TL;DR: Open Source Intelligence (OSINT) tools can find your accounts, map your relationships, locate your devices, and build a complete profile from public information. This guide shows you how to: audit your current exposure, remove data from public records, sanitize social media, strip metadata from photos, compartmentalize your digital identity, and maintain ongoing protection. You can't become invisible, but you can become expensive and time-consuming to investigate.

Understanding the Threat

Before defending, understand what you're defending against.

Who Uses OSINT Against Individuals?

Actor Motivation Capability
Stalkers/Abusers Control, harassment Low-Medium (basic tools)
Doxxers Public exposure, intimidation Medium (dedicated time)
Scammers Social engineering, fraud Low-Medium
Private Investigators Paid investigations High (professional tools)
Journalists Story research Medium-High
Law Enforcement Investigations High (legal access + tools)
Hackers Reconnaissance for attacks High

What They're Looking For

  • Identity: Real name, aliases, usernames
  • Location: Home, work, frequent places
  • Contacts: Family, friends, colleagues
  • Patterns: Schedule, habits, routines
  • Vulnerabilities: Technical, social, financial
  • Pressure points: Embarrassing content, secrets

Step 1: Audit Your Exposure

You can't fix what you don't know about. Start by investigating yourself.

Username Search

  1. List every username you've ever used
  2. Run each through whatsmyname.app or Sherlock
  3. Click every result, verify what's actually there
  4. Document everything you find

Name Search

  1. Google your full name in quotes: "John Michael Smith"
  2. Search with location: "John Smith" + "Chicago"
  3. Search with employer: "John Smith" + "Acme Corp"
  4. Check image results, your photos may appear in unexpected places
  5. Use advanced operators: site:linkedin.com "John Smith"

Email Search

  1. Google your email addresses
  2. Check Have I Been Pwned for breaches
  3. Search paste sites for leaked credentials
  4. Check if email appears in public commits, forum posts, documents

Phone Number Search

  1. Google your phone number (with and without dashes)
  2. Check people-search sites: Spokeo, Whitepages, BeenVerified
  3. Reverse lookup services

Address Search

  1. Search your current and past addresses
  2. Check property records (usually public)
  3. Check voter registration (public in many states)
  4. Look for yourself on Google Maps Street View

Image Search

  1. Reverse image search your profile photos (Google Images, TinEye)
  2. Check if photos appear on sites you didn't upload to
  3. Look for metadata in photos you've shared

Step 2: Remove Data from Public Records

People-Search Sites

These aggregate public records and sell access. Opt out of all of them:

See our complete data broker opt-out guide for 85+ sites.

Voter Registration

In many states, voter records are public. Options:

  • Some states allow address confidentiality programs (ACPs) for at-risk individuals
  • Use a PO Box if your state allows it for registration
  • Check your state's specific rules on voter record confidentiality

Property Records

Real estate ownership is typically public record. Options:

  • Hold property in an LLC or trust (consult attorney)
  • Use a registered agent for the LLC
  • Some states have homestead privacy programs

Domain Registration

If you own domains, your WHOIS info may be public:

  • Enable WHOIS privacy through your registrar
  • Use a privacy-focused registrar (Njalla, 1984.is)
  • Check existing domains at whois.domaintools.com

Step 3: Sanitize Social Media

Audit Each Platform

Go through every social account and ask:

  • Does my profile reveal my real name?
  • Does my bio mention location, employer, school?
  • Do my posts reveal patterns (schedule, locations, relationships)?
  • Are there old posts I wouldn't want found?
  • Who can see my friends/followers list?
  • What's visible to non-friends/followers?

Facebook

  • Use "View As" to see what others see
  • Limit past posts: Settings → Privacy → Limit Past Posts
  • Hide friends list: Settings → Privacy → Who can see your friends list
  • Restrict profile searchability
  • Remove tagged photos or request untagging

Instagram

  • Set account to private
  • Remove location tags from photos
  • Audit tagged photos
  • Review story highlights for revealing content

LinkedIn

  • Limit public profile visibility: Settings → Visibility
  • Turn off "profile viewing" notifications so you can research anonymously
  • Consider what employment history reveals
  • Disable "People also viewed" sidebar

Twitter/X

  • Protect tweets if needed
  • Delete old tweets (use tools like TweetDelete)
  • Remove location from tweets: Settings → Privacy → Location
  • Audit likes (they're public)

Reddit

  • Use separate accounts for different topics
  • Never mention identifiable details
  • Periodically delete post history (tools: Redact, Power Delete Suite)
  • Don't link to other social accounts

Step 4: Strip Metadata from Photos

Photos contain hidden data that reveals where and when they were taken.

What EXIF Data Reveals

  • GPS coordinates: Exact location where photo was taken
  • Timestamp: Date and time
  • Device: Camera or phone model
  • Direction: Which way camera was pointing
  • Settings: Technical camera settings

Before Uploading Photos

Strip metadata using:

  • ExifTool: Command line, most powerful
  • ExifCleaner: Desktop app, drag and drop
  • Online tools: jimpl.com/remove-exif, verexif.com

Disable Location on Phone Camera

iPhone: Settings → Privacy → Location Services → Camera → Never

Android: Camera app → Settings → Location tags → Off

Social Media Auto-Stripping

Some platforms strip EXIF on upload (Facebook, Twitter, Instagram). But:

  • They may keep the data internally
  • Not all platforms strip metadata
  • Better to strip before uploading

Step 5: Compartmentalize Your Identity

The Concept

Create separate digital identities for different purposes. If one is compromised, others remain protected.

Identity Categories

Category Use For What to Use
Professional Work, networking Real name, work email, LinkedIn
Personal (Known) Friends, family Real name, personal email, locked-down social
Pseudonymous Hobbies, interests Consistent alias, dedicated email, separate accounts
Anonymous Sensitive topics Random usernames, throwaway email, VPN/Tor

Implementation

  • Separate email addresses: One per identity category
  • Different usernames: Never cross-link between categories
  • Different browsers/profiles: Prevent cookie tracking between identities
  • Password manager: Track which credentials go with which identity
  • VPN: Use when operating anonymous/pseudonymous identities

Never Cross the Streams

  • Don't friend professional contacts from personal account
  • Don't mention pseudonymous interests from real-name account
  • Don't reuse profile photos across identities
  • Don't use similar writing patterns (can be analyzed)

Step 6: Technical Protections

Browser Fingerprinting

Your browser leaks identifying information: screen size, fonts, timezone, plugins. Mitigate with:

  • Brave: Built-in fingerprint randomization
  • Tor Browser: Designed to look identical for all users
  • Firefox with privacy settings: privacy.resistFingerprinting = true

VPN Usage

Hides your IP address from sites you visit:

  • Use for pseudonymous/anonymous activities
  • Choose no-logs VPN provider
  • Don't log into real accounts while on VPN meant for anonymous use

Device Hygiene

  • Check what Shodan knows about your IP: shodan.io/host/YOUR_IP
  • Close unnecessary ports on your router
  • Change default credentials on all devices
  • Update firmware regularly

Step 7: Ongoing Maintenance

Regular Audits

Monthly:

  • Google yourself (name, email, usernames)
  • Check Have I Been Pwned for new breaches
  • Review social media privacy settings (they change)

Quarterly:

  • Run username search tools on all your handles
  • Check people-search sites (data reappears)
  • Re-submit opt-outs if needed
  • Audit old accounts for content to delete

Annually:

  • Comprehensive review of all online presence
  • Update threat model (new platforms, new risks)
  • Consider using an automated removal service

Set Up Alerts

  • Google Alerts: Set for your name, email, usernames
  • Have I Been Pwned: Subscribe for breach notifications
  • Credit monitoring: Alerts for identity theft indicators

For High-Risk Individuals

If you're at elevated risk (activist, journalist, abuse survivor, public figure), additional measures:

Address Protection

  • Use a PO Box or commercial mail receiving service for all mail
  • Register to vote using PO Box if your state allows
  • Use registered agent for any business/LLC filings
  • Consider address confidentiality programs (ACP) in your state

Phone Protection

  • Use VoIP number (Google Voice, MySudo) for semi-public use
  • Keep personal number truly private
  • Don't give real number to businesses, websites, apps

Legal Name Separation

  • Consider legal name change if fleeing abuse (consult attorney)
  • Use published pseudonym for public-facing work

Technical Hardening

  • Use Tor for sensitive research
  • Consider privacy-focused phone OS (GrapheneOS)
  • Encrypted communications only (Signal)
  • Virtual machines for compartmentalization

The Bottom Line

You can't become invisible. Too much information already exists, and new data is constantly generated. But you can:

  1. Reduce exposure: Remove what can be removed
  2. Slow investigations: Make yourself more expensive to research
  3. Compartmentalize: Limit damage if one identity is compromised
  4. Stay vigilant: Regular audits catch new exposures

Perfect privacy is impossible. Practical privacy, making yourself not worth the effort to investigate thoroughly, is achievable.

Start with the audit. See what's already out there. Then work through removal, sanitization, and compartmentalization. It's ongoing work, but it's your digital life.

References

  1. OSINT Guide, How to Protect Yourself from OSINT (2025)
  2. Incogni, What OSINT is and How to Protect Yourself
  3. OSINT Industries, Managing Your Digital Footprint with OpSec
  4. MyPrivacy Blog, Complete Guide to OSINT Protection (2025)