
Our article “Balancing National Security and Privacy: Examining the Use of Commercially Available Information in OSINT Practices”, co-authored by myself and Sander Langenhuijzen, is now published in open access in the International Journal of Intelligence and CounterIntelligence! Of course, a .pdf is also available. You can also listen to the automatically generated podcast below, which I created with Google’s Notebook LM.
Summary
In our article, we critically examine how intelligence and security services utilize commercially available information from OSINT tools and consider its impact on data protection rights. Our analysis builds on the work of the Dutch oversight committee on intelligence and security services and the U.S. Office of the Director of National Intelligence.
It was fascinating to discover that while this OSINT practice is seen as a national security threat in the United States, it is perceived more as a privacy threat in continental Europe (particularly in the Netherlands). Despite these differing perspectives, the recommendations from oversight authorities and existing legal provisions on lawful information processing are remarkably similar.
We propose the following four steps to ensure necessary safeguards are in place to prevent the abuse of personal information in modern OSINT practices:
- Prior to using OSINT tools or acquiring commercially available information, intelligence and security services must be aware of (a) how data are processed, (b) what data are processed, and (c) why the data are processed, in order to identify risks of abuse of these data. In other words, intelligence and security services should first assess their impact in a data protection impact assessment and take measures to mitigate risks.
- The intelligence community should set up standards and procedures and implement safeguards, such as identifying the need for and value of the use of these data (while balancing this with the impact on fundamental rights), analyzing the vendor and data quality, applying acquisition mechanics (such as procurement procedures), and periodically evaluating these standards. Then, intelligence and security services should implement safeguards when processing commercially available information, such as data minimization approaches and techniques, as well as limits on retention, access, querying, other use, and the dissemination of commercially available information.
- OSINT practitioners must be appropriately educated and brought up to speed on the “do’s and don’ts” of OSINT tools. Intelligence and security services should periodically evaluate their policy and guidelines and review their practices.
- An independent and effective oversight authority should scrutinize whether legislation and internal policies are respected.
Finally, we suggest that the use of commercially available data in other contexts, especially in the cybersecurity and financial sectors, warrants further research.