Careful With That OSINT: No Tipping Off!
Operational security measures and best practices to prevent unintentional disclosures in investigations.
Authors: Paul Wright and Neal Ysart (The Coalition of Cyber Investigators)
Open source intelligence (OSINT) practitioners must tread carefully when managing various risks and procedural grey areas, such as ethics, legality, and privacy. One of the least discussed but most concerning risks is inadvertently alerting a suspect that they are the subject of an investigation.
This risk could not only jeopardise a successful investigation but, in certain circumstances, expose an OSINT practitioner to criminal charges, such as when “tipping off” a suspect in an Anti-Money Laundering (AML) or Terrorist Financing investigation—even if unintentional.
This article examines the legal risks of compromising an investigation, including potential personal ramifications for investigators, and discusses safeguards that can be implemented.
Digital Footprint Dangers
Most investigators are aware that every online action leaves a trace. However, even experienced practitioners can unintentionally alert their subjects if proper safeguards are not in place. For instance, using a personal social media account to browse a suspect’s profile, accidentally engaging with their content, or repeatedly accessing the same online account can raise suspicion.
Such missteps can compromise covert internet investigations, as the subject may detect unusual activity and realise they are under scrutiny. Ensuring anonymity and operational security (OPSEC) is vital to minimising risks. Experienced practitioners often rely on tools and techniques like fake online persona research accounts, commonly known as “sock puppets”, to interact with target accounts discreetly. Other essential measures include using virtual machines, virtual private networks (VPNs), and encrypted storage to further obscure the investigator’s identity.
Blurring the lines between a covert research account and an investigator’s real identity, or failing to integrate these safeguards into standard operating procedures (SOPs), poses significant risks. By default, professionals must adopt these practices to maintain the covert nature of their investigations.
Tipping Off in Investigations
Ethical Conflicts and Tipping Off Risks
Ethical conflicts of interest are a significant concern in investigations, particularly when investigators may have conflicting duties. For instance, in an insider trading investigation, if the subject is a client of a company subsidiary, it is crucial to implement "Chinese Walls." This measure ensures the separation of conflicting investigative and business interests, thus preserving the integrity of the investigation.
The Risk of Tipping Off in Undercover Operations
Another common risk is tipping off during undercover operations. Investigators may inadvertently reveal their role or intentions, which can compromise their cover. For example, an investigator posing as a participant in a financial crime network might deviate from the agreed narrative, raising suspicion among the targets. Even the smallest deviation from the script or inconsistency in their story can alert the suspect to the investigation.
Risks in Test Purchases
Similarly, test purchases—often used to verify illegal activities—carry their own risks. If investigators fail to conceal their methods or reveal their identity during the transaction, the entire investigation can be jeopardised. For example, using traceable payments or failing to use false contact details can alert the subject to law enforcement’s interest in the operation.
Covert Internet Investigations and OPSEC
The importance of operational security (OPSEC) cannot be overstated, especially in covert internet investigations where investigators may be working remotely or in digital environments. A lack of attention to detail—such as viewing a suspect’s profile multiple times without masking the investigator’s identity, using traceable accounts, or conducting redundant searches on the same target—can raise red flags. These oversights emphasise the necessity of maintaining anonymity, for example, through the use of sock puppets and VPNs, to ensure the integrity of the investigation.
Managing the Risk of Tipping Off with HUMINT
When working with human intelligence sources (HUMINT), the risk of tipping off can increase if investigators do not handle their sources carefully. If an investigator’s interaction with a source becomes known to the target, it could lead to retaliation against the source or cause disruption in the investigation. To mitigate this, proper compartmentalisation and source protection protocols are essential. These safeguards prevent unintentional disclosures and protect both the investigation and the sources involved.
Witness Interviews: A Potential Risk
Witness interviews are another critical component of investigations, yet they too can inadvertently tip off suspects. If the subject learns of the information provided by a witness, they may become aware of the ongoing investigation. To avoid this, careful planning is required when managing witness interviews. Conducting interviews in neutral locations, carefully sequencing them, and ensuring that the questioning does not directly reference the suspect or investigation details can help prevent raising suspicion.
The Coalition of Cyber Investigators and other professional bodies provide extensive resources on maintaining operational security and avoiding tipping off. Practitioners are encouraged to use these resources to continually refine their methodologies. From adopting secure technologies to developing robust SOPs, the OSINT community offers a wealth of knowledge to support covert and ethical investigations.
In all cases, failing to implement safeguards creates liability, risks the success of operations, and endangers the safety of investigators and sources alike.
Legal Frameworks for Preventing Tipping Off
Tipping off is explicitly prohibited under many jurisdictions’ laws. Below are examples of relevant legislation and core provisions from various regions.
In Australia, the AML and Counter-Terrorism Financing Act 2006 prohibits tipping off. Disclosing information about a Suspicious Matter Report (SMR) can interfere with investigations and potentially alert individuals involved in criminal activities. Violations can lead to criminal penalties, emphasising the importance of confidentiality in financial intelligence reporting.
In the UK, the Proceeds of Crime Act 2002 (POCA) defines the offences of "tipping off" (section 333A) and "prejudicing an investigation" (section 342). It outlines the defences available and provides practical examples to help navigate these hazards. The legislation requires that interactions with clients after submitting a Suspicious Activity Report (SAR) must avoid prejudicing ongoing inquiries.
Other jurisdictions, such as the EU with the 6th Anti-Money Laundering Directive (6AMLD) and the United States under the Bank Secrecy Act, emphasise the importance of SAR confidentiality. Both frameworks prohibit sharing SAR-related information except under specific conditions to maintain the integrity of investigations and protect whistleblowers and informants.
Further articles relating to 'tipping off' someone subject to investigation, particularly in the context of AML or terrorist involvement, include:
- "Money laundering offences—tipping off and prejudicing an investigation" by LexisNexis.
- "What is Tipping Off? As an Estate Agent, do I need to be aware of it?" by London Law.
- "Anti-money laundering tipping off" by ICAEW.
- "Tipping off and prejudicing an investigation" by LexisNexis.
- "The Bank Secrecy Act: Scope of The SAR 'Privilege'" by Severson.
Legal Consequences of Compromised Investigations
If an investigation is compromised due to an OSINT practitioner’s actions, legal consequences can arise, often leading to personal liability, particularly for practitioners working in public sector roles or regulated industries.
These consequences could include charges for obstruction of justice or even perverting the course of justice, especially if the evidence is destroyed due to a suspect becoming aware of the investigation. Further negative outcomes include lawsuits for privacy violations and civil claims for professional negligence, especially if the practitioner provides commercial services to a third party and fails to exercise due care.
Global legal frameworks vary, and the precise nature of potential proceedings will depend on the case’s circumstances, location, and applicable laws. Practitioners are advised to seek legal counsel in their jurisdiction because, while general principles often share common characteristics, significant variations exist in different parts of the world.
One of the more explicit legal risks is tipping off a suspect under investigation for money laundering or terrorist financing, particularly for those in regulated sectors like financial services. SARs or equivalent reports must be submitted to the relevant authorities, and legislation protects these reports from being disclosed.
It’s easy to imagine a scenario where an inexperienced OSINT investigator conducts further searches after a SAR has been filed, potentially tipping off the subject.
Penalties
In severe cases, practitioners could face criminal charges, with penalties under Section 342 of the POCA 2002 in the UK, for example, carrying up to five years imprisonment and a fine.
In Australia, submitting or being required to submit an SMR about a customer prohibits disclosure of any information related to the report, except in certain circumstances. Tipping off is a criminal offence, punishable by up to two years imprisonment or 120 penalty units.
Such incidents can also have long-term consequences on an OSINT practitioner’s career, including the revocation of professional licences, prohibition from future investigative work, and damage to reputation within the investigations or OSINT community.
Although cases of this severity are rare, they underscore the importance of ensuring safeguards are in place to prevent OSINT activities from alerting a suspect.
Some Suggested Operational Safeguards
OSINT practitioners should implement a range of safeguards to mitigate this risk, which could include:
- Secure Technology Stack: Use dedicated investigation devices running specific virtual machines (VMs) to isolate investigative activities from regular tasks. VPN services with kill switches, privacy-focused browsers, and anti-fingerprinting extensions help maintain anonymity and minimise digital footprints.
- Curated Libraries of Sock Puppets: Develop specific online personas for investigations, using burner phones for verification to maintain separation between the investigator and their research. Assignment-specific research accounts should be used wherever possible to help prevent cross-contamination between investigations. Regular audits of an investigator’s digital footprint can help identify potential risks, but access to assignment data should be strictly controlled on a need-to-know basis and procedurally documented.
- Rigorous Investigation Protocols: Implement thorough risk assessments and document objectives before starting investigations, including predetermined stop protocols based on agreed risk thresholds. Maintain detailed logs of decisions and actions, and ensure transparency and accountability through comprehensive audit trails. Peer reviews for high-risk investigations offer an additional layer of oversight.
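As an added illustration (not code from the authors or The Coalition of Cyber Investigators), the footprint audit and stop protocol described above can be run over an investigator's own activity log. The log fields, the finding names, the threshold of three views in 24 hours and the stop rule are all assumptions made for this sketch.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data. Fields: timestamp, research account,
# assignment, target, VPN tunnel up?, personal account used?
LOG = [
    ("2024-05-01T09:00", "persona-a", "CASE-1", "target-x", True, False),
    ("2024-05-01T11:00", "persona-a", "CASE-1", "target-x", True, False),
    ("2024-05-01T15:00", "persona-a", "CASE-1", "target-x", True, False),
    ("2024-05-01T20:00", "persona-a", "CASE-1", "target-x", True, False),
    ("2024-05-02T10:00", "persona-b", "CASE-1", "target-y", False, False),
    ("2024-05-03T10:00", "persona-b", "CASE-2", "target-z", True, False),
    ("2024-05-03T12:00", "own-account", "CASE-2", "target-z", True, True),
]

# Assumed policy: these finding types trigger the stop protocol immediately.
STOP_KINDS = {"UNMASKED_EGRESS", "PERSONAL_ACCOUNT"}

def audit(log, max_views=3, window=timedelta(hours=24)):
    """Return findings for one pass over the activity log."""
    findings, cases, views = [], defaultdict(set), defaultdict(list)
    for ts, account, case, target, vpn_up, personal in log:
        cases[account].add(case)
        views[(account, target)].append(datetime.fromisoformat(ts))
        if not vpn_up:
            findings.append(("UNMASKED_EGRESS", ts, account, target))
        if personal:
            findings.append(("PERSONAL_ACCOUNT", ts, account, target))
    # One research account used on several assignments: cross-contamination.
    for account, used in sorted(cases.items()):
        if len(used) > 1:
            findings.append(("PERSONA_REUSE", account, tuple(sorted(used))))
    # Same account viewing the same target too often inside the window.
    for (account, target), times in sorted(views.items()):
        times.sort()
        start = 0
        for end, when in enumerate(times):
            while when - times[start] > window:
                start += 1
            if end - start + 1 > max_views:
                findings.append(("REPEAT_VIEWS", account, target, end - start + 1))
                break
    return findings

def should_stop(findings):
    """True when any finding is of a type the stop protocol covers."""
    return any(f[0] in STOP_KINDS for f in findings)
```

Findings that do not trigger an immediate stop (persona reuse, repeat views) are the ones to raise at peer review and record in the audit trail.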
Administrative Safeguards to Manage Risk
In addition to operational safeguards, OSINT practitioners should consider administrative safeguards. Professional indemnity insurance, for example, can cover the costs of defending negligence claims and compensating clients when cases are lost. Many professional service providers now include this as a mandatory factor in their procurement criteria.
Defensive Company Formations: Lawyers specialising in corporate law should be consulted to identify the most appropriate business structure, such as a Limited Liability Company (LLC) or sole proprietorship, to best protect investigators and their assets from legal challenges or negligence claims. This is particularly necessary when practitioners engage in high-risk investigations, such as those involving organised crime, corruption, public officials, and other politically exposed persons (PEPs).
Client Agreements: Contracts should clearly outline scope, objectives, and risk mitigation measures, including limitations of liability, indemnification clauses, and applicable legal jurisdiction. For high-risk investigations, ensure that stop criteria and escalation procedures are clearly defined.
Conclusion
The consequences of unintentionally alerting a suspect to an investigation can be severe, with potential personal liability, particularly in AML and Terrorist Financing investigations. However, experienced practitioners can manage these risks effectively by embedding rigorous operational and administrative safeguards. Since personal liability could extend beyond professional embarrassment to criminal penalties in certain jurisdictions, risk management is not just the best practice for OSINT practitioners; it is essential for survival in the field.
At The Coalition of Cyber Investigators, we firmly believe that the most valuable OSINT investigations are not just those that uncover critical information or identify previously unavailable evidence but are those that do so while leaving no trace of the investigator's presence.