People OSINT

The Ethical Starting Point

People OSINT is probably the most sensitive area of the entire discipline, because it deals directly with data about real individuals. That is why it must begin — and not end — with ethical reflection. Before searching for a single datum, you must be clear about the investigation's legitimate purpose, its authorized scope, and the applicable legal framework, especially data protection laws like the EU's GDPR or equivalent regulations in other countries.

The guiding principle is proportionality: collect only the information necessary for the stated objective, no more and no less. Discovering that something is technically possible does not mean it is ethical or legal to do it. Legitimate people OSINT happens in contexts like consented identity verification in hiring processes, due diligence, public-interest journalism, or authorized penetration tests that include social engineering.

It must never be used for harassment, stalking, doxing, impersonation, or surveillance of an ex-partner or acquaintance. These activities are illegal in most jurisdictions and constitute a serious breach of professional ethics. This course teaches the technique to defend, investigate legitimately, and protect; never to harm.

Social Media and Public Presence

Social media is the richest source of people OSINT, because users voluntarily publish large amounts of information. LinkedIn profiles reveal work history and professional connections; posts on X, Instagram, or Facebook show interests, locations, and relationships. The technique consists of analyzing what is publicly visible, without ever accessing private content or circumventing privacy controls.

A key aspect is analyzing the network of contacts and interactions: who a person interacts with, what pages they follow, what events they post. These connections often say as much as the direct content. Published photos can contain relevant background information (location cues, visible documents) and, as we will see in Lesson 6, metadata.

Verification is fundamental: social media abounds with fake profiles, namesakes, and abandoned accounts. Confusing two people with the same name is a frequent and potentially serious error. Each attribution must be backed by several independent indicators before it is considered confirmed.

Usernames and Identity Correlation

People tend to reuse usernames across different platforms, which makes them an excellent pivot point. If you find that someone uses "jdoe_dev" on GitHub, it is reasonable to search for that same identifier on Reddit, technical forums, gaming platforms, and social networks. Tools like Sherlock, Maigret, or WhatsMyName automate this search across hundreds of services and return the matches.

Email correlation follows similar logic. From an email address you can discover associated profiles, registered services, and — using tools like Hunter.io — deduce an organization's email pattern. The goal is to build an identity graph that links the different presences of the same person, always within the limits of the investigation.

It is worth remembering that correlation is never absolute certainty. Two accounts with the same username may belong to different people, and one person may maintain deliberately separate identities. The analyst must express conclusions with the appropriate confidence level and never present a likely correlation as a fact.

Data Breaches and Public Records

Data breaches are a delicate resource. Services like Have I Been Pwned let you check, legitimately and in aggregate, whether an email address has appeared in known leaks — very useful information in security audits to alert an organization to compromised credentials. However, downloading, buying, or using the raw content of leaked databases (passwords, personal data) is illegal in most jurisdictions and falls completely outside ethical OSINT.

Public records, by contrast, are a perfectly legitimate source when the law makes them accessible: business registries, official gazettes, intellectual property, sanctions, public litigation, or professional registries. Their availability varies greatly by country, and the responsible investigator knows what is legally accessible in their jurisdiction.

In every case, the rule is the same: use only what is public and legal, document the source, and respect privacy. People OSINT done well is a powerful tool for security and justice; misused, it is a violation of rights. The difference lies entirely in intent, scope, and respect for the law.