One of the hallmarks of open-source intelligence (OSINT) investigations is the free nature of the sources from which intelligence data is gathered. OSINT investigations rely on publicly available information, meaning information not hidden behind paywalls or secure networks. Because that information is freely available, its use may raise some ethical concerns.
Companies like DarkOwl need to be circumspect about the tools they develop for OSINT investigations. Every tool needs to be designed with ethical considerations in mind. Otherwise, the entire OSINT principle is compromised.
Individual Privacy and Consent
At the top of the list of concerns is individual privacy and consent. The fact that information is publicly available does not equate to the freedom to use that information in any way a person sees fit. Individual privacy needs to be respected.
In addition, aggregating disparate data points can ultimately reveal information that a consumer never intended to be shared publicly. How an OSINT investigation handles such information can push the boundaries of privacy and consent. Here is another way to put it: just because a cybersecurity team can use data in a certain way does not mean that doing so is right or ethical.
Intentional Limits
Concerns over privacy and consent suggest setting intentional limits for how information is used. A basic framework would dictate that OSINT data only be used for its original justified purpose. OSINT investigations should not repurpose data for applications unrelated to the original investigation. Otherwise, the risk of ethical breaches increases.
Verification of Data Accuracy
The next ethical concern relating to OSINT resources is data accuracy. We are all familiar with the tongue-in-cheek acknowledgement that ‘you can’t believe everything you read online’. Though we bandy the sentiment about lightly, it is actually true. It is especially true in the field of OSINT investigations.
Proper ethics dictate verifying data accuracy before employing it for cybersecurity and other purposes. Unfortunately, OSINT investigations can inadvertently spread misinformation that ultimately harms innocent third parties.
A third party could be an individual who faces false accusations as a result of misinformation. It could be a small business or enterprise faced with adverse outcomes because misinformation damages the brand.
Analyzing Data in Context
Along the same lines as data verification is the ethical mandate to analyze data in context. Unfortunately, data aggregation can lead to a loss of context with devastating consequences. It is imperative that OSINT investigations use old or out-of-context data sparingly so as to protect those individuals who might otherwise be harmed by it.
Legal and Regulatory Compliance
Multiple jurisdictions around the world have begun implementing regulations designed to address the ethical concerns of using free OSINT resources. Perhaps the best known among them is Europe’s General Data Protection Regulation (GDPR). Organizations have an ethical responsibility to adhere to regulations – along with the legal requirements of each regulatory scheme.
Transparency and Accountability
The glue that binds all these ethical concerns together is the combination of transparency and accountability. Ethical OSINT investigations demand transparency about the parties collecting information, their motivations, and their purposes for the data.
Investigators need to be held accountable through regular audits and documentation. Without accountability, investigators risk engaging in some of the same sorts of behaviors they are trying to uncover through OSINT.
OSINT investigations benefit a great deal from not having to pay for information. Investigators can get free data from publicly available sources. But free data does not make for a Wild West investigative environment. Its use is governed by certain ethics that OSINT investigators are bound to. Step outside the ethical boundaries and there are new problems to worry about.
