How to Avoid Doxxing Yourself While Doing OSINT: 8 Privacy Habits

By Soren Vega ·

The same public web that gives you a research subject also has a record of you. Eight privacy habits that keep your research project from exposing your home address, your employer, your family, or your research notes — without slowing you down.

How to Avoid Doxxing Yourself While Doing OSINT

The same public web that gives you a research subject also has a record of you. Every public record you search for yourself leaves a trace — in your search history, in the platform's logs, in the cached pages a future reader can find, and in the way your own accounts and writing tie your research to your real identity. A research project that ignores the practitioner's own exposure is a project that puts the practitioner at risk.

Doxxing yourself is a feature, not a bug, of the public web

The public web is symmetric. The same techniques you use to find information about a subject can be used to find information about you. A research project that does not consider this symmetry is a project that leaves the practitioner exposed.

Warning

Habit 1: Use a separate research browser

The single most useful move. A second browser profile, dedicated to your project, with the extensions you need and nothing else.

  • No personal logins. No email, no social, no bank, no work accounts.
  • No cookies from your normal browsing. The research profile is a clean profile.
  • No saved passwords. Anything important goes in a password manager you can re-find, not in the browser.
  • A different default search engine if you want to break the personalization link.

A research profile that is logged into your personal email is a research profile that ties the research to your identity at the level of every page that runs Google Analytics. The cost of a separate profile is minutes. The cost of not having one can be much higher.

Habit 2: Scrub your publishing metadata

When you publish the brief, the document you upload can carry metadata that identifies you:

  • PDF author, title, subject. Set these to project-relevant strings, not your name.
  • Image EXIF. Strip the EXIF before publishing. A photo of a screen with your face reflected in it is also a finding.
  • Document revision history. A "tracked changes" view of a draft that ended up in the published version is a leak.
  • Cached drafts on platforms. Google Docs, Notion, and similar platforms keep revision history. Publish from a clean copy, not from the editing document.

A useful habit: before publishing, open the file in a metadata inspector and confirm the author is not your name. A few minutes of work prevents a much longer cleanup.

Habit 3: Use a research-only email

If your research project requires an account on a platform — to view private content the subject has shared, to file a public-records request, to subscribe to a newsletter — use an email address that is not tied to your real name.

A research-only email is:

  • A separate address on a separate provider, or a separate alias on a provider you trust.
  • Not used for any other purpose. A research email that also subscribes to a personal newsletter is a research email that can be tied to you.
  • Forwarded to your real address only if you want the convenience. The forwarding leaves a trail on the provider's logs.

A research-only email is not a guarantee of anonymity. It is a way to make the linking of the research to your real identity a deliberate step, not an accident.

Habit 4: Keep work and personal devices separate

A research project that lives on the same laptop as your personal email, your bank account, and your photo library is a research project that, if compromised, exposes all of those things. A few rules of thumb:

  • Use a separate user account on your laptop for research. A different login, with different file storage and a different browser profile.
  • Use a separate device for high-stakes research. A cheap laptop dedicated to the project, with no personal accounts, is much safer than a heavily-used personal device.
  • Encrypt the research drive. FileVault on macOS, BitLocker on Windows, LUKS on Linux. A stolen laptop should not be a leaked project.
  • Back up to encrypted storage. A backup that is not encrypted is a backup that can be read by anyone who gets the drive.

Habit 5: Vary your writing style if you publish under a pen name

If you publish the brief under a pen name, your writing style is itself a fingerprint. Stylometry — the statistical analysis of writing style — can identify a pen name from a corpus of public writing if the corpus is large enough.

A few rules of thumb:

  • Do not copy-paste your own previous writing. A pen name that has the same sentences as a real-name article is a pen name that has been linked.
  • Do not use the same metaphors. The fingerprints that matter most are the small ones — the phrases you reach for, the structure of your arguments, the way you open a section.
  • Have a real pen-name voice, not a fake one. A pen name that has been deliberately flattened reads as deliberately flattened.

This is not a guarantee. It is a way to make the linking of the pen name to your real identity a more deliberate step.

Habit 6: Store research on encrypted volumes

The notes, the records, the captures, the prompt logs — all of it is sensitive. A project that lives on an unencrypted drive is a project that can be read by anyone who gets the drive. The minimum:

  • Full-disk encryption on the laptop. FileVault, BitLocker, or LUKS.
  • Encrypted volumes for the project folder. A VeraCrypt container or a platform-native encrypted volume.
  • Encrypted cloud backup. Backups are a common leak vector. An encrypted backup is not.
  • A documented destruction plan. When the project ends, the records are deleted, the captures are deleted, the backups are deleted. A documented plan is a plan that actually happens.

Habit 7: Never log into personal accounts from the research browser

The single most common leak. A research session that requires checking a personal email is a research session that ties the research to your identity. The fix:

  • Use a separate browser profile or device for personal accounts. This is the same as habit 1, but worth saying twice.
  • Do not check personal email "just for a minute" from the research browser. A minute is enough for a cookie to be set, for a referrer to be sent, for a fingerprinting script to correlate the two sessions.
  • Do not use the same browser to read your own writing. A research session that ends with you reading your own published work in the same browser is a session that ties the reading to the publishing.

Habit 8: Assume the project will eventually be public

The most useful mental model: anything you write in the project notes, anything you save to a project folder, anything you publish, will eventually be public. A research project that is designed for the assumption of eventual publication is a project that does not have surprises in it.

A few implications:

  • Write the notes as if a future reader will see them. "I think the CEO is a crook" is a note that does not survive publication. "The CEO was indicted on date D for charge X" is a note that does.
  • Do not save anything to the project that you would not want published. Screenshots with personal reflections, drafts with frustrated margin notes, captures of pages you found uncomfortable — these are all candidates for publication.
  • Have a lawyer review high-stakes work before publication. A lawyer who knows your jurisdiction will catch things you will not.

The eight habits are not a complete program. They are the minimum discipline for a research project that takes the practitioner's own exposure seriously.

Frequently Asked Questions

Can you dox yourself while doing OSINT?

Yes. Every public record you search for yourself leaves a trace — in your search history, in the platform's logs, in the cached pages a future reader can find, and in the way your own accounts and writing tie your research to your real identity. A research project that ignores the practitioner's own exposure is a project that puts the practitioner at risk.

How do I protect my privacy while doing OSINT?

Eight habits help: use a separate research browser, never log into personal accounts from it, scrub your publishing metadata, use a research-only email, keep your work and personal devices separate, vary your writing style if you publish under a pen name, store your research on encrypted volumes, and assume your project will eventually be public.

Related Guide

Open Source Intelligence

Read guide