Ethical and legal boundaries for OSINT practices

Event report

How far can open-source intelligence (OSINT) practices go? Can they include research to prevent crime or threats to national security? The main challenges are related to the violations of the right to privacy and other human rights, as well as the legality of using these tools.

The Electronic Frontier Foundation (EFF) investigates surveillance technology in the context of a project called the Atlas of Surveillance. Currently, the organisation is doing research on the USA–Mexico border, trying to identify the exact locations of surveillance towers being used for border security. By going through environmental assessments and procurement documents, and by using Google Street View, they built a dataset of more than 200 locations. The criticism they face comes from law enforcement and the pro-intelligence community who feel they are providing criminals with instructions on how to avoid surveillance, a criticism the organisation denies.

People working in the OSINT sector are faced with challenges related to two kinds of datasets: a) hacked data and the legitimacy of using them, and b) leaked information and boundaries for using something that should require higher legal authority.

Law enforcement is broadening the definition of OSINT to include commercial databases that they can purchase access to. Nevertheless, they might get access to this data to find out where certain people are at a given time, or to find information about their digital devices. An opinion was stated that this is not considered OSINT because it is not something that is publicly available.  

It was stated that OSINT practices must be understood as an output after collecting specific raw data or existing information, which are the input. Within each, both public and private data can be found. The complexity of the issue prevents us from holding clear positions regarding the impact they have on human rights.

Privacy International found that there has been no quality check on the effectiveness of the OSINT practicess in the decision-making processes of local authorities, which appear to adopt the approach that if your data is out in the open on social media, then it is fair to use it without consent. Recently, they observed that local authorities are increasingly using information from social media to determine the age of younger asylum seekers arriving in the UK. In order to determine the age of juvenile asylum seekers, local authorities are relying on data from social media without any direction, policy, or training. Consultations, independent oversight, and openness are completely absent. The use of social media intelligence is seen as a disproportionate, highly unreliable, and invasive process. Furthermore, the absence of an internal audit begs the question of how local governments can assess the programme’s effectiveness. It allows the targeting and profiling of different user groups, especially those who are already at high risk, such as women, LGBT persons, journalists, human rights defenders, and asylum seekers.

Participants concluded the session by stating that OSINT practices need to be more regulated and oversighted, and that there should be both ethical and legal limits to them, while securing privacy in online public spaces.

The burden should not be on the users to self-censor because they should not be treated as potential suspects without being legally and fairly questioned.

By Teodora Markovic

The session in keywords