When OSINT isn't OSINT

In early January the data broker Gravy Analytics had a huge cache of data stolen with a sample published on the web. The breach included location data from consumer phone apps and games.

Tech Crunch reported analysts noting more than 30 million leaked data points, including location data points associated with sensitive premises such as the White House, Kremlin, and so-on. You can read a great thread on X/Twitter from Baptiste Robert on his analysis of the leak.

News of the breach, along with surprise at the richness and depth of the data revealed, has spread like wildfire. A simple Google search turns up dozens of articles on the hack - and while the breach itself is interesting - the coverage has invariably focused on just how intrusive the data is. Robert’s work is often referenced, highlighting how with a little pattern-of-life analysis the data can be easily de-anonymized.

Why am I relating this story? Well, as I’m sure a few OSINT experts reading know, location rich data like this is something several OSINT vendors offer as part of their product suites. This has long been a concern of mine as there has been a tendency to present advertising data as just another flavour of OSINT. Clearly it is not.

I’m not going to argue whether or not an organisation should use Ad Tech data, nor whether it should be bundled and shared by OSINT vendors – there are missions and mandates where good, location-rich data like this saves lives and prevents harm. Indeed, Ad Tech is just one of many commercial data sources organisations may subscribe to.

But I am going to ask that OSINT tool customers carefully consider exactly what capabilities and accesses they are bringing in-house. For example, imagine your organisation was found out to be using Ad Tech data – are you confident your mission and mandate permits you to be as intrusive into people’s personal privacy as this data allows? Do you have the controls, auditing, and checks in place to ensure the data is used appropriately? One can only imagine what sort of damage an aggrieved ex-partner could do with unfettered access to the sort of analysis Ad Tech data can enable.

The benefits of what you do for the public when compared to the privacy cost your work may inflict must be considered and carefully balanced to reduce the chance of organisational harm from a damaged reputation, review, or inquiry.

And ask yourself regularly – is my OSINT really OSINT?