I have to go outside my house into the ‘public domain’ unless I am incapacitated or wish to be a hermit.
When I exit my front door I know that anyone else can see me whether or not I can see them. Some will have a fleeting sight whilst passing in a car; others may watch me for slightly longer from behind a window. Whether or not their gaze or interest lingers (or even if they register my presence at all) depends mostly on recognition … unless, of course, they are simply nosey. For most, the sight of me may not register long enough for them to recall the instance later and it’s unlikely that they will record my activity for later use. I’m in the public domain and can be seen, so what’s the concern?
Being seen going about my normal daily life – in public – is of no concern because my expectation is that there’s no one focusing on me. Even so-called CCTV cameras are of little concern because I expect them to be used for the purpose declared – general observation and protection – not focused (in terms of specific attention) on me for any great length of time.
If, however, I’m followed by one or more persons or by unseen camera operators – especially if I don’t know that this is happening – I am less comfortable. Who are they? Why are they focusing on me? Why are they noting where I go, what I do, which shops I visit, magazines I browse or products I buy? Why are they noting who I speak to and associate with over a cup of coffee? If I’m not engaged in a crime – when clearly any reasonable expectation of privacy is lost – I would not expect to be the subject of specific attention; especially in a way that is recorded for later analysis.
The situation changes if I elect to broadcast my thoughts by demonstration, protest or ranting from a soap box in the town square. In this case I want everyone in the vicinity to notice me and hear my views whether or not I know them or they me.
Does the situation change when I conduct my affairs in the digital world?
Well, if I choose to broadcast my personal details and thoughts to all and sundry I’ve reduced my claim to privacy. So if, for instance, I use social media to hold conversations with associates without activating privacy settings then I’m allowing anybody else in the world to see those conversations. That’s my choice.
But what if I have no choice? What if my associates decide to disclose things about me without asking my permission? What if those providing a digital service to me disclose (or do not prevent access to) data about me or my activities without my permission? Do I even know what so-called metadata is revealed? What if my employer reveals my contact details because that is business and not personal information? And what if the Government compels me to provide information online that I would prefer not to be made public? I am forced to surrender my choice and consent to the trust of others.
If that data is then available to others – deliberately or in error – details about me are in the ‘public domain’. Is this data, revealed without my consent or knowledge, fair game to those who wish to focus on me?
My assertion is that it’s unwise to believe that the off-line and on-line public domains are identical. In the former we have more control over what is known about us, and what we do is not retained potentially forever. The ease with which online information about me can be obtained, recorded and retained enables far more to be known about me, in a shorter period of time, and by anyone in the world, than would be possible in the off-line world. Many of the real-world constraints are removed – it’s easier and cheaper. Profiling me, my locations, movements, interests, vulnerabilities and strengths is easy. Whether or not the profile is accurate and contemporaneous depends on the skill of the analyst but that’s another story.
Because it’s easier, rather than saying ‘the Genie’s out of the bottle … live with it’, I believe there should be more constraint and, where appropriate, more intrusive management. ‘Just because we can do something does not mean we should’ is oft quoted but relies entirely on self-discipline; and which investigator will willingly forego an opportunity to find something out about a person of interest? I have to say that some of the presentations I witnessed at the last OSIRA Conference conveyed worryingly cavalier attitudes to the obtaining, recording and disclosure of personal data. Membership of OSIRA will mean that a practitioner understands the limitations and ethics associated with so-called open sources.
So, I contend that there is a difference between on-line and off-line public domains. My premise is that it’s not where the activity is taking (or has taken) place or even how the surveillance is conducted that matters but why it is conducted. And yes … before you ask … if you are a UK citizen researching on-line you are not ‘doing intelligence’ but conducting surveillance. You are monitoring, observing, listening to or recording persons, their movements, their conversations or their other activities or communications with the assistance of a surveillance device (your computer).
In the UK, public authorities must comply with relevant surveillance law. If you, as an OSINT practitioner, provide a service to or act on behalf of a UK public authority, you are obliged to comply with the law. In very simple terms this means that surveillance conducted covertly – that is, in a manner where the subject of surveillance is unaware that it is or may be taking place – should be constrained to the parameters of an authorisation granted by a designated Authorising Officer. Overt surveillance may not require prior authorisation but remains subject to the Data Protection and Computer Misuse Acts.
If you’re not providing a service to a UK public authority then you’re free to do as you wish, right? Well, technically yes, providing you’re not breaching the Data Protection Act or Computer Misuse Act. But, as a member of OSIRA, there is an expectation that you will go about your business ethically.
If you accept my argument, let me know in the comments below what you understand an ethical approach to mean.
If you don’t accept my argument, let me know why not … we’re all here to develop our understanding.