Laws and Ethics for Government OSINT / III in the UK
This post outlines legal and ethical guidelines for UK government and police use of OSINT and Internet Intelligence Investigations.
Open Source Intelligence (OSINT) and Internet Intelligence Investigations (III) involve collecting and analysing publicly available information from the internet to inform decision-making. While these methods are valuable for various governmental and security purposes, they must be conducted lawfully.
To ensure internet investigations are conducted lawfully within public sector organisations, training and policy documents are implemented within the relevant organisations to outline an internal process that adheres to relevant laws. This article outlines key UK laws and considerations governing OSINT / III.
Regulation of Investigatory Powers Act (RIPA) 2000
RIPA regulates public authorities' surveillance and interception of communications, ensuring that any intrusive investigative methods are legally justified and proportionate, protecting individual privacy rights. Key provisions include:
- Covert Surveillance: Regulates surveillance in public places
- Covert Human Intelligence Sources (CHIS): Regulates the use of informants and undercover agents
Investigatory Powers Act (IPA) 2016
IPA builds on, and supersedes, the RIPA provisions on lawful interception and the acquisition of communications data. It grants law enforcement and public authorities powers to legally access and retain communications data for legitimate purposes:
- Lawful Interception: Requires warrants from the Secretary of State or Scottish Ministers justified by national security, serious crime prevention, or economic well-being related to national security.
- Data Retention and Acquisition: Allows mandated data retention by telecommunications operators
- Bulk Warrants: Enables extensive data collection under strict safeguards
- Equipment Interference: Authorises equipment interference (hacking) under specific warrants with judicial oversight
Data Protection Act (DPA) 2018 and UK General Data Protection Regulation (GDPR)
DPA and GDPR operate in conjunction to govern the processing of personal data. Key principles include:
- Lawfulness, Fairness, and Transparency: Data must be processed legally and transparently.
- Purpose Limitation: Data should only be used for specified purposes.
- Data Minimisation: Only necessary data should be collected.
- Accuracy: Data must be accurate and kept up to date.
- Storage Limitation: Data should not be kept longer than necessary.
- Integrity and Confidentiality: Data must be processed securely.
OSINT / III practitioners must ensure data collection and processing have a lawful basis, respect individuals' rights, and implement robust security measures.
Human Rights Act (HRA) 1998
HRA incorporates the European Convention on Human Rights (ECHR) into UK law. Relevant rights include:
- Article 8 (Right to Privacy): Protects private and family life, home, and correspondence
- Article 10 (Freedom of Expression): Protects the right to receive and impart information
- Article 6 (Right to a Fair Trial): Ensures a fair and public hearing
- Article 14 (Prohibition of Discrimination): Ensures rights are protected without discrimination
OSINT / III activities must respect these rights, ensuring that any interference with privacy is justified and proportionate and that evidence is collected in a way that keeps it admissible.
Computer Misuse Act (CMA) 1990
This Act criminalises unauthorised access to computer systems. OSINT / III practitioners must avoid hacking and unauthorised data scraping, complying with platform terms of service. Key offences include:
- Unauthorised Access: Illegal to access computer material without permission.
- Further Offences: Unauthorised access with intent to commit further crimes is prohibited.
- Impairment of Systems: Illegal to impair the operation of computer systems.
Relevant Case Law
Several cases illustrate the practical application of these laws:
- Locke v Stuart and AXA Corporate Solutions: Demonstrated the use of social media in fraud investigations
- Smyth v St Andrew's Insurance Plc: Used social media messages as evidence
- Game Retail Ltd v Laws: Addressed employee dismissal for offensive tweets
- Bucknor v R: Confirmed the admissibility of internet-sourced evidence
Best Practices and Ethical Considerations
In addition to relevant legislation, OSINT practitioners must also consider ethics when collecting personal data. To ensure that internet investigations are conducted lawfully, public sector organisations should consider the following:
- Civil Rights and Liberties: Prioritise ethical considerations throughout the investigative process.
- Transparency and Accountability: Maintain clear records of investigative steps, decisions, and justifications.
- Training and Awareness: Conduct regular training on legal updates, ethical standards, and technical skills.
- Risk Assessment and Management: Continuously assess and manage legal, ethical, and operational risks.
Internet Intelligence & Investigations Covert Profiles
Internet investigators working for public sector organisations may use covert profiles, online accounts created under an alias, to conceal that they are used for policing purposes. This is done to ensure that criminals cannot operate freely online, but this activity must be conducted in a controlled manner. Key considerations for creating and managing covert profiles include:
- Purpose: Facilitate covert access to social profiles and online groups to gather evidence and intelligence, and conduct online surveillance.
- Creation and Management: Prior to the creation and use of covert accounts, practitioners must establish an investigative strategy and conduct a risk assessment.
- Recording and Compromise: All activities must be meticulously documented, and any compromise of a covert profile must be promptly recorded and addressed.
Summary
OSINT / III techniques offer powerful investigative capabilities but require a careful balance between operational needs and legal and ethical obligations. By adhering to relevant laws, maintaining ethical standards, and following best practices, OSINT/III practitioners can conduct effective and lawful investigations while respecting individual rights and privacy.
Continuous training, risk management, and compliance with evolving legal frameworks are essential for the responsible use of OSINT/III in public sector contexts. As the digital landscape evolves, so too must the practices of OSINT / III professionals.