Black OSINT vs White OSINT: The Dual-Use Dilemma in Open Source Intelligence

The Coalition of Cyber Investigators examine the need for OSINT practitioners to recognise that their craft is also valuable to criminals and other bad actors.

Paul Wright & Neal Ysart

9/30/2024 (10 min read)

Introduction

Open Source Intelligence (OSINT), the collection and analysis of publicly available information, has emerged as a potent tool with the potential for both good and evil, and its use has increased in both criminal activities and legitimate investigations[1]. While OSINT practitioners use publicly available information to investigate crimes, ensure compliance, and protect national security, criminals have also adopted OSINT techniques to exploit individuals and organisations. This dual-use nature of OSINT underscores the power and responsibility that comes with its use, raising ethical dilemmas and exposing grey areas, particularly when illegally collected data is involved. The divide between harmful uses, referred to by The Coalition of Cyber Investigators[2] as Black OSINT, and ethical use, White OSINT, underscores the importance of setting strict policies and best practices to govern OSINT operations. This article explores these opposing uses, the moral grey areas, and the growing need for regulatory frameworks to ensure responsible OSINT practices.

Black and White OSINT: Defining the Ethical Divide

The distinction between Black OSINT and White OSINT underscores the ethical duality of open-source intelligence techniques. Black OSINT involves the unethical or illegal application of OSINT by malicious actors, such as criminals, hackers, and terrorist organisations. These bad actors exploit publicly available data for illicit activities like identity theft, cyber fraud, and doxing.

Often bypassing data protection regulations and ethical standards, Black OSINT abuses social media, public databases, and forums to gather personal information that can be weaponised for illegal purposes. It even extends to selling this stolen data on the dark web, where criminals profit from compromising sensitive information.

On the other hand, White OSINT is the ethical counterpart. Professionals such as law enforcement, journalists, corporate investigators, and cybersecurity experts use the same OSINT techniques within a legal framework, adhering to strict data protection laws and ethical guidelines. White OSINT aims to detect and prevent crimes, monitor security risks, and support legal investigations while respecting privacy rights and legal standards.

This fundamental split between Black and White OSINT highlights its dual-use nature, where the same methods and tools can be leveraged for harm or good, depending on intent and legality[3].

Black OSINT: How Criminals Exploit Open-Source Data

The line between ethical and unethical OSINT becomes particularly visible in the workings of Black OSINT. Malicious actors routinely exploit OSINT techniques for criminal gain. For instance, fraudsters and hackers use OSINT to gather intelligence on targets, making phishing attacks more sophisticated or identifying vulnerabilities to execute crimes like burglary or cyber-attacks. Personal information scraped from public records, social media, and forums serves as a valuable resource for further illegal activities such as identity theft, corporate espionage, or doxing.

Moreover, the dark side of OSINT extends into the deep and dark web, where criminals trade this harvested data. These underground platforms enable the sale of stolen personal information, credit card details, and other sensitive data, further driving illegal operations. In contrast to White OSINT’s ethical safeguards, Black OSINT flourishes in the shadows, driven by a blatant disregard for privacy laws and legal boundaries.

Exploring the world of Black OSINT reminds us of the importance of maintaining rigorous ethical standards in open-source intelligence, a point central to the responsible application of White OSINT techniques.

One final application of Black OSINT that is increasingly prevalent is disinformation, where malicious actors exploit publicly available information to create false narratives, manipulate public opinion, interfere in elections, and undermine trust in institutions. By carefully selecting and presenting data, these individuals can craft misleading or outright false stories that can be difficult to debunk. This can have serious consequences, as disinformation can lead to social unrest, political polarisation, and even violence.

Case Studies

Numerous examples exist of criminals exploiting OSINT to harm individuals and organisations. For instance, attackers have used public data to stalk individuals, plan physical attacks, or carry out fraudulent schemes. One notable case involves doxing, where criminals gather personal data like home addresses and contact information to harass or intimidate individuals. Similarly, corporate espionage often involves using publicly available information about a company to gain a competitive advantage or plan a cyberattack[4].

Ethics and Legal Considerations

The illegality and lack of accountability in Black OSINT operations are significant concerns. Black OSINT disregards privacy laws and data protection regulations, such as the General Data Protection Regulation (GDPR). Unlike ethical intelligence practices, which operate within a legal framework and adhere to strict guidelines, Black OSINT takes advantage of the open nature of data without considering the legal or ethical consequences. This unethical exploitation of OSINT techniques highlights the darker side of freely accessible information, where criminal activities thrive without regulatory oversight.

Black OSINT actors use many of the same tools as legitimate practitioners, which demonstrates the potential for publicly available data to be used for illicit purposes. This underscores the urgent need for stricter controls and awareness of how OSINT techniques can be misused, and the importance of regulating these techniques to help prevent their exploitation for criminal activities.

White OSINT: The Ethical Use of Open-Source Intelligence

In contrast to the illicit activities associated with Black OSINT, White OSINT involves the ethical use of open-source intelligence to support legitimate investigations, enhance cybersecurity, protect individuals, and promote justice. OSINT professionals, including law enforcement, private investigators, and corporate analysts, rely on publicly available data to identify threats such as fraud, terrorism, and cybercrime. Additionally, White OSINT plays an essential role in humanitarian activities such as disaster relief and is increasingly being used to counter disinformation through fact-checking. OSINT professionals should operate within clear ethical boundaries, ensuring that the information they gather complies with data protection regulations like the GDPR and other applicable laws. Moreover, White OSINT focuses on collecting admissible and verified data, supporting investigations and legal proceedings with credible, relevant information aligned with regulatory standards.

Case Studies

Numerous examples highlight the ethical use of White OSINT in solving crimes and promoting public safety. For instance, law enforcement agencies regularly use OSINT to track down cybercriminals, monitor terrorist organisations, and prevent potential attacks. A key example includes using White OSINT in counter-terrorism efforts, where investigators have successfully identified threats by monitoring public social media activity and other online sources. Similarly, corporate analysts use OSINT to investigate fraudulent activities, often uncovering illicit behaviour by piecing together publicly available financial and transactional data. In cybersecurity cases, companies employ OSINT to identify vulnerabilities in their systems by analysing threat actors’ communications on public forums, enabling them to take preventive actions before attacks occur[5].

Ethics and Legal Considerations

White OSINT embodies the ethical and legal side of intelligence gathering, conducted with proper authority and adherence to regulatory standards. OSINT professionals within this framework prioritise transparency, legitimacy, and accountability in their data collection efforts. This emphasis on ethics and legality ensures that the privacy rights of individuals are respected and that the data collected is limited to what is necessary for the specific investigation. The probative value of the data collected is also carefully weighed against potential privacy or human rights violations, ensuring that OSINT is used responsibly and within legal confines[6].

By focusing on these ethical considerations, White OSINT practitioners differentiate their work from the malicious exploitation seen in Black OSINT, ensuring that their intelligence-gathering activities remain legitimate and beneficial to society[7].

The Grey Areas

Three critical grey areas between Black and White OSINT arise when OSINT practitioners encounter illegally collected data, such as data from leaks or breaches, and when they use Sock Puppets and Human Intelligence.

Historically, English law, as illustrated by Crompton J's dictum in Leathem (1861)[8], has maintained a relatively lenient stance toward the admissibility of evidence, even when it is improperly or illegally obtained. The general principle is that a breach of rules during criminal investigations does not automatically render the evidence inadmissible. Unlike some other jurisdictions, English courts have not embraced the automatic exclusion of such evidence, emphasising instead that each case should be considered individually, weighing the interests of justice over procedural errors.

The use of data obtained from breaches presents numerous ethical and legal challenges:

  • Illegality of the Source

    • Data obtained through breaches or leaks, while potentially valuable, can breach data protection regulations like the GDPR and the Data Protection Act (DPA), as seen in high-profile incidents such as the Panama Papers[9].

  • Probative Value vs. Prejudicial Effect

    • Courts may admit this evidence if it is critical to the case; however, they may exclude it if the potential for unfair prejudice outweighs its relevance or value.

  • Key Considerations

    • When deciding whether to admit such data, courts consider factors like credibility[10], relevance[11], significance, the circumstances[12] under which the data was obtained, fairness, and the potential impact on human rights. These elements are critical to balancing the probative value of evidence with ethical concerns.

Using sock puppets (fake online personas, aka legends) and human intelligence sources in OSINT investigations allows practitioners to gather information covertly, often without the subject's knowledge. While these methods can yield valuable intelligence, they carry significant ethical risks and legal implications, especially regarding privacy violations and data protection. The creation and use of false identities can blur the lines between legitimate investigation and deceptive practices, potentially infringing on privacy rights governed by regulations such as the GDPR[13].

To mitigate these risks, OSINT practitioners must follow clearly defined policies, procedures, and best practices that guide the ethical use of sock puppets and human intelligence. Transparency in decision-making, such as ensuring a legitimate legal basis for using these techniques, is crucial. Furthermore, regulatory frameworks like GDPR define how personal data should be collected, processed, and stored, reinforcing the need for ethical guidelines that ensure compliance with data protection laws while maintaining investigative integrity[14].

OSINT practitioners and legal professionals must navigate these complexities to ensure that such data does not compromise the integrity of investigations or individuals' rights.

The Importance of Policies and Best Practices

Developing clear and well-structured ethical frameworks is crucial to ensuring the responsible use of OSINT. Organisations must implement robust policies and procedures because of the potential for moral dilemmas, particularly in grey areas like using leaked data, sock puppets, and human intelligence sources. These frameworks should outline how OSINT tools and methods can be used legally and ethically. This includes documenting the legal basis for gathering data, as required by GDPR and other data protection laws, ensuring that every step taken is aligned with compliance standards[15].

Regular training and oversight are essential in ensuring OSINT practitioners remain within legal and ethical boundaries. According to the Authentic8 OSINT guide[16], the use of public data in investigations requires careful adherence to legal regulations like GDPR, and training ensures that practitioners understand these boundaries while effectively gathering intelligence.

Maintaining data integrity is another critical aspect of OSINT investigations. This is where enforcing a chain of custody becomes essential, particularly when evidence needs to be used in court. The Evidence Management Institute highlights that a well-documented chain of custody preserves the authenticity of data from when it is collected until it is presented in legal proceedings. This process ensures that no evidence is tampered with and is admissible in formal proceedings[17].

To ensure credibility and protect organisations legally, it is vital that OSINT tools are verifiable and that strict protocols are in place for data management. This ensures the accuracy of collected data and the accountability of those handling it.

Conclusion

In conclusion, the distinction between Black OSINT (criminal and unethical use) and White OSINT (legitimate, ethical use) highlights the need for thoughtful, ethical consideration in the field of OSINT. While OSINT offers immense value for intelligence gathering on both sides, its ethical use is paramount to ensuring that this intelligence serves justice, respects privacy, and adheres to legal standards.

The grey areas of OSINT, such as using leaked data or deceptive tactics, require ongoing discussion. As OSINT continues to evolve, so must the policies and procedures governing its use. This is essential to balance effective intelligence gathering with protecting individual rights. Organisations should commit to continually evolving their ethical frameworks to ensure they remain up-to-date.

By reaching a consensus and agreeing on a shared understanding of the boundaries between Black and White OSINT, practitioners can mitigate risk, help eliminate the grey areas, promote more responsible use, and increase the levels of OSINT acceptability.

Authored by: The Coalition of Cyber Investigators

Paul Wright (United Kingdom) & Neal Ysart (Philippines)

© 2024 The Coalition of Cyber Investigators. All rights reserved.

The Coalition of Cyber Investigators is a collaboration between

Paul Wright (United Kingdom) - Experienced Cybercrime, Intelligence (OSINT & HUMINT) and Digital Forensics Investigator; and

Neal Ysart (Philippines) - Elite Investigator & Strategic Risk Advisor, Ex-Big 4 Forensic Leader.

With over 80 years of combined hands-on experience, Paul and Neal remain actively engaged in their field.

They established the Coalition to provide a platform to collaborate and share their experience and analysis of topical issues in the converging domains of investigations, digital forensics and OSINT. Recognizing that this convergence has created grey areas around critical topics, including the admissibility of evidence, process integrity, ethics, contextual analysis and validation, the coalition is Paul and Neal’s way of contributing to a discussion that is essential if the unresolved issues around OSINT derived evidence are to be addressed effectively. Please feel free to share this article and contribute your views.

[1] Waitt, T. (2018) Hiding in plain sight: Open source intel & the security professional - American Security Today. https://americansecuritytoday.com/hiding-plain-sight-open-source-intel-security-professional/ (Accessed September 23, 2024)

[2] https://www.linkedin.com/company/the-coalition-of-cyber-investigators/?viewAsMember=true

[3] F, R. (2024, June 14). Richard F. on LinkedIn: #osint #good #bad [Video]. https://www.linkedin.com/posts/richard-foster-security_think-you-dont-give-away-that-much-on-social-activity-7207273432558829570-obxK?utm_source=share&utm_medium=member_desktop (Accessed September 29, 2024)

[4] Service (2024) OSINT case study: Uncovering a hacker group | Social Links. https://blog.sociallinks.io/a-real-osint-case-uncovering-a-hacker-group/ (Accessed September 23, 2024)

[5] Solutions, B. (2024) Applying OSINT to fraud Prevention and Corporate Investigations. https://blackdotsolutions.com/blog/fraud-prevention/ (Accessed September 23, 2024)

[6] VirusZzWarning. (2023, July 15). Legal and ethical considerations in OSINT investigations - Hacker Academy. Hacker Academy. https://hackeracademy.org/legal-and-ethical-considerations-in-osint-investigations/ (Accessed September 29, 2024)

[7] Admin. (2024, July 8). Navigating Ethical and Legal Challenges in OSINT: A Comprehensive Guide - NOTIONES. NOTIONES. https://www.notiones.eu/2024/07/08/navigating-ethical-and-legal-challenges-in-osint-a-comprehensive-guide/ (Accessed September 29, 2024)

[8] Illegally or Improperly Obtained Evidence: does it matter how you get it? - Meg Gibson (Per Incuriam) | Cambridge University Law Society (CULS) (no date). https://www.culs.org.uk/per-incuriam/illegally-or-improperly-obtained-evidence-does-it-matter-how-you-get-it (Accessed September 23, 2024)

[9] Investigators, C. O. C. (2024, September 25). The Coalition of Cyber Investigators on LinkedIn: Ethical Dilemma of using data breach information in OSINT. https://www.linkedin.com/posts/the-coalition-of-cyber-investigators_ethical-dilemma-of-using-data-breach-information-activity-7244842561092108288-SCmB?utm_source=share&utm_medium=member_desktop (Accessed September 29, 2024)

[10] Types of Evidence Used in Law UK | What is Evidence? (no date). https://www.draycottbrowne.co.uk/investigations/types-evidence (Accessed September 23, 2024)

[11] Criminal Justice Act 2003 - Explanatory notes (no date). https://www.legislation.gov.uk/ukpga/2003/44/section/100/notes?view=plain (Accessed September 23, 2024)

[12] Hearsay | The Crown Prosecution Service (no date). https://www.cps.gov.uk/legal-guidance/hearsay (Accessed September 23, 2024)

[13] SANS Institute. (2024, July 23). Sock Puppets in OSINT | SANS Institute. https://www.sans.org/blog/what-are-sock-puppets-in-osint/ (Accessed September 29, 2024)

[14] OSINT and GDPR - OSINT Central. (n.d.). https://www.osint-central.com/osint-gdpr/ (Accessed September 2024)

[15] Drzewiecki, D. (2023) 'Is OSINT legal? OSINT legal and ethical concerns,' Corma Investigations, 10 July. https://corma-investigations.com/uncategorized/is-osint-legal-the-legal-and-ethical-concerns-of-using-open-source-intelligence/ (Accessed September 23, 2024)

[16] What is OSINT? A definitive guide for law enforcement. (n.d.). Authentic8. https://www.authentic8.com/blog/what-osint-definitive-guide-law-enforcement?li_fat_id=4578c43e-47e4-467d-bb7a-de91eb4016c7 (Accessed September 29, 2024)

[17] Lee, H. (2024, May 21). The crucial role of chain of custody: Ensuring evidence integrity and quality assurance | Evidence. Evidence Management Institute. https://evidencemanagement.com/the-crucial-role-of-chain-of-custody-ensuring-evidence-integrity-and-quality-assurance/ (Accessed September 29, 2024)