Key Principle: Just because information is publicly available doesn't mean you can do anything with it.
1. GDPR (General Data Protection Regulation) - European Union
Scope: Applies when handling EU residents' data
Key Requirements:
Lawful basis for processing
Data minimization
Purpose limitation
Storage limitations
Right to erasure
GDPR Compliance Checklist for OSINT:
Document lawful basis (legitimate interest)
Collect only the necessary data
Set retention periods
Secure data storage
Plan for deletion
2. CCPA (California Consumer Privacy Act) - California, USA
Scope: California residents' personal information
Key Points:
Right to know what's collected
Right to deletion
Right to opt out
Non-discrimination
3. Computer Fraud and Abuse Act (CFAA) - USA
Critical: Prohibits unauthorised access
OSINT Implication: Never bypass authentication
Safe Practice: If it requires a password you don't have, stop
The OSINT Ethics Test - Ask Yourself:
Is it legal?
Am I complying with all applicable laws?
Am I respecting the terms of service?
Is it necessary?
Do I really need this information?
Is there a less intrusive way?
Is it proportionate?
Does the benefit outweigh the potential harm?
Am I collecting minimal data?
What's my intent?
Am I investigating for legitimate purposes?
Could this information cause harm?
Would I be comfortable if this were done to me?
Apply the "golden rule"
Consider the subject's perspective
Passive Reconnaissance (OSINT-Safe):
Viewing public social media profiles
Reading news articles
Searching public databases
Using search engines
Viewing public websites
Active Reconnaissance (NOT OSINT):
Port scanning
Sending friend requests to targets
Creating fake personas to gain access
Direct contact with targets
Any form of hacking
Dilemma 1: Finding Mental Health Information
Scenario: Target's blog discusses depression
Ethical Response: Note that the blog exists, but don't include health details unless they are directly relevant to the investigation objective
Dilemma 2: Children in Photos
Scenario: Target's family photos include minors
Ethical Response: Never include children's photos or information in reports; blur faces if images are necessary
Dilemma 3: Leaked/Hacked Data
Scenario: Finding the target in a leaked or hacked database
Ethical Response: Consider legality in your jurisdiction; if used, note the source and potential legal issues
When You Find Security Issues:
Document the vulnerability
Don't exploit it
Notify the organisation
Give the organisation reasonable time to fix it
Consider coordinated disclosure
Template for Disclosure:
Subject: Security Vulnerability Disclosure

Dear [Organization],

I've identified a potential security issue:
- Type: [Exposed database/credentials/etc.]
- Location: [URL/specific location]
- Potential Impact: [What could happen]
- Discovered: [Date]

I have not accessed any data beyond confirming the vulnerability exists.

Please confirm receipt and provide an expected timeline for resolution.

Best regards,
[Your name]