Is OSINT Legal in My Country? A Practitioner's Guide to the Legal Floor

By Soren Vega ·

OSINT is mostly legal because it works from public material — but the legal floor is different in every country. The five areas where OSINT projects most often run into trouble, with a checklist for the jurisdictions that matter most.

OSINT is mostly legal because it works from public material. The legal floor, however, is different in every country, and the cases where OSINT runs into trouble are usually the cases where the practitioner forgot to check the floor before they started. This is a practitioner's guide to the five areas where projects most often run into trouble, with a working checklist for the jurisdictions that matter most.

This is not legal advice

I am not a lawyer, and this article is not legal advice. The legal floor for OSINT varies by country, and it changes. The checklist at the end of this article is a starting point for a conversation with a lawyer, not a substitute for one. If your project is high-stakes — financial, legal, public-interest — pay for an hour with a lawyer who knows your jurisdiction.

Warning

Area 1: Computer-misuse laws

In many jurisdictions, accessing a system you are not authorized to access is illegal even if no password is set. The relevant test is often "would a reasonable person believe the system was public," and the answer is rarely "yes" for:

  • A personal inbox, even if you can guess the address
  • A private server, even if it returns useful errors
  • A closed forum you were emailed an invite to, but the invite was meant for someone else
  • A corporate intranet, even if you found a URL

The Computer Fraud and Abuse Act in the US, the Computer Misuse Act in the UK, and equivalents in most other jurisdictions make unauthorized access a criminal offense, not a civil one. A project that accidentally crosses this line is a project that ends.

The working rule: stay on the open web. If a page is indexed by a major search engine, or is reachable through a normal browser without authentication, you are on the open web. If a page requires you to log in, even with a free account, you are on a service, and the service's terms apply.

Area 2: Data-protection law

In the EU, the UK, and a growing list of countries (Brazil, India, South Africa, California, others), "personal data" of identifiable people is regulated even if it is public. The relevant rules vary, but the working principles are:

  • A spreadsheet of public posts by a private individual may be lawful to read and unlawful to publish. The act of aggregation can be the trigger.
  • Pseudonymous data is still personal data if re-identification is reasonably possible. A dataset of public posts stripped of names is still personal data if the posts are unique enough to identify the author.
  • "Legitimate interest" is a defense, not a free pass. Even legitimate-interest processing has to be necessary, balanced, and documented.

A project that aggregates public social media posts about a private individual is much more legally exposed than a project that aggregates public filings about a public company. The first is a privacy question; the second is a research question.

Open does not mean free to republish. A press release is open; printing a 1,000-word excerpt in a brief is usually fine under fair use; printing the full text in a post is not. A photograph is open to view; republishing it without permission is often not.

A few rules of thumb:

  • Quote briefly and link to the source. A short quote with attribution and a link is almost always defensible.
  • Do not republish full documents. A 1,000-page filing is open to read, not open to mirror on your own server.
  • Do not scrape a site faster than a normal user. Even when scraping is legal, it can violate the site's terms and trigger a takedown.
  • Be cautious with images and video. A single image embedded in a brief is usually fine. A gallery of images is usually not.

Area 4: Defamation

A false statement of fact that harms a person's reputation is treated differently from an opinion. The legal standard varies by country, but the working principles are:

  • Truth is an absolute defense. If the statement is true, it is not defamation, even if it is damaging.
  • Opinion is generally protected. "I think the CEO is incompetent" is opinion. "The CEO committed fraud" is a statement of fact.
  • Public figures have a higher bar. In the US, a public figure must show "actual malice" — knowledge of falsity or reckless disregard for the truth. In most other countries, the bar is lower.
  • A reasonable reader test helps. Would a reasonable reader, given the same evidence, come to the same conclusion? If the answer is "no, the reader would have to take my word for it," the conclusion is not yet supported.

A short, hedged, sourced statement is usually safer than a long, confident one. The longer the brief, the more places there are to be wrong.

Area 5: Platform terms of service

Every social platform has terms of service. Breaking them is not the same as breaking the law, but it can lose your access, and the platforms have become more aggressive about enforcement.

A few rules of thumb:

  • Do not scrape at scale. Most platforms prohibit automated scraping at scale, even of public data. Use the platform's official API where it exists.
  • Do not republish a user's private data. A user who marks a post private has expressed a preference; republishing it is a terms violation, and in some jurisdictions a privacy violation.
  • Do not circumvent rate limits. A polite sleep between requests is good citizenship. A bypass of rate limits is a terms violation.
  • Do not aggregate to identify. A dataset of public posts is usually fine. A dataset of public posts that re-identifies anonymous accounts is usually a terms violation.

The practitioner's checklist

Before publishing, run this list:

  • Every claim is linked to a public record the reader can verify.
  • No claim required accessing a system that was not clearly public.
  • No private individual's data is republished in a way that puts them at risk.
  • No full document is republished without permission.
  • No claim is made that the writer would not be willing to defend in public.
  • The legal review for your jurisdiction is on file.

A "no" on any of these is not a reason not to publish. It is a reason to look at the answer more carefully.

What to do when the project is high-stakes

If your project is financial, legal, or public-interest, the working rules above are not enough. A few additional moves:

  • Pay for an hour with a lawyer. A lawyer who knows your jurisdiction will save you more time than they cost. The cost of a one-hour consult is much less than the cost of a takedown.
  • Document the chain of custody. A research project that can show where every record came from is much easier to defend than one that cannot.
  • Name the limits on the page. A brief that says "we did not aggregate individual-level data; the analysis is at the aggregate level only" is more defensible than a brief that does not.
  • Have a takedown plan. A project that has a plan for what to do if a record is challenged is much more durable than one that does not.

OSINT is a powerful research method, and a legal one when done carefully. The legal floor is not a barrier; it is a constraint that, respected, makes the work more durable.

Frequently Asked Questions

Mostly yes, because OSINT works from public material. The legal floor is different in every country, but the working rule is universal: stay on the platform, do not bypass technical access controls, do not aggregate in a way that re-identifies private individuals, and do not publish the dataset in a way that puts people at risk. Always check the specific laws in your jurisdiction before publishing.

The biggest risks are computer-misuse laws (accessing a system you are not authorized to access, even without a password), data-protection law (in the EU, the UK, and a growing list of countries, 'personal data' of identifiable people is regulated even if it is public), defamation (a false statement of fact that harms a person's reputation), and copyright (open does not mean free to republish).

Related Guide

Open Source Intelligence

Read guide