Over 2 years ago I wrote this blog post on opsec and privacy fails when doing OSINT. It is basically a list of examples (practical, not theoretical) of what can go wrong and how it can damage or impede your investigation.
Today’s post might as well be read in conjunction with the old one. It was triggered by some recent discussions and reading on various legal (and illegal, or at least borderline) aspects of OSINT.
Let me explain what I mean by it.
All OSINT is legal, it's open source & openly available. Right?
Generally yes, and it’s a universal truth that OSINT practitioners globally accept.
But some exceptions might apply, and here is how different jurisdictions can approach the topic from totally different viewpoints.
For example, you might be as surprised as I was that in the United Kingdom there is currently NO legal requirement or formal qualification standard for a person who wants to become a private investigator. Literally anybody can don the PI mantle and practice the tradecraft as professionally or as poorly as they like.
Apparently, legislative efforts are currently underway to change this situation and make PI licensing mandatory.
Right now there is a weird duality in the UK private investigations market: there is a body called the Security Industry Authority (SIA) and it does issue licences, but these licences mainly cover private security workers, from regular security guards and door supervisors to CCTV operators and close protection agents.
When it comes to private investigators, they are not required to hold an SIA licence, nor is there any scrutiny or enforcement.
Private investigators can use OSINT techniques and engage in many OSINT-related activities, from conducting background and reputation checks on people to undertaking efforts to locate missing persons.
Now, this is drastically different in Ireland, where the Private Security Authority (PSA) regulates and licences private investigators (along with other types of private security employment). The following is a definition of a “private investigator” (taken from here):
A Private Investigator is defined as a person who in the course of a business, trade or profession conducts investigations into matters on behalf of a client and includes a person who:
a) obtains or furnishes information in relation to the personal character, actions or occupation of a person,
b) obtains or furnishes information in relation to the character or kind of business in which a person is engaged,
c) searches for missing persons,
d) obtains or furnishes information in relation to the loss or damage of property
Does any or all of the above sound like OSINT-able information? Absolutely.
An important distinction here however is that this applies to persons who do this for monetary gain and “on behalf of a client”. So the focus is on the contractual nature of the business relationship between a private investigator and the client.
Licensing for the above activities does not for example apply to people who carry out these actions as part of their regular employment for a company (business risk managers, compliance staff, etc).
To clarify it further, here is a list of those who don’t require licensing, taken from the same source as the requirements listed above:
• a person who undertakes technical surveillance counter measures,
• a person who provides information technology security measures,
• a person who has statutory powers to carry out investigations for their employer,
• a person who carries out workplace investigations with the consent or knowledge of the person under investigation and where the matters under investigation are subject to regulation under the enactments listed in Schedule 1 of the Workplace Relations Act 2015,
• store detectives in the normal course of their duties who hold a valid PSA Security Guard (Static) or PSA Security Guard (Guarding) licence,
• law searchers conducting documentation searches,
• a person whose activities relate to accessing publicly available information,
• the professional activities of accountants, auditors, barristers, broadcasters, journalists and solicitors*,
• any other such person as the PSA may decide.
*where these persons engage third parties outside of these professions to undertake activities falling within the definition at (1) above, such third parties will require a licence.
Based on the above (and on the individual circumstances) the answer to the “Is all OSINT legal?” question changes from “Hell, yes” to “Well, it depends”.
If you work in a private capacity as a freelance investigator and engage in any or all of the four investigative activities for monetary gain, you can’t do your OSINT legally in Ireland without a PSA licence. Period.
Note that there could be many other jurisdictions with abundant examples of similar tricky legislation.
Accidental disclosure
“Whoever fights monsters should see to it that in the process he does not become a monster. And if you gaze long enough into an abyss, the abyss will gaze back into you.” – Friedrich Nietzsche
I use this ill-suited quote from a philosopher to illustrate the point of accidental disclosure during OSINT investigations. Let’s consider the following scenarios:
Scenario 1 – your searches for sensitive keywords or personal information on various websites, social media platforms, forums and so on are recorded not only by all those very resources you searched, but also by third party vendor tools that you could be using to assist your investigation. This can lead not only to generating interest around your search criteria, but it can also result in alerting potential targets that somebody is sniffing around. Suddenly shady forums begin profiling your activity based on various technical parameters (see here for examples of what is collected).
Scenario 2 – you are researching threat actor activity and examining some files acquired in the process. You want to keep your findings confidential, but you also want to err on the side of caution and avoid accidentally downloading malware to your machine. You upload sample files to online malware sandbox services like VirusTotal. Then you suddenly realise that files uploaded to VirusTotal and similar sites can be viewed, accessed and downloaded by thousands of other users who have a paid subscription plan for the platform. Obviously, it’s too late now to stuff the genie back into the bottle.
Scenario 3 – you are navigating a shady website hosted in what could be considered a high risk country. You’re behind a VPN and follow good opsec rules. Then your VPN connection drops and you realise you don’t have a kill switch enabled. Your computer automatically re-establishes the connection to the site, but this time from your true home IP address :/
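The kill switch that Scenario 3 is missing can be a plain host firewall policy rather than a VPN client feature. The following nftables ruleset is an added example, not something from the original post: it drops every packet that is not inside the tunnel, so a dropped VPN means no connectivity instead of a connection from your home IP. It assumes the tunnel interface is tun0 and that the VPN endpoint is the placeholder address 198.51.100.10 on UDP 1194; both values must be adjusted for your client.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post): a VPN kill switch as a host firewall
# policy. Assumptions: tunnel interface is tun0, VPN endpoint is the placeholder
# 198.51.100.10 on UDP 1194. Adjust both before loading with: nft -f killswitch.nft
flush ruleset

table inet vpn_killswitch {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # iifname (not iif) so the rule loads even before the VPN client creates tun0
        iifname "tun0" accept
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # The only traffic allowed to leave on a physical interface is the
        # encrypted session to the VPN endpoint itself.
        ip daddr 198.51.100.10 udp dport 1194 accept
        # Everything else (browsing, DNS, investigation tooling) must use the tunnel.
        # When tun0 disappears, new flows have no matching rule and hit policy drop,
        # so nothing is silently re-established from the real address.
        oifname "tun0" accept
    }
}
```

Because the output policy is drop, DNS and LAN traffic (including DHCP renewals) are blocked outside the tunnel too, so the VPN endpoint has to be configured as an IP literal and any LAN exceptions must be added explicitly; confirm the loaded policy with `nft list ruleset` before starting an investigation.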
Scenario 4 – you are on the other side of the proverbial fence; this time you’re responding to a Freedom of Information Act request, likely made by a journalist or maybe an OSINT researcher. In the course of collecting the response material, you somehow accidentally append a spreadsheet containing personal information of ALL other employees and send it to the requesting person.
(If this sounds far-fetched, check out the details of the 2023 Police Service of Northern Ireland data breach).
To sum up – accidental disclosure is a thing in OSINT. Learn about it in order to protect your own privacy and the integrity of your research.
Examples of illegal or "grey area" OSINT
The most obvious example of when OSINT gets out of hand and laws could get broken is crowdsourced investigating.
Using the word “investigating” is generous here, since very often these activities are just glorified social media witch hunts. They usually happen after a shocking incident takes place; people take to social media to find out more, to search for the identity of the suspect or the victim and the location.
Sometimes it could be the news (true or false) that a convicted sex offender was either seen in the area or is about to get housed in an area after the release from prison. A spontaneous quasi-OSINT effort takes place (minus the intelligence and the analysis part) and very quickly personal information, images and addresses appear online in a full-blown vigilante doxxing spree.
It’s often the case that the information shared was either inaccurate or completely wrong – but this fact gets noticed much later, when it’s already too late and somebody’s property or health (or both) has been damaged.
Naturally, professional OSINT investigators don’t act in this manner, so this example is not really applicable to the wider OSINT community.
So let’s take a look at one that is.
The context for this is Ireland-specific, but it might be relevant elsewhere too.
For the last 2 – 3 years or so, any large scale data breach in Ireland (typically as a result of a ransomware attack; see last year’s BlackCat attack against Munster Technological University in Cork) is handled in accordance with a playbook that includes making a legal application to the High Court for an injunction against anybody who would download, leak or share any data unlawfully disclosed as a result of the attack.
This step was also taken in the aftermath of the 2021 Conti ransomware attack against the Health Service Executive. The idea behind this is to limit the proliferation of the data breach – not by the cyber criminals, they don’t care – but by others, meaning everybody from the casual snooper to an OSINT practitioner.
High Court injunctions might not deter a cyber criminal in russia, but anybody living in Ireland will think twice about the possible consequences of accessing and sharing the data dump, even if it’s only for OSINT research purposes and even if it’s already publicly available somewhere else. The injunction notice published at the time by the MTU reflected their determination to minimise the impact from the incident:
MTU (…) secured an interim injunction from the High Court in order to help prevent the sale, publication, possession, or other use of any data that may have been illegally taken from our systems. MTU will seek to enforce that injunction as far as possible. To that end, MTU has engaged specialist services to closely monitor the internet for any possible leak of data.
So what’s the impact of this on OSINT? Well, if you rely on collecting data breaches for investigating digital footprints of individuals you should bear in mind that in some cases downloading a particular database, even if already publicly available, is against the law.
The last example I have also touches on data breach records ingestion and processing for OSINT purposes. Publicly available records or not, these still contain personal and private information of thousands of people. Processing, storing and using those records for business purposes (either as an OSINT freelancer or a company) could easily be classed as data processing under the EU General Data Protection Regulation (GDPR). This to me is a grey area as it seems to depend on specific details of how, where and why the data collection and its further processing took place. One thing is certain, the people whose data is in the breaches collected and processed by OSINT companies did not express their consent – but professional legal expertise might be needed to drill into this topic effectively.
PS. If you’re interested in examples from Belgium, France and beyond, check out these four blog posts by the OSINT FR collective; they are really informative: