A worldwide guide to using public information to verify identity, spot romance scams, and protect yourself — without crossing into stalking, doxxing, or illegal data gathering.
Why this matters
Meeting someone online now comes with a basic modern question: who is this person, really? That question is reasonable. So is a limited amount of checking. Consumer-protection agencies and major dating platforms actively recommend steps like staying on-platform at first, doing a video call, using verification tools, and reverse-image-searching suspicious profile photos to spot scams and impersonation.
But there is a hard line between verifying someone for your safety and building a dossier on them. Once your “research” turns into deceptive collection, repeated monitoring, publication of private details, or attempts to obtain restricted records, you are no longer doing smart due diligence. You are entering legal, ethical, and safety trouble.
The safest rule is simple: verify identity and consistency, not private life and vulnerability.
What OSINT should mean in dating — and what it should not
In a dating context, OSINT should mean using open, public, voluntarily shared, or platform-provided information to answer a narrow set of questions: Is this person real? Do their photos match? Do their basic facts line up? Are there scam signals? That is a very different goal from trying to uncover someone’s address, relatives, daily routine, or old personal records.
That distinction matters because public data can still be harmful when it is aggregated, exposed, or weaponized. The FTC notes that people-search sites compile social media, government records, and brokered data into reports that can reveal addresses, family members, and other sensitive details. Australia’s eSafety Commissioner warns that doxxing can involve information sourced from public records and still cause serious privacy and safety harm.
The right way to think about “legal” OSINT
Here is the cleanest practical test:
| Usually appropriate for dating safety | Usually out of bounds |
|---|---|
| Reverse-image-searching profile photos for scams | Creating fake accounts to gain access |
| Asking for an in-app video or voice call | Impersonation or pretexting |
| Using app verification tools | Buying restricted records or trying to obtain them under false pretenses |
| Checking whether basic public-facing claims are consistent | Digging for home address, family members, or daily routine |
| Looking for obvious scam patterns | Posting or sharing someone’s private details |

That framework tracks closely with what regulators, safety agencies, and dating platforms allow or warn against: verify identity, protect your own privacy, stay on-platform early, and do not obtain or expose private information through deception or harm-causing conduct.
What you can usually check without crossing the line
A sensible OSINT check starts with the information the person has already chosen to present. Are the same first name, age range, city, occupation field, and photos showing up consistently? If the story changes every few messages, that matters more than whether you can find a deeper record somewhere else. Consistency is the goal.
The most useful single tactic for scam detection is still the most basic one: reverse-image search the profile photo. The FTC explicitly recommends it for romance-scam screening. If the image is tied to another name, another country, or a completely different profile history, that is not a small red flag. That is often the story.
Before meeting, use the safety tools built into the platform. Tinder advises keeping the conversation on-platform while you are getting to know someone, because bad actors often try to move quickly to text, phone, or other apps. Bumble recommends photo verification, in-app voice or video calls, and avoiding early sharing of your home or office address. That is smarter than jumping straight into third-party databases.
What crosses the line fast
The first obvious red line is deception. If you create a fake account, pretend to be someone else, or use false pretenses to obtain private information, you have moved out of ordinary checking and into conduct that regulators have treated as unlawful. The FTC has been explicit for years: obtaining confidential information through false pretenses or impersonation is illegal pretexting.
The second red line is exposure. Doxxing is not made acceptable just because the information was technically obtainable somewhere. Australia’s eSafety Commissioner defines doxxing as the intentional online exposure of someone’s identity or personal details without consent, with intent to cause harm, and notes that even accurate information sourced from public records can be weaponized.
The third red line is fixated, repeated, unwanted monitoring. In Canada, criminal harassment includes repeated conduct that causes someone to fear for their safety and has no legitimate purpose. UK prosecution guidance similarly describes stalking and harassment as repeated, obsessive, unwanted behavior, including following, online monitoring, publishing material about someone, or pretending to be them.
The global legal reality: privacy law often carves out personal use — but that does not give you a free pass
Across major privacy regimes, there is a common pattern: purely personal or household activity is often carved out of general privacy law. The GDPR excludes processing by a natural person in the course of a purely personal or household activity. The UK ICO says the same is true under UK GDPR. Singapore’s PDPA generally does not apply to an individual acting on a personal or domestic basis. Brazil’s LGPD does not apply to processing by a natural person for exclusively private and non-economic purposes. India’s Digital Personal Data Protection Act excludes personal or domestic processing by an individual, and also excludes personal data made publicly available by the data principal or under law.
That said, this is the part many articles get wrong: a household exemption is not a blank check. It does not convert stalking into “research.” It does not authorize hacking, pretexting, impersonation, doxxing, or platform-rule violations. And once conduct moves beyond genuinely private use — for example, by publishing someone’s information more broadly — different legal duties and liabilities can attach. The ICO specifically notes that information being in the public domain does not automatically erase data-protection duties, and that posting material publicly beyond friends and family can take conduct outside purely personal use.
California is a good example of why people oversimplify this topic. The CCPA gives California consumers rights against businesses that collect, use, share, or sell their personal information. It is an important privacy law, but it is not a personal dating manual and it does not tell you that a private search is automatically lawful just because the information exists somewhere.
Brazil offers another useful nuance. Under the LGPD, even where data is public, processing must still consider purpose, good faith, and the public interest that justified the data being made available in the first place. That is a strong reminder that “public” is not the same as “anything goes.”
The criminal-record myth: in many places, you cannot casually run an official background check on another adult
This is where many “vet your date” guides become irresponsible. In practice, official criminal-record systems are generally not designed for casual dating checks. In Ontario, consent must be granted by the individual being checked, and organizations cannot request a police record check without the person’s knowledge and consent. In Australia, anyone can apply for a National Police Certificate for their own use, but you cannot apply for someone else without their consent. In the UK, a private individual cannot apply for a DBS check on behalf of another person; the applicant has to do it themselves, and you can ask to see the certificate if they choose to provide it.
That does not mean criminal history is never relevant to safety. It means the lawful route is usually consent-based or role-based, not private snooping. If you reach a point where you feel you need official screening to feel safe, that is usually a sign to slow down, meet only in public, rely on platform safety features, or walk away entirely.
A practical OSINT workflow that stays on the right side of the line
1) Stay on-platform first
Do not rush to text, WhatsApp, Telegram, or email just because the other person wants to. Tinder explicitly warns that bad actors often try to move off-platform quickly, because platform messaging is subject to trust-and-safety systems.
2) Ask for verification, not personal disclosures
Use app features first: photo verification, ID verification where available, and an in-app voice or video call. Bumble specifically points users to photo verification and in-app calling as safer ways to confirm identity without handing out personal contact information too early.
3) Reverse-image-search suspicious photos
This is low-friction, high-value, and directly recommended by the FTC for spotting romance scams. It will not tell you everything, but it can reveal the worst fakes very quickly.
4) Check for consistency, not completeness
You do not need their whole life story. You need to know whether the basics they chose to share appear coherent across public-facing information. A real person can still want privacy. Privacy is not the red flag. Contradiction is.
5) Protect your own data while you are vetting theirs
Do not reveal your home address, work address, routine, children’s details, or financial information early. Both Tinder and Bumble tell users to limit that kind of disclosure, and for good reason.
6) Meet in public, control your transport, tell someone
Dating-platform safety guidance is remarkably consistent here: meet in a public place, control how you get there and back, and let a trusted person know where you are going. These are not “extra” precautions. They are basic.
Red flags that should end the conversation, not deepen the investigation
If the person refuses a simple video call, keeps canceling plans to meet, claims to be overseas or stranded, asks for money, pushes investment schemes, or tries to escalate intimacy before basic verification, you do not need better OSINT. You need better boundaries. The FTC and Europol both flag these patterns as common romance-scam behavior. Tinder does too.
The same goes for someone who pressures you to move off-platform immediately, dodges basic questions, or makes you feel rushed, guilty, or isolated. A healthy person may protect their privacy. A scammer typically tries to manage yours.
What not to rely on
People-search sites are tempting because they promise certainty. What they usually deliver is aggregation. The FTC says these sites buy and compile data from brokers, public records, and public-facing social media, and can package up addresses, relatives, employment history, and other sensitive details into a report sold to anyone willing to pay. That makes them risky for the subject and often misleading for the buyer.
So do not treat a people-search report as truth, character evidence, or permission to dig deeper. If you use one at all, use it cautiously and skeptically — and never as justification to expose, contact, or pressure someone based on sensitive details they did not choose to give you.
If something feels wrong
Block and report the profile on the platform. Save only the information you need to make the report or protect yourself. Tell a friend what is happening. And if the conduct becomes threatening, persistent, or fear-inducing, stop “researching” and start treating it as a safety issue. Platforms explicitly encourage reporting suspicious behavior, and stalking and harassment laws exist for a reason.
The bottom line
Using OSINT to vet a date can be smart. It can also go wrong fast. The legal and ethical version is narrow: verify identity, check for consistency, use platform tools, watch for scam signals, and protect your own privacy. The moment your process depends on deception, hidden collection, publishing private details, or repeated unwanted monitoring, you are no longer doing dating safety. You are creating a different kind of risk.
The best OSINT for dating is not the deepest. It is the most disciplined.