Laws and Ethics for Government OSINT / III in the UK

This post outlines legal and ethical guidelines for UK government and police use of OSINT and Internet Intelligence Investigations.

Category: Guides & Information
Date: August 24, 2024
Author: Redacted

Open Source Intelligence (OSINT) and Internet Intelligence Investigations (III) involve collecting and analysing publicly available information from the internet to inform decision-making. While these methods are valuable for various governmental and security purposes, they must be conducted lawfully. 

To ensure internet investigations are conducted lawfully, public sector organisations implement training and policy documents that outline an internal process adhering to the relevant laws. This article outlines key UK laws and considerations governing OSINT / III.

Regulation of Investigatory Powers Act (RIPA) 2000

RIPA regulates public authorities' surveillance and interception of communications, ensuring that any intrusive investigative methods are legally justified and proportionate, protecting individual privacy rights. Key provisions include:

  • Covert Surveillance: Regulates surveillance in public places
  • Covert Human Intelligence Sources (CHIS): Regulates the use of informants and undercover agents

Investigatory Powers Act (IPA) 2016

IPA, building on and superseding the lawful interception of communications data section of RIPA, grants law enforcement and public authorities powers to legally access and retain communications data for legitimate purposes:

  • Lawful Interception: Requires warrants from the Secretary of State or Scottish Ministers justified by national security, serious crime prevention, or economic well-being related to national security.
  • Data Retention and Acquisition: Allows mandated data retention by telecommunications operators
  • Bulk Warrants: Enables extensive data collection under strict safeguards
  • Equipment Interference: Authorises equipment interference (hacking) under specific warrants with judicial oversight

Data Protection Act (DPA) 2018 and UK General Data Protection Regulation (GDPR)

DPA and GDPR operate in conjunction to govern the processing of personal data. Key principles include:

  • Lawfulness, Fairness, and Transparency: Data must be processed legally and transparently.
  • Purpose Limitation: Data should only be used for specified purposes.
  • Data Minimisation: Only necessary data should be collected.
  • Accuracy: Data must be accurate and kept up to date.
  • Storage Limitation: Data should not be kept longer than necessary.
  • Integrity and Confidentiality: Data must be processed securely.

OSINT / III practitioners must ensure data collection and processing have a lawful basis, respect individuals' rights, and implement robust security measures.

Human Rights Act (HRA) 1998

HRA incorporates the European Convention on Human Rights (ECHR) into UK law. Relevant rights include:

OSINT/III activities must respect these rights, ensuring justified and proportionate interference with privacy and admissible evidence collection.

Computer Misuse Act (CMA) 1990

This Act criminalises unauthorised access to computer systems. OSINT / III practitioners must avoid hacking and unauthorised data scraping, complying with platform terms of service. Key offences include:

  • Unauthorised Access: Illegal to access computer material without permission.
  • Further Offences: Unauthorised access with intent to commit further crimes is prohibited.
  • Impairment of Systems: Illegal to impair the operation of computer systems.

Relevant Case Law

Several cases illustrate the practical application of these laws:

Best Practices and Ethical Considerations

In addition to relevant legislation, OSINT practitioners must also consider ethics when collecting personal data. To ensure that internet investigations are conducted lawfully, public sector organisations should consider the following:

  • Civil Rights and Liberties: Prioritise ethical considerations throughout the investigative process.
  • Transparency and Accountability: Maintain clear records of investigative steps, decisions, and justifications.
  • Training and Awareness: Conduct regular training on legal updates, ethical standards, and technical skills.
  • Risk Assessment and Management: Continuously assess and manage legal, ethical, and operational risks.

Internet Intelligence & Investigations Covert Profiles

Internet investigators working for public sector organisations may use covert profiles, online accounts created under an alias, to obfuscate the fact that they are used for policing purposes. This is done to ensure that criminals cannot operate freely online, but this activity must be conducted in a controlled manner. Key considerations for creating and managing covert profiles include:

  • Purpose: Facilitate covert access to social profiles and online groups to gather evidence and intelligence, and conduct online surveillance.
  • Creation and Management: Prior to the creation and use of covert accounts, practitioners must establish an investigative strategy and conduct a risk assessment.
  • Recording and Compromise: All activities must be meticulously documented, and any compromises must be promptly recorded and addressed.

Summary

OSINT / III techniques offer powerful investigative capabilities but require a careful balance between operational needs and legal and ethical obligations. By adhering to relevant laws, maintaining ethical standards, and following best practices, OSINT/III practitioners can conduct effective and lawful investigations while respecting individual rights and privacy.

Continuous training, risk management, and compliance with evolving legal frameworks are essential for the responsible use of OSINT/III in public sector contexts. As the digital landscape evolves, so too must the practices of OSINT / III professionals.
