Predators hunt patterns. Operatives erase them. This manual teaches civilians the same habits, reducing your open-source shadow.

OSINT (Open-Source Intelligence) is information pulled from public sources and turned into insight: web pages, social feeds, photos and metadata, maps, forums, public records, and breach dumps. It’s how investigators, journalists, and criminals build profiles of targets without crossing legal lines.

You’ll reduce credential attacks, targeted ads, pretext calls, stalking risk, and so on - with breach fallout smaller and faster to contain.

For our purposes, it’s the sum of what strangers can learn about you from what you publish or what others publish about you - unless you control it.

The objective is to make it difficult to impossible for anyone to profile you from open sources. Data brokers, scammers, and low-skill investigators rely on patterns, specificity, and persistence in your public trail. By cutting precision, breaking patterns, and compartmenting identities, you lower your exposure and raise their cost.

That’s why operatives practice tradecraft on routine days, not just during crises. This is personal security and risk management . Clean inputs, quiet outputs, and disciplined habits keep you away from potential hostiles and safe to live your life.

To be a 'Hard Target' as a Civilian

ALIAS

·

Oct 9

Read full story

1) Threat Picture: Who’s Looking and Why

Before you start cutting data trails, understand who’s collecting them. Every move you make online or offline generates signals that someone can monetize, exploit, or weaponize. Understanding them first lets you choose the right counter-measures. Treat it like recon - you identify their motives, methods, and resources before adjusting your posture.

Common collectors

• Data brokers and advertisers.

• Scammers and social engineers.

• Stalkers and doxxers.

• Burglars and opportunists.

• Low-skill investigators using people-finder sites.

• Automated scrapers indexing your social accounts.

Likely use cases against you

• Identity theft and account takeovers.

• Social engineering using your relatives, pets, or past addresses as pretext.

• Physical targeting using routine patterns and geotags.

• Credential stuffing after breaches.

Decision rule

• If it can be scraped, assume it will be scraped.

• If it identifies you, reduce, delay, or disguise it.

2) Exposure Inventory: Find What’s Already Out

Every fix starts with discovery. Before erasing anything, build a complete picture of what’s public and where. Every address, photo, and alias already in circulation is an anchor point for anyone profiling you. Document them all, even the minor ones. What’s written down becomes measurable and fixable.

Targets to check

• Full name variations, nicknames, maiden names.

• Phone numbers (current and old).

• Email addresses (personal, work, throwaways).

• Home and past addresses.

• Family links and employers.

• Social handles across platforms.

• Photos of you, your car, your house, your kids.

• Domains you own, WHOIS records.

• Public records: property, voter, court, business filings.

• Breach traces for your emails.

How to sweep fast

• Search your name with quoted strings and key cities.

• People-finder sites: note where you appear.

• Image search your profile pictures.

• Check “Have I Been Pwned”-style breach lookups.

• Review your first two pages of results per identity element.

Deliverable

• One spreadsheet tab per category above.

• Columns: Source | Data Item | Risk (H/M/L) | Action | Date | Status | Proof (screenshot/link).

3) Priorities: What to Remove or Blunt First

Not all exposure carries equal weight. Focus on the data that could cause immediate harm or enable correlation. Operatives work in order of consequence - starting where risk and recoverability intersect. Protect live identifiers first, dead data later. The work’s not about perfection, it’s to create friction for whoever’s watching.

High value targets

• Current home address and exact location cues.

• Phone and email linked to banking or recovery.

• Dates of birth.

• Children’s school and routine.

• Daily pattern markers (gym, commute, check-ins).

• License plates and distinctive vehicle shots.

• Employer and office location.

• Photos with visible serial numbers, barcodes, or mail labels.

Principle

• Reduce precision first (address → city).

• Reduce persistence next (photos with EXIF).

• Reduce linkability last (reusing handles and emails).

4) Data Broker and People-Finder Takedown

These databases are the fuel lines for open-source profiling. Kill the feed, and you starve most amateur collectors. The process is tedious but strategic. Work methodically, track confirmations, and expect relists. This is attrition warfare against automation.

Process

1. List the top 15–20 broker sites where you appear.

2. Use their opt-out pages or email templates.

3. Validate removal with a fresh search in 2–4 weeks.

4. Calendar a quarterly recheck.

Templates (short, firm)

• Email subject: Opt-Out Request – [Your Full Name]
  Body:
  “I request removal of my personal information under applicable privacy laws. Remove records for [Full name, DOB (month/year only), current city/state, listed phone and email]. Confirm completion. – [Your Name]”

• Use unique burner emails for broker interactions. Don’t give more data than they already show. Provide only the minimum they require to match the record.

Tip

• Some brokers re-list you. Keep your spreadsheet and reuse it. Consider paid removal services if time is scarce, but verify results.

5) Social Media Hardening

Social platforms are designed for collection, not connection. Every tag, like, and comment expands your footprint. Treat each account like a listening post - limit what it can hear and what it can transmit. Harden your settings, change your habits, and make every post a controlled signal, not a leak.

Account structure

• Separate “real-name” presence (minimal) from interest accounts (aliases).

• One alias per platform. Don’t cross-link handles.

• Unique emails and phone numbers per account. Use masked emails or pass-through aliases.

Privacy controls (minimums)

• Set profiles to private where possible.

• Disable contact discovery via phone/email.

• Hide friend lists, follows, and groups.

• Review past posts; archive or lock any that reveal location or schedule.

• Turn off face recognition and “tag suggestion” features.

• Disable location services for social apps at the OS level.

Content rules

• Post after you leave a place. Never in real time.

• Crop out house numbers, school logos, badges, boarding passes, and car plates.

• Remove EXIF data from uploaded photos.

• Avoid humble-brag gear shots that show serials or home layout.

Signal discipline

• Don’t argue in public threads under your real name. It only feeds collectors.

• If you must keep a public profile for work, treat it as a business card: sparse, boring, factual.

6) Identity Layer: Emails, Numbers, and Names

Every account identifier is a handle for correlation. Reuse even one, and you’ve built your own link analysis chart. Proper identity layering severs those bridges and forces any collector to start from zero. Operatives treat names, emails, and phones as burnable tools - nothing sacred, everything replaceable.

Email

• Create a root email only you know; never share it. Use it for password resets only.

• Create three tiers: financial, personal, throwaway. Unique addresses per tier.

• Use unique aliases per merchant (plus-addressing or masked emails).

• Enable MFA on all. Prefer hardware keys for financial and root.

Phone

• Keep your main number off public profiles.

• Use a secondary number for signups and public posts.

• Be careful with app-based numbers that recycle; keep backups updated.

Names

• Don’t post your full legal name unless required.

• If your surname is rare, prefer initials.

• Avoid predictable aliases that reuse parts of your real name across platforms.

7) Device and Browser Fingerprint Control

Hardware betrays you quietly. Trackers fingerprint your system through fonts, sensors, and timing data long before you click “accept cookies.” Isolation is the fix - separate devices, distinct browsers, unique profiles. Think of it as camouflaging your digital scent.

Baselines

• Use two browsers at minimum:

  • Trusted for banking and private accounts.

  • General for browsing.

• Consider a dedicated dirty profile for unknown links.

Settings

• Block third-party cookies.

• Clear site data on exit (general browser).

• Disable browser sign-in sync on the general profile.

• Limit extensions to essentials. Each one is a sensor.

Network

• Use DNS over HTTPS.

• Use your mobile hotspot rather than public Wi-Fi when possible.

• If you must use public Wi-Fi, avoid sensitive logins even with a VPN.

Mobile

• Disable ad ID or reset it regularly.

• Turn off Bluetooth and Wi-Fi auto-join.

• Enable MAC randomization.

• Review app permissions quarterly. Remove camera/mic/location unless needed.

OS telemetry

• Opt out where allowed.

• Don’t share analytics or crash reports by default.

• Audit “Nearby” and “Sharing” features; turn off when idle.

8) Photo and File Hygiene

Files and images leak more intelligence than words. Metadata, reflections, file paths - every byte can betray context. Clean, strip, and review before you share. The smallest mistake, like an unblurred reflection or author tag, can expose a whole identity chain.

Before posting or sharing

• Strip EXIF/metadata. Many editors can do this.

• Blur backgrounds that reveal locations.

• Watch mirrors and glass for reflections of screens or documents.

Documents

• Export to PDF when sharing. Remove author and company fields.

• Redact with proper tools, not by drawing black boxes in a doc.

• Remove hidden sheets and comments in spreadsheets before sending.

9) Home Footprint: Physical OSINT

Your residence leaks more than Wi-Fi. Street-view angles, mail labels, and utility filings reveal pattern and placement. A disciplined footprint keeps your home ordinary and untraceable from open sources.

Outside

• Don’t display your full surname on mailboxes or doorbells.

• Avoid vanity plates.

• Hide VINs in photos.

• Be mindful of visible delivery labels in trash day photos.

Mail

• Use a CMRA (commercial mail receiving agency) or PO box for packages and business filings.

• Opt out of pre-approved credit offers.

• Shred, don’t recycle, anything that links identity and address.

Utilities and filings

• When lawful, list the mailing address (CMRA/PO box) for public records.

• Check property records; some jurisdictions allow redactions for safety.

10) Financial and Breach Controls

Money and credentials tie every identity together. Once a breach hits, reaction time decides whether damage stays financial or turns physical. Build your defense before compromise, not during it.

Must-dos

• Freeze credit with all bureaus. Free and reversible.

• Use transaction alerts on cards and bank accounts.

• Unique, long passwords for every account. Use a reputable manager.

• MFA everywhere possible. Prefer app-based or hardware factors.

Breach response drill

1. Identify the breached service and email used.

2. Change password; rotate unique one.

3. Check other sites for reuse; change those too.

4. Monitor for phishing using breach-themed lures for 90 days.

5. Note actions in your spreadsheet.

11) Travel and Routine Pattern Control

Predictable movement creates predictable risk. Adversaries plan around repetition—flight posts, gym hours, commute photos. Changing timing and delaying posts isn’t paranoia; it’s operational discipline. Your routine is your signature, smudge it.

Posting

• Never announce travel before or during. Post the album after you return.

• Use generic captions. Avoid room numbers, boarding passes, and gate screens.

Connectivity

• Assume hotel Wi-Fi is monitored. Use mobile data for sensitive actions.

• Update devices before travel, not during.

• Don’t plug into public USB power without a data blocker.

Movement

• Vary departure times and routes when practical.

• Don’t share live location with apps you don’t trust.

12) Kids and Family Protection

Your family extends your perimeter. They’re the soft perimeter around every identity. Their innocent posts can undo months of your own control. Teach them privacy like fire safety - calm, routine, and mandatory.

Rules

• No school logos, class schedules, or bus stops in posts.

• Use initials only.

• Share photos in closed family groups, not public feeds.

• Teach kids to decline quizzes, “which character are you,” and name-of-first-pet traps.

Relatives

• Ask relatives to avoid tagging you or your location.

• Provide them a short “why” script. Keep it friendly.

13) Domains, Small Business, and WHOIS

Domains and business registrations are public by design. They can still be managed. Use privacy tools, alternate mail routes, and generic contact pages to keep operations clean. Public visibility doesn’t have to mean personal exposure.

Checklist

• Use privacy-protected WHOIS by default.

• Register with an email not used elsewhere.

• Point public addresses to your CMRA, not your residence.

• Minimize “About” pages. Keep contact forms server-side.

14) Metrics

Without metrics, OSINT control is guesswork. Regular audits show whether exposure is shrinking or drifting back. The goal is downward trends and fewer surprises, not theoretical perfection.

Key indicators

• Count of broker listings with your home address.

• Count of public social posts that expose location.

• Number of reused credentials (should be zero).

• Time to detect a new listing (aim for monthly discovery).

• MFA coverage percentage (aim for 100%).

• Breach notifications per quarter (downward trend).

Quarterly audit

• Re-run your name, emails, numbers.

• Refresh the takedown list.

• Review permissions and extensions.

• Update your spreadsheet status.

15) Quick Wins (30 minutes)

When time’s short, small actions deliver the fastest gain. These moves are frictionless and high yield - perfect for civilians starting their first cleanup pass.

• Freeze credit.

• Turn off social media location services.

• Make your profiles private.

• Enable MFA on email, bank, and main social.

• Opt out of top three broker sites that list your address.

• Reset your mobile ad ID and disable personalized ads.

16) One-Day Hardening Plan

One disciplined day changes your entire exposure profile. Treat it like a field op: set scope, execute in order, and confirm results before you stand down.

• Build the inventory spreadsheet.

• Create tiered emails; move financial accounts to the “financial” address.

• Set up transaction alerts and data-breach alerts.

• Strip EXIF on your last 12 months of posted photos or hide them.

• Audit browser profiles and cookie policies.

• Move package delivery to a CMRA or locker where available.

17) One-Week Improvement Plan

Sustainment beats intensity. Spread your cleanup across a week to catch hidden leaks and prevent burnout. Daily tasks become permanent habits.

• Complete broker takedowns for the first 20 sites.

• Replace weak/reused passwords.

• Clean old social posts and unlink apps you no longer use.

• Update WHOIS privacy for owned domains.

• Teach family the new posting rules and contact-discovery settings.

• Document your incident response drill.

18) Incident Response: If You’re Doxxed or Targeted

When you’re under exposure, calm is your weapon. Treat it like any other breach -assess, contain, communicate, and move. Don’t panic or retaliate. Precision and pace will control the narrative faster than emotion ever could.

Stay calm. Work the checklist.

1. Capture evidence. Screenshots with timestamps and URLs.

2. Assess scope. What data’s out? Address, phone, employer, kids?

3. Safety moves. Change routines; alert local authorities if threats are explicit.

4. Containment.

   • Lock down social accounts.

   • Change exposed numbers/emails if needed.

   • Freeze credit if not already frozen.

5. Takedowns.

   • File removal requests with hosts and platforms.

   • Repeat broker opt-outs.

6. Notifications.

   • Inform employer security if relevant.

   • Brief family on talking points and what to ignore.

7. Deception if appropriate.

   • Avoid feeding the actor. Don’t engage publicly.

8. Review.

   • Update your spreadsheet.

   • Identify the exposure path and fix it.

19) Mindset

Long-term safety comes from restraint, not cleverness. Operatives survive by being dull in public and disciplined in private. The mindset isn’t paranoia - it’s patience. You win by being forgettable.

• Default silence. Speak when you must.

• Need-to-share. Ask, “Who needs this detail?” If the answer is “no one,” cut it.

• Compartmentalization. Keep identities and devices separate.

• Lag. Delay posts. Delay reveals.

• Predictable unpredictability. Vary small things often.

• Verification. Trust settings you’ve checked, not what an app claims.

20) Reference Checklists

Checklists replace panic with order. Each one locks down a domain of your life - digital, physical, financial, or travel. Keep them printed, updated, and ready. In field terms: pre-briefed actions beat improvisation.

Broker takedown kit

• Spreadsheet, burner email, calendar reminders, screenshots.

Photo posting kit

• EXIF remover, blur tool, final review by a second set of eyes.

Device hardening kit

• Password manager, authenticator or hardware keys, OS updates, DNS-over-HTTPS, backup plan.

Travel kit

• Mobile hotspot, data blocker, updated devices, minimal social posting rules.

21) Red-Teaming Yourself

Good tradecraft tests itself. You’re your own first adversary. Testing your exposure like an outsider keeps your defenses sharp. Each weakness found by you is one less weapon for them.

• With only your name and city, can you find your address in 15 minutes?

• With your public Instagram, can you predict tomorrow’s routine?

• With your old email, can you find breaches and linked accounts?

• With your plates, can you find your driveway on street imagery?

If the answer is yes to any, you’ve got work.

Final

Treat your presence like an operation. Define compartments. Verify settings. Audit on schedule. If a collector still builds a picture, it won’t be sharp enough to act on. Most open-source hunters will move on to softer targets.

A CIA Lesson in Street Smarts on the Move

ALIAS

·

Aug 26

Read full story

Building a Personal SOP (Standard Operating Procedure) for Your Life

ALIAS

·

Jul 3

Read full story

How to be a Gray Man

ALIAS

·

Aug 22

Read full story