
Ethically Controversial Practices in OSINT

Last updated on November 16, 2021

Legality, morals, and ethics while conducting online investigations. There, I said it!
Feels about as comfortable as being called on by the teacher to read aloud, during grade school health class.
If open source investigating has an elephant in the room, this is definitely it. Well kids, plug your noses, because we’re not just going to acknowledge that elephant, we’re going to get up close and personal with him, which of course means staying 6 feet away and wearing a mask.

There is no shortage of hotly-debated topics in the world of online investigations, but there are a few which really ignite the moral fires of people across the board. If you’re newer to this kind of work, you may not even realize that such controversy exists. I’m going to give you a little peek behind the curtain on a few of the more polarizing issues, so you can make an informed decision when you find yourself face to face with one. We will only be talking about OSINT related topics here, not hacking, not closed source information, not human sources, social engineering, or anything else.

Now, I have to say a few things before I get too far along here, because no matter how many times I say it, someone somewhere will read just the title, skim the headlines, get all spun up, and then go make it into a thing…
I am not giving legal advice, and I am not giving instruction on how to conduct yourself online, period. Hell, I’m not even telling you my own opinions! Everyone has unique personal and professional boundaries, and until US Space Force becomes judge and jury for our entire galaxy, our countries all have different legal standards as well.


I will simply be presenting some viewpoints from both sides of these particular topics, so that you may form your own opinion, and go die on the hill of your choosing. For me, there’s only 1 hill worth dying on, and that is that Will Ferrell is not even remotely funny.

Before we jump into the specific topics, we need to get just a little bit of groundwork out of the way. This is the part where other, not nearly as cool blogs, would give you a patronizing copy and paste definition of terms from some place like dictionary.com, and then reference it by name as if you have no idea where definitions of words can be found. Well, I’m not that guy! We do need to clarify a few things though, and for that, I did have to do some research… Shit, maybe I am that guy!
We’re going to talk about things that call attention to legality, ethics and morals here, and it’s important to know where each fits in. Do you know the difference between morals and ethics? No? That’s ok, neither does pretty much anyone else from what I gathered. Trust me, I read plenty of explanations of each, and left that research more confused than when I started. Most of the time, people use them interchangeably, much like the Baldwin brothers that aren’t Alec.

No matter, because the real question you’ll ultimately be trying to answer for yourself as you read along is “would I do this?”, and in order to answer that question, you’ll need to consider:

Is it legal? (Does it conform with all laws?)
Is it ethical? (Does it conform with guidelines either imposed or inferred by your employer, peer group, or society?)
Is it moral? (Does it conform with your own personal beliefs about right and wrong?)

Now on to the fun stuff! It’s time to light some fires, but first remember the age-old saying… “Opinions are like…” yeah, you know the rest. I want you to think about that every time you want to email or DM me with yours, after you’re done reading this. Remember, I’m not telling you what to think, what I think, or how to act. I just want you to know these minefields exist before you start talking at Thanksgiving dinner about how you’re an online researcher, and your one Amstel Light drinking Uncle in a T-shirt that says Property Of Spring Break 1992 calls you part of The Surveillance State in front of Grandma.

Password Knocking/Reset Attempt Tactic
This is the tactic of going to a particular website, clicking on “forgot password”, and using someone else’s email address to see what information is offered about them. Depending on the platform, you may be given a peek at a profile photo, a username, contact information, or some redacted version of one or more of those things. You may also trigger an alert to the actual account holder and if you go too far, could actually lock someone’s account.


The “for it” arguments:

  • It’s a veritable treasure-trove of information! You can verify the person has a profile, perhaps find it, and potentially gather or corroborate identifiable data points about them, all in one shot!
  • You’re not actually going through with the reset, so you’re not really pretending to be that person.
  • The option is public facing and you’re not accessing secret or protected details. Besides, it’s the website’s job to protect that information.


The “against it” arguments:

  • It’s you literally pretending to be someone you’re not, even if just to a website.
  • You’re no longer just gathering information, now you’re physically using it for something.
  • Depending on the site and the user’s settings, you may be notifying a person that someone is attempting to reset their password, which can cause all sorts of problems depending on the situation.

Breach Data Usage
This is a big one, like really big. Breach data, in this context, refers to data (often email addresses & passwords) that was stolen from a site or business via some type of breach or compromise, and later made available online. There are some who collect and/or buy this breached data, and then provide access to search it, sometimes for a fee. It’s a well known fact that many people reuse the same passwords on various different sites. Therefore, someone with a large set of breach data can not only identify an account holder’s password, but potentially identify other accounts they own based on a common password shared. Your subscription to KittenCuddlerCollective.com under the alias MegaBeefcake4000 could be given away by your password “qwertyValderamma”, which you also used on LinkedIn back in 2012.


The “for it” arguments:

  • Once the data is posted online, it’s now basically publicly available information.
  • It’s good practice to get this information out because useful services leverage it to notify people that they’re using a pwned password, including your overly intrusive iPhone.
  • If the bad guys have access to it and can go after good people with it, good people should get to use it as well.


The “against it” arguments:

  • Whether or not it’s widely available now, the original source was still theft, and the data is still highly private, therefore everyone who possesses and shares it is propagating the fruits of those crimes. Those who sell it are even worse.
  • If you’re a law enforcement agency, or a representative of a company that was previously affected by a data breach, it looks especially bad if you are now leveraging that kind of stolen information in your work.
  • By possessing, distributing, or paying to use this data, you’re encouraging more breaches to happen.
  • This kind of ecosystem enables other breach-type activity, for example, making lists of the thousands of most commonly used passwords which are then leveraged by others to brute-force attack accounts on other websites. (hint: qwertyValderamma didn’t make the cut)

Doxxing
Doxxing is the act of publishing the private personal information about a person or organization online. It could mean taking something like my phone number, relatives, home address, or the fact that Missing You by John Waite is one of my all time favorite songs, and putting it out there for the world to see. (don’t lie to yourself either, it’s an absolute jam) Doxxing is now expressly forbidden on many platforms, and (usually) gets vehemently shamed when observed, so it’s safe to say that one side is probably winning the argument here. I still think it’s relevant to cover this topic, especially for those just starting to get involved in OSINT. What you do with gathered information can have real consequences for real people out in the real world. Sometimes, that’s forgotten when people get behind the keyboard.

The “for it” arguments:

  • The major argument in favor usually centers around who the person is and what they have done to deserve said doxxing (even if not always proven). Think criminals… pedophiles… even polarizing political figures.
  • Some say that because doxxing often includes publishing information that is publicly available in whole or in part, the act of aggregating it and putting it out to the world does not rise to the level of any kind of legal or ethical violation.
  • Doxxing someone evil like a convicted pedophile is justified, and they deserve whatever comes their way, and more.

The “against it” arguments:

  • Publicly dumping a dossier of someone’s information is a disgusting invasion of privacy.
  • Semi-public or not, you’re now opening the door and enabling god-knows-who to do god-knows-what to someone. Stalking, threatening, identity theft, the list goes on.
  • Doxxing can ruin people’s lives, businesses, relationships and more, depending on the context.

OSINT in General
Of course, the very idea of conducting any kind of online research on someone else is controversial. You know what is not controversial though? Those disgusting, squishy, yellow, marshmallow Easter candies that look like little chickens, and taste like a sponge soaked in sweat wrung out of my high school gym socks. Nasty.


What you do and who you’re doing it for makes a difference here. Police officers or Feds investigating criminals, businesses protecting their assets, ex-lovers looking to rekindle or to sabotage, insurance companies investigating claims, spouses and private investigators searching for infidelity, political parties doing competitive research, journalists investigating corruption & scandal, internet sleuths trying to identify criminal suspects, analysts protecting the reputation and assets of their clients… there are just so many different ways open source investigating is being used, and for a myriad of reasons by people around the world. You could take all these examples just given, and easily go find 2 people who feel strongly and completely opposite about each one. The truth is, when you start talking about information and privacy, you’re going to spark some debate.

These debates go far beyond the handful of examples we discussed today. The use of covert sock-puppet accounts, providing fake information to websites, OSINT-ing social and political activism, vigilantism, even the use of tools can all bring out controversy, just to name a few.

At the end of the day, when you set out to conduct open source research, you’re digging up information on people’s personal lives. Information they may not even know is out there, or perhaps did a crappy job of protecting. The questions of boundaries and responsibilities are all around. Beyond just the imposed legal and ethical responsibilities one may feel from their employer or government, they have a moral responsibility to be true to themselves, whatever that may mean.
Getting it wrong is a really big deal, and a topic for another day.

I hope this article helped you consider the different points of view on these, and perhaps other topics, relevant to the world of OSINT investigations. One thing I’ll leave you with to consider for yourself is this:

Just because you can, should you?
