Is corporate intelligence at a regulatory crossroads?

Amid rapid technological advancement and changing regulatory frameworks, the ethical implications of OSINT investigations have never been more relevant. As highlighted in a recent Bellingcat article, analysts are often faced with the dilemma of meeting intelligence requirements while also considering privacy concerns.

In the absence of clear ethical guidelines, privacy laws such as the European GDPR, and ethical protocols such as the 2020 US Stanley Centre for Peace and Security Protocol, offer some direction. However, these standards are not universally mandatory, leaving the corporate intelligence industry to navigate an ethical “grey area”.

In recent years, the lack of regulation in OSINT has led to some high-profile privacy violations. Back in 2014, data analytics firm Cambridge Analytica infamously used OSINT techniques to collect data from millions of Facebook users without their consent. In 2016, private intelligence firm Black Cube was hired by the convicted Hollywood producer Harvey Weinstein to gather sensitive information online on individuals involved in exposing his sexual misconduct.

Neon’s approach

At Neon, we follow best practices to avoid violating privacy rights. First and foremost, we dedicate time to setting the direction and scope of the investigation with our clients. This helps both sides ensure that the provided intelligence is proportional to the initial brief, and not in breach of existing regulations.

If the intelligence comes from data breaches, we do not share unnecessary sensitive information such as passwords, home addresses, and telephone numbers when it falls outside the scope of the investigation. When collecting data from social media, we make sure that our reports include only information that is already public. Practices such as joining private online groups, using false identities, or befriending people on social media to gather additional intelligence might be deemed unethical from an OSINT perspective. Finally, when using third-party service providers to help our work, we verify that they gather and manage their data responsibly, as clients often use our findings in legal settings.

Last year, Neon was tasked by an Italian client with mapping out a network of several individuals suspected of acting against their interests. To be able to establish connections, we had to initially gather a large amount of public data on these individuals’ professional and private lives. This included their family, friends, whereabouts, contact details, personal interests, and social media activity.

For the majority of the subjects, we did not include any of this contextual information in the final product. However, one of the key individuals’ sons ended up being the main link between him and the other subjects. Therefore, we deemed it critical to the client’s request to include some intelligence on this individual. This example illustrates how Neon balances thoroughness and ethical responsibility, which is crucial in maintaining the integrity of our OSINT work.

The discussion about the ethical implications of OSINT investigations is gaining traction. Stricter regulation will likely affect private intelligence firms due to factors such as the potential implementation of GDPR-like regulations on a global level, AI development, and increasing exposure to OSINT due to geopolitical events. It is certainly encouraging to see that experts already offer viable solutions to tackle the problem.

At Neon, we regularly engage in team discussions about the potential ethical implications of our intelligence, and take all the necessary steps to protect our analysts and clients from potential legal, regulatory, and reputational risks.

By Sara Ferrari
