TL;DR: Open Source Intelligence (OSINT) tools can find your accounts, map your relationships, locate your devices, and build a complete profile from public information. This guide shows you how to: audit your current exposure, remove data from public records, sanitize social media, strip metadata from photos, compartmentalize your digital identity, and maintain ongoing protection. You can't become invisible, but you can become expensive and time-consuming to investigate.
Understanding the Threat
Before defending, understand what you're defending against.
Who Uses OSINT Against Individuals?
| Actor | Motivation | Capability |
|---|---|---|
| Stalkers/Abusers | Control, harassment | Low-Medium (basic tools) |
| Doxxers | Public exposure, intimidation | Medium (dedicated time) |
| Scammers | Social engineering, fraud | Low-Medium |
| Private Investigators | Paid investigations | High (professional tools) |
| Journalists | Story research | Medium-High |
| Law Enforcement | Investigations | High (legal access + tools) |
| Hackers | Reconnaissance for attacks | High |
What They're Looking For
- Identity: Real name, aliases, usernames
- Location: Home, work, frequent places
- Contacts: Family, friends, colleagues
- Patterns: Schedule, habits, routines
- Vulnerabilities: Technical, social, financial
- Pressure points: Embarrassing content, secrets
Step 1: Audit Your Exposure
You can't fix what you don't know about. Start by investigating yourself.
Username Search
- List every username you've ever used
- Run each through whatsmyname.app or Sherlock
- Click every result, verify what's actually there
- Document everything you find
Name Search
- Google your full name in quotes: "John Michael Smith"
- Search with location: "John Smith" + "Chicago"
- Search with employer: "John Smith" + "Acme Corp"
- Check image results, your photos may appear in unexpected places
- Use advanced operators:
site:linkedin.com "John Smith"
Email Search
- Google your email addresses
- Check Have I Been Pwned for breaches
- Search paste sites for leaked credentials
- Check if email appears in public commits, forum posts, documents
Phone Number Search
- Google your phone number (with and without dashes)
- Check people-search sites: Spokeo, Whitepages, BeenVerified
- Reverse lookup services
Address Search
- Search your current and past addresses
- Check property records (usually public)
- Check voter registration (public in many states)
- Look for yourself on Google Maps Street View
Image Search
- Reverse image search your profile photos (Google Images, TinEye)
- Check if photos appear on sites you didn't upload to
- Look for metadata in photos you've shared
Step 2: Remove Data from Public Records
People-Search Sites
These aggregate public records and sell access. Opt out of all of them:
- Spokeo: spokeo.com/optout
- Whitepages: whitepages.com/suppression-requests
- BeenVerified: beenverified.com/app/optout/search
- Intelius: intelius.com/opt-out/submit/
- Radaris: radaris.com/page/how-to-remove
See our complete data broker opt-out guide for 85+ sites.
Voter Registration
In many states, voter records are public. Options:
- Some states allow address confidentiality programs (ACPs) for at-risk individuals
- Use a PO Box if your state allows it for registration
- Check your state's specific rules on voter record confidentiality
Property Records
Real estate ownership is typically public record. Options:
- Hold property in an LLC or trust (consult attorney)
- Use a registered agent for the LLC
- Some states have homestead privacy programs
Domain Registration
If you own domains, your WHOIS info may be public:
- Enable WHOIS privacy through your registrar
- Use a privacy-focused registrar (Njalla, 1984.is)
- Check existing domains at whois.domaintools.com
Step 4: Strip Metadata from Photos
Photos contain hidden data that reveals where and when they were taken.
What EXIF Data Reveals
- GPS coordinates: Exact location where photo was taken
- Timestamp: Date and time
- Device: Camera or phone model
- Direction: Which way camera was pointing
- Settings: Technical camera settings
Before Uploading Photos
Strip metadata using:
- ExifTool: Command line, most powerful
- ExifCleaner: Desktop app, drag and drop
- Online tools: jimpl.com/remove-exif, verexif.com
Disable Location on Phone Camera
iPhone: Settings → Privacy → Location Services → Camera → Never
Android: Camera app → Settings → Location tags → Off
Social Media Auto-Stripping
Some platforms strip EXIF on upload (Facebook, Twitter, Instagram). But:
- They may keep the data internally
- Not all platforms strip metadata
- Better to strip before uploading
Step 5: Compartmentalize Your Identity
The Concept
Create separate digital identities for different purposes. If one is compromised, others remain protected.
Identity Categories
| Category | Use For | What to Use |
|---|---|---|
| Professional | Work, networking | Real name, work email, LinkedIn |
| Personal (Known) | Friends, family | Real name, personal email, locked-down social |
| Pseudonymous | Hobbies, interests | Consistent alias, dedicated email, separate accounts |
| Anonymous | Sensitive topics | Random usernames, throwaway email, VPN/Tor |
Implementation
- Separate email addresses: One per identity category
- Different usernames: Never cross-link between categories
- Different browsers/profiles: Prevent cookie tracking between identities
- Password manager: Track which credentials go with which identity
- VPN: Use when operating anonymous/pseudonymous identities
Never Cross the Streams
- Don't friend professional contacts from personal account
- Don't mention pseudonymous interests from real-name account
- Don't reuse profile photos across identities
- Don't use similar writing patterns (can be analyzed)
Step 6: Technical Protections
Browser Fingerprinting
Your browser leaks identifying information: screen size, fonts, timezone, plugins. Mitigate with:
- Brave: Built-in fingerprint randomization
- Tor Browser: Designed to look identical for all users
- Firefox with privacy settings: privacy.resistFingerprinting = true
VPN Usage
Hides your IP address from sites you visit:
- Use for pseudonymous/anonymous activities
- Choose no-logs VPN provider
- Don't log into real accounts while on VPN meant for anonymous use
Device Hygiene
- Check what Shodan knows about your IP: shodan.io/host/YOUR_IP
- Close unnecessary ports on your router
- Change default credentials on all devices
- Update firmware regularly
Step 7: Ongoing Maintenance
Regular Audits
Monthly:
- Google yourself (name, email, usernames)
- Check Have I Been Pwned for new breaches
- Review social media privacy settings (they change)
Quarterly:
- Run username search tools on all your handles
- Check people-search sites (data reappears)
- Re-submit opt-outs if needed
- Audit old accounts for content to delete
Annually:
- Comprehensive review of all online presence
- Update threat model (new platforms, new risks)
- Consider using an automated removal service
Set Up Alerts
- Google Alerts: Set for your name, email, usernames
- Have I Been Pwned: Subscribe for breach notifications
- Credit monitoring: Alerts for identity theft indicators
For High-Risk Individuals
If you're at elevated risk (activist, journalist, abuse survivor, public figure), additional measures:
Address Protection
- Use a PO Box or commercial mail receiving service for all mail
- Register to vote using PO Box if your state allows
- Use registered agent for any business/LLC filings
- Consider address confidentiality programs (ACP) in your state
Phone Protection
- Use VoIP number (Google Voice, MySudo) for semi-public use
- Keep personal number truly private
- Don't give real number to businesses, websites, apps
Legal Name Separation
- Consider legal name change if fleeing abuse (consult attorney)
- Use published pseudonym for public-facing work
Technical Hardening
- Use Tor for sensitive research
- Consider privacy-focused phone OS (GrapheneOS)
- Encrypted communications only (Signal)
- Virtual machines for compartmentalization
The Bottom Line
You can't become invisible. Too much information already exists, and new data is constantly generated. But you can:
- Reduce exposure: Remove what can be removed
- Slow investigations: Make yourself more expensive to research
- Compartmentalize: Limit damage if one identity is compromised
- Stay vigilant: Regular audits catch new exposures
Perfect privacy is impossible. Practical privacy, making yourself not worth the effort to investigate thoroughly, is achievable.
Start with the audit. See what's already out there. Then work through removal, sanitization, and compartmentalization. It's ongoing work, but it's your digital life.
Step 3: Sanitize Social Media
Audit Each Platform
Go through every social account and ask:
Facebook
Instagram
LinkedIn
Twitter/X
Reddit