunted and he's just released his own book, aptly titled How to Survive the Internet.

- I'm not sure many people really use browsers as much as they used to, because we experience most of the internet through our phones these days, but, actually, most apps are just actually a front end to a browsing experience. And the way that browsing works is, as you visit the sites, that will record information about where you're coming from.

- So, yes. When it comes to the question of this week's investigation, are you being tracked online, the answer is pretty clear and I'll give it to you, pretty obvious. But the how of it-- how we are being tracked and what they know about us, asking that doesn't just open a can of worms. It opens a container of snakes, if that's a thing.

Here's a sound I'm sure you're familiar with.

[pop]

You know the one. You're on a website for the first time an up pops the message, "do you accept cookies?"

- Cookies are one of the things that most of us probably are aware of, but we may very well ignore because we see the pop ups appear when we join any website and we're just like, yes, yes, tap, click, I agree, and very few of us actually stop to take the time to have a look at what it is that we were actually agreeing with.

- I feel seen.

- I'm Renata Samson, I'm principal policy advisor in the Digital and Scams Team here at Which? which means I get to look at policy and everything that's to do with our digital and data lives.

Thanks, Renata. So what is a cookie? Back to Kate first.

- It's a little tiny piece of data that's placed on your device that captures a particular piece of information. So that could capture the state of your shopping cart, for example. What you've got in your shopping trolley on Amazon or on another website. It also captures where you are, the device you're using, the browser you're using, the software you got from your device. You know, and all of this feeds back into the sort of giant ad tech machine.

More on that later. First, I asked Renata why websites have cookies in the first place.

- There are a wide variety of different types of cookies. The ones that are most useful and that are considered strictly necessary are ones that make the website that you are visiting work. So that means that the website loads properly, that it remembers any information you have given it before, such as your email address or your preferences as to what the website might look like, and these tend to be cookies used by what's called a first party. That is the website that you are on. So those are ones that you don't get to choose whether you accept them or not. They are strictly necessary and they happen regardless and if they didn't happen you would find that website just didn't work very well. But then there's a whole range of other types of cookies.

So, a first-party cookie is a bit like a ledger, right? It's a recording of where you've been and what you've done and they're apparently necessary in order for websites to work.

- There are plenty of other cookies that actually don't bring any benefit to you. It's just running a piece of code trying to understand what sort of web pages, for example, you go to or how long do you spend on various parts of a website and things like that. So in a way, it doesn't bring any benefit or functionality for you.

So these cookies, unlike the first-party ones, aren't necessary for websites to work. They're there to collect information on your activity, to collect your personal data, as are this next type.

- Tracking cookies or advertising cookies, and these tend to be cookies that are used by third-party websites. Now that means it's not just the website that you're on. It means it's other internet services, such as maybe a platform that you're familiar with like Google or Facebook, or a whole range-- and this could be tens or hundreds, if not more, of advertising organisations who drop a cookie onto your computer which lets them see what you're looking at so that they can start to build a profile about you and that profile is used to help identify what adverts should be served to you as you move around the internet.

So all those creepy adverts that you wonder why, "I was looking at a pair of shoes," or, "I was looking at a lawnmower on such and such a website," why am I seeing adverts everywhere I go? Those tend to come from third parties using tracking or advertising cookies.

- As Kate said earlier, they're part of the great ad tech machine. In my previous investigation, I settled some worries about the feeling that I definitely have had that I've been talking about something close by to an Alexa or Google Nest or even a phone with Siri active and then the next day I get an advert for it on Instagram.

I heard, though, how these smart assistants are only listening and recording and analysing after you've said the wake word. Otherwise, they'd just have way too much data to crunch. But Renata just mentioned how cookies can lead to something similar.

However, this time its adverts that do come up off the back of what you've searched for or the websites that you visited or whatever you've posted on social media. Talking of this actually, I want to tell you about a Which? investigation that uncovered the scale of Facebook's user profiling very soon. However, first, I want to tell you some good news-- that the days of the tracking cookies-- those ones used by advertisers-- they could be about to end.

[music playing]

Popular web browsers Firefox and Safari have already started to block tracking cookies from being used. And Google Chrome, which is the world's most popular web browser, has announced it's following suit, although not until 2023.

So until then, what do we do?

- Legally, many websites they cannot enforce you to accept many of the cookies unless the ones which are absolutely essential. For example, for logging into the website or for tracking a shopping that you've done in the website. So the analytics cookies and third-party cookies, all of these by default could be disabled.

So, yes, Hamid says they could be disabled. But be honest, how many of us just click Accept to get rid of the pop up so we can keep on browsing? I know I do. Or I know I used to. However, we are not to blame.

- But the consent mechanism around the web has really been broken in this space, the consent specifically with the GDPR. The consent mechanism has been abused, that people have just been, in a way, forced to press the Accept in order to, I don't know, read an article or something like that.

- However, like with the recordings that smart assistants can keep of us--

- We can periodically delete cookies from our browsers. They do bring some benefits. For example, logging into various services, but there's also lots of cookies that we could just simply do without.

- The reason why you get these pop ups dates back to May 2018 when the GDPR, the General Data Protection Regulation, came into force. GDPR is something that we mentioned last week, including that the UK government is currently consulting on the future of the privacy legislation that was brought in by the EU and the UK has only agreed to stick to its rules until 2025.

- A couple of months ago, the UK government launched a consultation where they proposed a range of different changes to what's called the UK GDPR. The government is looking at areas that could be changed and so this document was produced. It's a 146 page document called "Data and New Direction," and which, along with many, many other organisations and companies, are responding to it with the things that we think will be most important to keep consumers safe online.

- This is another up to the minute insight into some of the work people like Renata are doing into this area right now.

- We interviewed, over the course of six days through what's called a community engagement project, 22 consumers from across the UK to ask them about their thoughts on cookies and on automated decision making. In the main, the people that we interviewed said that whilst they felt that analytical cookies could be a little bit unnerving, a little bit creepy, they understood that they would be helpful for first-party websites to be able to understand how many people are looking at a web page at any one time.

However, where our community really were very concerned was that they didn't want any type of cookie that tracked them to be considered strictly necessary. In fact, no one out of our 22 participants said that they would be happy with a tracking cookie or any type of technology that might track them around the internet to be presented without the right for an individual to be able to consent to its use.

- I think if I'd been asked to contribute to that project I probably have said the same thing. But if the type of cookies that track us changed, would that affect our browsing experience?

- It's a double-edged sword, like a lot of things are. To some extent, if I'm going to have adverts given to me at all I would probably rather they were relevant to me. But then the question is, when does relevant to me start to become prurient and spooky?

- Although, again, those tailored adverts can sometimes be, well, helpful.

- You can call it creepy, and it certainly is creepy when you suddenly see something being advertised to you that you didn't even know you were interested in but actually you're very interested in, but if you turn it off you'll get less relevant adverts.

- And this is exactly the sort of positive feedback loop that keeps us more pro than con on cookies. It's almost as if those third-party advertisers don't want you to decline them.

[music playing]

So, yes, cookies are keeping tabs on us, but the good news is that if Google is true to their word, in just a couple of years, those less appetising cookies from third-party advertisers will be banned from all major internet browsers. And will that spell the end of being tracked online? Sadly not. Even without cookies in their armoury there are plenty of other tools available in the quest for our personal data and chief among those is something we all have but something I doubt you could give me now-- your IP address.

- The IP address is basically a location. It's where you connect to the network and it's just one of many different location beacons. I mean, it's not as accurate as your phone, which knows exactly where you are at all times, but as you use the internet your IP address goes out to whoever you're talking to and that can be used to track you.

- US Cybersecurity expert Bruce Schneier has been giving advice to his thousands of subscribers and followers on the issue of online privacy for decades. And for him, your IP address is where you should be paying way more attention.

- It really is the sea of information about you that computers generate because that's what they do and that information is collected. So you block one thing, whoever is tracking you will probably get it someplace else. It really is this ecosystem of tracking that makes all of this possible.

- If, again, you're like me, you may at this point not feel like you have much of a grip on what an IP address is, so here is my attempt to break it down.

[music playing]

The use of an IP address happens behind the scenes. You don't see your computer broadcasting it when you visit a website but the process works like this. First, your device, which could be your phone or a laptop or a smart TV, that indirectly connects to the internet by connecting to a network that grants it access. When you're at home, that network will probably be your internet service provider, your ISP. At work, it's likely your company network, and its that network that grants your device access to the internet.

Second, the network provider then gives your device an IP address-- an internet protocol address. Your internet activity, say, the request for a particular web page, that goes out through the network via that IP address and that's where the information comes back in through, too. It's like the package you ordered being delivered to your home address through your letterbox and, I guess, like you sending requests out through the letterbox, too.

Now, unlike your home letterbox's address, your device's IP address can change. Because you connect to different networks at home, at work, at the cafe in town, or at the hotel while you're away, those network providers will assign a different IP address to your device. A different letterbox, so to speak. And you can actually change your IP address at home, too, by turning your modem or your router off and on or by asking your internet service provider to change it for you.

- A huge thanks to the guys at Kaspersky for their IP Address Guide, by the way. That helped me get my head around it. And I want to just take a second to explore that bit about getting online on the go because I often wonder if it's less than wise to connect to open, public Wi-Fi at an airport or a train station or whatever. I asked Paul about this and you're about to hear what might be my favourite analogy of the series so far.

- These days it seems that we want the bandwidth and if we haven't got 5G-- and let's face it, that's still a work in progress-- then we want to jump on the internet. I describe sort of jumping on a public Wi-Fi network as the internet equivalent of funding an open bottle of beer in the street and drinking from it. You know, I mean we've all probably done it from time to time on a Friday night, you know, but--

- I'd just like to say, Paul, I've never picked up a half bottle of beer off the street.

- [laughs]

You didn't go to the university I went to, clearly.

- [laughs]

- But yeah, but it's one of those things that does carry risk-- inherent risk-- that not least, at the very lowest end of that risk spectrum, you're giving away information about yourself. But at the highest end of that spectrum, of course, that could be a totally untrusted network.

- And that untrusted network could then use your IP address to find out all manner of information about you. It's like someone locating your letterbox, peering through, and having a good old look at the contents of your home.

- There's something called browser fingerprinting which is where they actually gather quite a lot of information-- obviously, things like your IP address-- and if that's your home broadband connection that will probably reveal-- it will reveal to your internet service provider. And your device name has got your name on it. Many phones do. It might include things like your phone, your browser settings. Might even include some sort of information you would consider to be private to yourself. And then, of course, if you then subsequently log on to something like a website or an app, at that point, of course, they know exactly who you are and they'll have access to lots of information about you probably from previous log ins that you've done.

- And they can use that information to build up more and more of a picture of you. Not just what you like and dislike, but also what you search, where you access the internet from, where you travel. I was discussing all this with Kate from Which? when she asked me to do something.

- So go to amiunique.org--

- Yeah.

- --and I'm doing that now myself, and then click View My Browser Fingerprint.

- Our test indicates that you have strong protection against web tracking.

- I'm using Chrome on a Chromebook. Mine says your browser fingerprint appears to be unique among the 233,696 tested in the past 45 days. Your browser conveys at least 17.83 bits of identifying information.

- I'll be honest, I didn't expect that. After some of these interviews, I thought our browsers may be sharing way more, but 17 bits of info doesn't sound like much. Maybe that's because Kate was using Google's Chrome and there's good protection. I was using Firefox who, as I mentioned earlier, have already phased out third-party cookies and that's why I also had very few bits of identifying information being shared. But what about our other expert's browsing preferences then, if that isn't too personal a question?

- So I use a browser called Brave.

- I hadn't heard of Brave, but that's what Paul from NCC Group and Hunted uses and it turns out that one of the other experts that I chatted to for this episode, and last week's episode too, is Brave's chief scientist, Hamid Haddadi, who I was originally speaking to about his research on smart assistants.

- So Brave is a browser that the primary aim is to prevent excessive online tracking. So by blocking, ads, cookies, fingerprinting mechanisms, what we aim to do is to, number one, prevent excessive online tracking and also, in a way, turn around the economics of the web which has been traditionally around tracking analytics in exchange for ads.

- Kate at Which? mentioned Brave to me too. And if you'd like to go and check out yourself, you can, of course. I'll put a link to some more information in the show notes.

[music playing]

There are, of course, some things we can influence more than others when it comes to making life harder for those nefarious individuals looking to get their hands on our personal data. As we've just heard, first is which browser you use. What about the others? In at number two is our email address or, is often the case, our email addresses.

- I've actually got over 600 online accounts. And how do I know this? Because I have a password manager. I've been using one for a few years now and it keeps track of all my online accounts. And, of course, most of those online accounts for logging in are a email address, so I know that my footprint is still fairly large in the sense that there's lots of people out there who know my email address.

- I've only got a couple of email addresses and I use them regularly all over the internet. Whoops. Well, in an article for Forbes last year, journalist Maury Harbour claimed that each person should be using at least four different email addresses regularly to protect from potential cyber attacks. He even goes as far as to give advice on what each address should be used for. Over to producer Rob.

- The first email should be associated with any type of sensitive accounts, the second email address should only be used for personal correspondence, the third account should be for junk emails or shopping, and, finally, the fourth email address is relatively straightforward and should only be used for any correspondence associated with your employment.

- It makes a lot of sense. So your browser and email addresses can collect or be routes into harvesting your personal data. What else? Well, how about an obvious one? Social media.

- The social media platforms have got this down to a fine art and are gathering enormous quantities of data about all of your activities, including who your friends are, if you have connections on the site, and the sort of stories that you're lingering on in terms of stuff you're reading.

If you're on, I don't know, TikTok, the stuff you just immediately swipe past you'll probably end up getting less of that the stuff that you stop and look at for a few seconds, you'll probably get more of that. And that kind of tracking is much more about targeting stuff at you and trying to learn your sort of preferences, whether conscious or unconscious, and then using that to reflect data back to you that they think are going to command more of your attention.

- And here's the thing that gets me. We're giving these advertisers this information about ourselves for free. Earlier this year, the New York Times Customer Insight Group published a study entitled, "The Psychology of Sharing: Why Do People Share Online?" They suggested five reasons.

One, to bring valuable and entertaining content to others, two, to define ourselves to others, three, to grow and nourish our relationships, four, to fulfil ourselves, and, five, to get the word out about causes or brands. And when we're doing any of that, we're giving out lots of personal data.

- You give Facebook so much information. It knows what websites you visited, your phone knows where you've been, your phone knows who you've been with. So, say I'm talking to my friend Lexi. She and I are both on Facebook. We're friends on Facebook. Both our phones would register that we were in the pub because we're connected on Facebook. Facebook knows that we have been together in that pub. It can deduce from the time of day that we were probably having lunch.

- And Kate suggests that here is a way that you can be talking about something at lunch and then get adverts for it the next day even if you didn't search for it. Because perhaps your friend, Lexi, has cats, and even if you haven't searched for cat food you could get cat food adverts because Facebook crunches the data and thinks you're like your friend and likely have similar interests.

- Getting cat food adverts is not even remotely surprising because she and I have been talking about cats in the pub and it's not because it's been listening to us.

- And again, all of this personal data skimming-- the collecting of it, the testing of it with the adverts you're shown, and then the analysis of what you click or even what you just hover over-- it's all with the goal of building up a more detailed, more targetable digital version of you.

- Social media sites are basically in the same kind of vein in that they're looking to target you based on your kind of preferences, conscious or unconscious. That's nothing to do with cookies. That tracking is stored and held by the platforms back at base, as it were. That's the stuff they really build up about you. That's the vast, vast, you know, Cambridge Analytica being able to predict where you're going to vote in the next election.

[music playing]

- In March 2018, the New York Times, working with the Observer of London and The Guardian, obtained documents from Cambridge Analytica. They revealed that the data firm used data improperly obtained from Facebook to build profiles of potential voters ahead of the 2016 US presidential election. Even more worrying was that Steve Bannon, a former aide to then-presidential nominee Donald Trump, was a board member. The leak showed how Facebook was holding data on tens of millions of users. To use the oft-quoted phrase, "if you are not paying for it, you're not the customer you're the product."

- There's an entire ecosystem of data surveillance. A lot of companies profit from it. In the US at least, the market is very opaque. There are thousands, possibly ten thousands-- we don't even know-- of data brokers that buy and sell and use your data. Certainly, the large platforms-- the Facebooks and Googles-- they make all their money spying on you. That's their business model. But it is surprisingly hard to get a handle on the complexity of this economic system. Shoshana Zuboff calls it surveillance capitalism and it's a good name for it.

Surveillance capitalism. Great term, scary term, but it's how these social media platforms make their money.

- In a way, we've been used to getting things online for free, but the costs of that has been the data that we give away and it's been a good deal for them. They sell ads. Majority of the ads just get clicked on by botnets and not necessarily by individuals, but still, sales get made, deals get made, and income revenue is generated. So the advertising model has become the dominant model for the large data collectors out there.

- Last year, Which? Research found that 82% of people surveyed are being tracked on Facebook far more than they expected. We asked over 1,300 people who said they used Facebook at least once a day to check their settings and the average number of websites or apps that Facebook reported tracking them on was-- get this-- 283.

- For 5% of those users we found that more than 1,000 websites and apps were tracking them, which is actually quite a phenomenal amount. So, 82% of the people that we did this survey with said that these numbers were much higher than they expected and 84% of them were surprised by the types of organisations that Facebook allowed to track them. So this comes back around to the whole thing about cookies and third party use. We don't know who all of these companies are that are looking at what we're doing online.

Now, it might not matter to many of us, but we may have the view that we are engaging with online companies in the same way that we engage with physical companies. If we were to think about online lives in the physical sense, every single time we walked into a shop, imagine 100 or 1,000 people walking into that shop with you, writing down everything you looked at, writing down every place in the shop you stood, what method of payments you gave, writing down the things you picked up and put back down on the shelf, and then following you out of the shop and into the street to join you in all the other shops you go into, and that's what tracking online is like.

- When we told Facebook about this episode, they told us about their Download your Information tool which lets users download the information that they have shared with Facebook. This includes photos that you've uploaded, contacts that you've added to your account, posts on your timeline, and much more. They also said users can check things like off Facebook activity and their privacy checkup lets you know which privacy settings apply to your account. And it goes without saying that Facebook isn't the only one doing this.

Can I ask you who are the most dominant data collectors?

- So today the biggest ones by far are Google, Facebook, Amazon, and now, to a larger extent, Apple as well. So while Apple has been seen as a privacy company, but recently they've also massively expanded their advertising revenue and systems.

- In 2018, Google, which trades under the name Alphabet, made over $30 billion in revenue and analysts believe a large chunk of that figure was the result of super targeted advertising, something they couldn't do without our data. Oh, and it should be said that this isn't just big business for the advertisers and big tech companies too. There's money to be made elsewhere.

- If you're a hacker they'll pay anything from $20 to $100 per record for essentially a reasonably complete picture of you, so your name, address, IP addresses, email addresses, mobile phone numbers, in a perfect world various accounts, and, of course, passwords to go with those accounts, so that they're worth anything from $20 upwards. I mean, the prices very enormously.

- So, what can we do? I always try to finish each of these investigations with some helpful advice, some takeaways that you can use to improve your life and inform your choices. But you know what? This week, honestly, that's pretty tough to do. I mean, the sheer scale of the tracking operation means our hands are tied. As we heard earlier, there are more protective browsers like Brave, but what else do our experts recommend?

- One thing that does help is using something like a VPN.

- A Virtual Private Network, something that makes it harder for someone to find your IP address. Or, to continue the analogy from earlier, a VPN is essentially a little like going ex-directory if you're old enough to know what that is.

- So if you are using something like a VPN, there is free ones and there's paid for ones, what that does do is it anonymizes-- well, it does a number of things. It protects you. It basically means that whoever's on that network, if it is an untrusted network and maybe there's bad people sniffing traffic on that network or whatever, it actually means they can't see what you're doing because it's all encrypted over the VPN. So the VPN gives you that level of initial privacy.

It also tends to hide where you're coming from. So if you use a VPN, to all the websites you'll appear to come out of that VPN provider's internet zone as opposed to wherever you actually are in the world. So it's very useful from that point of view.

- I also asked Bruce Schneier what advice he could give.

- The best thing we can do right now to limit the amount of data collected about us is to agitate for political change. This is not something the market can solve. This is not something you can solve by changing your brand of phone or the type of credit card you have or your email address. This is a pervasive part of the way the internet works today. Surveillance capitalism is everywhere. And if we don't like it, if we think it is immoral, if we think it shouldn't happen, if we want more privacy rights, the way we're going to get that is through government regulation, so make this a political issue. That is what you need to do.

- And there's something else you can do right now, too.

- I really would encourage people, if you do feel uncomfortable, you can take control about this. And it just means having a look, opening up the cookie settings, opening up those pop-up browsers. You don't have to read everything and know it all inside-out, you don't need a legal degree, but you should be able to say, I agree or I disagree, and turn things off if you're not comfortable with it.

[music playing]

- While it's clear that, yes, we are being tracked and, yes, there needs to be increased regulation, do we perhaps have to evaluate our own relationship with the internet too? Perhaps we don't stop and think about our role, about our choices, about our behaviour enough.

- I would say, yes, this stuff exists, yes, it is potentially privacy invading, but also, if you opt out of it you will find the web a lot less useful. Decide what the trade off is appropriate for you. I would also add that most of us are not very informed in this and this stuff is happening by default and by definition without our consent.

As ever, it's about education and awareness.

- I've done some stuff with the BBC and a few other people helping people who have been victims, and what you tend to find is that people were using the internet in a relatively open and uncaring kind of way. I don't mean negligent, just mean they weren't that bothered about it. Then they discover that actually there's a load of stuff going on in the background that they just weren't aware of and suddenly they go, hang on a minute, I'm now not happy about this. I now want to bring this under control.

- The more people that are aware, perhaps the more power we have to create change. I'll leave you with this.

- The future is more data collection, less privacy, more things used against us.

- And I guess it's up to us how we respond to that future.

[music playing]

Thanks for listening to this episode of Which? Investigates. If you're enjoying this season I would super appreciate you putting up a quick review on Apple Podcasts. It helps spread the word. That'd be ace. If you'd like to get in touch and you're on social media, you can reach me @gregfoot and Which? are @whichuk. We've also got the email address you can use now too, which is podcasts@which.co.uk. And if you've got a few minutes to spare, we'd love to know what you think of the podcast. We've got a short questionnaire over at which.co.uk/investigates.

Today's episode was presented by me, Greg Foot, written and produced by me and Rob Lilley, editing and original music is by Eric Briyah, and our executive producer is Angus Farker. Special thanks go to Richard Headland, Paul Lester, Kate Bevan, Andy Laughlin, and Renata Sampson. And I'll be back soon with our next investigation.

[music playing]