Compliance in OSINT: Legal Requirements for Data Protection and Privacy


When conducting open-source intelligence (OSINT) investigations, it is important to be aware of and comply with the laws and regulations that govern data protection and privacy.

Failure to do so can result in severe consequences, including legal action or reputational damage. In this guide, we will discuss the importance of adhering to these legal requirements and provide practical tips for compliance in OSINT investigations.

Understanding Legal Requirements in OSINT Investigations

In today’s digital age, organisations have access to vast amounts of information through open source intelligence (OSINT) collection. This powerful tool allows businesses to gather valuable insights and make informed decisions.

However, with this ability comes a responsibility to adhere to the laws and regulations on data protection and privacy that govern how personal data is collected, stored and used.

Depending on who the investigations are being conducted for, the relevant legislation can include the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), the Investigatory Powers Act 2016 (IPA) and the Regulation of Investigatory Powers Act 2000 (RIPA).

Whether you are a commercial organisation or a government entity, understanding compliance in OSINT collection is important not only to protect individuals’ privacy rights and maintain the integrity of your investigations, but also to demonstrate your understanding of the legislation to your customers.

What is Open Source Intelligence?

Open-source intelligence (OSINT) collection is a powerful methodology commonly used by individuals, organisations, businesses and government to gather information about their competitors, customers, and the overall industry for due diligence purposes, or as an intelligence product.

Governments use OSINT to gather information for a myriad of reasons ranging from criminal investigations to protecting UK national security. 

OSINT material is generally publicly available and legally accessible, and collection involves gathering data from open sources such as social media, news articles, public records, academic publications and online databases.

Not everything described as ‘open source’ is freely available, however. Understanding the difference between information that is genuinely public and information that sits behind a password, registration or fee is important, because the terms under which it is accessed may restrict how it can lawfully be collected and used.

However, in the UK, it’s important for these organisations and businesses to be aware of and comply with the laws and regulations that govern data protection and privacy.

Key Points about OSINT

  • OSINT generally relies on publicly available and legally accessible information sources, as opposed to classified or restricted sources.
  • It leverages a wide range of open sources, including social media, news reports, government data, academic publications, commercial data, and grey literature.
  • OSINT is used by governments, law enforcement, businesses, and other organisations for purposes like security intelligence, market research, investigative journalism, and academic research.
  • The OSINT process involves collection, processing, analysis, and dissemination of open source data to generate actionable intelligence.
  • OSINT offers advantages such as access to a wide range of sources, timeliness, cost-effectiveness, and transparency compared to other intelligence collection methods.
  • Common OSINT techniques include social media intelligence, search engine data mining, public records checking, and information verification from data brokers.


As a valuable tool for gathering intelligence from publicly available sources, OSINT offers a cost-effective and transparent approach compared to other intelligence collection methods. 

It is widely used by a range of organisations for purposes spanning security, defence and intelligence, business and market research, and operations in high-risk and complex environments.

Data Privacy Legislation in OSINT: Understanding UK GDPR and the Data Protection Act 2018

We commonly hear that ‘GDPR doesn’t apply’ to OSINT. It does, whenever the collection involves personal data: the Data Protection Act 2018 and the UK GDPR are highly significant to OSINT collection.

The General Data Protection Regulation (GDPR) is a regulation of the European Union (EU) that came into effect on 25 May 2018. The regulation was designed in order to harmonise data protection laws across the EU and to give individuals more control over their personal data.

GDPR applies to any organisation established in the EU and, regardless of where the organisation is based, to any organisation that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour (Article 3 GDPR). The test is where the data subject is, not their citizenship.

UK GDPR

In the United Kingdom, the Data Protection Act 2018 (DPA) supplemented the EU GDPR while the UK was a member state. On the UK’s withdrawal from the EU, the GDPR was retained in domestic law, with amendments, as the ‘UK GDPR’.

The DPA 2018 sets out the data protection framework in the UK and contains three separate data protection regimes. Part 2 of the DPA sets out the general processing regime (supplementing the UK GDPR), Part 3 sets out a separate regime for competent authorities processing for law enforcement purposes, and Part 4 sets out a regime for processing by the intelligence services.

The UK GDPR does not differ much from the EU GDPR. It follows the GDPR text, amended to substitute references to the ‘EU’ and ‘Union law’ with the ‘UK’ and ‘domestic law’. Most importantly, the core provisions of the GDPR remain the same under the UK GDPR.

The DPA and UK GDPR work in tandem and affect all organisations processing the personal data of individuals in the UK, whilst the EU GDPR governs processing relating to individuals in the EU.

The UK GDPR therefore largely preserves the harmonised GDPR framework across Europe, including the UK. Individual EU member states nonetheless apply their own derogations and national rules alongside the GDPR, so do not gather data in France, for instance, and assume the law is the same as in the UK.

Complying with DPA and UK GDPR for Safe Data Collection

The DPA and UK GDPR set out rules for the handling and processing of personal data, which are relevant to OSINT collection whenever it involves gathering personal information relating to data subjects (an ‘identified or identifiable living individual’, section 3(5) DPA 2018; Article 4(1) UK GDPR uses the equivalent phrase ‘identified or identifiable natural person’).

The legislation outlines that organisations must have a lawful basis before collecting and processing personal data and must take steps to protect the security of that data.

Organisations must also be transparent about their data collection practices. Breaches of these requirements risk substantial regulatory fines from the Information Commissioner’s Office (ICO) of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.

It is therefore important for organisations to have a clear understanding of the legal and regulatory requirements for OSINT collection under data protection legislation.

This includes conducting regular audits of their data collection practices as well as implementing policies and procedures in accordance with ICO guidance and data protection legislation.

Investigatory Powers and RIPA

Also relevant to OSINT collection is the Investigatory Powers Act 2016 (also known as the “Snooper’s Charter”) and Regulation of Investigatory Powers Act 2000 (RIPA).

Both Acts provide a legal framework and oversight for the use of investigatory powers by law enforcement and intelligence agencies. They regulate the use of certain types of surveillance and intelligence-gathering techniques, including techniques that may be used in OSINT collection.

RIPA was originally enacted to regulate the way in which public bodies, such as the police, GCHQ and the Government itself, intercepted and monitored communications. Increasingly, private companies are supporting these agencies and, in doing so, falling within the scope of RIPA.

RIPA is supplemented by statutory Codes of Practice that explain how the powers available under the Act are to be exercised. The Codes require that authorities using RIPA powers justify their surveillance activities as necessary and proportionate.

The types of activities covered by RIPA are:

  • Conducting covert surveillance in public places
  • Collecting communications data
  • Intercepting communications
  • Using covert human intelligence sources (CHIS).


Businesses, too, can be subject to the powers under RIPA.

Public bodies may use private contractors for activities that require authorisation under RIPA. The general legal position is that RIPA does not apply to the activities of a private company; that position changes, however, when a private company is contracted by a government entity to carry out an activity that may amount to directed surveillance.

To protect human rights, any public body or business seeking to use the powers available under RIPA must obtain authorisation to do so. Authorisation can only be given once the authority can demonstrate that the proposed activities are necessary and proportionate.

Importantly, RIPA and the DPA 2018 overlap significantly: companies carrying out work under RIPA authorisations must also comply with the UK GDPR. This is a complex area of law.

Ensuring Compliance in OSINT Investigations

Whether you are a public authority or a private organisation acting on its behalf, there is a level of activity by an analyst or investigator that does not require authorisation under RIPA.

That threshold is crossed when the activity starts, for instance, to build a pattern of life on an individual, to monitor them on an ongoing basis, or to extract and retain information about them as a record. The threshold is therefore quite low.

Adhering to laws and policies is therefore crucial when conducting OSINT research for the following reasons:

  • Ensure Legal Compliance: OSINT practitioners must comply with relevant laws and regulations, such as data protection laws, privacy laws, and intellectual property rights. Failure to do so can result in legal consequences, fines, or even criminal charges.
  • Maintain Ethical Standards: OSINT research should be conducted ethically, respecting individual privacy rights and avoiding actions that could cause harm or infringe on personal liberties. Adhering to ethical guidelines helps maintain the integrity and credibility of the OSINT community.
  • Protect Individuals’ Rights: Laws and policies related to data privacy and protection are designed to safeguard individuals’ rights to privacy and control over their personal information. OSINT researchers must respect these rights and avoid violating them.
  • Ensure Admissibility in Court: To use OSINT findings as evidence in legal proceedings, they must be collected and handled according to laws and regulations. Failure to comply may render the evidence inadmissible in court.
  • Maintain Transparency and Accountability: By following established laws and policies, OSINT organisations demonstrate transparency and accountability in their operations, fostering trust with stakeholders, clients, and the general public.
  • Avoid Reputational Damage: Unethical or illegal practices can severely harm the reputation of OSINT practitioners and organisations, undermining their credibility and potentially leading to loss of business or legal consequences.
  • Promote Responsible Information Sharing: Adhering to laws and policies facilitates responsible sharing of information within the OSINT community and with relevant stakeholders, while protecting sensitive or confidential data.


As OSINT is often used for investigations, compliance with laws and ethical guidelines is essential for OSINT researchers to maintain the integrity, credibility, and legal standing of their work, while respecting individual rights and promoting responsible information sharing practices.

Consequences of not adhering to data protection laws when conducting OSINT research can be severe, highlighting the importance of remaining compliant and ensuring that all activities are necessary and proportionate.

Key Practices to Comply with Legal Requirements in OSINT Investigations

While conducting OSINT research may seem like a simple and straightforward process, it is essential for practitioners to be aware of the legal requirements that must be followed. Failure to comply with these laws can result in severe consequences.

To ensure compliance in OSINT investigations, here are some key practices that must be followed:

  • Know the Laws: Familiarise yourself with relevant laws, regulations, and policies that pertain to OSINT research in your jurisdiction. This includes data protection laws, privacy laws, and intellectual property rights.
  • Identify a Lawful Basis: Consent is only one of the lawful bases for processing under Article 6 UK GDPR, and the fact that an individual has made information public does not amount to consent. For most OSINT work the realistic basis is legitimate interests (or, for public bodies, a public task or a law enforcement purpose under Part 3 DPA 2018), which should be identified and documented before collection begins.
  • Be Transparent: It is essential to be transparent about your intentions and actions when conducting OSINT research. This includes recording how the collected data will be used and providing individuals with privacy information and an opportunity to object where the law requires it.
  • Respect Privacy: Respect individual privacy rights and avoid collecting or sharing sensitive or confidential information unless it is necessary and proportionate for the investigation.
  • Stay Updated: Stay informed about any changes or updates to relevant laws and policies that may impact your OSINT research practices.
  • Data Security Measures: Ensure that all collected data is securely stored and handled to prevent unauthorised access or data breaches.
  • Consult with Legal Experts: If you are unsure about the legality of your OSINT research practices, consult with legal experts who can provide guidance on compliance requirements.


By adhering to these practices, OSINT practitioners can ensure compliance with legal requirements while conducting their investigations ethically and responsibly.

Conclusion

OSINT collection is a powerful methodology to gather information, but it is important to be aware of and comply with the laws and regulations that govern data protection and privacy.

Adhering to legislation ensures that investigations are conducted in a legal and ethical manner, respects individuals’ privacy rights and protects their personal information. It also demonstrates that the entity carrying out the investigation understands its obligations.

If you need any advice on the UK GDPR, data protection law, RIPA or the IPA, Proelium Law has an expert team who can help and support you through your OSINT activities and ensure compliance with the relevant laws and regulations. Contact us here to learn more.
