This week’s post is about mistakes that OSINT investigators make – and how those mistakes can affect their own privacy and operational security.
This is not a theoretical or academic guide, or a set of “best practices” so unwieldy and out of touch that barely anyone follows them – but everybody will pretend they do.
Each of the examples listed below actually happened in real life. Each mistake was made either by me personally or by a colleague of mine in my presence (and no, I won’t say specifically which of the fails belong to me).
So here’s to learning from the privacy and OSINT fails of others – may you never have to repeat them.
Let’s go.
* Using your own private device for investigative tasks
The first big NO on this list. In this case, the investigator decided to casually browse (“I’ll only take one quick look”) a thread of messages posted by the subject on a third party platform. The investigator was using their own device. Suddenly they realised the subject’s messages had investigative value, so they started taking screenshots of the content. With their own private mobile phone.
Some time afterwards all of the messages written by the subject were deleted from the platform. The website was hosted in a third world country and the regular route of acquiring information from the service via a subpoena / warrant was not possible. The only evidence for the existence of the messages was what the investigator captured using their own device – and by doing so they created a chain of evidence which their own private device was now part of.
SOLUTION: Always use dedicated devices for investigations, especially if faced with a possibility of a court appearance down the line. Collecting OSINT material with your own device might in some cases lead to a court order compelling you to hand it over as evidence. Do not allow your own device become part of a chain of evidence.
* Investigative account de-anonymisation via data breaches
Creating investigative accounts on third party services and platforms using your official (government or corporate) work email is a recipe for disaster. It might seem potentially handy to have all the investigative accounts in one place and connected to one inbox – but it’s creating a centralised connection between them all in the event of those details surfacing in data breaches or leaks. And they will – it’s just a matter of how and when.
The same can be said for reusing a password (especially a strong, distinct one) for all investigative accounts. Again, it might seem convenient and easy to remember, but in the event of data breaches all these accounts can be connected to each other through either plain text passwords or hash values of these passwords.
SOLUTION: Use dedicated burner / aged email addresses (depending on the type of investigation and the type of platform) when creating accounts. Set up your own management system for investigative accounts and passwords – for example using a password manager for your OSINT accounts.
* Contact contamination due to unfamiliar default settings
Another example of a convenience trap: an investigator is using a dedicated investigations-purposed Android device, but without a dedicated Google account. Instead they are using either a recycled, old investigative account, or what is worse – their own private one.
In this particular case, the investigator was adding names, email addresses and other contact details of their targets to the dedicated mobile device. The default setting on that mobile phone (with Android OS) was that it automatically saved the newly added contacts to the associated Google account and not to the device as the investigator believed in the first place.
The result? Contamination of data – be it with details of targets from the last case (if not deleted after the case concluded) or with the investigator’s private contacts on their own Google account that they never intended to actively use for work.
SOLUTION: Practice both account and device separation. Don’t trust the default settings of both devices and operating systems. If unsure, test whatever you intend to do first before starting the case.
* Working outside of the investigative mindset
In this example, the investigator had a slow burning case that was taking longer than usual to develop. At the time there wasn’t much progress happening, so the investigator was infrequently monitoring several accounts of interest. After a busy day spent working on other cases, the investigator decided to wind down by lying in bed with their operational mobile phone and flicking through the content posted by the subject of “the slow burning case”.
This haphazard, half-assed attitude, coupled with tiredness, resulted in a mis-click and the investigator accidentally re-shared one of the posts made by the subject. Occurrences like this, even when using a sock puppet account, can be detrimental to the investigation and can arouse suspicion in the subject.
SOLUTION: Approach the investigations seriously and with the focused, professional investigator mindset. Working on any case when tired or not “in the zone” is one sure way to make mistakes. Remember that adequate rest and sleep are very important – especially when working on the “big cases”.
* Accidental direct interaction with the subject
Similar to the above example, but worse. Two situations to illustrate this:
1. The investigator adds the phone number of interest to their contacts on a dedicated mobile phone. Between interacting with various apps and managing other contacts (all of whom are subjects), the investigator accidentally selects one of the contacts and dials the number. They realise too late what happened and even when they immediately hang up – the subject gets a missed call from the investigator’s burner mobile number (not the end of the world – don’t we all get missed calls from strange numbers from time to time?).
2. The investigator is working on a high-impact, dynamically evolving case (police investigation). There is a live operation in place. A colleague hands a paper file to the investigator and tells them to contact another colleague (let’s call him Agent Smith) about the subject of the investigation. On the paper file cover the officer writes the phone number of Agent Smith, as well as the phone number of the subject. The investigator picks up the phone – but dials the wrong number… The subject picks up and hears: “Hi Agent Smith, this is so-and-so from the police station”.
SOLUTION: To avoid what happened in the first scenario, you should disable outgoing calls on the handset used for investigations or use a mobile phone emulator software. To avoid the results of the second situation, you should have a strict workflow and documentation process in place (instead of scribbling stuff in random places). You can rely on those things especially during dynamic, stressful cases when being in a hurry creates an additional risk of making fatal errors.
* Investigative accounts getting shut down
This is a rather commonly encountered problem in the OSINT community – it has probably happened at least once to anybody who does hands on investigations. In this example, the investigator had nearly all of their investigative accounts on various platforms suspended – and could not figure out why.
It turned out that the issue lied in privacy overkill: creating sock puppet accounts while using VPNs, from within a virtual machine and a Firefox browser with a very generic fingerprint; signing up to platforms using freshly created burner emails with zero digital footprint; using multiple privacy-enabling browser extensions; uploading blatantly fake, AI-generated faces as profile images – and more.
SOLUTION: Effective threat modelling. If a third party platform is not your adversary – don’t treat it like one. Sign up for accounts using public WiFi; it’s OK to do so from your regular laptop. It’s also OK to use regular Gmail accounts for investigations – Google might want your data, but they are not your OSINT enemy or target. Privacy oriented emails like Protonmail or Tutanota are great but they also frequently raise red flags with certain services due to being abused by scammers and fraudsters. For more – read my older post on how to avoid getting your investigative account shut down here.
* Doxxing your IP address
An investigator conducting a sensitive enquiry into a target website (a criminal forum) accesses it regularly to monitor the activity on it and to collect intelligence. Connections are always going through the VPN, and it always works – until the day it doesn’t.
Unfortunately, the realisation that the VPN had disconnected itself a while ago came as the investigator was halfway through his intelligence collection effort, while being logged on to the site. Now this criminal forum knows the investigator’s real IP address, be it their office’s IP address, or worse – their home IP address (if they were working from home).
SOLUTION: This would not have happened if the investigator used a killswitch function in the VPN. A killswitch will automatically disable the Internet connection, should the VPN disconnect, crash or otherwise stop working. Always check if your VPN is working! For more details and examples on why a VPN matters, read this.
* Unwanted friends
This example is from my time in law enforcement and it only really applies to police work. A police officer, who had accounts on various social media platforms in their own real name, was regularly on patrol duty in a certain area where a number of high profile criminals lived.
One day, when using a popular social networking app, the officer noticed a change in the type of suggested friends – they were no longer people they knew or went to school with; instead, they were mainly people from the area they frequently spent time in on patrol duty. Including some of the known criminals. The worst thing about it was when the officer realised that their own profile is most likely being suggested to all those people (including the crims) as a potential friend.
SOLUTION: Know the privacy settings and terms of service of apps that run on your phone. Learn how to make these apps private or delete them altogether – especially if working on patrol duty like in the example above. For a quick glance at various ToS, go to Terms of Service Didn’t Read.
Know any other examples of opsec and privacy fails when conducting OSINT gathering? Share them in the comments below!