OSINT and Privacy Concerns

By Ambreen Shabbir

The internet has forayed into almost all aspects of human life. While it has rendered life easier, it also has a downside. The major drawback of its increased penetration is privacy concerns which the masses are not even aware of completely. With everything getting digitized and increasing social media usage (where personal information is shared voluntarily online), digital space has become a treasure of information. 

Information online can be mined and manipulated for different purposes. Open Source Intelligence or OSINT is one way to go about it. OSINT is used as a tool for state security and intelligence agencies for attaining information and gauging the narrative. It has become a widely prevalent practice in the US and other countries where state infrastructure is properly developed. 

However, in Pakistan, though it’s used by state agencies, there is still a vacuum. Over time, OSINT  has been trespassed by non-state entities across the world. The same has happened in Pakistan, where a significant part of the OSINT landscape is now claimed by the non-state entities, filling the vacuum. Due to an already frail legislation on privacy rights and cybercrimes, the unbridled use of OSINT is alarming especially when many people are not familiar with the process and threats it can pose.

What is OSINT? 

Open source intelligence garners public available information, be it online or offline. Open source information is the data provided by a person or group without expectation of privacy. It also includes data that can be accessed on request by any individual regardless of the profession. It can be anything that is seen or heard legally or uploaded at a venue open to the general public. It covers the information provided through media, academic journals, blogs, and anything shared publicly on blogs, social media, and video streaming sites. However, not all of this information can be used unrestrained. Consent to use this data is required before using it in case of social media sites, internet videos, and so on. Personal open source information has become readily available since the advent of the World Wide Web (www). Now, platforms like Facebook, Twitter, Skype, WhatsApp, or WeChat are like a goldmine for data researchers and intelligence agencies, be it public or private. These venues can provide unique information about millions of individuals that was not available before. That is why open source intelligence is becoming pervasive in several sectors. 

With the digital landscape getting wider and wider, this form of intelligence holds immense utility for intelligence organizations, marketing agencies, and other entities. To gather intelligence, this open source information (raw data), which exists as a tweet, a photograph, or an interview, is assessed, filtered, edited, and utilized or disseminated. The process involves collecting, organizing, and analyzing torrents of raw data. Machine learning, workbenches, and algorithms have sped up the process and rendered it more accurately. The tools and services of this intelligence framework are growing with each passing day. The image below shows the reach of OSINT and various tools/sites used to dig out the relevant information. 

                                                               Source: https://osintframework.com/

The OSINT framework shows the occurrence of  ‘information explosion’ inundated cyberspace. It would have been quite hard to sift through piles of data and make sense of it to extract the required information. OSINT has rendered this process simple. Fields like research, journalism, marketing, corporate intelligence, and even political planning have been transformed because of it. 

OSINT offers high utility in business intelligence, investigative journalism, and even humanitarian relief. Corporations use publicly sourced market intelligence and political information to identify and prepare for risks. Many international Non-Governmental Organizations (NGOs) use the OSINT tools to keep tabs on human rights and social issues as well as verify the news and reports. Some of these NGOs use these tools to remain aware of the security situation in the areas they operate in.  Think tanks and research institutes use OSINT to report on developments and changes in the militant groups’ strategies and orientation. All these uses seem harmless on the outlook (given that they are being used by authentic, credible entities for positive usage), but they can be manipulated and have the potential to violate human rights by privacy invasion of individuals. 

Use of OSINT 

As mentioned earlier, several non-state entities utilize OSINT in their various pursuits. Earlier, organizations needed foreign correspondents or human resources to debrief business people and collaborate with academics. But now, one only needs to collect data or information in a web browser with a  stable internet connection. Because of OSINT’s convenience, accessibility, and low costs, it is favored by consultants, be it business or political. However, the same traits offer benefits to rather illicit entities as well. 

According to Muhammad Saad, an OSINT researcher, “This intelligence is also used by scammers, hackers, and terrorists. Scammers garner personal information of individuals like email address  or contact numbers for phishing.” The infamous scams like texts mentioning the Benazir Income Support Program, Jeeto Pakistan, and calls from individuals posing as intelligence agencies or bank representatives to gather more information are examples of this. Even if not scams, texts from various companies promoting their products or deals even when one has not provided them with their contact numbers is also an example of information loss.”

He adds that this information can be misused dangerously, i.e., by terrorists. In the Bombay attacks, terrorists were not only monitoring the actions of the rescue forces but also attaining information of the hostages to decide how to deal with them. In Pakistan, geospatial data has been used by terrorists to gather updated information for their plans. These entities unanimously classify as vile or illegal. However, certain organizations seem to be innocent and are legit, but their use of OSINT cannot be classified as entirely legal. Several companies and agencies use intelligence tools to gauge the public opinion and create personal profiles to target their ad campaigns or propaganda narrative. People are not aware of this profiling and are likely to change their behavior/perception about certain issues unknowingly. This act specifically hits the aspect of privacy, i.e., freedom from undue restraints on a person’s attempt to construct their identity. 

OSINT and Privacy 

Imagine someone looking you up online and gathering every bit of information about you. This information can be very basic but sensitive like your date of birth, email address or even your CNIC (if you have given it somewhere online), current address, and hometown. These details can be misused by hackers or terrorists. It can lead to Identity theft, hacking,access to personal accounts, and blackmailing.

Farhan Jeffrey, an OSINT researcher, states, “OSINT tools can be manipulated by a variety of non-state actors, such as stalkers, pedophiles, rapists, etc.” He adds, “To be honest, if you want even 95% privacy, you shouldn’t be on the internet in the first place. People who use the internet in any way – and especially those who use social media apps – should fully understand that there’s no such thing as 100% privacy. Everything you share on the internet stays on the internet. People who frequently use social media apps like Facebook, Instagram, etc. should know that besides the fact that their information is being used by these companies to make more profit, their information is also out there for many others to see, which includes non-state actors.” 

“If you’re sharing pictures of your family, friends, neighborhood, town, all of those images can be used by anyone who has access to them to pinpoint your location, find out your routine, know where you work, track your colleagues, even accurately track you down by identifying your surroundings, and so much more. There are OSINT tools and guides for this kind of thing.” 

Other information like one’s opinion on certain issues, orientation, and preferences can also be gauged by OSINT. This information is used by marketing agencies or corporations to formulate their advertising strategy like personalized or targeted ads. The same information is utilized by propaganda agencies to promote or delineate narratives, and even by terrorist outlets for their recruitments and indoctrination. 

Data aggregators sell the information to other organizations as well. Such data can be manipulated to influence the elections. This case can be exemplified by the Cambridge-Analytica scandal. The firm had collected the data of millions of Facebook users and used it to influence the elections. Gathering information that is publicly available is not illegal. However, the way this information is used places OSINT in a grey area. The landscape presents a conundrum. Some of its applications qualify as hacking, but they are not recognized as such under the ambit of OSINT. However, many experts negate this premise. Zaki Khalid, an OSINT expert, maintains, “OSINT has multiple uses. It can be used by the state for national security objectives, by corporations and the private sector to generate business insights against competitors or new market opportunities, and also by the media fraternity to boost investigative journalism. 

Privacy concerns can be removed simply by adopting adequate privacy and security settings. If a user has not enabled their information to be visible outside their circle, nobody can access it. Hacking etc. is of course not OSINT.”

Since it is publicly available information, there is a prevailing assumption that one needs not to address the responsible data issues like obtaining consent before using someone’s information. Organizations presume that since the individuals have uploaded something publicly, using it would not come under the violation of privacy rights. The issue aggravates further because of people’s oblivion to this. 

Many practices under the open source intelligence header cannot be deemed as entirely legal. But lack of understanding regarding this issue and a vacuum in the legislative structure renders these practices continue uninhibited. The major example of the use of OSINT for shady pursuits in Pakistan is its utility in scandalizing or defaming certain individuals, especially journalists. Twitter trends usually start with a share of someone’s videos or other information dating years back. OSINT tools have a huge role in the lineation of such trends. Such data can also be used for harassment or blackmail. 

“Entities that could exploit OSINT in Pakistan include political parties and/ or practitioners who use OSINT to advance their research interests. For example, a researcher on terrorism might routinely share his findings about different groups or their updates with their followers. Mostly, OSINT is employed by independent enthusiasts. Users who are concerned about privacy violations should thoroughly read and implement privacy and security guidelines shared by their relevant platform. Once this is done, OSINT analysts will be unable to access such content,” says Zaki.

OSINT tools to garner information via different online platforms. https://osintframework.com/ 

OSINT aggravates these concerns and issues, as it makes the availability of information easier and simpler. The above images contain a set of tools that are easier to access and use to attain information, location, and even pictures and videos through instant messaging apps, social media platforms, and even dating apps.

OSINT and Gender 

Just as with many other things, OSINT’s influence varies based on gender. The privacy concerns are relatively higher for women and gendered minorities, hence this intelligence is more impactful for them. According to rights experts, women constitute the majority of people facing privacy rights violations. The perpetrators are both institutions and individuals. The major driver of such violations is perceived unacceptable or immodest behavior of the individuals. Women journalists and activists face this issue commonly where their personal information and even pictures are extracted and then disseminated online as a means to harass them and malign them. These pictures or information can incite violence from certain groups that deem their views as contrary to socially acceptable behavior. 

OSINT: Boon and the Bane

The utility of OSINT cannot be negated or downplayed. It is indeed an effective tool whose benefits encompass various fields. It is not only cheap, quick, and easily accessible but also provides additional information that might be difficult to extract otherwise. “OSINT is like a knife. It has high functionality but poses risks as well. It can be quite useful in curbing disinformation and rectifying fake news. It helps retrieve old and overall uncommon information so can be used to authenticate any claim.” 

Farhan Jeffrey, a renowned name in OSINT landscape also maintains this stance. “OSINT is just like any other tool and how it is used depends on the user. It has both civilian and military applications. As far as non-state actors are concerned, they can manipulate anything that is in the public domain. Such actors already use applications like Telegram to put out their propaganda. We live in a global village and we as a society have to strike a balance between privacy, freedom and security. As we dive deeper into the technological age, there are always going to be some things that would be at risk of manipulation by violent non-state actors. But at the same time, the pros outweigh the cons, and so we choose to be proactive while also allowing technology to evolve,” he says. 

Farhan puts more emphasis on educating the masses to avoid any untoward circumstances. “I think it is important for the general public to understand what they should post on the internet and what they should never post on the internet – and then how to post what they can post. I think this knowledge should be made known to the general public in order to better educate them on how to keep their private information secure. Simply put, the right education on how to use a tool – or a piece of technology – is very important for the user.”

“The point is, the more information you share online, the more risk that information is at. At the same time, it is important to remember that there’s a lot of positive use of OSINT tools too. For example, law enforcement agencies can track down criminals and even attempt to stop crimes before they happen. Intelligence agencies can also use these tools to gain easy access to information on a subject of interest in an enemy state with a few clicks – information that used to cost a lot more before OSINT became a thing.”

Because of its utility, the general discussion or even academic literature pays little attention to its downside. However, this aspect needs immediate consideration by the authorities and lawmakers. Several agencies have been engaged in social media monitoring for different purposes. Regardless of the motive behind this monitoring, the fact that people’s information is being used or accessed without consent is a violation of a fundamental human right, the right to privacy. 

As the information on social media platforms is intended to be seen by others, attaining it is not deemed as violation. However, even this information is intended for a limited audience. Mere sharing of information cannot be considered as consent or willingness for this content to be aggregated, disseminated, or scaled. And when OSINT is undertaken by private entities for commercial purposes or influencing people’s preferences and orientations (political, social, or religious), it is a blatant violation of human rights. That shouldn’t mean to slap a ban on OSINT’s use. One cannot outrun or suppress technology. We have to adapt and minimize its repercussions. There has to be proper checks and balances—an accountability structure. 

“The cyber laws already lag behind. There should be a protective framework to ensure the integrity of citizens’ privacy. Currently, there is a huge scope of improvement vis-a-vis rules and regulations on the use of personal information.” The cybercrime regulations prevalent presently are controversial and limited to certain issues. There is no dedicated data protection policy altogether, which is the need of the time. OSINT’s use should be recognized and the resulting risks or concerns need to be addressed by the law and policymakers. Only then the use of OSINT can be deemed as fruitful and not risky.