The “open source” dimension of OSINT may seem to confer on it a de facto lawfulness. However, while obtaining and consulting information from an open-source database is not, in principle, an illegal act, the conditions under which it is carried out may be detrimental.
The principle of privacy
When investigations are carried out against individuals, the main issue for OSINT is privacy.
The civil concept thus protects privacy against any infringement of the right to name, address, burial, image, voice, honour, religious and philosophical opinions, love, romantic friendships, divorce, marriage or health.
According to the case law of the European Court of Human Rights, a person’s religious, philosophical, moral or political convictions, as well as their health, family life and all emotional relationships that the person may have, without limiting them to family or marital relationships, are thus part of private life. Privacy also concerns the gender and sexual life of individuals. It extends above all to professional and material life, which is usually considered part of public life. This position is in fact based on a subjective conception of privacy that recognises the power of the individual to include in the framework of private life an activity that is nevertheless public when they wish to keep it secret.
In criminal matters, the Paris Court of Appeal has thus specified that “private life means the intimacy of the human being in its various elements relating in particular to their family life, their emotional life, their image or their state of health, which must be respected insofar as they relate to the most secret aspect of the person.”
The conditions of data collection
In criminal matters, Article 226-1 of the Criminal Code condemns the violation of the privacy of others by any means. It defines a certain number of activities for this purpose: the first paragraph incriminates various forms of acoustic espionage; the second paragraph targets visual espionage.
The acts referred to in Article 226-2 of the Criminal Code protect privacy against the retention, disclosure or use of any recording or document obtained through any of the acts referred to in Article 226-1 of the Criminal Code.
Thus, when collecting information, the OSINT provider must ensure that it does not process and disseminate/use content that would constitute a violation of Article 226-1 of the Criminal Code (unlawful recording) in order not to incur the penalties of the offence provided for in Article 226-2.
Furthermore, Article 323-3 of the Criminal Code punishes the fact of fraudulently introducing data into an automated processing system, or fraudulently extracting, holding, reproducing, transmitting, deleting or modifying the data contained therein, and Article 321-1 punishes the offence of concealing, holding or transmitting something, or acting as an intermediary in order to transmit it, in the knowledge that this thing is the result of a crime or offence.
Thus, if the OSINT provider knowingly collects information from a data theft and passes it on to their client, they could be prosecuted for receiving information violating Article 323-3.
The OSINT provider must therefore be extremely vigilant about the origin of the data they collect in order not to be guilty of the offences outlined above. Also, attention should be paid to the means by which the OSINT provider accesses the information, including the creation of fake accounts.
For example, in order to access information from a private account on a social network, the OSINT provider may be tempted to create a false account, using a false identity. Such an act may be classified as identity theft, which is punishable by law (Article 226-4-1 of the Criminal Code).
The use of a false account to access information from a private account could also, depending on the circumstances, lead to civil liability on the part of the OSINT provider.
Therefore, social networks sometimes include a prohibition on such behaviour in their terms and conditions. For example, Instagram’s T&Cs state:
“How you can’t use Instagram. Providing a safe and open Service for a broad community requires that we all do our part.
You don’t have to disclose your identity on Instagram, but you must provide us with accurate and up-to-date information (including registration information), which may include providing personal data. Also, you may not impersonate someone or something you aren’t, and you can’t create an account for someone else unless you have their express permission.“
Even in the case of OSINT research based on a legitimate basis, the means used to collect and use the information therefore determines its lawfulness. It is therefore essential that the OSINT provider is vigilant in their practice.