OSINT: what is the legal basis for it? (1/4)
Contents of the series: 4 articles
- OSINT: what are the legal grounds for it? (1/4)
- OSINT: lawfulness of the collection and use of information (2/4)
- OSINT: what compliance with the GDPR? (3/4) – Upcoming publication
- OSINT: what admissibility of the collected information? (4/4) – Upcoming publication
OSINT (Open Source INTelligence) consists in retrieving and analyzing resources that are openly and freely accessible; this, in itself, constitutes an intelligence activity. OSINT allows for the creation of a database which, by associating data together, facilitates the analysis and understanding of a complex subject. This intelligence practice is used by investigators, journalists, and information security and IT professionals. Although OSINT is not exclusively done using Internet sources, the development of new technologies over the last 20 years has greatly enhanced the practice.
Why use OSINT?
OSINT is used to obtain information on a situation, a specific environment or a topic that is relevant to one’s business or interests. For example, in business, OSINT allows for strategic positioning vis-à-vis the competition. OSINT is also essential to protect data and to detect flaws likely to penalize the company. For instance, a company can use data leak research to uncover data breaches within the organization. Ultimately, OSINT allows access to essential information to maintain a certain influence and to assert one’s interests.
In this context, processing personal data as part of an OSINT activity can be justified by:
– the legitimate interest of the client company;
– the consent of the data subject (when the client, an individual, calls upon an OSINT company to find out information on his or her own person);
– or even a legal obligation, when the client is subject, in specific cases, to an obligation to carry out an investigation.
The legal governance of the OSINT activity is complex because there is currently no legal framework dedicated to this subject in French law. Thus, it is necessary to first look at the conditions in which the OSINT activity is performed (see the article OSINT: what are the legal grounds for it?), then identify the rules applicable to the collection and processing of data (see the articles OSINT: lawfulness of the collection and use of information and OSINT: what compliance with the GDPR?). Next, it is important to define the conditions of admissibility of OSINT reports as evidence in the context of litigation. Finally, when OSINT software is used, it is essential to ensure that it meets certain conditions (see the article OSINT: what admissibility of the collected information in litigation?).
OSINT: What are the legal grounds?
OSINT does not appear to be prohibited in principle, as we have not identified any rule in French law that formally prohibits a person or private company from consulting and compiling sources in the form of an intelligence practice. The rules that apply to OSINT must therefore be understood according to the regime applicable to the context of the client’s request.
For example, if the client is an organisation subject to the Sapin II law, in the event of an alert, the client must conduct an internal inquiry or investigation phase. The investigation phase of an alert is understood as the period starting with the receipt of the alert by the organisation and ending with the decision on the follow-up. This phase allows the organisation to investigate the facts reported. During this period, a secure logging system can be used to document the steps taken by the organisation in this respect (legal and technical analysis of the facts, collection of evidence, exchanges with various stakeholders, hearing of witnesses, carrying out of expert acts, etc.)[1].
Regarding the collection of evidence, the organisation may wish to use the services of an OSINT provider. The activity of the OSINT provider will therefore be conditioned by the Sapin II law regime: the contract between the organisation and the provider will have to include a reinforced confidentiality obligation, the service provider will have to follow the company’s internal investigation procedure to carry out its investigations, and the procedures for protecting personal data will have to be respected.
In one case, the CJEU[2] found that the profession of real estate agent is a regulated profession in Belgium. The activity of private investigators acting on behalf of the “Professional Institute of Real Estate Agents” (IPI), which is responsible for ensuring compliance with the ethics of this regulated profession, falls within the exception provided for in Article 13(1)(d) of Directive 95/46/EC. Indeed, since that Directive does not specify “the arrangements for investigating and detecting breaches of the rules, it must be considered that this Directive does not prevent such a professional organisation from calling upon specialised investigators, like private detectives responsible for this kind of investigation and detection, in order to accomplish its task” (CJEU, 7 Nov. 2013, Case C-473/12, IPI v. Geoffrey E., Grégory F.).
Today it is Article 23 of the GDPR[3], “Restrictions”, that governs these exceptions. By analogy, in the context of research and detection of breaches of regulations, the GDPR allows personal data processing to be subcontracted, and the use of an OSINT provider would be entirely possible.
Genealogy activities can also be assimilated to OSINT, since they require accessing resources and retrieving personal data on someone’s family history. This activity is, however, subject to more regulation than OSINT. A genealogist can indeed search various archive institutions where information and documents related to a deceased person and his or her family history are held. They can also search through wills held by the tax authorities.
Thus, under Article L. 106 of the Book of Tax Procedures, extracts of statements can be issued, as part of inheritance genealogy research, directly to the notary in charge of the estate or to the person acting on his behalf (i.e. a mandated genealogist). Previously, this communication could only be obtained through an order from the district court judge. However, it should be outlined that the genealogist can only obtain such information with a mandate from a notary.
Regarding civil records dating back less than 100 years, consultation is prohibited without an authorization from the public prosecutor (L. n° 79-18, 3 janv. 1979, art. 7; D. n° 62-921, 3 août 1962, art. 8, as amended by D. n° 68-148, 15 févr. 1968). A circular from the Ministry of Justice dated September 29, 2004 established a few recommendations regarding the consultation of civil records less than 100 years old. It sets out a number of criteria and recommends that genealogists be granted only short-term authorizations, allowing them to access records related to one case at a time.
The duration of authorizations is not uniform. On the one hand, some prosecutors issue authorizations for a few months, while others issue permits that remain valid for up to two years. On the other hand, some prosecutors continue to issue global authorizations while others issue restrictive authorizations that only apply to specific cases.
Moreover, according to Article 30 of Decree No. 2017-890 of 6 May 2017 relating to civil status: “Genealogists practicing outside the cases provided for by the 5th paragraph can only obtain the full transcription of a birth certificate, a recognition certificate, a marriage certificate or a death certificate through an authorization issued by the public prosecutor. If the latter refuses, genealogists can refer the matter to the president of the court by referral order.”
They can also obtain an extract including parentage, birth and marriage certificates, provided that they hold an authorization to consult civil records issued by archive institutions and that they are mandated by a notary, an insurance company or any other person with a direct and legitimate interest (Article 32). Other persons, and genealogists practicing outside the cases provided for by the 4th paragraph, can only obtain that kind of extract under the specific conditions provided for by the 7th paragraph of Article 30.
Finally, it is important to specify that in all cases, the rules relating to respect for privacy (in civil and criminal law), as well as those relating to the processing of personal data, should apply.
How to establish the conditions for the legal exercise of OSINT?
The activity of OSINT by a private actor can be assimilated to the activity of a private detective (private investigator), insofar as both activities focus on the search for information by a private actor on behalf of a client.
However, as mentioned in the introduction to this article, the activity of OSINT is not, for the time being, subject to any authorization, such as a licence, as is the case for private research agents.
Thus, “the private detective or private investigator or private research agent (PRA), which is now the official term, is a liberal professional who carries out, in complete independence, an activity whose aim is to gather information or intelligence intended for third parties, with a view to defending their interests. The activity includes, in general, any person carrying out investigations on behalf of third parties without holding a judicial mandate.
Since the modification of Law No. 83-629 of 12 July 1983 relating to private security activities, the profession of private research agent is regulated by the Code de la sécurité intérieure (Book 6, Title 2). Access to the profession is subject to certain conditions, in particular obtaining an authorisation issued by an administrative authority, the CNAPS (Conseil national des activités privées de sécurité – National council for private security activities), and proving a professional qualification. The PRA acts as an agent for their client under Articles 1984 to 2010 of the Civil Code. The PRA is subject to an obligation of means and not of results, as well as to professional secrecy due to the confidentiality of the consultations and acts that are requested of them”[4].
Thus, apart from cases where the OSINT provider carries out investigations on behalf of a client without holding a court order, or where it carries out investigations based on a legal obligation of its client (for example, in the context of the alert procedure of the Sapin II law), it could be worthwhile to make the OSINT activity subject to the issuance of an authorization preceded by specific training.
The establishment of a code of conduct
Furthermore, the establishment of a code of conduct for OSINT professionals could be an alternative or complementary solution to accreditation.
Compliance with a GDPR code of good practice
Finally, as OSINT activities involve the processing of personal data, it would be interesting to work in cooperation with the CNIL (Commission Nationale Informatique et Libertés – National IT and Liberties Commission) in order to establish best practice guidelines that do not hinder the core of the activity, while providing a framework that respects privacy (see the article OSINT: what compliance with the GDPR?).
While there is no shortage of legal grounds to justify the need for OSINT, the absence of a specific legal framework for this activity is an obstacle that must be removed, not only to ensure the integrity of the profession but also to guarantee respect for privacy and the principles of the GDPR.
[1] Guidelines for the processing of personal data for the purpose of implementing a business alert system, adopted on 18 July 2019.
[2] Court of Justice of the European Union
[3] General Data Protection Regulation