Skip to content

Operational security

OSINT is collection, but collection is not invisible. Opening a tool, loading a remote image, or mishandling a backup can expose your interest, your identity, or your subject's data. This page covers practical operational security (OPSEC) for working with Osintracker.

This is general guidance, not legal advice or a guarantee of anonymity. Adapt it to the sensitivity of your case.

Mind what reaches the network

Osintracker keeps your data local, but some actions deliberately contact third parties. Know which ones:

  • Opening a resource sends the entity's value to that third-party tool, from your IP address. If the tool is operated by — or visible to — your subject, you've just signalled interest.
  • Remote images (entity image URLs) are fetched from their host when the graph loads, revealing your IP to that host. Connector profile-photo downloads on osintracker.com are proxied, so the avatar host sees OSINTracker's server rather than your IP.

The app's reference data (types, families, resources) is bundled into Osintracker — opening the app makes no startup call that includes your data.

See Privacy & data → What leaves your browser for the full list.

Separate your investigation identity

Don't let investigative activity touch your personal footprint.

  • Use a dedicated browser profile (or a separate browser, or a VM) for OSINT work, with its own logins and history.
  • Manage your network attribution deliberately — a VPN or Tor changes the IP that third-party tools and image hosts see. Decide before you start clicking.

Active vs. passive — don't tip off the target

  • Treat every outbound click as potentially observable by the subject.
  • For sensitive targets, prefer archived copies (the Internet › archive type) over visiting live pages directly.
  • Be cautious with connectors: they import a JSON you exported from the service, so the import itself is local — but generating that export on the service is an active step performed under your account there.

Protect your data at rest

Your investigations live in your browser, and your exports live as files. Both deserve protection.

  • Enable persistent storage so data isn't silently evicted, but remember it also means sensitive data persists on the device — clean up when done.
  • On a shared or public computer, never leave investigations in the browser. Export what you need, then clear the site's data (see Deleting your data).
  • Consider full-disk encryption on your working machine.

Protect your backups

.osintracker export files are plaintext — anyone who opens one reads the entire case, including comments and notes.

  • Store backups on an encrypted disk or inside an encrypted archive (e.g. an encrypted ZIP or a vault).
  • Don't email or upload them to general-purpose cloud storage unprotected.
  • Apply retention limits: delete backups you no longer need.

Share exports carefully

Before sending a report out, remember what it contains.

  • HTML / Markdown / CSV / JSON exports can include every value, comment and note — review them for sensitive details and redact as needed.
  • Exported reports may embed images and source links; check that none expose more than intended.
  • Prefer secure, access-controlled channels for anything sensitive.

A pre-investigation checklist

  • [ ] Dedicated browser profile / VM ready, unrelated to your personal accounts
  • [ ] Network attribution decided (VPN/Tor or not) and verified
  • [ ] Persistent storage enabled; device disk encrypted
  • [ ] A backup routine and a secure place to store .osintracker files
  • [ ] Awareness of which clicks are observable by the subject

For investigative method and the legal/ethical dimension, see Methodology & best practices.

Osintracker user guide