ThreatBites 04 - The Effects of GDPR on OSINT

The General Data Protection Regulation (GDPR) was introduced in May 2018, replacing the earlier Data Protection Directive (95/46/EC). The aim of GDPR is to give individuals more control over their personal data and to protect them from organisations that do not handle this data responsibly. This blog identifies the impact of GDPR on OSINT investigations and how it is handled.

OSINT Deep Dives: The Impact of GDPR on OSINT


What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation in the European Union in the area of data protection. It replaces the Data Protection Directive 95/46/EC, which was introduced in 1995. The GDPR was adopted on April 14, 2018, and came into force on May 25, 2018.


The GDPR regulates the handling of personal data by controllers and processors. A controller is defined as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A processor is defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

What Comes Under the GDPR Act?

Under the GDPR, all data processing must be carried out in a fair, transparent and lawful manner. Personal data must be collected for specific, explicit and legitimate purposes and must be limited to what is necessary in order to achieve those purposes. Personal data must be accurate and, where necessary, kept up to date. Personal data that is no longer necessary for the purposes for which it was collected must be deleted.


Organisations that process personal data must disclose their contact information to individuals who request it. They must also inform individuals of their right to access their personal data, request rectification of inaccurate data, and exercise the right to be forgotten.

What is the Impact of GDPR on OSINT?

Organisations that carry out OSINT investigations must take into account GDPR when collecting and processing personal data. This includes ensuring that personal data is only collected for specific, explicit, legitimate purposes and that it is limited to what is necessary in order to achieve those purposes. In addition, organisations must take steps to ensure that personal data is accurate and up to date and that it is deleted when it is no longer needed.

Conclusion

The GDPR has a significant impact on OSINT investigations. Organisations that carry out these investigations must take care to comply with the GDPR when collecting and processing personal data. This is a crucial policy for OSINT investigators.


Transcript

Welcome to another DarkInvader Deep Dive. On today's OSINT podcast, I have Liam, one of our senior researchers, joined by Eagle, whose identity has been obscured for privacy. Today's topic is the impact of GDPR on open source intelligence. If your OSINT investigation involves personal data of an EU citizen, you will probably have to take the GDPR into account, as GDPR is pretty extensive. Our researchers will only be discussing the parts that you will deal with as an outside investigator. So guys, do you both want to talk us through the key GDPR principles relevant for businesses using OSINT?


Yeah, I mean, I think the entire topic's rather fascinating. And I appreciate it prior to this, myself legally, we're kind of touching upon this, is that generally, when people think of open source intelligence, we're normally talking about information that's been publicly disclosed online. So that would normally be via social media, or maybe somebody's own personal blog, or maybe something that they've ended up online by virtue of a contact of theirs or somebody that they've been speaking to, or somebody else that they know, that has a presence online. And generally, the assumption from there is that well, because you've disclosed it yourself, GDPR wouldn't come into effect, which is certainly, way back when I was just getting into open source intelligence, prior to my work at DarkInvader when I was a penetration tester, or it was kind of security research before that, that was certainly the stance I had. I thought it didn't really matter what information we found under GDPR. Or in that instance, it was so long ago, that was actually the Data Protection Act that I was more concerned about. And what actually transpired is that the GDPR is very intrinsically linked to the research that we do at DarkInvader. Eagle obviously performs the bulk of the investigative work now.


I'm nothing more than a pretty face, or not such a pretty face as it turns out.


But I think that the key elements of the General Data Protection Regulation that do start to come into play around how we process and store that information, we have to be incredibly careful about how we present findings back to clients, because sometimes this pertains to personal information about people. So naturally, if one of your senior members of staff is publishing, or posting, or in any way espousing kind of vitriolic or hate-fuelled views online that could damage your brand's reputation, that is naturally something that as a business you want to know about and have made aware of prior to it coming out, or God forbid, hitting the papers or something like that. However, that's still information that is very personal to an individual. And as the lovely Eman so eloquently explained in our introduction here, because they are private individuals within the European Union, these laws start to come into effect. And these laws apply all across the world that functionally has some form of GDPR. It's a bit different in, say, America, or Europe, or Asia. But again, functionally similar.

As a result of that, the care that you have to take, I mean, it varies country to country, as I just alluded to, but functionally, it's very simple: you end up having to not obscure information, but be careful about how you store and process information, because you don't know how an individual, you haven't necessarily got the individual's consent.


And whilst admittedly, you may not necessarily need it, because it would be owned by a business. And again, they published it online. If you still receive their email address, or pictures that they believe are theirs or that they have put online, there is still a grey area there, which is quite difficult to navigate at times. I'm sure my colleague Eagle will have a few stories of times where he's uncovered, you know, potentially personal or sensitive information about clients. And then, well, hopefully, I'll be able to explain a little bit more about how we navigated the sensitivities around that.


Often, in these OSINT investigations, a lot of employees can post things on their personal social media accounts that, whilst there may not be an obvious link to their business, it's not hard to connect the dots between them. An example that springs to mind is a Twitter account that was found through this employee's LinkedIn account. There was obviously a clear business connection to them. This Twitter account was posting some very choice content involved in the sale of male enhancement pills. I think the final point to really make here is that whilst GDPR does come into play with a lot of the kind of information that we find, I think businesses that would rely on the GDPR to protect them in any way from people collecting this information, storing it, processing it, for lack of a better term, it would be naive. You really have to understand that the criminals aren't necessarily following the same rules that we do. We're incredibly careful not to store and process personal information in excess of what we absolutely have to for conducting ourselves as a business. But threat actors are not quite so well mannered, and can just take and store this information. So anything you do put out there publicly, it is public forever.


That was very informative on how to deal with GDPR regulations and being an excellent investigator. Thank you, Liam and Eagle, for discussing the key elements. Join us next week on another Deep Dive podcast. Thank you.

