OSINT Legal & Jurisdictional Framework
BLUF
OSINT’s power rests on its exploitation of publicly available information — but “publicly available” is not a legal safe harbor. The legal constraints on OSINT practice vary by jurisdiction, target type, collection method, and the analyst’s institutional affiliation. What is legally permissible for a journalist in Germany differs from what is permissible for a US government contractor, a Brazilian civil-society researcher, or a corporate due-diligence firm in the UK. This guide maps the five major regulatory frameworks affecting OSINT practitioners globally, identifies the most significant legal risks by collection technique, and provides a jurisdiction-sensitive decision framework for operational OSINT work.
Three threshold questions that determine which legal constraints apply:
- Who is the analyst? Journalist, academic, government intelligence officer, corporate investigator, or independent practitioner? Institutional role determines available legal protections (journalist shield, research exemptions, intelligence authority).
- Who is the subject? EU resident (GDPR applies regardless of analyst location), public figure, private individual, corporate entity, or government body?
- What collection method? Passive observation of public data, authenticated-platform access, web scraping, or covert collection?
The answers determine the applicable legal framework. There is no universal “OSINT is legal” principle.
United States — CFAA and Parallel Statutory Framework
Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030
The CFAA is the primary US statute governing unauthorized computer access. It criminalizes “intentionally access[ing] a computer without authorization or exceed[ing] authorized access.”
Key ruling — Van Buren v. United States (SCOTUS 2021): The Supreme Court narrowed the CFAA’s “exceeds authorized access” prong. The Court held that the phrase means accessing a computer in a part of the system to which the user does not have access permission — not accessing a permitted system for an improper purpose. Practical effect: a user with legitimate access to a system who accesses data in areas they are authorized to access does not violate the CFAA, even if their purpose violates Terms of Service. This significantly reduced the risk of CFAA liability for ToS-based access.
Key ruling — hiQ Labs v. LinkedIn (9th Cir. 2022): The Ninth Circuit held that scraping publicly accessible LinkedIn profile data — data visible without authentication — does not constitute unauthorized access under the CFAA. The court reasoned that data on public-facing servers, accessible without a login, is not “protected” for CFAA purposes. This is the strongest judicial authority for the legality of scraping public-facing websites.
Remaining CFAA risks:
- Accessing password-protected systems without authorization remains criminal — the hiQ ruling protects only public-facing data
- Exceeding authorized access by accessing restricted database sections remains criminal post-Van Buren
- Dark web access to criminal marketplaces may create CFAA exposure depending on how access is obtained
Stored Communications Act (SCA), 18 U.S.C. § 2701
The SCA prohibits unauthorized access to stored electronic communications — private messages, emails, and cloud-stored files. Unlike the CFAA, the SCA applies specifically to communications stored by service providers. Practical application: accessing someone’s private messages, even if technically obtainable via platform vulnerability, creates SCA exposure. Public posts are not SCA-protected.
Carpenter v. United States (SCOTUS 2018) — Location Data Trajectory
The Supreme Court held that warrantless government collection of persistent cell-site location information (CSLI) from telecommunications providers constitutes a Fourth Amendment search. The ruling applies to government actors, not private OSINT practitioners — but it establishes the direction of privacy jurisprudence: persistent location data, even when collected from third parties, carries Fourth Amendment protection. Commercial OSINT firms collecting mobile device location data as CAI (Commercially Available Information) from data brokers operate in a legal grey zone that is under active regulatory scrutiny.
Intelligence Community Legal Framework
For US government intelligence officers, a parallel statutory framework applies: FISA (Foreign Intelligence Surveillance Act) governs collection targeting foreign powers and their agents; EO 12333 governs overseas collection. These authorities are not available to non-government OSINT practitioners and create legal exposure for private actors who attempt to replicate them.
European Union — General Data Protection Regulation (GDPR)
Jurisdiction
GDPR (Regulation EU 2016/679) applies whenever the data subject is an EU resident — regardless of where the analyst is located. A Brazilian researcher using OSINT to profile an EU-resident politician processes GDPR-covered personal data. Jurisdictional reach is extraterritorial.
Six Lawful Bases for Processing (Article 6)
| Basis | Application to OSINT |
|---|---|
| Consent (Art. 6(1)(a)) | Impractical for OSINT — the subject is unaware of collection |
| Contract (Art. 6(1)(b)) | Not applicable to investigative OSINT |
| Legal obligation (Art. 6(1)(c)) | Applies where processing is required by law (compliance, AML) |
| Vital interests (Art. 6(1)(d)) | Emergency humanitarian contexts only |
| Public task (Art. 6(1)(e)) | Available to public authorities; limited for private analysts |
| Legitimate interest (Art. 6(1)(f)) | Primary basis for OSINT — requires three-part balancing test |
Legitimate Interest — the three-part test (Article 6(1)(f)):
- Purpose test: Is the purpose legitimate? Accountability journalism, academic research, and security intelligence are generally legitimate. Commercial competitive intelligence requires more careful framing.
- Necessity test: Is processing necessary for the purpose? If less intrusive means achieve the same result, the necessity test fails.
- Balancing test: Do the subject’s fundamental rights and freedoms override the legitimate interest? For public figures exercising public functions they generally do not (their public conduct is fair game); for private individuals they generally do (their privacy interests prevail).
Special Category Data (Article 9)
Processing of special category data requires explicit consent or a specific exception. Special categories:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic or biometric data (used for unique identification)
- Health data
- Sexual orientation or sex life
OSINT implications: A geolocation investigation that reveals an individual’s attendance at a religious service or political meeting processes special category data (religious beliefs, political opinions). Conflict-zone investigations that work with imagery of wounded or deceased individuals may process health data. These require careful legal justification beyond the standard legitimate interest basis.
Journalism and Research Exemptions (Article 85)
EU Member States may provide exemptions for journalistic, academic, artistic, and literary purposes. The exemptions must be proportionate and include adequate safeguards. In practice:
- Professional journalists employed by recognized news organizations have the strongest Article 85 protection
- Independent researchers with institutional affiliation have intermediate protection
- Independent OSINT practitioners without institutional affiliation have the weakest position
Data Subject Rights
- Right of access (Art. 15): Subjects can request confirmation of what data is processed
- Right to erasure (Art. 17): Subjects can demand deletion — creates tension with OSINT archival and evidence preservation
- Right to object (Art. 21): Subjects can object to legitimate-interest processing — processor must demonstrate compelling grounds to continue
Practical note for OSINT practitioners: The right to erasure means that an OSINT investigation that processes personal data about EU residents creates an ongoing legal obligation. Evidence preservation requirements may conflict with erasure demands in accountability investigations — the Berkeley Protocol recommends coordinating with legal counsel before processing large personal-data datasets in accountability contexts.
United Kingdom — UK GDPR and Data Protection Act 2018
Post-Brexit, the UK operates under UK GDPR — a retained version of EU GDPR with UK-specific amendments — plus the Data Protection Act 2018. The substantive regime is functionally similar to EU GDPR for most OSINT purposes.
Key UK-specific elements:
- Journalism exemption (Section 26, DPA 2018): Exempts processing carried out for the special purposes (journalism, academic, artistic, and literary work) where it is carried out with a reasonable belief that it is in the public interest.
- ICO enforcement: The Information Commissioner’s Office has issued high-profile fines. ICO has enforcement authority over processors handling UK residents’ data.
- Post-Brexit adequacy: The EU granted UK adequacy in June 2021 — data can flow freely UK↔EU. The adequacy decision is subject to review; UK regulatory divergence from EU GDPR may threaten it.
Brazil — Lei Geral de Proteção de Dados (LGPD)
Fact: LGPD (Lei 13.709/2018) entered into force September 2020. The Autoridade Nacional de Proteção de Dados (ANPD) is the enforcement authority. LGPD is structurally modeled on GDPR with Brazilian-specific adaptations.
Key Provisions
Ten lawful bases (Article 7): LGPD provides ten bases, more numerous than GDPR’s six. Most relevant for OSINT:
- Legitimate interest (Article 7, IX): Available for the legitimate interests of the controller or third party. Less developed jurisprudence than GDPR — ANPD is in early enforcement stage.
- Journalistic and academic research (Article 7, V): Processing for journalistic, historical, scientific, or academic purposes is permitted with appropriate safeguards.
- Protection of credit (Article 7, X): Relevant for financial OSINT and credit investigation.
Security, national defense, and public safety exception (Article 4): Processing by public authorities for national security, defense, public security, and criminal investigation purposes is largely exempt from LGPD’s protective provisions. The scope of this exception is broader than GDPR equivalents.
Sensitive data (Article 11): Equivalent to GDPR special categories — racial/ethnic origin, religious belief, political opinion, health/sexual life, genetic/biometric data. Extra legal bases required.
ANPD enforcement (2024 status): ANPD began active enforcement in 2023–2024. Sanctions include warnings, fines (up to 2% of revenue in Brazil, capped at R$50M per violation), and suspension of processing activities. ANPD has been active in education and healthcare sectors.
Relevance for Brazilian OSINT practitioners: Brazilian civil-society researchers, investigative journalists, and security analysts conducting OSINT on Brazilian subjects must comply with LGPD. The journalism exception (Article 7, V) provides meaningful protection for journalists with institutional affiliation; independent analysts face greater exposure.
Canada — PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private-sector organizations collecting personal information in the course of commercial activities. Key elements:
- Meaningful consent principle: Collection of personal information without consent requires a “legitimate business purpose” — OSINT collection for commercial intelligence, corporate due diligence, or competitive intelligence falls within this framework
- Privacy Commissioner of Canada: Advisory and investigative enforcement; no punitive fines (unlike GDPR/LGPD)
- Journalism exemption: The Privacy Act provides limited exemptions for journalistic purposes; PIPEDA’s commercial-activity scope limits its direct journalism application
- Relevance: Lower enforcement risk than GDPR/LGPD for most OSINT use cases; compliance is nonetheless required for Canadian-regulated organizations and for processing data about Canadian residents
Technique-Specific Legal Risk Matrix
| Technique | US | EU/GDPR | UK | Brazil/LGPD | Primary risk |
|---|---|---|---|---|---|
| Scraping public websites (no authentication) | Low (hiQ) | Medium (legitimate interest required) | Medium | Medium | ToS civil liability; GDPR if EU personal data processed |
| Scraping authenticated platforms | High (CFAA) | High | High | High | CFAA criminal exposure (US); GDPR controller obligations |
| WHOIS/DNS lookups | Negligible | Negligible | Negligible | Negligible | Public technical data; minimal personal-data content |
| Company registry lookups | Negligible | Negligible (statutory disclosures) | Negligible | Negligible | Regulatory-mandated public disclosure |
| EXIF metadata from public images | Low | Medium (location data = personal data under GDPR) | Medium | Medium | GPS coordinates are personal data; additional basis required |
| Leaked data analysis (Panama Papers type) | Medium (receipt risk) | Medium (special category data risk) | Medium | Medium | CFAA receipt of hacked data; GDPR processing of leaked personal data |
| Dark web passive research | Low | Medium | Medium | Medium | Infrastructure access; potential conspiracy risk in some jurisdictions |
| Social media monitoring (public accounts) | Low | Medium (aggregate profiling = personal data processing) | Medium | Medium | Aggregate profiling creates GDPR controller obligations |
| Cryptocurrency on-chain analysis | Low | Medium (pseudonymous ≠ anonymous under GDPR) | Medium | Low | GDPR treats blockchain addresses linked to identified persons as personal data |
| Physical surveillance | High | High | High | High | State tort law; Article 8 ECHR/LGPD equivalent privacy rights |
| Drone imagery of urban areas | High (FAA airspace) | High | High | Medium | Airspace regulations; GDPR if persons identifiable in footage |
| Facial recognition against scraped images | High | Very High (biometric special category) | Very High | High | BIPA (Illinois); GDPR Article 9 requires explicit consent |
Berkeley Protocol — Legal Standard for OSINT Evidence
The Berkeley Protocol on Digital Open Source Investigations (2022) establishes the legal-grade standard for OSINT evidence in international accountability proceedings (ICC, ICJ, UN bodies). Key legal requirements:
Evidence admissibility prerequisites:
- Chain of custody documentation: Every piece of evidence must have a documented collection chain from original source to submission, including collector identity, collection method, tool versions, and storage path
- Hash verification: Cryptographic hashing (SHA-256) of all evidence at collection time, with re-verification at every transfer point
- Metadata preservation: Original metadata (EXIF, creation timestamps, platform metadata) must be preserved in original form; analysis is performed only on derived copies
- Source documentation: Original source URL, archive capture date (Wayback Machine or archive.today), and evidence that the source was public at the time of collection
International tribunal standards: ICC Rules of Evidence require that digital evidence be authenticated, that its chain of custody be established, and that its integrity be verifiable. Berkeley Protocol compliance maps directly onto these requirements — OSINT investigations that apply the Protocol’s standards produce evidence that is structurally admissible before international bodies.
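As an added worked example for the chain-of-custody, hash-verification and metadata-preservation prerequisites above (code written for this note, not the Berkeley Protocol’s own tooling; the record fields, the `transfer` check and the sample artifact are assumptions):

```python
import hashlib
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    """Hash artifact bytes at collection time (the Protocol specifies SHA-256)."""
    return hashlib.sha256(data).hexdigest()

class EvidenceRecord:
    """Chain-of-custody record for one artifact. Hypothetical structure built
    from the prerequisites above; not a schema published by the Protocol."""

    def __init__(self, source_url, collector, method, tool_version, original: bytes):
        self.source_url, self.collector = source_url, collector
        self.method, self.tool_version = method, tool_version
        self.original = bytes(original)          # preserved verbatim, never modified
        self.sha256 = sha256_hex(self.original)  # computed once, at collection
        self.custody = []                        # ordered custody events
        self._log("collected", collector, True)

    def _log(self, event: str, actor: str, ok: bool) -> None:
        self.custody.append({"event": event, "actor": actor, "ok": ok,
                             "at": datetime.now(timezone.utc).isoformat(),
                             "expected_sha256": self.sha256})

    def transfer(self, to_actor: str, received: bytes) -> bool:
        """Re-verify integrity at a transfer point and record pass/fail."""
        ok = sha256_hex(received) == self.sha256
        self._log("transfer to " + to_actor, to_actor, ok)
        return ok

    def derived_copy(self) -> bytearray:
        """Analysis (EXIF parsing, cropping, enhancement) works on a copy only."""
        return bytearray(self.original)

    def is_intact(self) -> bool:
        """Original still matches its collection hash and no transfer failed."""
        return (sha256_hex(self.original) == self.sha256
                and all(e["ok"] for e in self.custody))

# Constructed stand-in for a captured image (not real evidence).
SAMPLE = b"\xff\xd8\xff\xe0 constructed JPEG stand-in with EXIF-like bytes"

def demo() -> dict:
    rec = EvidenceRecord("https://example.invalid/post/1", "analyst-A",
                         "browser capture", "capture-tool 0.1 (hypothetical)", SAMPLE)
    clean = rec.transfer("analyst-B", SAMPLE)                # identical bytes: passes
    tampered = rec.transfer("reviewer-C", SAMPLE + b"\x00")  # altered bytes: fails, logged
    copy = rec.derived_copy()
    copy[0] = 0x00                                           # editing the copy, not the original
    return {"clean": clean, "tampered": tampered, "events": len(rec.custody),
            "original_unchanged": rec.original == SAMPLE, "intact": rec.is_intact()}
```

A failed re-verification is deliberately kept in the custody log rather than discarded, since the gap itself is what a tribunal will ask about.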
The Platform Terms of Service Problem
Platform ToS impose contractual obligations broader than statutory law. After Van Buren and hiQ, ToS violations are generally not CFAA crimes for public-facing data. But ToS violations remain:
- Grounds for civil lawsuit (breach of contract): Platforms have sued scrapers — LinkedIn v. hiQ (after remand), Ticketmaster v. Prestige Entertainment — but large-scale litigation is resource-intensive and typically targets commercial competitors, not individual analysts
- Grounds for account ban and IP block: Immediate and near-certain consequence of detected scraping
- Grounds for platform-initiated takedown: For content hosted on platforms, ToS violations enable removal of both content and accounts
Practical implication: Professional-grade OSINT programs maintain dedicated collection infrastructure — separate accounts, API access where available, rotating proxies — to avoid burning research accounts on routine collection.
Operational Legal Decision Framework
Before executing any OSINT collection operation involving personal data:
- Identify the subject’s jurisdiction: EU resident → GDPR applies globally. Brazilian resident → LGPD applies globally. US resident → CFAA applies to method; Privacy Act to government actors only.
- Identify your legal basis: Journalist with institutional cover → journalism exemption available. Academic researcher → research exemption available. Independent practitioner → legitimate interest basis, apply three-part test.
- Assess the collection method: Public-facing web scraping → legally lower-risk (post-hiQ). Authenticated-platform access → higher CFAA/breach risk. Dark web → jurisdiction-dependent.
- Apply special category check: Does the data involve health, political opinion, religion, biometrics, sexual orientation? If yes, stronger legal basis required.
- Document the legal basis before collection begins. Post-hoc rationalization is not a legal defense.
Key Connections
Ethical complement: OSINT Ethics — legal permissibility and ethical permissibility are distinct standards; this note addresses both independently
Collection framework: OSINT | Open-Source Intelligence Manual
Verification standard: Source Verification Framework
Practitioner tradecraft: IIA Ch. 9 — Legal Exposure and Liability Management | IIA Ch. 8 — OPSEC
Sub-discipline legal exposure: Financial Intelligence (FININT: AML/KYC, beneficial ownership disclosure law) | Social Media Intelligence (SOCMINT: platform ToS, scraping law) | Cyber Threat Intelligence (CTI: CFAA, dark web, criminal infrastructure)