How to Avoid Doxxing Yourself While Doing OSINT: 8 Privacy Habits
By Soren Vega ·
- osint
- privacy
- opsec
- doxxing
- security
The same public web that gives you a research subject also has a record of you. Eight privacy habits that keep your research project from exposing your home address, your employer, your family, or your research notes — without slowing you down.
How to Avoid Doxxing Yourself While Doing OSINT
The same public web that gives you a research subject also has a record of you. Every public record you search for yourself leaves a trace — in your search history, in the platform's logs, in the cached pages a future reader can find, and in the way your own accounts and writing tie your research to your real identity. A research project that ignores the practitioner's own exposure is a project that puts the practitioner at risk.
Doxxing yourself is a feature, not a bug, of the public web WarningThe public web is symmetric. The same techniques you use to find information about a subject can be used to find information about you. A research project that does not consider this symmetry is a project that leaves the practitioner exposed.
Habit 1: Use a separate research browser
The single most useful move. A second browser profile, dedicated to your project, with the extensions you need and nothing else.
- No personal logins. No email, no social, no bank, no work accounts.
- No cookies from your normal browsing. The research profile is a clean profile.
- No saved passwords. Anything important goes in a password manager you can re-find, not in the browser.
- A different default search engine if you want to break the personalization link.
A research profile that is logged into your personal email is a research profile that ties the research to your identity at the level of every page that runs Google Analytics. The cost of a separate profile is minutes. The cost of not having one can be much higher.
Habit 2: Scrub your publishing metadata
When you publish the brief, the document you upload can carry metadata that identifies you:
- PDF author, title, subject. Set these to project-relevant strings, not your name.
- Image EXIF. Strip the EXIF before publishing. A photo of a screen with your face reflected in it is also a finding.
- Document revision history. A "tracked changes" view of a draft that ended up in the published version is a leak.
- Cached drafts on platforms. Google Docs, Notion, and similar platforms keep revision history. Publish from a clean copy, not from the editing document.
A useful habit: before publishing, open the file in a metadata inspector and confirm the author is not your name. A few minutes of work prevents a much longer cleanup.
Habit 3: Use a research-only email
If your research project requires an account on a platform — to view private content the subject has shared, to file a public-records request, to subscribe to a newsletter — use an email address that is not tied to your real name.
A research-only email is:
- A separate address on a separate provider, or a separate alias on a provider you trust.
- Not used for any other purpose. A research email that also subscribes to a personal newsletter is a research email that can be tied to you.
- Forwarded to your real address only if you want the convenience. The forwarding leaves a trail on the provider's logs.
A research-only email is not a guarantee of anonymity. It is a way to make the linking of the research to your real identity a deliberate step, not an accident.
Habit 4: Keep work and personal devices separate
A research project that lives on the same laptop as your personal email, your bank account, and your photo library is a research project that, if compromised, exposes all of those things. A few rules of thumb:
- Use a separate user account on your laptop for research. A different login, with different file storage and a different browser profile.
- Use a separate device for high-stakes research. A cheap laptop dedicated to the project, with no personal accounts, is much safer than a heavily-used personal device.
- Encrypt the research drive. FileVault on macOS, BitLocker on Windows, LUKS on Linux. A stolen laptop should not be a leaked project.
- Back up to encrypted storage. A backup that is not encrypted is a backup that can be read by anyone who gets the drive.
Habit 5: Vary your writing style if you publish under a pen name
If you publish the brief under a pen name, your writing style is itself a fingerprint. Stylometry — the statistical analysis of writing style — can identify a pen name from a corpus of public writing if the corpus is large enough.
A few rules of thumb:
- Do not copy-paste your own previous writing. A pen name that has the same sentences as a real-name article is a pen name that has been linked.
- Do not use the same metaphors. The fingerprints that matter most are the small ones — the phrases you reach for, the structure of your arguments, the way you open a section.
- Have a real pen-name voice, not a fake one. A pen name that has been deliberately flattened reads as deliberately flattened.
This is not a guarantee. It is a way to make the linking of the pen name to your real identity a more deliberate step.
Habit 6: Store research on encrypted volumes
The notes, the records, the captures, the prompt logs — all of it is sensitive. A project that lives on an unencrypted drive is a project that can be read by anyone who gets the drive. The minimum:
- Full-disk encryption on the laptop. FileVault, BitLocker, or LUKS.
- Encrypted volumes for the project folder. A VeraCrypt container or a platform-native encrypted volume.
- Encrypted cloud backup. Backups are a common leak vector. An encrypted backup is not.
- A documented destruction plan. When the project ends, the records are deleted, the captures are deleted, the backups are deleted. A documented plan is a plan that actually happens.
Habit 7: Never log into personal accounts from the research browser
The single most common leak. A research session that requires checking a personal email is a research session that ties the research to your identity. The fix:
- Use a separate browser profile or device for personal accounts. This is the same as habit 1, but worth saying twice.
- Do not check personal email "just for a minute" from the research browser. A minute is enough for a cookie to be set, for a referrer to be sent, for a fingerprinting script to correlate the two sessions.
- Do not use the same browser to read your own writing. A research session that ends with you reading your own published work in the same browser is a session that ties the reading to the publishing.
Habit 8: Assume the project will eventually be public
The most useful mental model: anything you write in the project notes, anything you save to a project folder, anything you publish, will eventually be public. A research project that is designed for the assumption of eventual publication is a project that does not have surprises in it.
A few implications:
- Write the notes as if a future reader will see them. "I think the CEO is a crook" is a note that does not survive publication. "The CEO was indicted on date D for charge X" is a note that does.
- Do not save anything to the project that you would not want published. Screenshots with personal reflections, drafts with frustrated margin notes, captures of pages you found uncomfortable — these are all candidates for publication.
- Have a lawyer review high-stakes work before publication. A lawyer who knows your jurisdiction will catch things you will not.
The eight habits are not a complete program. They are the minimum discipline for a research project that takes the practitioner's own exposure seriously.
Frequently Asked Questions
Can you dox yourself while doing OSINT?
Yes. Every public record you search for yourself leaves a trace — in your search history, in the platform's logs, in the cached pages a future reader can find, and in the way your own accounts and writing tie your research to your real identity. A research project that ignores the practitioner's own exposure is a project that puts the practitioner at risk.
How do I protect my privacy while doing OSINT?
Eight habits help: use a separate research browser, never log into personal accounts from it, scrub your publishing metadata, use a research-only email, keep your work and personal devices separate, vary your writing style if you publish under a pen name, store your research on encrypted volumes, and assume your project will eventually be public.
Should I use a VPN for OSINT research?
A reputable VPN can hide your home IP from target sites, but it is not enough alone. Combine it with a dedicated research browser profile, separate accounts, and careful metadata stripping on files you download or publish.
Is it safe to log into personal accounts during an investigation?
No. Never mix personal email, social logins, or cloud drives with research identities. Cross-contamination is how investigators accidentally link their real name to a subject’s environment.
Related Guide
Open Source Intelligence