You’ve probably seen those dramatic “iceberg” images showing the internet as a layered structure.

The surface web is at the top, the deep web in the middle, and the dark web lurking ominously at the bottom.

While visually compelling, this metaphor is fundamentally misleading and has contributed to widespread misunderstandings about how the internet actually works.

In this post we’ll explore why the iceberg metaphor is wrong, how the internet actually works, and how to keep your data off the dark web.

Why the Iceberg Metaphor is Wrong

The iceberg model suggests a sinister hierarchy, implying that things get progressively more dangerous the “deeper” you go.

In reality, the different parts of the internet are better understood as serving distinct purposes, each with their own legitimate uses and security considerations.

The deep web, which makes up the overwhelming majority of the internet, isn’t some mysterious underworld.

It’s where you check your email and access your online banking.

These password-protected areas aren’t “deeper” or more dangerous, they’re simply private spaces that keep your sensitive information secure.

Even more misleading is the placement of the dark web at the bottom of the iceberg, suggesting it’s the largest and most mysterious part.

In fact, the dark web makes up less than 0.1% of the total internet.

This is hardly the massive underwater portion the iceberg metaphor implies.

Instead of thinking about the internet as layers of an iceberg, it’s more accurate to think of it as different neighborhoods in a city.

Just as a city has public spaces (like parks and shopping centers), private spaces (like homes and offices), and restricted areas (like secure facilities), the internet has separate areas that serve different purposes.

Let’s explain what each of these different sections on the internet actually means.

What is the surface web?

The surface web is the part of the internet that’s readily accessible to the general public through standard web browsers like Chrome, Firefox, or Safari.

It’s what most people think of when they think of “the internet”.

What makes the surface web distinct is that it’s fully indexed by search engines.

When you use Google, Bing, or other search engines, you’re searching through surface web content.

This includes popular social media platforms, news websites, online shopping sites, and most of the websites we interact with daily.

What is the deep web?

The deep web is the vast portion of the internet that isn’t indexed by standard search engines.

Think of it as all the content that sits behind login screens, paywalls, or requires specific access permissions.

Unlike the surface web, you can’t simply Google your way into these areas.

Contrary to popular misconception, the deep web is largely legitimate and makes up approximately 90-95% of the entire internet. It includes:

• Private email accounts and messaging platforms
• Online banking portals and financial records
• Medical records and healthcare portals
• Corporate intranets and private networks
• Academic databases and research repositories
• Government resources and databases
• Password-protected forums and communities
• Subscription-based content services

What makes the deep web “deep” is its inaccessibility to regular search engine crawlers.

For example, when you log into your online banking, you’re accessing the deep web.

The same applies when you check your private email or access your company’s internal network.

These pages exist but are protected from public access for privacy and security reasons.

What is the dark web?

The dark web is a small but significant segment of the internet that requires specialized software, like Tor (The Onion Router), to access.

It’s a part of the deep web that’s been intentionally hidden and is inaccessible through standard web browsers.

While estimates vary, the dark web typically comprises a tiny miniscule percentage of the total internet.

What makes the dark web distinct is its focus on anonymity and encryption.

Websites on the dark web use the .onion domain suffix and are built on overlay networks that provide multiple layers of encryption.

This architecture makes it extremely difficult to track users or identify server locations.

The dark web serves various purposes.

Some are legitimate, while others aren’t. These include:

• Privacy and anonymity tools for legitimate users
• Secure communication channels for journalists and whistleblowers
• Forums for political dissidents in restrictive regimes
• Marketplaces for illegal goods and services
• Cybercrime services
• Financial fraud

Can I remove my information from the dark web?

Unfortunately, once your information is on the dark web, it can’t be completely removed.

Think of it like trying to remove a photo that’s been shared multiple times on social media - copies exist in many places and can be downloaded by anyone.

Instead of trying to erase data, focus your efforts on mitigating the damage.

Change compromised passwords, enable multi-factor authentication, and monitor your accounts for suspicious activity.

How to keep your info off the dark web?

Here are the most effective strategies that can help:

• Implement Strong Password Hygiene: Create unique, complex passwords for every account. Passwords should contain a minimum of 12 characters with a mix of numbers, symbols, and both upper and lowercase letters. Use a reputable password manager to securely store and manage these credentials. Never reuse passwords across multiple accounts.
• Enable Multi-Factor Authentication (MFA): Activate MFA on all accounts that offer it, especially financial, email, and social media accounts. Use authenticator apps rather than SMS-based verification when possible, as SMS can be compromised through SIM swapping attacks.
• Monitor Your Financial Accounts: Review your bank statements and credit card activity weekly. Set up automatic alerts for suspicious transactions. Consider freezing your credit with the major credit bureaus (Equifax, Experian, and TransUnion) to prevent unauthorized accounts from being opened in your name.
• Regularly Check for Data Breaches: Use a breach notification service like Breachsense to monitor if your employees’ email addresses or passwords have been compromised. If you discover your information in a breach, immediately change affected passwords and monitor related accounts for suspicious activity.
• Practice Safe Online Behavior: Be cautious about the information you share on social media, as criminals can use this for social engineering attacks.
• Maintain Updated Security Software: Keep your operating system, antivirus software, and all applications up to date with the latest security patches. Consider using encrypted email services for sensitive communications.