OSINT Ethical Framework

Authorization Requirements

MANDATORY PRE-CHECKS:

Every OSINT investigation requires:

  1. Explicit Authorization
     • Written permission from authorized party
     • Clear engagement letter or scope document
     • Client signature or approval chain

  2. Defined Scope
     • Target entities clearly identified
     • Information types specified
     • Purpose documented
     • Boundaries established

  3. Legal Compliance
     • CFAA (Computer Fraud and Abuse Act)
     • FCRA (Fair Credit Reporting Act) for background checks
     • GDPR (if EU subjects)
     • CCPA (if California residents)
     • State-specific privacy laws
     • Anti-stalking statutes

  4. Documentation
     • Authorization paperwork filed
     • Scope in writing
     • Legal review if applicable

STOP if any requirement is unmet.


Ethical Decision Tree

[Decision tree diagram not reproduced in this text version.]

Ethical Boundaries

ALWAYS

  • Use only publicly available sources
  • Document all sources and methodology
  • Respect platform Terms of Service
  • Apply proportionality (minimum necessary)
  • Protect subject privacy for anything that falls outside the authorized scope
  • Archive with proper metadata
  • Secure collected data appropriately
  • Disclose limitations in reports
  • Distinguish fact from inference
  • Verify findings against multiple independent sources

NEVER

  • Access private systems without authorization
  • Use pretexting or impersonation
  • Social engineer targets or contacts
  • Circumvent access controls
  • Purchase illegally obtained data
  • Violate platform ToS, even to obtain data considered critical
  • Stalk or harass subjects
  • Exceed authorized scope
  • Share data beyond authorized recipients
  • Make false representations

Legal Considerations by Target Type

People OSINT

  • FCRA compliance for employment/credit
  • State background check laws
  • Anti-stalking statutes
  • Harassment laws
  • Privacy torts

Company OSINT

  • Trade secret protections
  • Competitive intelligence boundaries
  • Securities law (insider trading)
  • CFAA for technical recon
  • ToS for platform access

Entity/Threat OSINT

  • CFAA for scanning
  • Authorized penetration testing scope
  • Responsible disclosure obligations
  • Data breach notification laws
  • Export controls on threat intel

Proportionality Principle

Collect only what is necessary for the stated purpose.

Before collecting data, ask:

  1. Is this within authorized scope?
  2. Is this necessary for the objective?
  3. Is there a less invasive alternative?
  4. Will collection harm the subject?
  5. Can I justify this collection?

Data Handling

Collection

  • Minimize to authorized scope
  • Document sources immediately
  • Timestamp all findings
  • Preserve chain of custody

Storage

  • Encrypt sensitive data
  • Access controls applied
  • Retention limits set
  • Secure destruction planned

Sharing

  • Only to authorized recipients
  • Secure transmission methods
  • Need-to-know basis
  • Redact unnecessary PII

Retention

  • Defined retention period
  • Regular review for deletion
  • Secure destruction methods
  • Audit trail maintained
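The collection and retention points above (document sources immediately, timestamp all findings, preserve chain of custody, maintain an audit trail) can be enforced mechanically rather than by habit: every archived artifact is hashed at collection time, stamped in UTC, tied to the source it came from and the authorization it was collected under, and chained to the previous record so that a later edit, reordering or deletion is detectable. The ledger below is an added example written for this page, not tooling from the framework's owner; the case and authorization identifiers, source URLs and page contents are constructed placeholders.

```python
"""Tamper-evident OSINT collection ledger (added example, not part of the framework).

Each entry records what was collected, from where, when (UTC), by whom, and the
SHA-256 of the archived artifact. Entries are hash-chained so that modifying or
removing any earlier record invalidates everything after it.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

GENESIS_HASH = "0" * 64  # prev_hash of the first entry in a case

# Constructed sample artifacts standing in for archived public pages.
SAMPLE_PAGE = b"<html>constructed sample: public company 'About' page</html>"
SAMPLE_POST = b"constructed sample: public forum post text"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class LedgerEntry:
    seq: int               # 1-based position in the chain
    collected_at: str      # ISO-8601 UTC timestamp
    source: str            # URL or citation of the public source
    artifact_sha256: str   # hash of the archived copy (page, image, PDF)
    collector: str         # analyst identifier
    note: str              # why this item is within scope
    prev_hash: str         # entry_hash of the previous record (chain link)
    entry_hash: str = ""   # hash over all fields above

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("entry_hash")
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return sha256_hex(canonical.encode("utf-8"))


class CollectionLedger:
    def __init__(self, case_id: str, authorization_ref: str) -> None:
        self.case_id = case_id                  # hypothetical identifier
        self.authorization_ref = authorization_ref  # engagement letter / SOW reference
        self.entries: List[LedgerEntry] = []

    def record(self, artifact: bytes, source: str, collector: str, note: str,
               when: Optional[datetime] = None) -> LedgerEntry:
        """Append one collection event; timestamp defaults to now in UTC."""
        ts = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = LedgerEntry(
            seq=len(self.entries) + 1,
            collected_at=ts.isoformat(timespec="seconds"),
            source=source,
            artifact_sha256=sha256_hex(artifact),
            collector=collector,
            note=note,
            prev_hash=prev,
        )
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the 0-based index of the first broken entry, or None if intact."""
        expected_prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if (e.seq != i + 1 or e.prev_hash != expected_prev
                    or e.entry_hash != e.compute_hash()):
                return i
            expected_prev = e.entry_hash
        return None

    def verify_artifact(self, seq: int, artifact: bytes) -> bool:
        """Check that an archived file still matches the hash taken at collection."""
        return self.entries[seq - 1].artifact_sha256 == sha256_hex(artifact)

    def export(self) -> str:
        """Serialize for the case file / audit trail."""
        return json.dumps({"case_id": self.case_id,
                           "authorization_ref": self.authorization_ref,
                           "entries": [asdict(e) for e in self.entries]}, indent=2)


def demo() -> CollectionLedger:
    """Build a two-entry ledger with fixed timestamps (constructed data)."""
    ledger = CollectionLedger("CASE-EXAMPLE-001", "SOW-EXAMPLE-2024-12")
    t0 = datetime(2024, 12, 1, 10, 0, 0, tzinfo=timezone.utc)
    ledger.record(SAMPLE_PAGE, "https://example.com/about", "analyst-1",
                  "Corporate registration details (in scope)", when=t0)
    ledger.record(SAMPLE_POST, "https://forum.example.net/post/1", "analyst-1",
                  "Public statement by target company (in scope)", when=t0)
    return ledger


if __name__ == "__main__":
    led = demo()
    print(led.export())
    print("chain intact:", led.verify() is None)
```

Run `verify()` whenever the case file is opened or handed over, and `verify_artifact()` when an archived item is pulled for a report; a non-`None` index tells you exactly where the record stopped being trustworthy. Because a deleted entry breaks the `prev_hash` link of its successor, the ledger also catches silent removal, not just edits.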

Reporting Standards

All OSINT reports must include:

  1. Scope Statement
     • Authorization reference
     • Target definition
     • Information types collected
     • Time period covered

  2. Methodology
     • Sources consulted
     • Tools used
     • Search terms employed
     • Limitations encountered

  3. Findings
     • Clearly labeled facts vs. inferences
     • Source citations
     • Confidence levels assigned
     • Verification status noted

  4. Caveats
     • Information gaps
     • Unverified claims
     • Potential biases
     • Currency of information

  5. Classification
     • Handling restrictions
     • Distribution limits
     • Retention requirements

Red Lines (Never Cross)

These actions are NEVER authorized:

  • Hacking or unauthorized access
  • Password cracking without authorization
  • Social engineering attacks
  • Physical surveillance or trespass
  • Bribery or corruption
  • Illegal wiretapping
  • Purchasing stolen data
  • Creating fake identities for access
  • Threatening or coercing sources
  • Sharing with unauthorized parties

Professional Standards

Adhere to:

  • OSINT practitioner codes of ethics
  • Industry-specific regulations
  • Client confidentiality requirements
  • Professional licensing requirements
  • Continuous legal education

Maintain:

  • Professional liability insurance
  • Documented training records
  • Peer review processes
  • Ethical review procedures

Escalation Procedures

When encountering:

  1. Scope Uncertainty
     • Pause collection
     • Document the question
     • Seek client clarification
     • Get written approval before proceeding

  2. Legal Concerns
     • Stop immediately
     • Document the concern
     • Consult legal counsel
     • Do not proceed until cleared

  3. Ethical Dilemmas
     • Apply proportionality test
     • Consider potential harm
     • Seek peer review
     • Document decision rationale

  4. Sensitive Findings
     • Assess disclosure obligations
     • Consider subject harm
     • Consult with client
     • Follow responsible disclosure

Authorization Verification Checklist

Before starting ANY OSINT investigation:

  • Written authorization received
  • Scope clearly defined
  • Purpose documented
  • Legal compliance verified
  • Ethical boundaries understood
  • Data handling plan in place
  • Reporting requirements clear
  • Escalation procedures known

If any box is unchecked, DO NOT PROCEED.


Version: 1.0 | Last Updated: December 2024 | Owner: PAI OSINT Skill