You Are Not Hard to Find

Open a browser. Go to TruePeopleSearch.com. Type in your name and your state.

I’ll wait.

---

If your experience is like most people’s, you just found your home address, your phone number, your age, your previous addresses, the names of your relatives, and possibly your estimated income — listed publicly, searchable by anyone, for free. Spokeo.com will show you similar information, often with your email addresses and social media profiles attached. There are hundreds of these sites. They aggregate data from public records, commercial databases, and data brokers — the same pipeline I described in Chapter 2, except this is the consumer-facing end. The data broker sells your profile wholesale. The people search site sells it retail, one lookup at a time, to anyone who types your name.

Now do this: open a new tab and Google yourself. Try your full name plus your city. Then your name plus your phone number. Then your name plus your email address.

Look at what comes back. Look at the images. Look at how many versions of your digital identity exist across how many sites, and notice how much of it you didn’t put there.

This is what you look like to anyone who wants to find you. An abusive ex-partner. A stalker. A doxxer. An employer running an off-the-books background check. A data broker building a profile. A law enforcement officer doing preliminary research before there’s any investigation. The information is there, it’s free, and it takes less time to find than it took you to read the last paragraph.

---

Most people dramatically underestimate their own exposure. Not because they’re careless — because the gap between what you think is private and what’s actually findable has been widening for two decades, and no one sends you a notification when your home address appears on a new people-search site.

Data brokers re-aggregate your information every three to six months. Even if you’ve never signed up for a data broker site, you’re on them. They pull from public records — voter registration, property records, court filings, professional licenses — and from the commercial surveillance pipeline. Every time you opt out, you’re removing one copy. The sources keep generating new ones.

This sounds discouraging. It shouldn’t be. Here’s why.

Consumer Reports ran a study on data broker opt-outs and found that manual removals were at least as effective as paid services — and in some cases more effective, because paid services automate a process that some brokers are better at blocking than the manual route. The opt-outs work. They’re free. They take time. And yes, you’ll need to redo them periodically. Think of it the way you think about changing your oil — it’s maintenance, not a one-time fix.

---

Three things. All today.

First: search yourself on TruePeopleSearch and Spokeo. You’ve probably already done TruePeopleSearch. Do Spokeo too. Write down exactly what each site has on you. This goes in your field journal — it’s your exposure baseline.

Second: begin the opt-out process. Both sites have removal processes. For TruePeopleSearch, scroll to the bottom of the homepage and click “Do Not Sell or Share My Personal Information,” then follow the opt-out form. For Spokeo, go to spokeo.com/optout, enter the URL of your listing, provide an email address, and confirm. Use a disposable email if you have one — data brokers have been known to add the email you use for opt-outs back into their databases.

After those two, do the same for Whitepages, BeenVerified, and Radaris. Between those five, you’ll have covered the largest people-search sites. The process for each takes five to ten minutes.

Third: set up Google “Results About You.” Google has a tool that lets you request removal of search results containing your personal contact information — phone number, home address, email. Go to myactivity.google.com/results-about-you or search “Google Results About You” to find it. It’s not comprehensive, but it’s free and it flags new results as they appear. Think of it as an early warning system for your exposure.

If you’re Tier 2 or 3 in your threat model, run the free Optery scan at optery.com. It searches over a thousand data broker sites at once and shows you everywhere your information appears. The free scan tells you where you are. Their paid service handles removals, but you can use the scan results to do manual opt-outs yourself.

Record everything in your field journal. What you felt, what you found, where, what you’ve requested removal from, and what’s still outstanding. You’re going to check back in a few months.

---

Let me tell you about a trail of breadcrumbs.

In May 2020, a woman was captured on news footage setting two Philadelphia police cars on fire during a protest. She was wearing a mask, goggles, and a distinctive T-shirt. She thought she was anonymous.

FBI agents identified the T-shirt — “Keep the immigrants, deport the racists” — and found the Etsy shop that sold it. On the Etsy listing, a reviewer from Philadelphia had left a five-star review under a username. Agents searched that username and found it on Poshmark, a clothing resale site, where the display name was “lore-elisabeth.” They searched that name and found a LinkedIn profile for a massage therapist in Philadelphia. Her employer’s website had videos showing her at work. In the videos, agents spotted a distinctive tattoo on her forearm — the same tattoo visible in the protest footage.

Lore-Elisabeth Blumenthal was arrested and eventually sentenced to two and a half years in federal prison. The entire identification chain started with a reused username on a shopping site.

No facial recognition. No surveillance technology. No warrants for data. Just the connections between accounts that shared identifiers — a username, a name, a location — because no one thinks about how their Etsy reviews connect to their LinkedIn page connects to their employer’s website connects to their physical body.

That’s what OSINT is. Open-source intelligence — the practice of building a complete picture of someone from publicly available information. It’s what investigators do. It’s what doxxers do. It’s what data brokers automate at scale. And the raw material for all of it is the connections between your accounts, your names, your handles, and your patterns.

If you’ve seen Fight Club, you remember Project Mayhem’s fantasy: blow up the credit card companies, erase the debt record, reset everyone to zero. Tyler Durden wanted to destroy the system that tracked you. It’s a satisfying fantasy — but it’s a fantasy. The records can’t be destroyed. They regenerate. The data brokers re-aggregate. The public records refresh. New connections form every time you create an account, leave a review, or appear in someone else’s photo.

The real version of Project Mayhem isn’t erasure. It’s management. You can’t blow up the building where your data lives, because your data lives in a thousand buildings. What you can do is reduce your exposure, break the connections between identities, and make the trail harder to follow. That’s what the opt-outs are. That’s what username discipline is. Not a reset — ongoing maintenance of the gap between your real life and your findable life.

---

Look at your own accounts. How many of your usernames are the same across platforms? How many connect your real name to accounts you’d rather keep separate? If someone started with your LinkedIn and worked outward — the way those agents worked outward from Blumenthal’s — what would they find? How many steps between your professional identity and your private one?

You don’t need to fix all of this tonight. But you need to see it. The next chapter addresses the window you’re looking through right now — your browser. It’s a two-way window.

---