The short answer—yes, the use of open-source intelligence (OSINT) is completely legal. However, if you yourself are conducting an OSINT investigation, you might find yourself asking, “Is this ethical?” or “Am I crossing a personal boundary of my own?”
While the use of OSINT is completely legal, the how leaves room for many ethical and legal dilemmas. In this article, we will dive into the steps you can take to maintain an ethical code of conduct when working in the multi-source intelligence field.
The Power of OSINT
The amount of open-source data that exists today is immense. Artificial intelligence and OSINT tools have made it easier than ever for analysts and even everyday people to reduce the number of hours spent combing through media. The result is faster, more holistic situational awareness that makes decision-making quicker and easier.
Legal Limitations in OSINT
Today, sets of laws and regulations, such as the General Data Protection Regulation (GDPR) in the European Union, define what personal data can be available to the public. Laws like GDPR exist to protect individuals and their privacy in today’s digital world, where almost anything and everything is accessible at the click of a button. GDPR is arguably not only one of the most famous data protection regimes to date but also one of the strictest. However famous, though, GDPR is a set of rules that applies only to European Union states.
Conversely, in the United States, the Fourth Amendment protects people against unreasonable searches and seizures. Historically, this referred to places or things and not exactly to a person's electronic data or communications. Therefore, many states have started creating their own provisions and rules to do exactly this. Currently, one of the most famous is the California Consumer Privacy Act (CCPA), which, in some cases, can indirectly and legally limit consumers and businesses in other states. The result is a discordant set of rules across the country.
At this time, there is no international standard set of laws to protect individuals’ data. This means that OSINT analysts must remain extra vigilant and aware of the set of laws they are required to adhere to when investigating and creating reports.
How to Stay Ethical in OSINT Investigations
Because laws and regulations vary by location, analysts and users of OSINT tools may feel perplexed about how to remain ethical in their practices. Therefore, we have created the following four steps to help create a code of conduct to remain scrupulous when conducting investigations.
1. Know the Laws and Governing Bodies in Your Area
As mentioned above, there is a plethora of different laws and governing bodies that can influence one’s OSINT investigation. This is why it is important to be well-versed in the laws that govern your area as a starting point.
To find out which data privacy legislation applies to your country and/or region, you can use the United Nations Conference on Trade and Development’s interactive map online.
2. Build Your Own Code of Conduct
While legislation exists that oversees data protection and human rights, we each have our own moral code that we feel compelled to follow. Before starting an investigation, we recommend sitting down and outlining the areas that you personally do not feel comfortable pursuing. While these may be legal in your country or region, you might find that they actually go against your own moral code.
Your code of conduct can include the following:
Having these guidelines before you start any investigation will make it easier to respond when sticky situations arise. Additionally, if you are working as a group or company, a code of conduct ensures that everyone is aligned on key values.
3. Document the Actions and Steps You Make
Transparency is key when it comes to holding yourself accountable. By having clear and concise documentation of what data you are using and how you are using it, you will not only have a record for yourself but also for your respective governing body.
Many countries have specific requirements for how and what should be documented, which is why it is again incredibly important to make sure you are well-versed in your regional legislation.
For anyone residing in the European Union, you can use the interactive GDPR checklist for data controllers.
4. Test Your Knowledge with Case Studies
There are plenty of ways to test your knowledge without being in the literal hot seat. By building and examining hypothetical situations, you can apply not only the laws in your area but also your own code of conduct and documentation methods to see if you pass the test.
Don’t know if you have good examples? We have created a few scenarios below of challenges presented in OSINT to test your knowledge.
Ethics in OSINT Case Studies
Case Study 1: OSINT and Organized Crime Monitoring
Use the three scenarios below to see how well you know your own regional legislation as well as test your own code of conduct. We integrated a poll feature so that you can compare your thoughts to others.
Please note: While some answers may have a majority vote, this does not mean that they are correct for you or your location.
Case Study 2: Employee Social Media Monitoring
Case Study 3: Company Projects and Employee Concerns
While open-source data is totally legal to use, the use of it is not always black and white. In order for individuals to stay vigilant, they must understand the ethical and moral implications of their work.
Firstly, they must be well-versed in the laws and regulations that govern their location.
Secondly, they should build their own set of rules for best practices before investigating. Furthermore, if a company or group is working together, this set of rules defines a mutual understanding.
In action, those conducting investigations should document their actions for validation, and finally, they should test their knowledge and beliefs against various examples that could test them.