What is OSINT?
Open-source intelligence (OSINT) is the collection and analysis of freely available information from public sources, online and offline. Examples of data sources include news articles, social media posts, government records, and publicly available data found through search engines.
OSINT is used throughout cyber security, in areas like threat intelligence, incident response, and vulnerability management.
In threat intelligence, OSINT means monitoring online activity, forums and social media so that an organisation can act before an emerging threat reaches it. In incident response, it can be used to find a group claiming responsibility for a recent attack and the context that claim provides. In vulnerability management, it reveals exposure in both systems and people.
Furthermore, OSINT is often sold as a service under labels like ‘internet discovery’, ‘corporate intelligence’, and ‘open-source investigation’. These services research companies or key individuals to discover information that is valuable, or exploitable, to an attacker. By applying the same OSINT techniques, a bad actor can gather information about a company or individual and use it nefariously, for example through social engineering. Spear phishing is a case in point: the attacker learns enough about a well-placed individual to trick them into engaging with an illegitimate email.
But what are the ethical issues?
When we set out to uncover information about an individual rather than an organisation, what are the ethical issues?
Collating and analysing information about an individual raises concerns around privacy. Whether one pays a professional or uses a specific tool, OSINT is by definition limited to public sources. Yet each piece of information may be harmless on its own; it is the aggregation and evaluation of many pieces that can reveal something sensitive about a person that they never intended to disclose.
For example, many professionals have a LinkedIn account that includes their experience and location, and it is very easy to type in a name and find a person. A photo of one’s children lined up outside the home (first day of school, perhaps) posted on Instagram, possibly with the house number visible in the image, combined with the location known from LinkedIn, can tell anyone exactly where that person lives and who lives there, even though this was never the intention.
Furthermore, when one posts different parts of their life to different social media and internet channels, it is the user who chooses where and when each piece of information is displayed. Is it right for a tool to aggregate this information and sell it as a package to those willing to buy it?
Data can also become outdated and misleading, especially for those who have grown up with the internet. When one’s digital footprint includes thoughts they had when they were much younger, can valid conclusions be drawn about their current beliefs through OSINT? An obnoxious comment written on Twitter (now X) in one’s early teens may not reflect one’s beliefs as a working professional. Yet this incomplete data could lead to unjust accusations, possibly in a field like threat intelligence.
Can GDPR help?
Many ethical issues surrounding OSINT come back to the UK General Data Protection Regulation (UK GDPR). Legislation like UK GDPR draws ethical and legal lines in this field through restrictions on how personal data may be collected, kept and processed. Notably, the fact that data is publicly available does not take it outside the regulation: it is still personal data, and collecting and processing it still requires a lawful basis.
Underpinning many OSINT ethical concerns is consent: an unjustified OSINT investigation, conducted without transparency or accountability, is unethical. However, when organisations conduct surveillance for threat intelligence, incident response, vulnerability management, and other security-related purposes, the ethical considerations become far more complex.
Overall, the ethical issues surrounding OSINT centre on data privacy and the potential for misuse. OSINT offers numerous advantages for security and threat detection; however, given the risks to personal privacy and data protection, how can the industry ensure its practices are ethically sound while still operating effectively?