OSINT vs Privacy

OSINT is the practice of open-source intelligence. It is a methodology for collecting, analysing, and making decisions about data. This data is accessible in publicly available sources, to be used in an intelligence context.  Privacy in its most basic form is “the right to be left alone”. It is the subject of The Human Rights Act Article 8. Article 8 protects your right to respect for your private life, your family life, your home and your correspondence (letters, telephone calls and emails, for example). The Human Rights Act came into force in the UK in October 2000.

In the intelligence community, the term “open” refers to overt, publicly available sources. However, I wonder if this is fair in terms of privacy and if you’re expecting people to behave in this way? Do the terms and conditions of websites, Companies House, et al entitle you to practice OSINT without considering the impact?  Is OSINT within the domestic exemption? If you’re doing it for work do you have a public interest processing condition? I have many unanswered questions that I’d like to address in this post.

Privacy Infringement

Without going into too much detail on what is ethical,  we need to understand that just because you can make it lawful doesn’t mean it’s a good idea!  You can be infringing on someone’s privacy despite it being legal. It is really important to remember that just because you can, it doesn’t mean you should.  Data protection and privacy are not the same and have different purposes. Data protection is quite literally the protection of data, records and information. Privacy is your right to be left alone.

OSINT isn’t a Criminal Offence, or is it?

The Human Rights Act is specifically worded regarding government interference. There are situations when a public authority can interfere with your right to private and family life, home and correspondence. However, this is only allowed where it can be demonstrated that the action is lawful, necessary and proportionate in order to:

• protect national security
• protect public safety
• safeguard the economy
• protect health or morals
• prevent disorder or crime, or
• protect the rights and freedoms of other people

A good example case is Goodwin & I v United Kingdom [2002] which was the founding case for the Gender Recognition Act 2004

The terms ‘proportionate’ and ‘no more than necessary’ have never been defined.  So at what point is OSINT appropriate and not more than necessary? For the most part, it depends on who is doing the OSINT.

OSINT by a Commercial Organisation

Any organisation that wants to take data from the internet will need a lawful basis for processing under the Data Protection Act 2018 (DPA). When OSINT is carried out, the subject is not usually involved. In these cases, it is likely based on one of the following criteria:

• Public Interest (with appropriate test)
• Legal Obligation (required by law to do it)
• Legitimate Interest (with appropriate assessment balancing the rights and freedoms of the individual

It is carried out for the purpose of pre-employment checks, to investigate misconduct or other straightforward checks. This doesn’t give an organisation an automatic right to carry out these checks. They must first give a fair processing notice to their employees or whomever they are targeting. However, it may not just be about their staff that they perform it. OSINT is an exceptional tool for determining market trends and finding information on competitors.  It can help you protect yourself against data leaks and other vulnerabilities. Often, businesses looking to move into new markets use OSINT to help them gain a better understanding of the region and its profit potential.

Other laws

OSINT by a private individual or a private investigator/journalist has to take into account any other laws within the UK that might legally restrict them.

Some journalists will claim it is in the public interest and therefore it’s perfectly okay to carry out this type of research prior to publishing.  This takes us to ‘freedom of the press’ scenarios, which isn’t the primary focus of this blog. Maybe one day I might throw that grenade into the mix but, for now, I’m simply looking at Open Source Intelligence and making decisions based on that.

In the United Kingdom, the Protection from Harassment Act 1997  makes cyber-stalking an offence. This was introduced into the act through the Protection of Freedoms Act 2012, but that doesn’t necessarily mean that OSINT in itself is a criminal offence. Online harassment is a relatively new phenomenon.  Organisations often struggle to deal with this effectively, particularly on social media platforms. You’ll notice that they often have a stab at it in their terms and conditions. For example, Facebook references their “Community Standards” – how one should act in the community.

Community Standards

As a community, it’s very difficult to define what you can and cannot do. When is something legal, or not?  Is there a common understanding of what we should hold our standards to be?  Like, don’t be creepy, cruel or crass?

The Facebook “Community Standards” only outlines what not to do in terms of bullying. It mainly refers to contacting an individual or posting about an individual.

I feel they cover bullying pretty well (although it doesn’t stop it from happening). The definition of the word harassment has not been laid out entirely. However, OSINT is not necessarily used to harass someone. However, making decisions based on the information you find in the public domain means someone could feel harassed as a result of OSINT.  Even in the very final parts of their statement on bullying and harassment, it doesn’t cover anything about what you can do with information that is publicly available. Moreover, it doesn’t explicitly say “Do not use this information for….”

It’s not technically stalking if it’s publicly available

Those who are privacy-conscious may not use social media.  But the concerns do not stop at the information available on these platforms. You can access lots of information through reasonable routes and without much effort.

For example, You can:

• Go onto Companies House and view corporate paperwork. This public information is accessible for a very long time
• Check whether the address registered is personal or commercial using Google maps and check photos
• Is there a ‘For Sale’ sign?
  • go to Zoopla and check when a house sold.  You will also find sale prices and pictures of the property
  • go onto an estate agent’s site to find selling prices and recent pictures
• Access a will/probate for anyone who has died recently for £1.50. You can see if an individual has benefited from a will.
• Go to the DVLA website and undertake a vehicle enquiry. You can see whether a vehicle is taxed and when the MOT is due
• You can even misuse haveibeenpwned.com by submitting an email address for anyone – without notifying the individual. You’ll find details of any data (albeit nothing sensitive) compromised in a breach.
• Go on dating websites and purposefully seeking out a specific individual using filter functions.  You can use their profile information to draw further conclusions.
• Check the WhatsApp function to see when an individual was last online.

This is in addition to simply ‘Googling’ someone or checking their social media accounts.  Do you own a house or a car? Were you the victim of a data breach? Do you use chat apps? Are trying to find love, or do you run your own business? If you’ve answered yes to any of these, there is the chance that someone could carry out OSINT on you. Someone can infringe your privacy without your knowledge.

But, what is stalking and is it different to OSINT?

Stalking is unwanted and/or repeated surveillance by an individual or group toward another person

We often think of stalking as the act of being followed in person with intent. There is also such a thing as “cyber-stalking”. This term is used when an adult is involved. If a child is involved it’s usually known as cyber-bullying.  It could be argued that the term ‘repeated’ means to take one website and repeatedly check it – because the action must be the same.  How do we determine ‘unwanted’ though? I don’t want someone searching the web and gathering information about me, but can you really stop someone? Are we relying on someone’s conscience to decide whether what they are doing is okay? Probably.

Although there are existing laws that prohibit stalking or harassment in a general sense, legislators sometimes believe that such laws are inadequate or do not go far enough.  They often bring forward new legislation to address this perceived shortcoming combined with a right to free speech. This is why we see the struggles on how best to deal with people such as online trolls.  The answer is never to give everyone an ID because that just enables the far right, or the far left, or the government to intrude on privacy.  Although The Human Rights Act outlines what a government can and cannot do, there is always a way around these types of things.

That said, Article 8 includes the right to respect for correspondence. Again, the definition of ‘correspondence’ is broad, and can include communication by letter, telephone, fax, text message or e-mail. However, it doesn’t directly call out information placed on the internet. I think this is where we start to see how OSINT vs Privacy is not clear enough.

Can OSINT be for the good?

You can use OSINT in a positive way.  Law Firms often make use of OSINT for managing their legal cases.  They use information from social media platforms and similar resources to bolster a case.

Unfortunately, criminals use OSINT to gather information on their targets. In like manner, however, law enforcement and other groups can use OSINT to investigate the behaviours and whereabouts of criminals and ultimately build piles of evidence against them. Most law enforcement agencies have massive workloads severely limiting their resources and personnel to perform effective OSINT investigations. I reached out to Jonathan Younie from Innocent Lives Foundation (ILF). Jonathan explained how ILF uses OSINT:

“The Innocent Lives Foundation’s mission is to close that gap by providing Predator Identification as a service. The ILF’s volunteer force of technology specialists use their extensive OSINT skillsets to identify predators who target children and generate/propagate Child Sexual Abuse Material (CSAM, formerly known as Child Pornography).

The methods used by the ILF are very specific and targeted. Data that is inadvertently collected as part of an investigation that involves someone who is not a person of interest is immediately discarded to protect the innocent. The ILF takes a strong and public non-vigilante stance that is echoed throughout all policies and procedures, recognizing that it is the duty of law enforcement to determine the best course of action to be taken with investigation data.

By working to assist law enforcement with the information they need to bring predators to justice, the ILF hopes to make this world a safer place for our children to grow up.”

Jonathan specifically mentions the disposal of inadvertently collected data.  This gives me confidence that mass data collection is not the purpose of many OSINT activities.  They do not seek to infringe someone’s privacy just because they can.

Summary

So it really does boil down to OSINT v Privacy being about the purpose for which you are doing it.  Who you are, why you’re doing it and what you do with that information.   With OSINT, it is easy to search the internet and find lots of information about someone, but should you be doing it?  Will it get you in trouble? Probably. Are your motivations sinister?  I like to ask myself how I would feel if I was the subject. Would I be happy with it?  If the answer is no, I don’t do it to other people.  However, for some people that is their job.  As long as the job has a good purpose and it can be justified, then there isn’t anything to argue.

—

If you like this blog post, please see other posts here.

If you enjoyed my content, please consider buying me a virtual G&T or three here.