Note: I’m not a lawyer, and this isn’t legal advice. This article is an educational overview of the legal frameworks that affect OSINT practice, based on publicly available statutes, case law, regulations, and guidance documents. It doesn’t replace consultation with a qualified attorney in your jurisdiction. If a collection activity puts you in gray territory, get legal counsel before proceeding.

Open-source intelligence operates inside a legal environment that most practitioners understand less well than they think. The phrase “publicly available” creates a false sense of permission. Information that anyone can see on a website, a social media platform, or a public records database isn’t automatically legal to collect, store, aggregate, or use for any purpose. The legal status of OSINT collection depends on who is collecting, what methods they use, what they do with the information afterward, and which jurisdiction’s laws apply to the people whose information is being collected. Those variables interact in ways that make blanket rules unreliable and context essential, and the consequences of getting collection wrong range from civil liability and professional discipline to criminal charges.

This article provides the full legal analysis: the statutes, case law, regulatory frameworks, and professional ethics rules that govern how open-source information can be collected, stored, and used across jurisdictions. It would be most useful for attorneys who advise clients on OSINT-related matters, in-house counsel at firms that conduct open-source investigations, compliance officers building collection policies, and legal professionals who need to evaluate whether evidence obtained through OSINT methods will hold up or create liability. It’s also a solid reference for investigators and analysts who want to understand the actual legal frameworks behind the rules they’re told to follow, rather than relying on secondhand summaries or assumptions about what “publicly available” permits.

Public Doesn’t Mean Permissible

The single most dangerous assumption in OSINT practice is that if information is available on the internet, it’s fair game for collection and use without restriction. That assumption is wrong, and enforcement actions have repeatedly demonstrated just how wrong it is. The French data protection authority fined Clearview AI €20 million for scraping publicly posted photographs from social media platforms, rejecting the company’s argument that individuals who posted photos publicly had consented to having those images processed through a facial recognition system (CNIL 2022). The Italian, Greek, and Dutch data protection authorities imposed similar fines totaling over €70 million combined (Privacy International 2021; ICLG 2024). In the United States, Clearview faced a class action under the Illinois Biometric Information Privacy Act that resulted in a $51.75 million settlement (National Law Review 2025). Every one of these enforcement actions involved information that was technically public. The legal violations arose from what was done with it, not from whether it was visible.

Several distinct principles explain why “it’s on the internet” provides no legal safe harbor. The method of collection matters independently of whether the underlying data is public. Scraping that violates a platform’s terms of service, while not criminal under the Computer Fraud and Abuse Act after the Ninth Circuit’s ruling in hiQ Labs, Inc. v. LinkedIn Corp. (2022), may still support breach of contract claims. The purpose of collection can transform otherwise permissible activity into a regulated one: a LinkedIn search conducted for competitive intelligence requires no compliance framework, but the identical search conducted to screen a job applicant triggers notice, consent, and adverse action requirements under the Fair Credit Reporting Act (FTC and EEOC 2016). And aggregation creates new obligations that don’t apply to any individual piece of information; under the EU’s General Data Protection Regulation, combining individual pieces of public information into comprehensive dossiers implicates data minimization and purpose limitation requirements even when each piece was publicly available (European Parliament and Council 2016, Arts. 5(1)(b)-(c)).

Different Actors, Different Rules

The legal framework governing OSINT collection varies dramatically based on who is doing the collecting. A CIA analyst, an Army intelligence officer, a state police detective, a corporate due diligence researcher, and a private investigator can all be looking at the same publicly available website, and each one operates under a different set of legal authorities, restrictions, and oversight requirements. Guidance written for one category of practitioner can be misleading or flatly wrong when applied to another.

Intelligence Community

Intelligence Community elements operate under Executive Order 12333, which authorizes the collection of information concerning United States persons “only in accordance with procedures established by the head of the Intelligence Community element concerned and approved by the Attorney General” (Exec. Order No. 12,333 1981, as amended). Those procedures define what IC agencies can collect, how long they can retain it, and under what conditions they can share it. ODNI is authorized to collect information only overtly or through publicly available sources, and when purchasing commercial data, may only acquire data that is generally available for purchase rather than exclusively available to government purchasers (ODNI Attorney General Guidelines 2021). The CIA operates under separate Attorney General Guidelines that authorize a broader range of collection techniques, including physical surveillance and concealed monitoring (CIA Attorney General Guidelines § 4.3.1). ICD 203 requires that personally identifiable information appear in analytic products only when it relates to a specific analytic purpose consistent with the IC element’s mission (ICD 203 2015).

Military

Department of Defense OSINT activities are governed by DoD Directive 3115.12, which defines OSINT as intelligence produced from publicly available information that is “collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement” (DoD Directive 3115.12 2010). Military intelligence components face particular restrictions when collecting information on U.S. persons: collection must be necessary to an assigned function, must fall within one of thirteen authorized categories, and must use the least intrusive means available (Department of the Air Force 2023). Army regulations add that intelligence components must use government computers for internet access unless otherwise authorized (Headquarters, Department of the Army 2012). The legal landscape for military operations in the homeland differs from overseas operations, with specific restrictions and limitations on employing military intelligence domestically (Department of the Air Force 2023).

Law Enforcement

Law enforcement OSINT collection operates under constitutional constraints, statutory authorities, and departmental policies that vary by jurisdiction. The Fourth Amendment’s prohibition on unreasonable searches establishes the baseline. In United States v. Warshak (2010), the Sixth Circuit held that individuals have a reasonable expectation of privacy in the contents of emails stored with a commercial internet service provider, and the government may not compel disclosure without a warrant based on probable cause. The CFAA explicitly exempts “lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency” from its prohibitions (18 U.S.C. § 1030(f)), but that exemption doesn’t override constitutional protections or other statutory requirements.

UK guidance provides a useful framework for understanding how legal requirements scale with intrusiveness in law enforcement OSINT work. At the most basic level, conducting research across publicly accessible search areas is considered overt activity requiring no special authorization (Housego 2023). Core intelligence and investigation activities require active consideration of whether a directed surveillance authority is needed on a case-by-case basis. Advanced open-source work involving dedicated open-source units carries a higher likelihood of requiring authorization under the Regulation of Investigatory Powers Act (Housego 2023). The critical threshold is the distinction between simply viewing public information, which generally doesn’t amount to obtaining private information, and recording, storing, and using that information to build a profile of a person, which must be both necessary and proportionate (Housego 2023).

Federal regulation 28 CFR Part 23 governs criminal intelligence systems that receive federal funding, requiring standards for submission, security, inquiry, dissemination, and review-and-purge processes (United States Department of Justice 2003). The Department of Justice guidance recommends that agencies adopt these standards regardless of whether their systems receive federal funding, though compliance has been uneven; many agencies historically applied the standards only to information flowing through multijurisdictional systems while maintaining other files outside those requirements (United States Department of Justice 2003).

Private Sector

Private-sector OSINT practitioners operate in the most fragmented legal environment. There’s no single statute governing open-source research by non-governmental actors. Instead, practitioners navigate overlapping federal statutes, state laws, professional licensing requirements, industry-specific regulations, and, for international work, data protection frameworks like the GDPR. Activities that are clearly permissible in one context may trigger liability in another. The same research techniques that support legitimate due diligence may constitute prohibited conduct when applied to different subjects, for different purposes, or in different jurisdictions.

Legal Frameworks by Actor Type

How Authorization Requirements Scale with Intrusiveness

Legal requirements increase as collection methods become more intrusive. Viewing a public website is at one end of the spectrum. Intercepting private communications in real time is at the other. Between those poles, a series of thresholds mark points where the legal framework changes, new restrictions apply, or different authorization becomes necessary.

Viewing Public Information

At the least intrusive end, viewing publicly available information generally requires no special authorization across all actor categories. The Ninth Circuit’s decision in hiQ Labs v. LinkedIn confirmed that the CFAA’s “without authorization” prohibition doesn’t apply to public websites, reasoning that where a website permits public access without any authorization requirement, there are “no gates to lift or lower in the first place” (hiQ Labs, Inc. v. LinkedIn Corp. 2022). UK guidance reaches the same conclusion: viewing open-source information on a publicly accessible page does not amount to obtaining private information because that information is publicly available (Housego 2023). For a due diligence analyst reviewing a company’s public SEC filings, a private investigator checking public court records, or a corporate security professional reading a subject’s public social media posts, this is the baseline. The information is public, the viewing is unrestricted, and no authorization framework applies to the act of looking.

Systematic Collection and Storage

The legal picture changes when practitioners move from viewing to systematically collecting, storing, and building profiles from public information. UK guidance draws this line explicitly: recording, storing, and using open-source information to build up a profile of a person or group must be both necessary and proportionate and must comply with data protection requirements (Housego 2023). Under 28 CFR Part 23, criminal intelligence systems must meet standards for how information is entered, retained, and eventually purged (United States Department of Justice 2003). The GDPR applies these same principles globally; any processing of personal data relating to an identified or identifiable person requires a lawful basis regardless of whether that data is publicly available (European Parliament and Council 2016, Art. 6). A corporate intelligence analyst who screenshots a subject’s public LinkedIn profile has done something legally different from a corporate intelligence analyst who systematically scrapes and stores profile data from thousands of individuals to build a searchable database. The information is the same. The method and scale change the legal analysis.

Accessing Gated or Restricted Content

A significant threshold is crossed when practitioners access content that requires authentication or that sits behind privacy settings. Content visible only to logged-in users occupies uncertain legal territory. In the hiQ litigation, the court found that when hiQ’s contractors created fake LinkedIn accounts specifically to collect data visible only to logged-in users, the conduct was actionable on contract-based theories (hiQ Labs, Inc. v. LinkedIn Corp. 2022). UK guidance is direct: viewing restricted access information covertly will generally constitute covert surveillance, and because the information is not publicly available, it is likely that private information will be obtained; authorization as directed surveillance should be sought in these circumstances (Housego 2023). The principle applies to privacy-restricted social media content as well: even though users are responsible for their own privacy settings, “it is unwise to regard it as ‘open source’ or publicly available; the author still has a reasonable expectation of privacy if access controls are applied” (Housego 2023).

The Supreme Court’s decision in Van Buren v. United States (2021) clarified the CFAA’s “exceeds authorized access” provision in a way that matters here. Van Buren, a police officer, used his valid law enforcement credentials to run a license plate search for a private citizen in exchange for money. The Supreme Court reversed his conviction, holding that an individual exceeds authorized access only when they access areas of a computer that are off-limits to them, not when they misuse access they legitimately have for improper purposes. The practical implication for OSINT practitioners is that the CFAA focuses on technical access barriers rather than on whether the practitioner’s purpose for accessing the information is appropriate. But that narrowing of criminal liability under the CFAA doesn’t eliminate other sources of exposure: terms of service violations can still support breach of contract claims, and professional ethics rules may independently prohibit the same conduct.

The OSINT-HUMINT Boundary

The most consequential threshold in OSINT practice is the point where collection shifts from observing publicly available information to engaging with human targets. In established intelligence doctrine, OSINT is defined by its source material: publicly available information collected without requiring interaction with the target (SACLANT 2002). The moment a practitioner sends a friend request, initiates a conversation, poses questions, or elicits information through any form of engagement, the activity crosses into human intelligence territory regardless of what platform is used or where the interaction occurs.

The term “active OSINT” has spread through practitioner communities to describe activities that involve direct engagement with targets: sending connection requests on social media, messaging individuals to elicit information, and creating fictitious personas to interact with subjects. Those activities aren’t OSINT. They’re HUMINT: human intelligence collection conducted on a digital platform. The legal frameworks governing passive observation of public information differ entirely from those governing deceptive engagement with human targets, and calling the latter “active OSINT” doesn’t change which frameworks apply.

“Sock puppeting,” the creation of fictitious online personas to interact with investigation subjects, illustrates the problem. Practitioners describe it as an OSINT technique, but the activity involves deception directed at a human being. When an investigator uses a fake profile to send a friend request, gains the subject’s trust, and accesses information the subject has restricted to their connections, the investigator has deceived a human source into providing access. The fact that the interaction happened on a digital platform doesn’t transform human intelligence collection into open-source collection. Creating fake accounts violates the terms of service of virtually every major social media platform (Meta 2024). Under GDPR, collecting personal data through deceptive means may fail the fairness requirement regardless of whether other lawful bases exist (European Parliament and Council 2016, Art. 5(1)(a)). The UK’s RIPA Code of Practice on Covert Human Intelligence Sources makes the escalation explicit: creating a false persona and using it to follow people or like posts without forming a relationship does not require CHIS authorization, but if a relationship is established or maintained through that persona for a covert purpose, CHIS authorization becomes necessary (Home Office 2022).

Interception and Real-Time Surveillance

At the most intrusive end of the spectrum, intercepting communications in real time is subject to the strictest legal controls across every actor category. The Electronic Communications Privacy Act’s Wiretap Act prohibits the intentional interception of wire, oral, or electronic communications (18 U.S.C. § 2511(1)). The Stored Communications Act separately prohibits unauthorized access to stored communications (18 U.S.C. § 2701(a)). The distinction between accessing stored data and intercepting real-time communications determines which legal framework applies. In Warshak, the Sixth Circuit held that to the extent the SCA permits warrantless government access to stored emails, it is unconstitutional (United States v. Warshak 2010). UK law draws the same line through the Regulation of Investigatory Powers Act 2000, which regulates the interception of communications in the course of transmission, including web-based communications (RIPA 2000, Part I). For practitioners in any context, intercepting communications rather than viewing what is already stored and publicly accessible represents the highest level of legal exposure.

Legal Exposure by Collection Method

Federal Statutes That Shape Private-Sector Practice

Private-sector practitioners face a patchwork of federal statutes rather than a single governing framework.

The Computer Fraud and Abuse Act

The CFAA (18 U.S.C. § 1030) prohibits accessing protected computers “without authorization” or in excess of authorized access. For OSINT practitioners, the statute’s scope has been significantly clarified by two decisions. The hiQ Labs ruling established that scraping publicly available data from a website that permits public access without any authentication requirement does not violate the CFAA, because the statute’s concept of “without authorization” doesn’t apply where there are no access restrictions to bypass (hiQ Labs, Inc. v. LinkedIn Corp. 2022). Van Buren narrowed “exceeds authorized access” to situations where someone accesses areas of a computer that are off-limits to them, rather than situations where someone misuses authorized access for improper purposes (Van Buren v. United States 2021). Together, these decisions provide meaningful protection for practitioners collecting public data, but they leave important gaps. The hiQ holding is a Ninth Circuit decision, not universally followed. Other circuits have taken different approaches, and practitioners operating outside the Ninth Circuit shouldn’t assume identical protection (White & Case 2022).

The CFAA matters for civil exposure as well as criminal. The statute provides a civil cause of action: any person who suffers damage or loss from a violation may bring suit for compensatory damages and injunctive relief (18 U.S.C. § 1030(g)). And even where the CFAA doesn’t apply, platform owners have successfully pursued breach of contract claims based on terms of service violations. In Southwest Airlines Co. v. Kiwi.com, Inc. (2021), Southwest prevailed on contract-based theories against a company that scraped its website in violation of its terms of use. The hiQ litigation itself ultimately resulted in LinkedIn prevailing on breach of contract claims, even after the CFAA claims failed (hiQ Labs, Inc. v. LinkedIn Corp. 2022). The practical takeaway is that surviving a CFAA challenge does not mean surviving all legal exposure from the same conduct.

The criminal consequences of CFAA exposure are also real. In United States v. Nosal (2016), the Ninth Circuit held that former employees who used a current employee’s credentials to access a company database after their own access had been revoked were acting “without authorization” under the CFAA. In United States v. Auernheimer (2014), a security researcher was convicted and sentenced to 41 months for using an automated script to collect email addresses from publicly accessible AT&T servers; the Third Circuit later vacated the conviction on venue grounds, not on the merits of the CFAA claim. Aaron Swartz faced 13 federal charges carrying potential penalties of 35 years for bulk-downloading academic articles from a database he was authorized to use (EFF 2022). These cases demonstrate prosecutorial willingness to bring severe charges for conduct that didn’t involve traditional hacking.

The Stored Communications Act and Wiretap Act

The Stored Communications Act (18 U.S.C. §§ 2701-2713) prohibits unauthorized access to stored electronic communications and restricts when service providers can disclose communication contents. For OSINT practitioners, the practical impact is that private messages and restricted content on social media platforms are protected from civil subpoenas. In Crispin v. Christian Audigier, Inc. (2010), a federal court applied the SCA to social media for the first time, holding that private messages and restricted Facebook content are protected. Social media companies have embraced this interpretation. The result is an asymmetry: public posts remain accessible, but private messages and content behind privacy settings can’t be obtained directly from platforms through civil process. Practitioners must pursue such information through the account holder, either through voluntary disclosure, consent, or discovery directed at the party. The SCA’s “authorized user exception” provides one limited avenue: in Ehling v. Monmouth-Ocean Hospital Service Corp. (2013), a federal court held that when someone with authorized access to restricted content voluntarily shares it with an employer, the SCA isn’t violated. Content shared by a subject’s connections, captured by someone with legitimate access, may be usable even when direct subpoenas to platforms would fail.

The Wiretap Act (18 U.S.C. § 2511) prohibits the intentional interception of communications in transit. The Supreme Court in Bartnicki v. Vopper (2001) held that the First Amendment protects disclosure of illegally intercepted communications by parties who didn’t participate in the interception, provided the subject matter involves public concern. That holding is narrow, however, and does not protect the original interceptor. For OSINT practitioners, the Wiretap Act’s primary relevance is as a bright line: any collection method that involves intercepting communications in real time, rather than viewing stored or publicly posted content, crosses into territory where criminal penalties apply regardless of how the information is ultimately used.

The Fair Credit Reporting Act

The FCRA (15 U.S.C. §§ 1681-1681x) catches OSINT practitioners who may not realize they’re subject to it. The statute regulates the creation and use of “consumer reports” for specified purposes, and its definition of consumer report focuses on the purpose of the information rather than its source. When a company uses a third-party service to conduct background research on individuals for employment or tenant screening, the resulting reports typically qualify as consumer reports subject to FCRA requirements (FTC and EEOC 2016). The FTC has clarified that these requirements apply to social media background checks conducted by third parties; when a screening company examines candidates’ social media presence and reports findings to employers, the resulting reports are consumer reports regardless of the fact that the underlying information was publicly posted (FTC 2011). The consequences include notice and consent obligations before conducting the investigation, adverse action procedures if negative action results, and accuracy requirements that demand reasonable procedures to ensure maximum possible accuracy (15 U.S.C. §§ 1681b(b)(2)-(3), 1681e(b)).

Categorical Prohibitions

Some federal statutes impose bright-line prohibitions that can’t be circumvented regardless of investigation objectives. The Gramm-Leach-Bliley Act (15 U.S.C. § 6821) makes it a federal crime to obtain customer information from financial institutions through false pretenses, fraud, or deception. The Telephone Records and Privacy Protection Act (18 U.S.C. § 1039) criminalizes obtaining telephone records through fraudulent means, carrying penalties of up to 10 years imprisonment with enhanced penalties for violations committed in furtherance of domestic violence or stalking (18 U.S.C. § 1039(d)). That statute exists because of a specific enforcement action: Hewlett-Packard’s board chairwoman authorized private investigators to use pretexting, calling telephone carriers while impersonating board members and journalists, to identify the source of boardroom leaks. California filed felony charges against multiple individuals, and Congress responded by criminalizing the specific pretexting methods that HP’s investigators had employed (Proskauer 2006; California DOJ 2006). No client instruction, contractual provision, or assertion of investigative necessity overrides these prohibitions.

State Law and Professional Licensing

Most states and the District of Columbia require private investigators to obtain licenses before providing investigation services. Requirements vary significantly by jurisdiction: some states require thousands of hours of experience, while others have minimal prerequisites. The question that matters for OSINT practitioners is whether their work qualifies as “investigation” under the applicable state statute. In California, the statutory definition of private investigator includes anyone who investigates “the identity, business, occupation, character” of a person for compensation (Cal. Bus. & Prof. Code § 7521), language broad enough to encompass many OSINT activities. Many states haven’t specifically addressed whether pure desk-based OSINT research falls within their private investigator statutes. Practitioners shouldn’t assume exemption. Operating without required licensure creates exposure beyond criminal penalties for unlicensed practice: evidence obtained through unlicensed investigation may be inadmissible or subject to challenge, and civil liability may extend to both the practitioner and the client who engaged them.

State biometric privacy statutes present particular risk for practitioners working with facial recognition or biometric matching. The Illinois Biometric Information Privacy Act requires informed written consent before collecting biometric identifiers, mandates specific retention and destruction policies, and provides a private right of action with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation (740 ILCS 14/20). Clearview AI has paid over $50 million in settlements for BIPA violations arising from scraping publicly posted photos to build facial recognition databases (Loevy & Loevy 2025; ACLU 2022). State recording laws add another layer: states are divided between one-party consent jurisdictions, where recording a conversation requires consent of only one participant, and all-party consent jurisdictions, where every participant must consent. California, Florida, Illinois, and several other states impose criminal penalties for recording without all-party consent. A practitioner conducting interviews across state lines needs to know which standard applies before any conversation that might be recorded.

International Frameworks

The GDPR applies to any organization processing personal data of individuals within the European Economic Area, regardless of where the organization is located (European Parliament and Council 2016, Art. 3). For OSINT practitioners based in the United States conducting research that involves EU residents, this means compliance obligations that have no domestic equivalent. Processing personal data requires a lawful basis. For commercial investigations, this typically means either consent from the data subject or a “legitimate interest” that is not overridden by the subject’s rights, supported by a documented balancing of interests (European Parliament and Council 2016, Art. 6(1)(f)). Data minimization requires that collection be limited to what is necessary for the specified purpose. Purpose limitation prevents data collected for one investigation from being repurposed for another without additional justification. In many circumstances, data subjects must be informed when their personal data is being processed, though exceptions exist for certain investigative activities. GDPR violations can result in administrative fines of up to 4% of global annual revenue or €20 million, whichever is higher, plus civil liability to affected data subjects (European Parliament and Council 2016, Art. 83).

The European Convention on Human Rights establishes that different methods of gathering information present varying degrees of interference with the right to privacy, and requires effective judicial or independent oversight for such measures to be lawful (OSCE 2017). The Council of Europe’s Convention 108 requires that personal data undergoing automatic processing be obtained and processed fairly and lawfully, stored for specified and legitimate purposes, and not used in ways incompatible with those purposes (OSCE 2017). These frameworks create obligations that apply to OSINT practitioners whether or not they have a physical presence in Europe, and enforcement actions against companies like Clearview AI and KASPR demonstrate that European regulators are willing to pursue organizations operating from other jurisdictions. KASPR was fined €240,000 by the French data protection authority for scraping contact details from LinkedIn profiles, including those of users who had restricted visibility to their connections (Octoparse 2025).

Civil Liability: How Practitioners Get Sued

Criminal prosecution and regulatory fines get the most attention, but civil litigation is the exposure most private-sector OSINT practitioners are likely to face. Subjects of investigations, platforms whose terms were violated, and employers who relied on improperly obtained information all have avenues to bring civil claims. The range of theories available to plaintiffs is broader than many practitioners realize, and the financial consequences can be severe even when no criminal statute was violated.

Breach of Contract and Platform Enforcement

When a platform’s terms of service prohibit scraping, automated access, or fake accounts, violating those terms creates breach of contract exposure even when no criminal statute applies. The hiQ Labs litigation illustrates the dynamic clearly: after the Ninth Circuit held that scraping public LinkedIn data didn’t violate the CFAA, LinkedIn prevailed on breach of contract claims arising from the same conduct (hiQ Labs, Inc. v. LinkedIn Corp. 2022). In Southwest Airlines Co. v. Kiwi.com, Inc. (2021), Southwest successfully pursued contract-based claims against a company that scraped its website in violation of its terms of use. For OSINT practitioners, this means that the CFAA’s narrowing after Van Buren and hiQ reduced criminal exposure but didn’t eliminate civil liability for the same collection methods. A practitioner who scrapes a platform in violation of its terms may not face prosecution, but may still face a breach of contract lawsuit, an injunction, and damages. State unfair and deceptive acts and practices statutes add another layer; using fake personas to obtain information for commercial investigations could trigger liability in jurisdictions with broad consumer protection frameworks (Troutman Pepper Locke 2022).

Privacy Claims by Investigation Subjects

Investigation subjects can bring civil claims against practitioners whose methods cross the line from lawful research into actionable intrusion. The specific theories vary by jurisdiction, but they include invasion of privacy, intrusion upon seclusion, and violations of state data protection statutes. In Campeau et Services alimentaires Delta Dailyfood Canada inc. (2012), a Quebec tribunal addressed a case where an employer created a fake Facebook profile designed to appeal to a specific worker: a woman who had studied at the same university and shared common interests. The employee accepted the friend request, and the employer used information from the restricted profile in disciplinary proceedings. The tribunal found the evidence was illegally obtained in breach of the employee’s privacy rights (Gratton 2014). The case arose under Quebec law, but the underlying dynamic, using a fabricated identity to gain trust and access restricted information, creates privacy exposure across jurisdictions.

BIPA’s private right of action has created a particularly active litigation environment. The statute allows any person aggrieved by a violation to bring suit and recover $1,000 per negligent violation or $5,000 per intentional or reckless violation (740 ILCS 14/20). Clearview AI’s $51.75 million class action settlement is the largest example, but the statute applies to any private entity that collects biometric identifiers, including facial geometry derived from photographs, without the required written consent from the subject. Illinois amended the statute in 2024 so that repeated collection of the same person’s data by the same method counts as a single violation, which limits stacking across repeated scans but leaves per-person, per-method statutory damages intact. The growing number of states adopting biometric privacy statutes means this exposure is expanding beyond Illinois. Practitioners who incorporate facial recognition tools, reverse image searches that rely on biometric matching, or any analysis that processes unique biological identifiers need to determine whether their collection requires consent under applicable state law, because failing to obtain it creates statutory damages that plaintiffs’ attorneys are actively pursuing.

Evidence Exclusion and Downstream Liability

Even when a practitioner avoids direct civil liability, improperly obtained evidence can create problems for the clients who relied on it. Evidence collected through unlicensed investigation may be inadmissible or subject to challenge. Evidence obtained through deceptive methods may be excluded on fairness grounds. And evidence that a party should have preserved but destroyed, or instructed others to destroy, triggers spoliation sanctions. In Lester v. Allied Concrete Co. (2013), an attorney who instructed a client to “clean up” a Facebook page after receiving a discovery request faced a $542,000 penalty and disciplinary proceedings. Courts take social media spoliation seriously, and practitioners who collect evidence in litigation contexts should understand that preservation obligations attach as soon as litigation is reasonably anticipated.

Authentication failures create a different kind of downstream problem. Under Federal Rule of Evidence 901, social media evidence must be authenticated by showing that the content came from the account attributed to the relevant person and hasn’t been altered. In United States v. Vayner (2014), the Second Circuit vacated a conviction because the government had not shown that a printed social media profile page was actually the defendant’s; that his name and photograph appeared on the page was not enough without additional evidence connecting him to the account and its content. In Moroccanoil Inc. v. Marc Anthony Cosmetics Inc. (2014), the court excluded screenshots because the proponent failed to provide metadata establishing that the screenshots accurately reflected the posts at the time of capture. Practitioners supporting litigation should preserve full metadata and timestamps, maintain chain of custody documentation, use forensic collection tools that capture evidence in native format, and obtain corroborating evidence connecting the account to the individual. A bare screenshot without supporting metadata is increasingly insufficient.
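The preservation practices above (content hashed at capture, capture time and method recorded, every hand-off logged) are easy to state and easy to skip. The following is an added example, not code from the article or from any collection tool it names, showing the minimum record a collector should generate alongside a native-format capture. The sample HTML bytes, the URL, the tool name and the analyst names are all constructed for illustration; the functions `make_manifest`, `record_transfer`, `verify` and `custody_is_continuous` are hypothetical helpers written for this example.

```python
"""Chain-of-custody manifest for an OSINT capture (added illustration, not from the article)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample input: raw bytes of a captured page as a collection tool
# would save them in native format. Not a real post or account.
SAMPLE_CAPTURE = (
    b"<html><body><div class='post' data-id='1001'>"
    b"<span class='author'>example_account</span>"
    b"<p>Sample post text captured for illustration.</p>"
    b"</div></body></html>"
)


def sha256_hex(data: bytes) -> str:
    """Content hash recorded at capture time; any later edit changes it."""
    return hashlib.sha256(data).hexdigest()


def make_manifest(artifact: bytes, source_url: str, collector: str,
                  captured_at: datetime, method: str) -> dict:
    """Record what was captured, from where, by whom, when, and how.

    The hash ties the manifest to the exact bytes; the custody list starts
    with the capture event so each later hand-off can be appended in order.
    """
    if captured_at.tzinfo is None:
        raise ValueError("captured_at must be timezone-aware (use UTC)")
    stamp = captured_at.isoformat()
    return {
        "source_url": source_url,
        "captured_at": stamp,
        "collector": collector,
        "method": method,
        "size_bytes": len(artifact),
        "sha256": sha256_hex(artifact),
        "custody": [{"event": "captured", "by": collector, "at": stamp}],
    }


def record_transfer(manifest: dict, from_person: str, to_person: str,
                    at: datetime) -> dict:
    """Append a hand-off; a hand-off may not predate the previous custody event."""
    if at.tzinfo is None:
        raise ValueError("at must be timezone-aware (use UTC)")
    last = datetime.fromisoformat(manifest["custody"][-1]["at"])
    if at < last:
        raise ValueError("custody event out of order")
    manifest["custody"].append({"event": "transferred", "from": from_person,
                                "to": to_person, "at": at.isoformat()})
    return manifest


def verify(manifest: dict, artifact: bytes) -> bool:
    """True only if the bytes still match the size and hash recorded at capture."""
    return (len(artifact) == manifest["size_bytes"]
            and sha256_hex(artifact) == manifest["sha256"])


def custody_is_continuous(manifest: dict) -> bool:
    """Every transfer must hand off from the party that last held the item."""
    events = manifest["custody"]
    if not events or events[0]["event"] != "captured":
        return False
    holder = events[0]["by"]
    for ev in events[1:]:
        if ev["event"] != "transferred" or ev["from"] != holder:
            return False
        holder = ev["to"]
    return True


def build_demo_manifest() -> dict:
    """Capture by one analyst, then hand-off to counsel; fixed times for a reproducible run."""
    t_capture = datetime(2024, 1, 15, 14, 30, tzinfo=timezone.utc)
    t_handoff = datetime(2024, 1, 16, 9, 0, tzinfo=timezone.utc)
    m = make_manifest(SAMPLE_CAPTURE, "https://example.invalid/post/1001",
                      "analyst_a", t_capture,
                      "native-format capture, hypothetical tool v1")
    return record_transfer(m, "analyst_a", "counsel_b", t_handoff)


if __name__ == "__main__":
    m = build_demo_manifest()
    print(json.dumps(m, indent=2))
    print("intact:", verify(m, SAMPLE_CAPTURE))                          # True
    print("edited copy:", verify(m, SAMPLE_CAPTURE + b"<!-- edited -->"))  # False
    print("custody continuous:", custody_is_continuous(m))               # True
```

The manifest is deliberately separate from the artifact: the artifact stays in the format the tool produced, and the manifest is what gets attached to the exhibit and compared against the file at the time of offer. A screenshot alone carries none of these fields, which is the gap the Moroccanoil and Vayner courts refused to fill for the proponent.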

Professional Ethics Constraints

Professional ethics rules independently shape what practitioners can do and how they do it, particularly when OSINT work supports litigation or is conducted at an attorney’s direction. Bar association ethics opinions have addressed the intersection of social media investigation and attorney responsibility with increasing specificity. The consistent position is that viewing public social media profiles is permissible, but using deception to access restricted content is not. The New York State Bar concluded that attorneys may access and review public social network pages of parties to search for potential impeachment material (NYSBA 2010). The Philadelphia Bar Association concluded that an attorney who uses a fake profile to friend a non-client violates Rule 8.4’s prohibition on deceptive conduct (Philadelphia Bar 2009). The New York City Bar found that attorneys may not use deception to access information from social networking pages (NYCBA 2012). Attorneys can’t insulate themselves from these rules by delegating to investigators: under ABA Model Rule 5.3, attorneys are responsible for the conduct of non-lawyers they supervise or direct, and the New York State Bar guidelines specify that an attorney shall not order an agent to engage in conduct that would violate ethics rules if the attorney performed it directly (ABA 2020; NYSBA 2019).

The Ohio Supreme Court disciplined prosecutor Aaron Brockler after he created a fake Facebook profile, posing as a woman whom the defendant’s girlfriend would regard as a romantic rival, to contact alibi witnesses and elicit incriminating statements in a murder case (Disciplinary Counsel v. Brockler 2016). Brockler argued that a prosecutor’s investigative deception should be treated analogously to traditional undercover tactics. The court rejected that argument and imposed a stayed one-year suspension, holding that the deception violated core ethical values regardless of its investigative purpose. The case establishes that deceptive methods sometimes normalized in OSINT practice carry professional discipline risk for any practitioner working at an attorney’s direction, because the attorney bears responsibility for the methods their agents use.

Where This Leaves Practitioners

Viewing a public web page sits at one end of the legal spectrum; intercepting private communications sits at the other. Between those poles, every escalation in method, from passive viewing to systematic storage, from public access to authenticated access, from observation to engagement, from domestic subjects to international ones, introduces new legal requirements. The practitioner’s job is to know where those thresholds are before crossing them.

Some boundaries are bright lines. Pretexting for phone records or financial records is a federal crime. Intercepting communications in transit triggers criminal penalties. Collecting biometric data without consent in Illinois creates per-violation statutory damages. Others are contextual: whether FCRA requirements apply depends on the purpose of the research, not its method; whether GDPR applies depends on where the subject is located, not where the practitioner sits; whether a state licensing statute covers desk-based OSINT research depends on how broadly the statute defines “investigation.” Those contextual boundaries are where practitioners get into trouble when they assume that technical capability equals legal permission.

Quick Reference: Permissible, Prohibited, and Gray Areas

Generally Permissible: Viewing public social media without authentication, reviewing public records (court filings, corporate registrations, SEC filings), analyzing news, press releases, and patent filings, domain and infrastructure research (WHOIS, DNS), attending public events and conferences.

Gray Area (Analyze Before Acting): Accessing content visible only to logged-in users, systematic scraping that violates platform ToS, social engineering without explicit identity deception, OSINT on subjects in GDPR jurisdictions, desk-based research in states with broad PI licensing definitions.

Clearly Prohibited: Pretexting for phone or financial records, unauthorized computer access or credential misuse, recording calls in all-party consent states without consent, impersonating law enforcement or government officials, fake friending of represented parties in litigation, collecting biometrics without consent where BIPA applies.

Public records, open corporate filings, court documents, patent databases, news archives, and genuinely public social media content provide investigative value that doesn’t require any of the methods that create legal exposure. Practitioners who know where the lines are, document their compliance decisions, and decline work that requires prohibited methods are the ones who last in this field, because the consequences of crossing those lines fall on the practitioner, not on the client who asked for results.

References

  • American Bar Association (ABA). 2020. Model Rules of Professional Conduct. Chicago: ABA.

  • American Civil Liberties Union (ACLU). 2022. “In Big Win, Settlement Ensures Clearview AI Complies With Groundbreaking Illinois Biometric Privacy Law.” Press Release, May 9, 2022.

  • Bartnicki v. Vopper, 532 U.S. 514 (2001).

  • California Department of Justice. 2006. “Attorney General Lockyer Files Criminal Charges Against Former Hewlett-Packard Chairwoman Dunn, Four Others in ‘Pretexting’ Case.” Press Release, October 4, 2006.

  • Campeau et Services alimentaires Delta Dailyfood Canada inc., 2012 QCCLP 7666 (Commission des lésions professionnelles 2012).

  • Commission Nationale de l’Informatique et des Libertés (CNIL). 2022. “Facial Recognition: 20 Million Euros Penalty Against CLEARVIEW AI.” October 20, 2022.

  • Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965 (C.D. Cal. 2010).

  • Department of the Air Force. 2023. Air Force Doctrine Publication 2-0: Intelligence. Washington, DC: Department of the Air Force.

  • Disciplinary Counsel v. Brockler, 145 Ohio St. 3d 270 (2016).

  • DoD Directive 3115.12. 2010. Open Source Intelligence. As updated.

  • Ehling v. Monmouth-Ocean Hospital Service Corp., 961 F. Supp. 2d 659 (D.N.J. 2013).

  • Electronic Frontier Foundation (EFF). 2022. “Scraping Public Websites (Still) Isn’t a Crime, Court of Appeals Declares.” July 6, 2022.

  • European Parliament and Council. 2016. Regulation (EU) 2016/679 (General Data Protection Regulation). Official Journal of the European Union L 119/1.

  • Executive Order No. 12,333. 1981. United States Intelligence Activities. 46 Fed. Reg. 59,941, as amended.

  • Federal Trade Commission (FTC) and Equal Employment Opportunity Commission (EEOC). 2016. “Background Checks: What Employers Need to Know.” Washington, DC: FTC/EEOC.

  • Federal Trade Commission (FTC). 2011. “The Fair Credit Reporting Act & Social Media: What Businesses Should Know.” Washington, DC: FTC.

  • Gratton, Éloïse. 2014. “Using Fake Facebook Profiles in Investigations.” Éloïse Gratton Blog, October 19, 2014.

  • Headquarters, Department of the Army. 2012. AR 381-10: U.S. Army Intelligence Activities. Washington, DC: Department of the Army.

  • hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022).

  • Housego. 2023. Open Source Research Guidance.

  • Home Office. 2022. Covert Human Intelligence Sources Revised Code of Practice. London: Home Office.

  • International Comparative Legal Guides (ICLG). 2024. “Dutch Regulator Fines AI Firm EUR 30 Million.” September 9, 2024.

  • Lester v. Allied Concrete Co., 285 Va. 295 (2013).

  • Loevy & Loevy. 2025. “Judge OKs Loevy’s Innovative $51.75 Million Settlement in Clearview AI Class Action Lawsuit.”

  • Meta. 2024. Terms of Service.

  • Moroccanoil Inc. v. Marc Anthony Cosmetics Inc., No. CV 11-10615-DMG, 2014 WL 5765072 (C.D. Cal. Oct. 6, 2014).

  • National Law Review. 2025. “A First in BIPA Litigation: Class Members Receive Equity in Clearview AI.” March 2025.

  • New York City Bar Association (NYCBA). 2012. Formal Opinion 2012-2: Jury Research and Social Media.

  • New York State Bar Association (NYSBA). 2010. Committee on Professional Ethics, Opinion 843.

  • New York State Bar Association (NYSBA). 2019. Social Media Ethics Guidelines of the Commercial and Federal Litigation Section.

  • Octoparse. 2025. “What Does It Mean to Be GDPR Compliant? A Complete Guide for Web Scrapers.”

  • Office of the Director of National Intelligence. 2015. Intelligence Community Directive 203: Analytic Standards. Washington, DC: ODNI.

  • Office of the Director of National Intelligence. 2021. Attorney General Guidelines Fact Sheet.

  • Organization for Security and Co-operation in Europe (OSCE). 2017. Intelligence-Led Policing.

  • Philadelphia Bar Association. 2009. Professional Guidance Committee Opinion 2009-02.

  • Privacy International. 2021. “Challenge Against Clearview AI in Europe.”

  • Proskauer Rose LLP. 2006. “Senate Passes Federal Legislation Criminalizing ‘Pretexting.’” Proskauer on Privacy, December 2006.

  • Regulation of Investigatory Powers Act 2000, c. 23. United Kingdom.

  • SACLANT. 2002. Open Source Intelligence Handbook. Supreme Allied Commander Atlantic.

  • Southwest Airlines Co. v. Kiwi.com, Inc., No. 3:21-cv-00098 (N.D. Tex. Sept. 30, 2021).

  • Troutman Pepper Locke. 2022. “Ninth Circuit Provides Guidance on Web Scraping.” May 14, 2022.

  • United States Department of Justice. 2003. The National Criminal Intelligence Sharing Plan.

  • United States v. Auernheimer, 748 F.3d 525 (3d Cir. 2014).

  • United States v. Nosal (Nosal II), 844 F.3d 1024 (9th Cir. 2016).

  • United States v. Vayner, 769 F.3d 125 (2d Cir. 2014).

  • United States v. Warshak, 631 F.3d 266 (6th Cir. 2010).

  • Van Buren v. United States, 141 S. Ct. 1648 (2021).

  • White & Case LLP. 2022. “Web Scraping, Website Terms and the CFAA.” April 2022.