Anti-Doxxing Personal Security: Removing Data from Brazilian Data Brokers

You type your name into Google and find a partial CPF, an old address, your mother's phone number and your sister's wedding photo indexed on a genealogy site. That is not paranoia, it is the default state of any Brazilian over 25 with an online history. The Basilisk team treats doxxing as a supply chain: every broker, every Serasa 2021 leak, every 2009 Facebook profile is a node in the graph. Cutting all of them gives a false sense of control; cutting the right 12 nodes removes 90% of the real risk. This guide is the same runbook we run for clients targeted by stalkers, disgruntled ex-employees and extremist groups.

Before any removal, do OSINT against yourself. Spin up a throwaway VM, a clean browser with no logins, and run structured queries: full name in quotes, name + city, name + partial CPF, phone with and without country code, primary email and aliases. Catalog everything in a spreadsheet with columns url, broker, exposed data, priority, status. Tools like Maltego CE, Spiderfoot and holehe automate part of this; the step-by-step lives in Ethical OSINT: Investigating Your Own Digital Footprint with Maltego and Spiderfoot. Without inventory you treat symptoms and leave the root intact. Expect 40 to 200 unique hits, that is normal.

In Brazil the brokers that dominate first-page results are Tudo Sobre Todos, Telelistas, ConsultasBrasil, Quem Sou Eu, Encontre uma Pessoa, Cadastros BR plus aggregators like 4devs and Consulta CPF. Each one has a different opt-out flow: Tudo Sobre Todos accepts a form with an ID photo; Telelistas requires the email registered for the number; ConsultasBrasil ignores requests that do not explicitly cite LGPD article 18. Standard email template: subject 'Erasure request - LGPD Art. 18, V', body quoting the specific URL, 15-day deadline and notice of complaint to ANPD. Keep everything in writing, never call. In 60% of cases removal lands in 7 to 20 days.

Social media is the most underestimated vector. Your 2010 Facebook still has your phone public under 'About'; LinkedIn leaks your exact city via the location field; Instagram exposes geotags on old stories; Strava publishes your daily run starting from home. Audit per platform with a checklist: profile privacy, friend visibility, bulk old posts, connected third-party apps, active sessions. For old photos, run exiftool and mat2 before republishing anything; the procedure is in Metadata Hygiene: Stripping EXIF, PDF and Office Before You Publish. Splitting public and private identities into separate accounts is the next step, detailed in Digital Compartmentalization: Separate Identities Without Leaking Metadata.

Government and judicial data is a special case. Official gazettes, TJSP cases, JusBrasil and Escavador reindex rulings with your CPF and address. JusBrasil accepts deindexation requests via form citing LGPD; Escavador demands a power of attorney or formal document. For sealed proceedings improperly exposed, the path is a direct petition to the court. Protest registries and the Junta Comercial leak your home address when you are a MEI partner; switch the registered address to a coworking or PO box before opening the company. If you are a high-visibility target journalist, activist, executive the threat model shifts entirely and the guide in Personal Security for High-Visibility Targets: Journalists, Activists, and Executives covers the extra controls.

Phone and email deserve surgical treatment. Provision a VoIP number (Google Voice via a US relative, or an international eSIM) for public registrations and MEI paperwork; keep your real number for banking, critical MFA and close family only. For email, use SimpleLogin or addy.io aliases: one alias per service, burnable on attack. Migrate SMS MFA to passkeys or TOTP on a hardware token per Passwords and MFA: Moving to Passkeys Without Breaking Your Recovery. For sensitive communication with sources or lawyers, Signal with a burner number is the minimum; SimpleX with no identifier at all is the ideal, see Comms OPSEC: Signal, SimpleX and Session Technically Compared. Define your personal threat model first following OPSEC for Security Researchers: Building a Personal Threat Model, because protocol without a model is theater.

Finally, automate maintenance. Brokers republish data every 3 to 6 months as they buy new dumps. Create a monthly cron that runs Google queries like site:tudosobretodos.com.br YOUR_NAME and similar, emailing you when anything reappears. Keep a versioned dossier in a private Git repo with screenshots, sent emails, deadlines and ANPD protocol numbers. Under active doxxing, freeze your credit at Serasa and Boa Vista, file an electronic police report, notify platforms with an emergency takedown request and engage a lawyer. Practical takeaway: block next Wednesday 2pm to 6pm, run OSINT against yourself, fire the first 12 priority opt-outs, and schedule a review 60 days out. Privacy is not a state, it is a continuous process.