The Legal Landscape

Key Principle: Just because information is publicly available doesn't mean you can do anything with it.

Major Privacy Laws Affecting OSINT

1. GDPR (General Data Protection Regulation) - European Union

GDPR Compliance Checklist for OSINT:

2. CCPA (California Consumer Privacy Act) - California, USA

3. Computer Fraud and Abuse Act (CFAA) - USA

Ethical Framework for OSINT

The OSINT Ethics Test - Ask Yourself:

  1. Is it legal?

  2. Is it necessary?

  3. Is it proportionate?

  4. What's my intent?

  5. Would I be comfortable if this were done to me?

Passive vs Active Reconnaissance

Passive Reconnaissance (OSINT-Safe):

Active Reconnaissance (NOT OSINT):

Common Ethical Dilemmas and Solutions

Dilemma 1: Finding Mental Health Information

Dilemma 2: Children in Photos

Dilemma 3: Leaked/Hacked Data

Responsible Disclosure

When You Find Security Issues:

  1. Document the vulnerability

  2. Don't exploit it

  3. Notify the organisation

  4. Give a reasonable time to fix

  5. Consider coordinated disclosure

Template for Disclosure:

Subject: Security Vulnerability Disclosure

Dear [Organization],

I've identified a potential security issue:
- Type: [Exposed database/credentials/etc.]
- Location: [URL/specific location]
- Potential Impact: [What could happen]
- Discovered: [Date]

I have not accessed any data beyond confirming
that the vulnerability exists. Please confirm receipt
and provide an expected timeline for resolution.

Best regards,
[Your name]