Legal Scrutiny of OSINT Evidence and the Access to Digital Devices in Court: Key Case Law and Best Practices

Open-source intelligence (OSINT) evidence is increasingly used in the judicial process, from criminal investigations to civil proceedings. However, one of the main issues that the courts have been grappling with is how to handle requests from parties of interest for access or forensic analysis of devices used to gather evidence. This article looks at key cases where OSINT evidence and how it was gathered were contested in court, as well as the stance taken by courts on access to digital devices.

EARLY CASE LAW ON OSINT EVIDENCE COLLECTION AND AUTHENTICATION

Lorraine v. Markel American Insurance Co. (2007)

In this determining case, Judge Grimm outlined a comprehensive framework for authenticating Electronically Stored Information[1] (ESI), directly relevant to OSINT practitioners. The court emphasised five key considerations for ensuring the authenticity and admissibility of OSINT-derived evidence:

1. Method of ESI creation, preservation, and custody

2. Evidence of data integrity

3. Identification of authorship/ownership

4. Consistency of metadata[2]

5. Completeness of documentation

This ruling underscored that OSINT practitioners must be able to demonstrate how data was collected, ensure no alterations occurred during collection, establish a transparent chain of custody, and explain the tools and methods used in the process (Lorraine v. Markel American Insurance Co., 241 F.R.D. 534, D. Md. 2007[3]).

Capitol Records v. Thomas-Rasset (2011)

This case set essential standards for collecting and using OSINT evidence, particularly in intellectual property disputes. The court ruled that:

• Collection methods must be reproducible

• Results should be verifiable by third parties

• Technical limitations of tools should be disclosed

• The methodology should adhere to industry standards

These rulings emphasise the importance of ensuring the reliability and replicability of OSINT methodologies (Capitol Records v. Thomas-Rasset, 799 F. Supp. 2d 999, D. Minn. 2011[4]).

United States v. Farrad (2017)

In United States v. Farrad, the court addressed the authentication of social media evidence collected through OSINT methods. Two significant rulings emerged:

1. Screenshots alone may be sufficient if adequately authenticated

2. The collector must explain how they accessed the content, what tools were used, the steps taken to preserve data integrity, and any limitations of their methodology

These holdings further reinforce the need for transparency and robust verification methods when collecting OSINT evidence from social media platforms (United States v. Farrad, 499 Fed. Appx. 441, 6th Cir. 2017[5]).

In re Facebook, Inc. Consumer Privacy User Profile Litigation (2019)

This case, though primarily focused on data privacy, has important implications for OSINT investigations. The court stressed:

• The need for transparency in collection methodology

• The importance of data minimisation and privacy considerations during collection

• Documentation of the scope and purpose of data collection

As privacy laws tighten, OSINT practitioners must be mindful of their collection methods and transparent about the data they gather, especially when handling personal information (In re Facebook, Inc. Consumer Privacy User Profile Litigation, 2019[6]).

COURT RULINGS ON ACCESS TO PROSECUTION DEVICES

R v. Bowman (2006)

This case dealt with the disclosure of digital forensic evidence. The court ruled that while full access to forensic devices used by the prosecution was not automatically granted, the defence must be allowed reasonable access to verify the integrity of evidence. This case highlights the balancing act courts must perform when deciding on access to prosecution devices

• Defence requests for access to prosecution devices must be considered reasonably and not arbitrarily denied (R v. Bowman, (2006) EWCA[7] Crim 417[8]).

Montanez v. Future Vision Brain Bank, LLC (2021): Social Media OSINT in Civil Litigation

Montanez v. Future Vision Brain Bank, LLC, 536 F. Supp. 3d 828 (D. Colo. 2021) is a good example of OSINT techniques for gathering social media evidence in civil proceedings and the legal challenges such evidence may face. The case highlights the importance of ensuring that evidence gathered through OSINT is admissible under evidentiary principles, particularly regarding authenticity and reliability.

Case Background

In this, plaintiff Jessica Montanez filed a class action complaint against Future Vision Brain Bank, LLC, under the Telephone Consumer Protection Act (TCPA). She alleged that the defendant had sent unsolicited texts through an Automatic Telephone Dialling System (ATDS). To be part of the evidence, OSINT methods were applied to collect social media data and ascertain the defendant's use of automated tools for retrieving and sending messages in sequence from a list of stored numbers[9].

The defendant challenged the admissibility of this evidence, arguing that the methods and devices used for OSINT collection should be scrutinised for reliability and compliance with legal standards. The court had to determine whether the OSINT collection process adhered to evidentiary requirements such as authenticity, chain of custody, and proportionality[10].

Key Legal Issues

1. Admissibility of Social Media Evidence: The court examined whether the social media evidence collected through OSINT met the standards required for admissibility under the Federal Rules of Evidence (FRE). This included verifying metadata and timestamps and ensuring the content was not altered or tampered with[11].

2. Scrutiny of Investigative Methods: The defence argued that the investigator’s device and tools for OSINT collection should undergo forensic review to ensure data integrity. This reflects growing concerns about whether digital evidence collected through OSINT is reliable enough for court proceedings.

3. Compliance with Evidentiary Standards: The court emphasised that digital evidence must be authenticated and relevant to the case. It also noted that investigators must balance thoroughness with privacy when collecting social media data.

Court Findings

The court denied the defendant’s motion to dismiss. Still, it acknowledged that challenges to the reliability of OSINT evidence could be revisited later, such as during summary judgment or trial. Key findings included:

• Reliability of Evidence: The court highlighted that while OSINT can provide valuable insights, its admissibility depends on demonstrating reliability through proper documentation and verification processes.

• Proportionality in Evidence Collection: Investigators must ensure that their methods are proportionate to the case's needs and do not unnecessarily infringe on privacy rights.

Broader Implications

The ruling in Montanez v. Future Vision Brain Bank has broader implications for how social media evidence is collected and presented in legal contexts:

1. Challenges to OSINT Evidence: This case demonstrates how opposing parties may challenge OSINT-gathered evidence by questioning its authenticity or requesting forensic reviews of collection devices.

2. Forensic Review of Devices: Courts may consider a request to examine investigators’ devices forensically if they are concerned about potential tampering or errors during data acquisition.

3. Best Practices for OSINT Collection: Legal practitioners are encouraged to use tools that capture metadata, maintain the chain of custody, and provide verifiable records of digital evidence collection.

4. Future Litigation Trends: As OSINT becomes increasingly prevalent in civil and criminal cases, courts will likely continue refining standards for its admissibility, particularly concerning social media evidence.

Practical Takeaways

• For Investigators: Ensure all digital evidence is collected using legally compliant tools capable of preserving metadata.

• For Legal Practitioners: Be prepared to defend or challenge OSINT evidence by focusing on its authenticity, reliability, and compliance with privacy laws.

• For Courts: Maintain a balanced approach by considering the probative value of social media evidence and potential privacy concerns.

INTELLIGENCE INTO EVIDENCE

R v. Hamdan (Canada): A Landmark Case on OSINT and Digital Evidence

The Supreme Court of British Columbia's decision in R v. Hamdan (2017 BCSC 1770)[12] is a pivotal ruling that underscores the importance of proper procedures when transitioning OSINT from intelligence gathering to admissible evidence in legal proceedings. This case has become a reference point for how digital evidence, particularly from social media, should be handled to meet legal standards.

Case Background

Othman Ayed Hamdan, a Palestinian refugee in Canada, was charged with terrorism-related offences based on 85 Facebook posts. These posts allegedly supported the Islamic State of Iraq and Syria (ISIS) and were deemed to incite terrorist acts. The Royal Canadian Mounted Police (RCMP) investigators captured these posts using tools like "Snagit" and "Awesome Screenshot," and the Crown sought to admit them as evidence in court. The case concerned whether these posts met the evidentiary standards required for criminal prosecution[13].

Key Legal Issues

The court addressed some of the most significant questions regarding OSINT and digital evidence:

1. Social Media Evidence Admissibility:

The defence questioned the admissibility of screenshots as evidence, stating that these methods did not incorporate sufficient controls against manipulation or alteration. The court asked whether the RCMP's minimalist screenshot software employed best practices for preserving digital evidence.

2. Intelligence to Evidence Transition:

The most important aspect of the case was whether it was possible to translate OSINT collected during an investigation into admissible evidence safely. The court confirmed that having passed this initial hurdle, OSINT must also meet stringent evidence requirements: authenticity, reliability, and chain of custody.

3. Proportionality in Evidence Collection:

In this regard, the court also considered the equilibrium of public security and individual privacy rights, but now, it is regarding how electronic evidence is obtained and produced.

Court Findings

The British Columbia Supreme Court ultimately acquitted Hamdan on reasonable doubt of his intent to incite acts of terrorism. Although the court maintained that one of the posts could be inciting, it maintained that the Crown was unable to prove beyond a reasonable doubt that Hamdan had the intent to incite terrorism. The decision did provide significant guidance, though, on how OSINT is to be treated in legal proceedings:

• Integrity and Reliability: The court criticised the police for using tools like screenshots without employing higher-level methods of preserving digital evidence, such as metadata capture or hashing techniques.

• Procedural Standards: It has stressed that law enforcement agencies must have procedural standards for gathering and delivering OSINT admissible in court.

Broader Implications

The ruling in R v. Hamdan has had a lasting impact on how OSINT is treated in legal settings:

1. Influence on Law Enforcement Practices: Law enforcement agencies increasingly adopt tools to ensure OSINT investigations are defensible in court. These tools help capture metadata, maintain the chain of custody, and verify the integrity of digital evidence[14].

2. Legal Precedent for Digital Evidence: Subsequent rulings have cited this case as an example of how improper procedures undermine a prosecution’s case. It underscores the importance of using advanced tools and methods that meet evidentiary standards[15].

3. Guidance for Practitioners: The case cautions prosecutors and investigators about the risks of collecting digital evidence using inadequate methods. It also highlights the need for training in OSINT methodologies to ensure compliance with legal requirements[16].

RETENTION, INSPECTION, AND DISCLOSURE OF ELECTRONIC RECORDS IN CRIMINAL CASES

Key Court of Appeal Ruling

The Court of Appeal (Criminal Division), led by Vice-President Lord Justice Fulford, reviewed two otherwise unrelated cases to address critical issues concerning the retention, inspection, copying, disclosure, and deletion of electronic records held by prosecution witnesses.

The decision in R v. Bater-James & Mohammed (2020) EWCA Crim 790[17] is of great significance regarding how courts should proceed with applications for access to electronic devices in criminal proceedings. While issues regarding complainants' mobile phones are typically found in sexual offence cases, the decision applies broadly to any criminal case.

Major Legal Principles

1. Proportionality and Justification:

• The defence must request specific, relevant, and proportionate access to electronic devices in the prosecution's possession.

• The courts will reject requests for wholesale general access to a complainant's phone unless there is compelling evidence to justify them.

2. Balancing Privacy and Fair Trial Rights:

• Courts must balance the right of privacy of witnesses and complainants against the defendant's right to a fair trial.

• Finding electronic witness data isn't free, even though the unit will likely contain evidentiary content.

3. Effect on the Investigators and the Prosecution:

• Prosecutors and investigators must bring electronically stored information reasonably apt to be helpful to their sight for inspection and replication.

• It should all be adequately documented by the digitally stored evidence, and deletion must be justified.

This ruling is significant for criminal law defence and prosecution counsel. It maintains the integrity of principles of disclosure in digital evidence and has influenced disclosure arguments on digital evidence in subsequent cases and policymaking. We're sharing with you an overview of its applicability and relevance in future rulings.

The judgment, delivered in R v. Bater-James & Mohammed (2020) EWCA Crim 790[18], provides essential guidance on how courts should handle requests for access to electronic devices in criminal cases. While these issues often arise in cases involving complainants' mobile phones in sexual offence prosecutions, the ruling has broader implications for all criminal proceedings.

Key Legal Principles Established

1. Proportionality and Justification:

• Defence requests for access to prosecution-held electronic devices must be specific, relevant, and proportionate to the case.

• Courts will reject blanket requests for full access to a complainant's device unless there is a clear evidential basis to justify it.

2. Balancing Privacy and Fair Trial Rights:

• Courts must balance the privacy rights of witnesses and complainants against the defendant’s right to a fair trial.

• Unfettered access to a witness’s digital data is not automatically granted, even if the device contains potentially relevant material.

3. Obligations on Investigators and Prosecution:

• The prosecution and investigators must retain, inspect, and disclose electronic material that may be reasonably considered relevant.

• Any digital evidence retained must be documented appropriately, and any deletions must be justified.

This ruling is particularly significant for criminal defence and prosecution lawyers, reinforcing the importance of disclosure obligations in digital evidence cases[19]. It has influenced legal discussions on digital evidence disclosure in subsequent cases and policies. Below is an analysis of its impact and potential applications in later rulings.

THE IMPACT OF R V. BATER-JAMES & MOHAMMED (2020) ON DIGITAL EVIDENCE DISCLOSURE

The ruling in R v. Bater-James & Mohammed (2020) EWCA Crim 790[20] has extensively affected digital evidence management within criminal cases, particularly disclosure obligations. The case has shaped subsequent legal discussion, policy, justification, and proportionality for intrusion into digital devices. The following overviews its impact on digital disclosure policies, subsequent case law, and practice implications for practitioners.

Impact on Digital Disclosure Policies

The decision in R v. Bater-James also put formalised channels of digital disclosure at the forefront. The role of police and prosecutors is to ensure that applications to seize digital material need to be for reasonable grounds, not for speculation. That has been reaffirmed in important policy updates:

• Attorney General’s Guidelines on Disclosure (2022): These guidelines stress proportionality and require clear justification for examining digital devices. They also encourage better engagement between prosecutors and defence teams at pre- and post-charge stages[21].

• Crown Prosecution Service (CPS) Guidance on Digital Evidence: The CPS has updated its guidance to balance privacy protections with fair trial rights, ensuring that only relevant material is disclosed while safeguarding personal data[22].

Subsequent Case Law Developments

The principles established in R v. Bater-James have been applied and expanded upon in several subsequent rulings:

1. R v. CB (2023) EWCA Crim 516 – Limits on Device Access Requests: The defence argued that failing to review the complainant’s phone data constituted unfair disclosure. The Court of Appeal rejected the request, reaffirming that access to an entire device is not a default right and must be supported by specific evidential justification[23].

2. R v. L (2022) EWCA Crim 837 – Prosecution’s Duty to Review Digital Evidence: The defence successfully challenged the prosecution for failing to properly review a complainant’s phone data, which contained exculpatory evidence. The court ruled that investigators must conduct reasonable reviews of digital records and cannot rely solely on the complainant’s assurances about relevant content. This case reinforced the obligation of prosecutors to assess digital evidence rather than selectively disclose it actively.

Practical Consequences for Criminal Practitioners

The evolving landscape of digital evidence disclosure presents new challenges and responsibilities for legal professionals:

• For Defence Lawyers: Disclosure requests must be narrowly framed and justified to avoid court rejection.

• For Prosecutors: Documentation of review processes is critical to demonstrate compliance with disclosure obligations while respecting privacy rights.

• For Judges: Courts continue to adopt a case-by-case approach, balancing fairness with proportionality in digital disclosure requests.

LEGAL DEFENSIBILITY AND BEST PRACTICES FOR OSINT INVESTIGATORS

To mitigate the risk of device access demands and ensure the defensibility of OSINT evidence in court, investigators must adhere to several best practices:

• Document Everything: Tools, methods, time, and collection date must be meticulously recorded to prove data integrity and avoid challenges.

• Maintain Detailed Logs: To ensure transparency, all access attempts, tool configurations, and errors must be logged.

• Use Industry-Standard Tools: It is crucial to maintain current versions of OSINT tools and ensure they are validated and configured correctly.

• Establish Clear Procedures: Written methodologies, quality control checks, and error handling protocols should be in place for every investigation.

• Consider Privacy Implications: OSINT practitioners must respect privacy considerations, adhere to data minimisation principles, and enforce access controls.

CONCLUSION

These cases illustrate the complicity levels ongoing with all these new expectations for guiding OSINT-based evidence throughout the adjudicative process. Courts now demand an extra layer of transparency for all OSINT practitioners, as well as transparent data handling and robust safeguards to protect privacy. Access to procedural tools is usually instituted or disallowed; however, such access, to either a full or partial extent, may be allowed to ensure fairness in the proceedings. This shows the tension between privacy protection and the administration of justice.

Consequently, OSINT analysts should create documented, reproducible procedures and be able to demonstrate a clear and complete chain of custody. With the law still developing regarding digital evidence, calibration must occur while troubleshooting best practices to help ensure that evidence is admissible and reliable. In doing so, investigators can avoid bias, ensuring that their credibility remains intact.

Montanez v. Future Vision Brain Bank shows the subtlety of obtaining social media as an essential aspect to address in a civil trial. It provides valuable lessons to investigators and attorneys by emphasising fundamental evidence requirements involving reliability, proportionality, and adherence to privacy laws. It is a good example that reminds us of this civil litigation that electronic evidence must be scrutinised before one can say it is admissible.

R v. Hamdan will be remembered as a landmark case that continues to shape the processing of OSINT and digital evidence in Canada and worldwide. It provides further impetus to the procedure regarding OSINT in the technical processes, from gathering intelligence to proof for court presentation. The ruling has provided valuable precedents in dealing with digital evidence in criminal investigations, focusing on reliability and proportionality.

These cases illustrate the need for OSINT practitioners to take the initiative and update their legal knowledge. By checking off those boxes globally, OSINT-derived evidence stands an increased chance of resisting court challenges and being deemed admissible.

Authored by: The Coalition of Cyber Investigators.

© 2025 The Coalition of Cyber Investigators. All rights reserved.

The Coalition of Cyber Investigators is a collaboration between

Paul Wright (United Kingdom) - Experienced Cybercrime, Intelligence (OSINT & HUMINT) and Digital Forensics Investigator; and

Neal Ysart (Philippines) - Elite Investigator & Strategic Risk Advisor, Ex-Big 4 Forensic Leader.

With over 80 years of combined hands-on experience, Paul and Neal remain actively engaged in their field.

They established the Coalition to provide a platform to collaborate and share their expertise and analysis of topical issues in the converging domains of investigations, digital forensics and OSINT. Recognising that this convergence has created grey areas around critical topics, including the admissibility of evidence, process integrity, ethics, contextual analysis and validation, the coalition is Paul and Neal’s way of contributing to a discussion that is essential if the unresolved issues around OSINT derived evidence are to be addressed effectively. Please feel free to share this article and contribute your views.

[1] Cole, B. (2023, September 18). electronically stored information (ESI). Search CIO. https://www.techtarget.com/searchcio/definition/electronically-stored-information-ESI#:~:text= (Accessed 17 February 2025)

[2] Kranz, G. (2021, July 12). metadata. WhatIs. https://www.techtarget.com/whatis/definition/metadata (Accessed 17 February 2025)

[3] Lorraine v. Markel American Ins. Co., 241 F.R.D. 534 (D. Md. 2007) https://casetext.com/case/lorraine-v-markel-american-ins-co (Accessed 17 February 2025)

[4] Capitol Records, Inc. v. Thomas-Rasset, 799 F. Supp. 2d 999, 100 U.S.P.Q.2d (BNA) 1183 (D. Minn. 2011) https://casetext.com/case/capitol-records-inc-v-thomas-rasset-2 (Accessed 17 February 2025)

[5] Farrad v. United states, 3:19-CV-434-TAV-DCP (E.D. Tenn. Jul. 26, 2021) https://casetext.com/case/farrad-v-united-states-2 (Accessed 17 February 2025)

[6] In re Facebook, Inc. Consumer Privacy User Profile Litig., 655 F. Supp. 3d 899 (N.D. Cal. 2023) https://casetext.com/case/in-re-facebook-inc-consumer-privacy-user-profile-litig-2 (Accessed 17 February 2025)

[7] EWCA - England and Wales Court of Appeal.

[8] UK reports: R v Bowman (2006) EWCA Crim 417 - 2 March 2006. (n.d.). http://netk.net.au/UK/UK115.asp (Accessed 17 February 2025)

[9] Montanez v. Future Vision Brain Bank , Civil Action No. 20-cv-02959-CMA-MEH (D. Colo. Apr. 7, 2021) https://casetext.com/case/montanez-v-future-vision-brain-bank-llc( Accessed 17 February 2025)

[10] “Authenticity and Admissibility of Social Media Website Printouts” by Wendy Angus-Anderson. (n.d.). https://scholarship.law.duke.edu/dltr/vol14/iss1/2/ (Accessed 17 February 2025)

[11] Patzakis, J. (n.d.). Social media evidence key factor in estimated 500,000 litigation cases last year. https://blog.pagefreezer.com/social-media-evidence-500000-litigation-cases (Accessed 17 February 2025)

[12] ICD - R. v. Hamdan - Asser Institute. (n.d.). https://www.internationalcrimesdatabase.org/Case/3306/ (Accessed 17 February 2025)

[13] Canadian court admonishes police for submitting Facebook screenshots as evidence. (2020, September 17). Next Gen eDiscovery Law & Tech Blog. https://blog.x1discovery.com/2017/07/11/canadian-court-admonishes-police-for-submitting-facebook-screenshots-as-evidence/( Accessed 17 February 2025)

[14] Post, M., & Post, M. (2019, November 1). OSINT Tools: Capturing Evidence & Notetaking. Forensic Notes. https://www.forensicnotes.com/osint-tools/ (Accessed 17 February 2025)

[15] Metadata and Hashing: Creating Court-Admissible Evidence from OSINT https://www.skopenow.com/news/metadata-and-hashing-creating-court-admissible-evidence-from-osint Accessed 17 February 2025)

[16] Duguay, J. (2024, December 4). Understanding OSINT: What it is and Why You Need a PI. Shadow Investigations. https://www.shadowinvestigationsltd.ca/understanding-osint/ (Accessed 17 February 2025)

[17] Bater-James & Anor v R. (2020) EWCA Crim 790 (23 June 2020). (n.d.). https://knyvet.bailii.org/ew/cases/EWCA/Crim/2020/790.html (Accessed 17 February 2025)

[18] Bater-James & Anor v R. (2020) EWCA Crim 790 (23 June 2020). (n.d.). https://knyvet.bailii.org/ew/cases/EWCA/Crim/2020/790.html (Accessed 17 February 2025)

[19] Talia. (2024, October 28). Obligations in relation to electronic records and devices: fresh guidance from the Court of Appeal (Criminal Division) - Park Square Barristers. Park Square Barristers. https://www.parksquarebarristers.co.uk/obligations-in-relation-to-electronic-records-and-devices-fresh-guidance-from-the-court-of-appeal-criminal-division/ Accessed 17 February 2025)

[20] Complainant’s mobile phone. (n.d.-b). Law Gazette. https://www.lawgazette.co.uk/law-reports/prosecution-evidence-complainants-mobile-phone/5104909.article/ (Accessed 17 February 2025)

[21] Office, A. G. (2024, February 29). Attorney General’s Guidelines on Disclosure updated. GOV.UK. https://www.gov.uk/government/news/attorney-generals-guidelines-on-disclosure-updated( Accessed 17 February 2025)

[22] Disclosure Manual: Chapter 30 - Digital Material | The Crown Prosecution Service. (n.d.). https://www.cps.gov.uk/legal-guidance/disclosure-manual-chapter-30-digital-material (Accessed 17 February 2025)

[23] Prosecution evidence: Complainant’s mobile phone. (n.d.). Law Gazette. https://www.lawgazette.co.uk/law-reports/prosecution-evidence-complainants-mobile-phone/5104909.article( Accessed 17 February 2025)