How to Avoid Doxxing Yourself While Doing OSINT: 8 Privacy Habits
By Soren Vega ·
- osint
- privacy
- opsec
- doxxing
- security
The same public web that gives you a research subject also has a record of you. Eight privacy habits that keep your research project from exposing your home address, your employer, your family, or your research notes — without slowing you down.
How to Avoid Doxxing Yourself While Doing OSINT
The same public web that gives you a research subject also has a record of you. Every public record you search for yourself leaves a trace — in your search history, in the platform's logs, in the cached pages a future reader can find, and in the way your own accounts and writing tie your research to your real identity. A research project that ignores the practitioner's own exposure is a project that puts the practitioner at risk.
Doxxing yourself is a feature, not a bug, of the public web WarningThe public web is symmetric. The same techniques you use to find information about a subject can be used to find information about you. A research project that does not consider this symmetry is a project that leaves the practitioner exposed.
Habit 1: Use a separate research browser
The single most useful move. A second browser profile, dedicated to your project, with the extensions you need and nothing else.
- No personal logins. No email, no social, no bank, no work accounts.
- No cookies from your normal browsing. The research profile is a clean profile.
- No saved passwords. Anything important goes in a password manager you can re-find, not in the browser.
- A different default search engine if you want to break the personalization link.
A research profile that is logged into your personal email is a research profile that ties the research to your identity at the level of every page that runs Google Analytics. The cost of a separate profile is minutes. The cost of not having one can be much higher.
Habit 2: Scrub your publishing metadata
When you publish the brief, the document you upload can carry metadata that identifies you:
- PDF author, title, subject. Set these to project-relevant strings, not your name.
- Image EXIF. Strip the EXIF before publishing. A photo of a screen with your face reflected in it is also a finding.
- Document revision history. A "tracked changes" view of a draft that ended up in the published version is a leak.
- Cached drafts on platforms. Google Docs, Notion, and similar platforms keep revision history. Publish from a clean copy, not from the editing document.
A useful habit: before publishing, open the file in a metadata inspector and confirm the author is not your name. A few minutes of work prevents a much longer cleanup.
Habit 3: Use a research-only email
If your research project requires an account on a platform — to view private content the subject has shared, to file a public-records request, to subscribe to a newsletter — use an email address that is not tied to your real name.
A research-only email is:
- A separate address on a separate provider, or a separate alias on a provider you trust.
- Not used for any other purpose. A research email that also subscribes to a personal newsletter is a research email that can be tied to you.
- Forwarded to your real address only if you want the convenience. The forwarding leaves a trail on the provider's logs.
A research-only email is not a guarantee of anonymity. It is a way to make the linking of the research to your real identity a deliberate step, not an accident.
Habit 4: Keep work and personal devices separate
A research project that lives on the same laptop as your personal email, your bank account, and your photo library is a research project that, if compromised, exposes all of those things. A few rules of thumb:
- Use a separate user account on your laptop for research. A different login, with different file storage and a different browser profile.
- Use a separate device for high-stakes research. A cheap laptop dedicated to the project, with no personal accounts, is much safer than a heavily-used personal device.
- Encrypt the research drive. FileVault on macOS, BitLocker on Windows, LUKS on Linux. A stolen laptop should not be a leaked project.
- Back up to encrypted storage. A backup that is not encrypted is a backup that can be read by anyone who gets the drive.
Habit 5: Vary your writing style if you publish under a pen name
If you publish the brief under a pen name, your writing style is itself a fingerprint. Stylometry — the statistical analysis of writing style — can identify a pen name from a corpus of public writing if the corpus is large enough.
A few rules of thumb:
- Do not copy-paste your own previous writing. A pen name that has the same sentences as a real-name article is a pen name that has been linked.
- Do not use the same metaphors. The fingerprints that matter most are the small ones — the phrases you reach for, the structure of your arguments, the way you open a section.
- Have a real pen-name voice, not a fake one. A pen name that has been deliberately flattened reads as deliberately flattened.
This is not a guarantee. It is a way to make the linking of the pen name to your real identity a more deliberate step.
Habit 6: Store research on encrypted volumes
The notes, the records, the captures, the prompt logs — all of it is sensitive. A project that lives on an unencrypted drive is a project that can be read by anyone who gets the drive. The minimum:
- Full-disk encryption on the laptop. FileVault, BitLocker, or LUKS.
- Encrypted volumes for the project folder. A VeraCrypt container or a platform-native encrypted volume.
- Encrypted cloud backup. Backups are a common leak vector. An encrypted backup is not.
- A documented destruction plan. When the project ends, the records are deleted, the captures are deleted, the backups are deleted. A documented plan is a plan that actually happens.
Habit 7: Never log into personal accounts from the research browser
The single most common leak. A research session that requires checking a personal email is a research session that ties the research to your identity. The fix:
- Use a separate browser profile or device for personal accounts. This is the same as habit 1, but worth saying twice.
- Do not check personal email "just for a minute" from the research browser. A minute is enough for a cookie to be set, for a referrer to be sent, for a fingerprinting script to correlate the two sessions.
- Do not use the same browser to read your own writing. A research session that ends with you reading your own published work in the same browser is a session that ties the reading to the publishing.
Habit 8: Assume the project will eventually be public
The most useful mental model: anything you write in the project notes, anything you save to a project folder, anything you publish, will eventually be public. A research project that is designed for the assumption of eventual publication is a project that does not have surprises in it.
A few implications:
- Write the notes as if a future reader will see them. "I think the CEO is a crook" is a note that does not survive publication. "The CEO was indicted on date D for charge X" is a note that does.
- Do not save anything to the project that you would not want published. Screenshots with personal reflections, drafts with frustrated margin notes, captures of pages you found uncomfortable — these are all candidates for publication.
- Have a lawyer review high-stakes work before publication. A lawyer who knows your jurisdiction will catch things you will not.
The eight habits are not a complete program. They are the minimum discipline for a research project that takes the practitioner's own exposure seriously.
Frequently Asked Questions
Can you dox yourself while doing OSINT?
Yes. Every public record you search for yourself leaves a trace — in your search history, in the platform's logs, in the cached pages a future reader can find, and in the way your own accounts and writing tie your research to your real identity. A research project that ignores the practitioner's own exposure is a project that puts the practitioner at risk.
How do I protect my privacy while doing OSINT?
Eight habits help: use a separate research browser, never log into personal accounts from it, scrub your publishing metadata, use a research-only email, keep your work and personal devices separate, vary your writing style if you publish under a pen name, store your research on encrypted volumes, and assume your project will eventually be public.
Related Guide
Open Source Intelligence