The Rise of OSINT: Few Rules, Many Opportunities
Today, with almost infinite sources and publicly available sensors, open-source intelligence (OSINT) collection has achieved high sophistication and makes it possible, for example, to follow battlefield movements in Ukraine in real time. The practice has been refined since the days of phone books and news monitoring, and what is required to acquire and process information is now ubiquitous and cheap. The key factor behind this is artificial intelligence, which collects and processes material at speeds only recently imaginable.
U.S. law defines OSINT as “intelligence that is produced from publicly available information and is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement.”
The agencies working with OSINT are both law enforcement and intelligence. Law enforcement is where most rights activists have expressed their concern.
Currently, 80% to 90% of all intelligence activities carried out by Western law enforcement and national agencies are OSINT, according to a compilation paper by Riccardo Ghioni, Mariarosaria Taddeo and Luciano Floridi.
The activity touches various aspects of the law, and these change depending on where the investigator and the target are located.
One of the tallest hurdles law enforcement faces when using OSINT is the nature of much of the information obtained. In many cases, social media can contain hearsay or lightly substantiated statements that are likely to be dismissed in court, according to Fraser Sampson, chief executive and solicitor, Office of the Police & Crime Commissioner, West Yorkshire, United Kingdom.
Analysts have laid out three general criteria that would comply with international standards for collecting OSINT as evidence. The first is clear and lawful identification of the sources, especially if investigators impersonated someone to approach a person of interest online, according to Alison Lyle, a legal researcher at Sheffield Hallam University in the United Kingdom.
The second is the reliability of the evidence in case the data was altered or tampered with. Finally, the dependability of the author providing the evidence must be considered. For example, a judge would most likely dismiss an anonymous source.
As law enforcement collects and uses volumes of data that could potentially be used in court, privacy tops the agenda of critics and nongovernmental organizations, even though only publicly available information is acquired.
“Different agencies and companies all work under different sets of guidelines defined by their governing organizations. While these rules may differ in wording and nuances, it is generally accepted that information gained from OSINT must be obtained in a way that does not violate existing privacy laws, must not be used in a malicious manner, and must be done only as a necessary means to an end,” warned the Department of Homeland Security in a paper in accordance with analysts’ general principles.
While some U.S. states are more zealous about protecting the privacy of their residents, at an international level, the regulations are looser.
The Convention on Cybercrime, effective since 2004, allows cross-border OSINT gathering. The United States and most of its allies around the world are signatories, while China, Russia and Iran are among those who do not adhere to it.
These activities are allowed under Article 32 of the text, which states, “a Party may, without the authorization of another Party: access publicly available (open source) stored computer data, regardless of where the data is located geographically.”
Being able to collect or process available information poses challenges before and after the process, according to one legal expert.
“Technology-facilitated investigations of open sources by the police often constitute an interference with the right to privacy; hence, they require a legal, statutory basis that is sufficiently clear for citizens to understand what the police are doing,” said Bert-Jaap Koops, professor of regulation and technology at Tilburg University in the Netherlands, in an email exchange.
This means there is a responsibility, especially for law enforcement agencies, to inform their citizenry and be transparent as to which activities they may conduct to keep the community safe. This work also brings about a liability for those practicing OSINT: the privacy of stored data.
“Open-source investigation tools and practices used must meet general data-protection requirements and forensic reliability standards,” Koops wrote.
According to Koops, a third legal risk for citizens of a democracy comes about because of the information aggregation process—even when data is not fully labeled in compliance with regulations. Several pieces of data identify individuals. Even when each element comes from open sources, the final collection may provide a detailed profile of a person, despite that not being the intention at the outset. Observing data security is one avenue for mitigating this legal risk, according to Koops.
As the practice of OSINT continues to evolve, striking a balance between intelligence needs, privacy concerns and regulatory frameworks remains crucial for responsible and effective information gathering in the modern era.