OSINT self-audit

Find what a stranger can find about you in ten minutes — and then take it down. UK-specific, exhaustive, with the actual forms, request templates, and links you need. Allow yourself two hours.

Last updated: 10 May 2026. Written for a UK reader.

Before you start

Decide what you are doing this for. The audit is the same regardless, but how you act on what you find depends on your threat model. The most common reasons people run a self-audit are:

  • General hygiene — you'd rather not have your home address one Google search away from any random person.
  • Public-facing role — you've taken a job, written a book, given a talk, or stood for office, and you want to know what an opposition researcher would find.
  • Targeted concern — you are being harassed, stalked, or doxxed, or you have left an abusive relationship.
  • Professional — you handle sensitive information (legal, journalism, medical, defence, intelligence) and your home life leaking into your work life is a real operational risk.

If you are in the third category, this guide is the wrong starting point. Operational safety comes before audit. Talk to Refuge's Tech Safety team, the Suzy Lamplugh Trust's National Stalking Helpline, or your local police if there is an immediate threat. You can audit later from a safe baseline.

For everyone else: open a fresh notes document, set a two-hour timer, and let's begin.

Part 1 — Find yourself

The goal of part 1 is observation only. Don't act yet. Don't message your local council, don't fire off GDPR requests, don't delete anything. Just look, and write down what you find. You will see things that surprise you. You will see things that don't matter. You can't tell which is which until you have the whole picture.

1.1 — The basic name search

In a private/incognito window, signed out of every account, search for:

  • Your full name in quotes, e.g. "Joanna Smith"
  • Your name plus your town: "Joanna Smith" Stockport
  • Your name plus your employer or your professional field: "Joanna Smith" pharmacist
  • Your name plus old surnames if you've ever changed yours.

Run those searches against Google, DuckDuckGo, Bing, and Yandex. The four engines have meaningfully different indexes — Google ignores some old content, Yandex retains it for years longer.

While you are there, search Google Images for your name. And search using your own profile photo — drag the image in — to find every reused copy of it across the web. Yandex Images is dramatically better at reverse-image search than Google for faces.

1.2 — The breach databases

Check every email address you have used in the last fifteen years against:

  • Have I Been Pwned — the canonical breach database. Free, run by Troy Hunt, well-respected. Sign up to the notify-me service while you are there.
  • Pwned Passwords — k-anonymity password lookup. If a password you've used is in there, change every site you used it on.
  • SpyCloud (free tier) — sometimes catches breaches HIBP doesn't.
  • BreachDirectory — partial-character preview of leaked passwords; useful for confirming a credential really has been exposed.

Note every breach. You'll need the list later when you decide what passwords still need rotating.

1.3 — The Wayback Machine

The Internet Archive's Wayback Machine remembers what you wrote on your old MySpace page in 2007, what your old company's about-us page said, and what your old personal blog used to look like. Search:

  • Your name on every old domain you have ever owned.
  • Old usernames you have abandoned (more on this below).
  • Old Twitter / X handles via https://web.archive.org/web/*/twitter.com/yourhandle/*

If you find old content you'd rather wasn't archived, the Internet Archive will remove pages on request for "valid reasons" — they're reasonable about this in practice.

1.4 — UK-specific aggregators

This is where the UK-flavoured part starts. Search yourself on:

  • 192.com — UK directory aggregator. Pulls from the open electoral roll, BT phone book, Companies House, and other public registers. The most important one to clean up.
  • Companies House — if you have ever been a director, your name and an address are public. Director addresses became less exposed after 2009 but historical filings still show old home addresses.
  • Endole and OpenCorporates — free corporate-data aggregators that pull from Companies House. Removing yourself from Companies House does not automatically remove you from these.
  • HM Land Registry — anyone can buy a "title register" for any property in England and Wales for £3, which lists owners, the price they paid, and any mortgage charge. There is a separate process for Scotland (Registers of Scotland) and Northern Ireland.
  • The open electoral roll — see "the open electoral roll" below.
  • Probate records — wills become public once probate is granted. Check whether you appear in a parent's or grandparent's will.
  • General Register Office — births, marriages, and deaths. Index is searchable for free; certificates cost.
  • TrustOnline — county court judgments and bankruptcies. Costs ~£10 per search. Worth running once.

1.5 — The open electoral roll

This catches almost everyone in the UK out at least once. There are two electoral rolls:

  • The full register is used for elections, jury selection, and the prevention of fraud. You cannot opt out of it.
  • The open register (formerly "edited register") is sold by local authorities to anyone who wants it — typically marketing companies and credit-reference agencies. You can opt out, but every adult has to opt out for themselves, and you must do it again whenever you move house.

Your name and home address sitting on the open register is the single biggest source of UK-specific personal-data leakage for most people. Aggregators including 192.com pull from it directly. Opt-out instructions are in part 3.

1.6 — Social and professional graph

For each platform you use or have used, search yourself signed out:

  • LinkedIn — your full work history is the closest thing most people have to a public CV. Note who is endorsing you, what photos are public, what your "about" section reveals.
  • X / Twitter — even if your account is private, replies to public accounts are public. Run advanced search for from:yourhandle with no date bounds.
  • Bluesky / Mastodon / Threads — same drill.
  • Facebook — old check-ins, tagged photos, group memberships, your year of birth on your profile.
  • Instagram — geotagged photos and old "stories" highlights.
  • Reddit — there are tools that will list every post and comment a username has ever made. Try Reveddit — it surfaces removed comments too.
  • GitHub / GitLab — your public commits include your committer email by default. Many people accidentally commit with their real-name email. Check yours: any commit you've pushed publicly carries that email forever.
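One way to run the committer-email check on a local clone, as an added example (not part of the original guide): it reads both the author and committer fields across every ref and reports any address that is not a GitHub no-reply alias. The sample log, hashes and addresses are constructed; read_log needs git installed and is not called in the offline demo.

```python
import subprocess
from collections import Counter

# Addresses that reveal nothing: GitHub's per-user alias and its web-UI committer.
ALIASES = ("@users.noreply.github.com", "noreply@github.com")
LOG_FORMAT = "%h%x09%ae%x09%ce"  # short hash, author email, committer email

def read_log(repo_path):
    """Dump both email fields for every commit on every ref of a local clone."""
    return subprocess.run(
        ["git", "-C", repo_path, "log", "--all", "--format=" + LOG_FORMAT],
        check=True, capture_output=True, text=True,
    ).stdout

def exposed_emails(log_text, aliases=ALIASES):
    """Count commits per (field, email) where the address is not an alias."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _commit, author, committer = parts
        for field, email in (("author", author), ("committer", committer)):
            if not email.lower().endswith(aliases):
                hits[(field, email.lower())] += 1
    return hits

# Constructed sample of read_log() output; hashes and addresses are made up.
SAMPLE_LOG = (
    "a1b2c3d\tjoanna.smith@example.com\tjoanna.smith@example.com\n"
    "e4f5a6b\t12345678+jsmith@users.noreply.github.com\tnoreply@github.com\n"
    "c7d8e9f\tjoanna.smith@example.com\t12345678+jsmith@users.noreply.github.com\n"
)

if __name__ == "__main__":
    for (field, email), n in sorted(exposed_emails(SAMPLE_LOG).items()):
        print(f"{email} appears as {field} on {n} commit(s)")
```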

1.7 — Old usernames

Make a list of every username you have used since you first got online. Aim back as far as your first email account, your first AIM/MSN handle, your first forum login. Then search each one with sherlock or WhatsMyName — both will check hundreds of sites for that username in one go. You will be surprised by how much old content is out there under handles you stopped using a decade ago.

1.8 — Domains, WHOIS, and the certificate transparency log

If you have ever registered a domain name, your name, address, email, and phone number may be in WHOIS records. Some registrars switch on privacy by default; many don't. Check the current WHOIS for every domain you own at ICANN Lookup. Then check historical WHOIS via tools like ViewDNS — once your details have been published, the historical record is, in practice, permanent.

Certificate transparency logs record every TLS certificate issued for every domain. Search for any domain you control on crt.sh — including subdomains. Subdomains you forgot about are a common operational-security hole.
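A way to turn a crt.sh export into a list of forgotten hostnames, as an added example (not part of the original guide): it parses JSON in the shape crt.sh returns for a query such as https://crt.sh/?q=%25.example.org&output=json and compares the logged names with the ones you intend to be public. The domain example.org, the sample entries and the function names are assumptions.

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output; not real log data.
SAMPLE = json.dumps([
    {"name_value": "example.org\nwww.example.org",
     "not_before": "2026-03-01T00:00:00", "not_after": "2026-05-30T00:00:00"},
    {"name_value": "nas.home.example.org",
     "not_before": "2026-04-10T00:00:00", "not_after": "2026-07-09T00:00:00"},
    {"name_value": "staging.example.org",
     "not_before": "2021-01-05T00:00:00", "not_after": "2021-04-05T00:00:00"},
    {"name_value": "staging.example.org",
     "not_before": "2020-10-05T00:00:00", "not_after": "2021-01-05T00:00:00"},
    {"name_value": "*.example.org",
     "not_before": "2026-02-01T00:00:00", "not_after": "2026-05-02T00:00:00"},
])

def hostnames_from_ct(body, apex):
    """Map each logged hostname under apex to the latest certificate expiry seen."""
    latest = {}
    for entry in json.loads(body):
        expiry = datetime.fromisoformat(entry["not_after"])
        # name_value holds one or more names, separated by newlines
        for name in entry["name_value"].splitlines():
            name = name.strip().lower().rstrip(".")
            if name != apex and not name.endswith("." + apex):
                continue
            if name not in latest or expiry > latest[name]:
                latest[name] = expiry
    return latest

def forgotten(body, apex, intended, today):
    """Logged hostnames missing from your intended-public set.
    Returns (hostname, still_has_unexpired_cert) pairs, sorted by name."""
    report = []
    for name, expiry in sorted(hostnames_from_ct(body, apex).items()):
        if name in intended or name.startswith("*."):
            continue  # wildcard entries do not name a specific host
        report.append((name, expiry >= today))
    return report

if __name__ == "__main__":
    public = {"example.org", "www.example.org"}
    for host, live in forgotten(SAMPLE, "example.org", public, datetime(2026, 5, 10)):
        print(host, "unexpired certificate" if live else "expired, still in the log")
```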

1.9 — Family tree leaks

Even if you have never used Ancestry, MyHeritage, or 23andMe, an enthusiastic relative may have uploaded your name, parents' names, and date of birth to a public family tree. Search Ancestry, FamilySearch, and Geni for your full name. Some trees can be made private on request to the owner.

Part 2 — Triage

You should now have a notes document with quite a long list. Sort everything you found into four buckets:

  • Take down. Things you can remove or have removed: open-register listing, 192.com record, old social-media account, an embarrassing forum post from 2009, an old WHOIS record exposing your home address.
  • Lock down. Things you can keep but make less visible: tighten LinkedIn privacy, switch your GitHub committer email to a private no-reply alias, change your Companies House service address.
  • Acknowledge. Things you cannot remove and should plan around: a court judgment, a published academic paper with your old institution's address, a charity-trustee filing. You can't unpublish these — you can decide they're not a vulnerability if your operational baseline assumes they're known.
  • Future hygiene. Patterns to fix going forward: stop using your home address for domain registrations, stop using your real-name email for GitHub commits, switch to alias addresses for online accounts.

Now you have a to-do list. Part 3 walks through how to act on each bucket.

Part 3 — Take it down

3.1 — Opt out of the open electoral roll

Each local authority handles this slightly differently, but they all have to. The simplest path is:

  1. Search "your council name open register opt out".
  2. Use the form (most councils have an online form; some require email or a letter).
  3. Specify that the opt-out applies to every adult at the address who wishes to opt out — each person has to be named.
  4. Repeat any time you move.

The Electoral Commission's guidance on personal data gives the legal basis if you need to point a recalcitrant council at it.

3.2 — Remove yourself from 192.com

192.com publishes a removal form ("how do I remove my details"). Submit it. Keep a screenshot of the confirmation. They are usually quick (days, not weeks). Do this after opting out of the open register — otherwise the next refresh will put you back on.

3.3 — Tighten Companies House

Three separate things to do depending on your situation:

  • Service address. If your filings list your home address as your "service address", change it now. Use a registered-office service, an accountant's address, or a virtual office. The change is free and online via the CH01 form.
  • Registered office. Same idea — if your company's registered office is your home, move it. The AD01 form does this for free.
  • Suppress historical home addresses. Companies House offers an application to remove a home address that appears on historical filings — SR01 form for ordinary cases, with a small fee per document. There is a separate SR04 "extreme circumstances" application — used by people facing real, evidenced threats — which stops the address on the live register from being made available to credit-reference agencies and the public. SR04 requires evidence and is properly assessed; don't use it unless you genuinely need it.

3.4 — Get content out of search results

Three different mechanisms, each with its own scope:

  • Right-to-be-forgotten request (UK / EU GDPR) — Google's form. Asks Google to delist a URL from search results when your name is the query. Doesn't remove the page itself. Useful for old, irrelevant, or harmful results. The page-owner gets notified.
  • Personal information removal: Google's "Results about you" tool. For pages exposing specific PII (home address, phone, ID numbers). Faster than RTBF; aimed at consumer doxxing rather than legal grounds.
  • Outdated content: Google's outdated-content tool. For when a page has been changed or deleted but is still cached / indexed. Quick to action, free.

Bing has equivalents at Bing's EU privacy request and content-removal tool. DuckDuckGo and Brave Search proxy other indexes; remove from Bing/Google and they will follow.

3.5 — UK GDPR right to erasure

For any UK or EU organisation that holds your personal data and has no good reason to keep it, you have a right to ask them to delete it (Article 17 UK GDPR). You can also exercise:

  • Subject access (Article 15) — "tell me what you hold on me". Free, must be answered within one calendar month.
  • Rectification (Article 16) — "this is wrong, fix it".
  • Restriction / objection (Articles 18 / 21) — "stop processing for this purpose".

Send a single short email. You don't need to cite article numbers, you don't need a specific form, and you don't need to pay. The ICO's Your Data Matters pages give plain-English templates. If the organisation refuses or doesn't reply within a month, escalate to the ICO.

3.6 — Data brokers

The UK has a smaller data-broker industry than the US, but the major ones are still here. Submit erasure requests to:

For the credit reference agencies (Experian, Equifax, TransUnion), full erasure is rarely possible because they have a legal basis to retain certain credit-history data. But you can opt out of marketing uses, suppress data brokerage, and get your records corrected.

3.7 — Lock down the social graph

For each platform that you've decided to keep:

  • Audit the privacy controls. The defaults are never the right answer.
  • Remove old content you don't want public (or the whole account if you don't use it).
  • Strip metadata from photos before posting (Instagram and Facebook strip EXIF; X partially does; Bluesky does not).
  • Set up GitHub's "block command-line pushes that expose my email" option and use the users.noreply.github.com alias for commits.
  • Move your LinkedIn profile to "name and headline visible, everything else login-walled".

3.8 — Domains and TLS

Move every domain you control to a registrar that includes WHOIS privacy by default (Porkbun, Cloudflare Registrar, Gandi). For .uk domains, opt for the "non-trading individual" status at Nominet to suppress your address from public WHOIS.

You can't undo what's already in historical WHOIS — but you can stop adding to it. For TLS certificates, certificate-transparency logs are immutable; the right move is not to issue certificates for hostnames you don't want made public (use a private CA for genuinely private services, or wildcard certificates that don't enumerate every subdomain).

Part 4 — Stay clean

Audit and take-down is a one-off project. Staying clean is a set of habits. The most useful ones, in priority order:

4.1 — Use email aliases

Stop giving your real email address to every service. Use an aliasing provider — SimpleLogin, addy.io, DuckDuckGo Email Protection, or Apple's "Hide My Email". Each service you sign up to gets a unique alias. When that service gets breached or starts spamming, kill the alias. You stop being the product.

4.2 — Use a password manager and unique passwords

1Password or Bitwarden, hardware-key 2FA via YubiKey or similar, no exceptions. The password reuse you do today is the breach you read about in two years.

4.3 — Use phone-number aliases

For UK numbers: a free giffgaff SIM in a cheap second handset gives you a "for paperwork" number that isn't your real one. Or, for online-only accounts, a service like NumberBarn or MySudo for receive-only numbers.

4.4 — Don't publish what you don't have to

Date of birth, mother's maiden name, name of first school, name of first pet, place of birth: these are not biographical details, they are common security questions and identity-verification answers. Strip them from social-media bios. Don't post a "20 facts about me" thread. The fact that the security questions are bad doesn't mean you should hand-feed them to whoever asks.

4.5 — Annual review

Diary a recurring task to repeat the audit once a year. The internet is constantly trying to re-list you. The aggregators repopulate. New breach data turns up. New services launch. An hour, once a year, keeps it under control.

If this was useful

Tell a friend. Send them this URL, or print this page out and walk through it together. The audit is dramatically more effective when two people do it together — you'll find each other's exposures faster than your own. If you found errors or have additions, drop me a line — I keep this guide actively maintained.

