If I told you that you could have predicted the Russian invasion a few weeks in advance via Google Maps, know where to meet David Beckham during each of his trips to Paris, or how to find that handsome guy you met on Tinder, would you believe me? Impossible without being the perfect stalker? A first response to these questions: open source intelligence.
Keep in mind that data is not only marketing material linked to your browsing history on a battery of disreputable sites. Any information can be considered exploitable data: vacation photos on Instagram, the address of a Facebook event, fingerprints, license plates on Gumtree/Craigslist…
So many things can be exploited without your knowledge, yet you sometimes share them voluntarily. Obviously, it is not desirable for this information to fall into just anyone’s hands, and it is likely that online protection will also be played out in this field, which is part of what is known as “OSINT”.
In the beginning: An economic and military issue
OSINT, the acronym for Open Source INTelligence, is a type of intelligence obtained through the collection and analysis of open sources of information available in the media, on the internet, in government reports and academic publications. Though its origins remain unclear, the first modern mentions date back to 1941, as a tool for evaluating the success of sabotage during WW2. Since then, and especially thanks to the rise of the internet, OSINT has been professionalized to the point of becoming an intelligence discipline in its own right.
In 2022, OSINT is, for example, a Californian academic who noticed Russian military movements at the borders of Ukraine thanks to the traffic jams they generated, visible on Google Maps. It is a community of Twitter accounts accumulating all kinds of photos and videos of Russian and Ukrainian fighters broadcast on the networks. Not for their personal pleasure or out of archival frenzy, but to get all the information possible on the location of these fighters. How? By scrutinizing the details of each photo and video taken on the front (orientation of shadows, sun, colors of buildings, type of weaponry, vegetation …) like a game of GeoGuessr. It is also these troops of Russian soldiers geolocated on Tinder during the invasion. Since then, Google has committed to blurring Ukrainian areas so as not to reveal sensitive information on Zelensky’s troops. OSINT is therefore a real war discipline.
As with some military innovations, and with the internet itself, the democratization of tools first goes through experimentation by a community of enthusiasts. This is where 4chan comes into play: a site that can be considered a gathering of the dregs of the Internet, as well as one of the last bastions of online freedom of expression. True professionals of doxxing, some of its members are masters of open source intelligence.
The most famous example dates back to 2017, in a newly Trumpist America. The actor Shia LaBeouf wanted to live-stream, throughout the quadrennium, a white flag bearing the words “He Will Not Divide Us”. That was all it took for part of the forum to decide to track down the undisclosed location of the stream.
The objective is simple: remove this flag. The task is more complex. The location of the actor’s tweets and the triangulation of the trails of planes passing through the stream can be compared to flight routes or to the study of constellations. Determining the orientation of the camera and using Google Maps allowed them to find the precise location of the live stream. The flag capture operation was a success: a real practical case of OSINT.
Now, open source intelligence is something everyone exploits without even realizing it. Consulting the national archives to trace your family tree: OSINT. Following the flight itinerary of PSG jets on flightradar24 to find out which club Mbappé will sign for: OSINT. Stalking your date’s Instagram and LinkedIn to find out if he’s a good fit: SOCMINT (SOCial Media INTelligence). On a daily basis, Welsh police officers are able to use photos of fingerprints on WhatsApp as additional evidence against drug dealers. The discipline has also helped to identify rioters at the US Capitol and their social accounts. So, what does this have to do with you? It is important to keep in mind that if everyone can potentially use these techniques, then everyone can potentially be a victim.
As you can see, the more you expose yourself, the more clues you leave, and the more reliable the identification is. The best way to protect yourself is to keep your private life private.
Using multiple email addresses and pseudonyms, keeping geolocation switched off, making delisting requests: many means of protection are accessible to the general public with little effort.
Like anonymity on the Internet, OSINT is legal by definition, but ethical only depending on what you do with it. Consider that everything online is no longer yours; the choice to post, on the other hand, will always belong to you.
Jérémy Petitcolin, Performance Consultant