Navigating the world of open source intelligence (OSINT): challenges, compliance, and ethical considerations


OSINT is a technique that has been used for many years, in both civilian and state domains, for law enforcement and administrative purposes. Some French bodies use the acronym ROSO (renseignement d'origine sources ouvertes, the French term for open source intelligence). These techniques have spread alongside the democratization of the internet.


This type of open source research was already being discussed in France as early as 1994, in the context of economic and strategic intelligence, since that discipline is defined by a circular from the Prime Minister dated September 15, 2011 as the collection and analysis of information. It has also long been used by journalists, who quickly realized the potential of digital technology for accessing and exploiting information.


These techniques are increasingly used because of the proliferation of tools, their accessibility, and their use during the crises of recent years (the Covid pandemic, the war in Ukraine, or more recently the terrorist attack in Israel) to obtain or verify information, as well as for various investigative purposes. Some companies also use them to detect patterns of fraud and respond to them proactively.


These searches cover a wide range: simple inquiries about individuals, companies, and locations (e.g., determining where a photograph was taken), files (e.g., determining how widely a file has been distributed), and other types of data, particularly in Cyber Threat Intelligence (CTI), where they are used to gather information about attackers or to look for security vulnerabilities, as described by one specialist in the field, Christophe DECHAMPS [1].


In certain circumstances, these searches are conducted by companies to satisfy legal requirements, with a focus on compliance. This includes due diligence for M&A and KYC (Know Your Customer), where it is essential to "gather information about the economic, commercial, industrial, or financial environment" of a company in order to "protect against risks that may threaten its economic activity, assets, and/or reputation." The same research can also serve strategic purposes, such as supporting business development and decision-making.


In these situations, a comprehensive picture is assembled, often supplemented by paid databases on a company's financial standing (e.g., ALTARES), which go beyond the scope of OSINT. Nevertheless, even without access to such databases, it is possible to identify a company's foreign subsidiaries or check whether it is subject to sanctions through sites like OpenSanctions [2] or OpenCorporates [3].


While we are in an era of Open Data, with a multitude of datasets freely available [4], not all data that can be reached and retrieved through OSINT techniques falls into this category. Data may be exposed because it was indexed when it should not have been (a configuration error or a security vulnerability), or because malicious individuals deliberately published it.


Indeed, some individuals intentionally share files containing phishing data or data obtained through intrusions (referred to as leaks), such as the data published by LockBit in September 2022 concerning the CORBEIL-ESSONNES hospital center [5], some of which may have included health data.


In the latter case, it is important to remember that if the data in question results from an intrusion into an automated data processing system (Godfrain Law), merely possessing such data is itself an offense under the Penal Code (Articles 323-1 et seq.), independently of any offense of data theft that may apply in other situations.


The ease of access to certain information stems from the proliferation of tools and their ability to target specific sources and aggregate results, from the growing attention OSINT receives in the communication sphere, and from the market that has grown up around the need for security and compliance (sales of solutions and training, subscription services to protect executives or companies, etc.).


However, many people mistakenly believe that because information is accessible, it can be collected, stored, and used without restriction, whereas it may be subject to specific rules on privacy, intellectual property, copyright, trade secrets, or database rights, among others.


It is important to be very vigilant about the nature of the data collected and the manner in which it is collected. Under Article 226-18 of the Penal Code, data must not be obtained by fraudulent, unfair, or illegal means, such as collecting email addresses without the knowledge of the people concerned.


This vigilance also extends to the tool used and its functionalities, which can be highly invasive both in the technique used to retrieve information and in the type of information accessed. In fact, the term "OSINT" is often used loosely, and some tools sold or presented as OSINT tools go well beyond its scope.


For example, some tools check whether an email address is associated with an account on certain websites, using a process the user may not fully understand (e.g., triggering the site's password-recovery flow). Some of these queries target pornographic websites, and the resulting information could lead to discrimination by an employer.


Another example is the querying of websites related to weapons. Such queries could be used for malicious purposes, because they can suggest that a third party places orders on these sites and therefore keeps weapons at home, which could contribute to the preparation of a criminal act.


When such data collection serves a legitimate purpose, such as searching the internet following a data breach, it must be conducted in compliance with the CNIL (French data protection authority) guidance on Internet searches for information leaks (RIFI) [6] and must focus on data relating to the company that suffered the breach. This requires a well-defined policy describing how such operations are to be carried out.


In this regard, it is also necessary to analyze carefully the conditions of such data processing, to establish the organizational and technical measures provided for in Articles 24, 25, 30, and 32 of Regulation (EU) 2016/679 of April 27, 2016, and to comply with Article 5 by laying down rules on retention duration, minimization, and pseudonymization in a storage and archiving policy, and by defining an information classification to prevent indiscriminate dissemination.
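As an added illustration, not code from the original article, the following snippet shows how three of the Article 5 principles named above (minimization, pseudonymization, and a retention limit) can be enforced at the point where OSINT collection records are written to storage. It assumes a record store kept as a list of dictionaries, an HMAC key held outside that store (in practice, in a secrets manager), a 90-day retention period, and ISO 8601 timestamps; the sample record and the key value are constructed for the example.

```python
"""Storage-policy enforcement for OSINT collection records (added example).

Assumptions (not from the article): records are plain dicts, the HMAC key is
stored separately from the records, retention is 90 days, timestamps are
ISO 8601 strings (naive values are treated as UTC).
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Minimization: the only fields the stated purpose needs. Anything else found
# in a raw collection record (names, phone numbers, profile text...) is dropped.
ALLOWED_FIELDS = {"source_url", "collected_at", "company", "email", "classification"}

# Direct identifiers that must never be stored in clear.
IDENTIFIER_FIELDS = {"email"}

RETENTION = timedelta(days=90)  # assumed policy value


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash of a normalized identifier.

    The same input always yields the same token, so records about one person can
    still be correlated, but the token cannot be reversed or precomputed by
    anyone who does not hold the key. A plain unkeyed sha256(email) would not
    qualify: an attacker with a list of candidate addresses could recompute it.
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def minimize(record: dict) -> dict:
    """Keep only the fields the processing purpose requires."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}


def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Apply minimization, pseudonymization, and a default classification."""
    out = minimize(record)
    for field in IDENTIFIER_FIELDS:
        if field in out:
            out[field] = pseudonymize(out[field], key)
    out.setdefault("classification", "internal")
    return out


def _parse(ts: str) -> datetime:
    dt = datetime.fromisoformat(ts)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def expired(record: dict, now_iso: str) -> bool:
    """True when the record is older than the retention period at time now_iso."""
    return _parse(now_iso) - _parse(record["collected_at"]) > RETENTION


def purge(store: list, now_iso: str) -> list:
    """Return the store with every expired record removed."""
    return [r for r in store if not expired(r, now_iso)]


if __name__ == "__main__":
    # Constructed sample data; the key is a placeholder for a managed secret.
    key = b"example-key-held-outside-the-store"
    raw = {
        "source_url": "https://example.invalid/leak.txt",
        "collected_at": "2024-01-10T08:00:00+00:00",
        "email": "Alice@Example.org",
        "full_name": "Alice Example",   # not needed for the purpose: dropped
        "company": "Example SA",
    }
    stored = prepare_for_storage(raw, key)
    print(stored)
    print("still retained on 2024-02-01:", not expired(stored, "2024-02-01T00:00:00+00:00"))
    print("remaining on 2024-06-01:", purge([stored], "2024-06-01T00:00:00+00:00"))
```

The keyed hash is the part practitioners most often get wrong: hashing an email address without a secret key is reversible for anyone holding a candidate list, so it offers little protection and would not satisfy the pseudonymization expectation of Article 5. Keeping the key apart from the records is what makes the tokens meaningless to someone who only obtains the store.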


Depending on the techniques a company uses, a data protection impact assessment may be required if at least two of the CNIL's criteria are met (for instance systematic monitoring, large-scale data collection, and data cross-referencing) [7]. All of these actions, especially when they involve personal data or certain strategic information, also call for a risk control framework (DMR, dispositif de maîtrise des risques) comprising documentation (of the process), employee training (to govern use of the process), and, most importantly, control measures to verify the effectiveness of the measures put in place, in addition to a risk analysis where needed.


In conclusion, while OSINT is accessible to everyone, practicing it nonetheless requires adherence to a set of rules in order to comply with current regulations. This is especially important when it is carried out within a company or through a service provider. In that case, it is important to require a detailed description of the methods used, an obligation to provide security audits, and a contractual relationship based on clauses derived from Article 28 of the GDPR [8]. A code of conduct can also be useful. It is imperative that the individuals who carry out such processing sign a document binding them to their responsibilities for their actions [9].


At present, two French companies offer multi-feature tools that stand out in the market for their approach and accessibility: OWLINT [10] and ELEPHANTASTIC [11]. Unlike some solutions, they take many of the aspects discussed above into account.


[1] https://www.cairn.info/revue-i2d-information-donnees-et-documents-2021-1-page-67.htm

[2] https://www.opensanctions.org/

[3] https://opencorporates.com/

[4] https://www.data.gouv.fr/fr/

[5] https://www.it-connect.fr/cyberattaque-de-lhopital-de-corbeil-essonnes-les-pirates-de-lockbit-3-0-ont-mis-en-ligne-des-donnees/

[6] https://www.cnil.fr/fr/la-recherche-sur-internet-de-fuites-dinformations-rifi

[7] https://www.cnil.fr/fr/analyse-dimpact-relative-la-protection-des-donnees-publication-dune-liste-des-traitements-pour

[8] https://www.cnil.fr/fr/clauses-contractuelles-types-entre-responsable-de-traitement-et-sous-traitant

[9] https://www.cnil.fr/fr/securite-informatique-sensibiliser-les-utilisateurs

[10] https://owlint.fr/

[11] https://elephantastic.io/


Written by Vincent L.
