What OSINT Researchers Can Find About You in 30 Minutes

May 1, 2026 9 min read Haven Team

Most people assume that meaningful privacy violations require sophisticated hacking — a zero-day exploit, a compromised server, a nation-state actor. The reality is far less dramatic. Most damaging personal reconnaissance uses entirely public data, assembled by anyone with patience, a browser, and knowledge of where to look.


Open-Source Intelligence — OSINT — is the discipline of gathering information from publicly available sources. The term comes from military intelligence and has been used by journalists, investigators, security researchers, and law enforcement for decades. What has changed is the density and accessibility of the data, and the tooling available to aggregate it.

Understanding what OSINT practitioners can find about you is not paranoia — it is the prerequisite for making informed decisions about your own privacy posture. You cannot reduce your footprint if you do not know what is already out there.

The Sources Nobody Thinks About

The obvious data sources — social media profiles, LinkedIn, Google results — are not the interesting ones. Most people mentally account for those. The sources that surprise people are the ones they never opted into.

Voter registration records are public in many US states. In some states, the publicly available file includes your full name, registered address, date of birth, and party affiliation. The rules vary: California allows you to opt out of the commercial distribution of voter data; other states have no such mechanism.

Property records are maintained by county assessors and are generally public. If you own a home, your name, address, purchase price, and in some jurisdictions your mailing address (useful if you use a PO box) are a public records request away — and often already indexed by third-party sites.

Court records vary widely by jurisdiction, but civil suits, small claims cases, evictions, and traffic violations are often accessible through court portals or commercial data aggregators. A divorce filing, a landlord dispute, or a name change can all generate court records.

Business registration records are public in every US state. If you have ever formed an LLC or registered a business, your name appears as the registered agent or organizer. Some states also require a physical address.

WHOIS data for domain registrations was historically fully public — name, address, phone, email for every registered domain. ICANN's 2018 GDPR compliance changes obscured much of this, but historical WHOIS data is still accessible through services like DomainTools, and gTLDs with weaker compliance still leak registrant details.

The Aggregation Problem

Each data point above seems harmless in isolation. A voter record gives your address. A LinkedIn profile gives your employer. A court record gives your old address. A domain registration gives a phone number. None of these, on its own, tells a complete story.

The danger is aggregation. A motivated investigator stitching together voter data, WHOIS records, LinkedIn, court filings, and people-finder sites builds a profile that includes your current and historical addresses, employer, approximate income range, family members, vehicle information, and daily patterns — without accessing a single system they were not supposed to access.

Privacy law and privacy intuition both tend to evaluate data points individually. Knowing your name is harmless. Knowing your address is harmless. Knowing your employer is harmless. The combination — name, address, employer, daily commute route, physical description — is a stalking toolkit. Aggregation creates a qualitatively different risk that individual data points do not suggest.

People-finder services like Spokeo, Intelius, BeenVerified, and Whitepages.com exist specifically to perform this aggregation commercially. They pull from public records, data brokers, and scraped web content, and sell it as a subscription product or per-lookup fee. The data is often outdated, but it is frequently accurate enough to be actionable.

Tools Investigators Actually Use

OSINT practitioners are not using specialized hacking tools for most investigative work. The tooling is largely open-source or commercially available:

| Tool | What It Does | Who Uses It |
| --- | --- | --- |
| Google dorking | Advanced search operators (site:, filetype:, inurl:, intitle:) to surface indexed data that basic searches miss | Journalists, security researchers, recruiters |
| Shodan | Search engine for internet-connected devices — routers, cameras, industrial systems indexed by IP and banner | Penetration testers, security researchers, threat intelligence |
| Maltego | Link-analysis platform for visualizing relationships between entities — people, domains, IPs, organizations | Law enforcement, corporate investigations, red teams |
| HaveIBeenPwned | Checks email addresses and phone numbers against known breach datasets | General public, security teams, credential monitoring |
| TheHarvester | Aggregates email addresses, subdomains, and hosts from public sources for a given domain | Penetration testers, red teams |
| Archive.org / Wayback Machine | Historical snapshots of websites — reveals content that has since been deleted or modified | Journalists, legal investigators, OSINT analysts |

None of these require special access. Shodan requires a free account. Maltego has a free community edition. HaveIBeenPwned is free for individual lookups.

Breach Data Is Its Own Category

Beyond public records and aggregator sites, breach data is a persistent and underappreciated source. Major data breaches from services like Adobe (2013, 153M records), LinkedIn (2012 and 2021), Yahoo (2013, 3B accounts), and hundreds of smaller incidents have put plaintext or weakly-hashed credentials, email addresses, usernames, IP histories, and security question answers into circulation.

This data is traded and sold in underground markets, but significant portions also appear in public dumps that anyone can download. An investigator with your email address can cross-reference it against known breach data to find usernames you have used on other platforms, passwords you may still be reusing, and services you have accounts on that you may not remember.

Password reuse is not just a security problem — it is an OSINT problem. The same username-and-password combination from a 2014 forum breach can reveal your handle on a dozen platforms, connecting identities you believed were separate.
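
A self-audit sketch for the linkage described above, added here as an example and not taken from any tool named in this post: it groups your own account inventory into clusters that share an email address, username, or reused password. The inventory, field names, and `pw_id` labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory, e.g. typed up from your own password manager.
# pw_id is a local label meaning "same password", never the password itself.
ACCOUNTS = [
    {"service": "old-forum.example", "email": "me@example.org", "username": "nightowl77", "pw_id": "A"},
    {"service": "photo-site.example", "email": "alt@example.net", "username": "nightowl77", "pw_id": "B"},
    {"service": "shop.example", "email": "alt@example.net", "username": "j.doe", "pw_id": "C"},
    {"service": "game.example", "email": "g4m3r@example.com", "username": "xX_owl_Xx", "pw_id": "A"},
    {"service": "bank.example", "email": "bank-7f3a@alias.example", "username": "u8831", "pw_id": "D"},
]
FIELDS = ("email", "username", "pw_id")

def _keys(acct):
    # Case-insensitive identifiers, namespaced by field so pw_id "A" != username "a".
    return [(f, acct[f].strip().lower()) for f in FIELDS]

def shared_values(accounts):
    """Return {(field, value): [services]} for identifiers used more than once."""
    seen = defaultdict(list)
    for acct in accounts:
        for key in _keys(acct):
            seen[key].append(acct["service"])
    return {k: v for k, v in seen.items() if len(v) > 1}

def linked_clusters(accounts):
    """Union-find: accounts sharing any identifier, even transitively, merge."""
    parent = list(range(len(accounts)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i
    first_seen = {}
    for i, acct in enumerate(accounts):
        for key in _keys(acct):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i, acct in enumerate(accounts):
        groups[find(i)].append(acct["service"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

if __name__ == "__main__":
    for cluster in linked_clusters(ACCOUNTS):
        print(len(cluster), cluster)
```

In the sample, four accounts collapse into one cluster even though no single identifier is common to all of them; only the account with its own alias, username, and password stays separate.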

Reducing Your Footprint

A complete digital footprint elimination is not realistic for most people. The goal is reduction and compartmentalization — making aggregation harder, making the data less accurate, and making your sensitive activities harder to connect to your real identity.

Data broker opt-outs are tedious but effective for the highest-risk sources. Sites like Spokeo, Intelius, BeenVerified, and Whitepages all have removal processes. Our post on data broker opt-outs covers the practical workflow. The limitation is that new data gets scraped regularly, so opt-outs require periodic re-submission.

Registered agent services for business filings keep your personal address out of public business records for a modest annual fee. If you run any kind of business, this is worth doing.

Domain privacy protection (WHOIS privacy) is now offered free by most major registrars. Enable it on every domain you own. It replaces your contact information with the registrar's proxy service in public WHOIS records.

Pseudonymous accounts for low-stakes services reduce the number of places your real name appears. The key discipline is not letting pseudonymous accounts develop detectable behavioral patterns — writing style, posting times, topics, and cross-references can de-anonymize accounts even without a name attached. Our post on browser fingerprinting covers related tracking techniques.

Unique email addresses per service prevent the cross-site correlation that makes breach data so useful to investigators. Email aliases — whether through a service like SimpleLogin or a custom domain with catch-all routing — mean that a breach at one service cannot be linked to your accounts at others.
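
One way to generate the per-service addresses described above on a catch-all domain (an added example, not Haven's or SimpleLogin's code): an HMAC tag makes each alias unguessable and lets you trace a leaked address back to the service it was issued to. The domain `mail.example`, the secret, and the function names are assumptions.

```python
import hashlib
import hmac
import re

def _label(service):
    # Normalise "Shop.Example" and " shop.example " to the same prefix.
    return re.sub(r"[^a-z0-9]+", "-", service.strip().lower()).strip("-")

def alias_for(service, secret, domain="mail.example"):
    """Deterministic per-service address: <label>-<8 hex HMAC chars>@<domain>."""
    label = _label(service)
    tag = hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:8]
    return f"{label}-{tag}@{domain}"

def issued_to(address, services, secret, domain="mail.example"):
    """Return the service a leaked or inbound alias was issued to, else None.

    A guessed address such as bank@mail.example has no valid tag and is
    rejected, which a plain catch-all would not do.
    """
    candidate = address.strip().lower().encode()
    for service in services:
        expected = alias_for(service, secret, domain).encode()
        if hmac.compare_digest(expected, candidate):
            return service
    return None

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # assumption: stored in your password manager
    services = ["shop.example", "old-forum.example", "bank.example"]
    for s in services:
        print(s, "->", alias_for(s, secret))
    leaked = alias_for("old-forum.example", secret)  # constructed "breach" entry
    print("leak came from:", issued_to(leaked, services, secret))
```

On a single-user custom domain every alias still shares the domain part, so this blocks exact-match correlation and alias guessing, not domain-level linkage.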

What This Means for Your Communications

OSINT reconnaissance is often the first step before more targeted attacks: phishing, social engineering, SIM swapping. An attacker who knows your email address, carrier, and the last four digits of your Social Security number (often inferrable from breach data) has the raw material for an account takeover.

This is the argument for separating your communication identity from your public identity. A messaging platform tied to your phone number or your name links your private communications to the same profile that public records, data brokers, and breach databases are building. A platform that allows pseudonymous accounts and does not require a phone number breaks that link — though it does not eliminate it entirely if you access the service from identifiable infrastructure.

Haven uses email-format identifiers (not phone numbers) and derives your vault key client-side from your passphrase — your server-side account does not need to store your real identity. It is one option among others for reducing the surface area between your communication identity and your public record. The broader point is that the architecture of how a service identifies you matters more than its encryption claims.
