OSINT Deep Dives: The Impact of GDPR on OSINT
The General Data Protection Regulation (GDPR) was introduced in May 2018 as a response to the UK’s General Data Protection Regulation (GDPR). The aim of GDPR is to give individuals more control over their personal data and to protect them from organisations that do not handle this data responsibly. This blog identifies the impact of GDPR on OSINT investigations and how its handled.
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation in the European Union in the area of data protection. It replaces the Data Protection Directive 95/46/EC, which was introduced in 1995. The GDPR was adopted on April 14, 2018, and came into force on May 25, 2018.
The GDPR regulates the handling of personal data by controllers and processors. A controller is defined as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A processor is defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
What Comes Under the GDPR Act?
Under the GDPR, all data processing must be carried out in a fair, transparent and lawful manner. Personal data must be collected for specific, explicit and legitimate purposes and must be limited to what is necessary in order to achieve those purposes. Personal data must be accurate and, where necessary, kept up to date. Personal data that is no longer necessary for the purposes for which it was collected must be deleted.
Organisations that process personal data must disclose their contact information to individuals who request it. They must also inform individuals of their right to access their personal data, request rectification of inaccurate data, and exercise the right to be forgotten.
What is the Impact of GDPR on OSINT?
Organisations that carry out OSINT investigations must take into account GDPR when collecting and processing personal data. This includes ensuring that personal data is only collected for specific, explicit, legitimate purposes and that it is limited to what is necessary in order to achieve those purposes. In addition, organisations must take steps to ensure that personal data is accurate and up to date and that it is deleted when it is no longer needed.
The GDPR has a significant impact on OSINT investigations. Organisations that carry out these investigations must take care to comply with the GDPR when collecting and processing personal data. This is a crucial policy for OSINT investigators.
Welcome to another DarkInvader Deep Dive. On today's OSINT podcast, I have Liam, one of our senior researchers joined with eagle, the identity has been obscured for privacy. Today's topic is the impact of GDPR on open source intelligence. If you're OSINT investigation involves personal data of an EU citizen, you will probably have to take the GDPR into account as GDPR is pretty extensive. Our researchers will only be discussing the parts that you will deal with as an outside investigator. So guys do you both want to talk us through the key GDPR principles relevant for businesses using OSINT?
Yeah, I mean, I think the the entire topics rather fascinating. And I appreciate it prior to this, myself legally we're kind of touching upon this is that generally, when people think of open source intelligence, we're normally talking about information that's been publicly disclosed online. So that would normally be via social media, or maybe somebody's own personal blog, or maybe something that they've ended up online by virtue of a contact of theirs or somebody that they've been speaking to, or somebody else that they know, that has a presence online. And generally, the assumption from there is, is that well, because you've, you've disclosed it yourself, that GDPR wouldn't, wouldn't come into effect, which is certainly back way back when when I was just getting into open source intelligence. Prior to my work at Dark Invader when I was a penetration tester, or it was kind of security research before that. That was certainly the stance I had, I thought it didn't really matter what information we found during GDPR. Or in that instance, it was so long ago, that was actually the Data Protection Act that I was more concerned about. And what actually transpired is that the GDPR is very intrinsically linked to the research that we do at DarkInvader, Eagle obviously performs the bulk of the investigative work now.
Im nothing more than a pretty face or not such a pretty face as it turns out.
But I think that the key elements of the general data protection regulation that do start to come into play around how we process and store that information, we have to be incredibly careful about how we present findings back to clients, because sometimes this pertains to personal information to people. So naturally, if one of your senior members of staff is publishing, or posting, or any way espousing kind of vitriolic or or kind of hate fuelled views online that could damage your brand's reputation. And that is naturally something that as a business, you want to know about your interview you have made aware of prior to it coming, or God forbid, hitting the papers or something like that. However, that's still information that is very personal to an individual. And as the lovely Eman so eloquently explained in our introduction here, because they are private individuals within European Union, these laws start to come into effect. And that these, these loads applied all across the world that functionally has some form of, of GDPR. It's a bit different in say, America, or Europe or Asia. But again, functionally similar.
As a result of that, the care that you have to take, I mean, it varies country to country, as I just alluded to, but functionally, it's very simple, you end up having to not obscure information. But be careful about how you store and process information because you don't know how an individual you haven't necessarily got the individuals concerns.
And whilst admittedly, you may not necessarily need it, because it would be owned by a business. And again, they published it online, if you still receive their email address, or pictures that they believe here or that I have put online, there is still a grey area there, which is quite difficult to navigate at times. I'm sure my colleague, Eagle will have a have a few stories of times where he's uncovered, you know, potentially personal or sensitive information about clients. And, and then well, hopefully, I'll be able to explain a little bit more about how we navigated the sensitivities around that.
Often at times, in these OSINT investigations, a lot of employees can post things on their personal social media accounts, that whilst may not be an obvious link to their business, it's not hard to connect the dots between them. An example that springs to mind is a Twitter account that was found through this employee's LinkedIn account. There was obviously a clear a business connection to them. This Twitter account was posting some very choice content involved in the sale of male enhancement pills. I think the final point to really make here is that whilst GDPR does come into play with a lot of the kind of information that we find,I think businesses that would rely on the GDPR to protect them in any way, from people collecting this information, storing it, processing its for lack of a better term, it would be naive, you really have to understand that the criminals aren't necessarily following the same rules that we do. Like we're incredibly careful not to store and process personal information in excess of what we absolutely have to for conducting ourselves as a business. But threat actors are not quite so well mannered, and can just take and store this information. So anything you do put out there publicly, it is public forever.
That was very informative on how to deal with GDPR regulations and being an excellent investigator. Thank you, Liam, and Eagle for discussing the key elements. Join us next week on another deep dive podcast. Thank you.