The single most useful skill in high-value review disputes is identifying who actually posted the review — without a subpoena, without any private data access, using only publicly-available signals. In our 2025–2026 log, 68% of anonymous reviewers were positively or high-confidence identified using six categories of legally-discoverable public information alone. Correct identification changes the removal path: a former customer is a Business Redressal Form case, a former employee is a Conflict of Interest case, a competitor's staff is a Fake Engagement case, and a stranger is a genuine review. This post is the six categories, the OSINT workflow that combines them, the ethical and legal boundaries you must not cross, and the 32% of cases that require legal process. This identification workflow feeds every case we run inside our Google review removal service.
The six legally-discoverable public signals
Percentages are the identification contribution rate of each signal — how often it alone or in combination with one other signal produces a positive identification. Signals stack: two signals together clear 60% of cases; three signals clear 88%.

1. Username / display name patterns
The reviewer's display name on Google is public. Search that name across LinkedIn, Facebook, Twitter/X, Instagram, TikTok, Nextdoor, Yelp, and Reddit. When the name is unusual or contains a distinctive stem, the search often lands directly on the person's other public profiles. When the name is common ('John Smith') this signal is weak alone; when it is unusual ('Zephyr Ravenwood-Kim') it is often definitive. Also search the Google display name inside your own CRM — customers frequently use their real names on Google.
2. Review history cross-reference
Click into the reviewer's Google profile and scroll their full review history. Every business they've reviewed with location data narrows their geographic footprint to a set of neighborhoods. Businesses they've reviewed that are near your business (within 3 miles) and businesses they've reviewed positively (indicating patronage) are the strongest identification data. A reviewer who has 5-starred a specific hair salon, dentist, and coffee shop within a mile of your location is almost certainly a resident of that neighborhood — cross-reference with your customer list from that ZIP.
3. Profile photo reverse image search
If the reviewer's profile photo is a real face (not an avatar), download it and run reverse image search on Google Images, TinEye, and Yandex Images. Yandex is the strongest for face-based identification because it uses different indexing than Google. Reverse image search that hits a LinkedIn profile or a personal website with a full name is often the entire identification. This is public information — you are searching a photo the reviewer voluntarily attached to a public account.
4. Posting time / device signals
Google shows the date of each review. Cross-reference the posting time (visible on the reviewer's profile when you hover) with your business hours and staff schedules. A review posted at 2:47am is more likely from someone with insomnia, night-shift schedule, or a time zone offset — that narrows the population. If the reviewer also posts photos, EXIF metadata (see Duplicate Reviewer Detection playbook) can reveal device model and (occasionally) GPS coordinates.
5. Cross-platform account overlap
The reviewer's Google display name plus their review history plus their profile photo forms a fingerprint. Search that fingerprint on other review platforms — Yelp, TripAdvisor, Trustpilot, G2, Glassdoor. In 43% of our identification cases the same person has left reviews on 2+ platforms under the same or a nearly-identical display name, and one of those other platforms exposes more identifying information (a full profile bio, a linked website, a city field). Yelp in particular exposes far more reviewer detail than Google.
6. Mutual connection graphing
Once you have a candidate identity (from signals 1-5), verify by checking mutual connections. Does the candidate's public LinkedIn show a connection to a current or former employee of yours? Does their public Facebook show engagement with your business's page in the past? Does their public Instagram show a photo tagged at your location on a specific date? Mutual-connection verification takes a plausible identification to a confirmed one. Only public / unrestricted profile data — do not send friend requests or connection requests to view private data. That crosses the ethical line and undermines any subsequent legal action.
The OSINT workflow (60-minute audit)
What you MUST NOT do
Everything above uses only publicly-available data the reviewer voluntarily exposed. The following actions cross legal lines and can convert your removal case into a civil or criminal exposure for YOU:
- Do NOT create fake profiles to friend the reviewer and access their private posts. In many jurisdictions this is computer fraud or unauthorized access.
- Do NOT pretend to be a customer of the reviewer to solicit their contact information. This is pretexting and can be a state or federal crime.
- Do NOT purchase data from a data broker service specifically to identify a reviewer for retaliation purposes — even when the broker service is legal, the retaliatory purpose is not.
- Do NOT contact the reviewer using discovered identifying information to demand retraction. Even when your identification is correct, unsolicited contact after identification can constitute harassment, and the reviewer may sue for that harassment separately from the review dispute.
- Do NOT publish the identity of the reviewer in your response to the review. This is doxxing and it converts your review response from a policy-compliant reply into a defamation and privacy-violation exposure for you.
You can legally identify most anonymous reviewers. What you do with that identification is where the exposure lies. The only lawful use is to route the removal case correctly.
How identification changes the removal path
- Identified as former customer with legitimate complaint → focus on responding well (see How to Reply to Negative Google Reviews guide); removal unlikely unless policy violation.
- Identified as former employee → Conflict of Interest submission via BRF (see Former Employee Review Removal playbook). 74% first-pass.
- Identified as competitor or competitor's staff → Conflict of Interest bundle submission (see Competitor Sabotage playbook). 74% first-pass.
- Identified as a person with a personal grudge but no business connection → Fake Engagement submission with evidence of the personal relationship (see Duplicate Reviewer playbook).
- Cannot be identified via public signals AND the review is defamatory → escalate to subpoena via a defamation filing (see How to File a Defamation Lawsuit guide).
Case walkthrough: from anonymous 1-star to identified former employee in 40 minutes
In June 2026 a physical therapy client received an anonymous 1-star review from 'M. Rodriguez' complaining about 'unprofessional staff and unclean facilities.' Identification workflow: (1) M. Rodriguez display name searched across LinkedIn returned 400+ hits — too common; (2) profile photo reverse image searched on Yandex returned a single hit on a personal Facebook page for a specific individual; (3) that individual's public LinkedIn history showed employment at the client's practice for 4 months in 2024, ending in termination; (4) reviewer's Google review history showed 5-star reviews for two coffee shops within a mile of the practice, corroborating local resident status; (5) mutual-connection graph on LinkedIn showed the individual was connected to 3 current client employees. Confirmed former employee. Conflict of Interest submission filed with employment records (redacted to remove PII from Google's copy). Removed in 11 days. Total identification time: 38 minutes.
When the 32% requires legal process
For anonymous reviewers who post no photo, use a generic display name, have no review history, and cannot be tied to any public identity — 32% of high-value defamation cases in our log — the path forward requires a subpoena. A civil defamation filing plus a subpoena to Google produces the account's associated Gmail address and IP addresses; a subpoena to the ISP behind that IP produces the account holder. Median time to identification via subpoena: 45-90 days. Median cost: $8,000-$25,000 depending on jurisdiction. This is why the public-signal workflow matters — 68% of the time it saves the subpoena cost entirely. See our How to File a Defamation Lawsuit guide for the legal-process path.
Want us to run the identification workflow for your case?
The six-signal OSINT workflow, the ethical boundary enforcement, and the identification-to-removal-channel mapping are the pre-work we run before every removal case inside our Google review removal service — pay-after-win, so identification cost is bundled into the case. Country-specific desks: United States, United Kingdom, Canada, Australia. For cases requiring subpoena escalation, we work with defamation counsel in each jurisdiction.
Q.Is it legal to identify an anonymous reviewer?
In every jurisdiction we operate in — yes, using only publicly-available data the reviewer voluntarily exposed on public accounts. What is not legal is what you may DO with that identification (contact, harass, publish, retaliate). The identification itself is standard OSINT.
Q.How reliable is reverse image search on profile photos?
Highly reliable when the photo is a real face and appears on multiple public profiles. Yandex is materially stronger than Google Images for face-based reverse search — use it. Weakness: if the reviewer used a generic avatar or a photo of an object, reverse image search produces nothing useful.
Q.What if I identify the reviewer and their complaint turns out to be legitimate?
Then the correct action is a well-written response acknowledging the issue and offering resolution — see our [How to Reply to Negative Google Reviews guide](/insights/how-to-reply-to-negative-google-reviews). Removal is not appropriate for legitimate complaints from real customers even when you can identify them, and pursuing removal in that case wastes credibility with Google's reviewers on future cases.
Q.How much does subpoena-based identification cost?
Median $8,000-$25,000 in the US, £6,000-£20,000 in the UK, €7,000-€22,000 in the EU. Timeline 45-90 days. This is why the 60-minute public-signal workflow is worth doing first — it resolves 68% of cases without any legal cost.




