This is the practical companion to Legal Boundaries of OSINT Collection, which provides the full legal analysis with case law, statutes, and regulatory frameworks. This article covers what those frameworks mean for your day-to-day work.

Note: I’m not a lawyer, and this isn’t legal advice. This article is an educational overview of the legal frameworks that affect OSINT practice, based on publicly available statutes, case law, regulations, and guidance documents. It doesn’t replace consultation with a qualified attorney in your jurisdiction. If a collection activity puts you in gray territory, get legal counsel before proceeding.

The more intrusive your collection method, the more legal requirements apply. Reading a public web page is at one end of the spectrum. Intercepting someone’s private messages is at the other. Everything between those poles sits on a sliding scale, and each threshold introduces new statutes, new authorization requirements, or new categories of liability.

The biggest mistake practitioners make is treating “publicly available” as synonymous with “legal to collect and use.” Clearview AI scraped publicly posted photos from social media and built a facial recognition database from them. European regulators (France, Italy, Greece, Netherlands) fined Clearview over €90 million under GDPR. An Illinois class action under BIPA cost another $51.75 million in the US. The photos were public. The violations came from what Clearview did with them: the method of collection, the scale of aggregation, the biometric processing, and the absence of consent. Method, purpose, scale, and jurisdiction all determine legality independently of whether the underlying information was visible to anyone with a browser.

This guide walks through five levels of escalating legal exposure, seven real-world scenarios, and the questions you should ask before every collection activity. The legal analysis here is US-focused, with coverage of EU and UK frameworks where they apply to US-based practitioners, so a note on jurisdiction comes first, before we get into the framework.

A Note on Jurisdiction

US federal statutes (CFAA, SCA, FCRA, Wiretap Act, GLB Act) and US case law form the backbone of this guide. State-level requirements (PI licensing, BIPA, recording consent laws) vary across US states and are flagged by state where relevant.

EU/EEA regulations (GDPR) are covered because they apply to US-based practitioners who collect data on EU residents. UK guidance (RIPA) is referenced where it provides useful frameworks on how legal requirements scale with intrusiveness.

If you operate outside the United States, your jurisdiction has its own data protection laws, computer access statutes, licensing requirements, and privacy frameworks. The escalation principle (more intrusive methods carry more legal requirements) holds everywhere, but the specific statutes and thresholds differ. Consult local legal counsel before applying this guidance outside the US.

Five Levels of Legal Exposure

Every OSINT activity falls somewhere on this ladder. As you move up, legal requirements increase, authorization becomes necessary, and the consequences of getting it wrong get worse. Jurisdiction tags [US], [EU/EEA], [UK], [State] indicate where each regulation applies.

LEVEL 1: Viewing Public Information

Reading public websites, viewing social media profiles that don’t require a login, pulling court records, SEC filings [US], Companies House records [UK], patent databases, news articles, corporate registrations, and WHOIS/DNS records all fall here, along with attending public events. Across jurisdictions, this is generally unrestricted. The Ninth Circuit held that accessing public websites doesn’t violate the CFAA because there are “no gates to lift or lower in the first place” (hiQ v. LinkedIn [US, 9th Cir.]). UK guidance reaches the same conclusion: viewing open-source information on a publicly accessible page “does not amount to obtaining private information” (Martin & Boutcher 2013 [UK]).

Purpose changes the legal analysis even at this level. A LinkedIn search for competitive intelligence is unregulated in the US, but the identical search to screen a job applicant triggers FCRA notice, consent, and adverse action requirements [US federal]. Copyright law applies to reproduction in all jurisdictions.

LEVEL 2: Systematic Collection, Scraping, and Profiling

Once you move from viewing public data to systematically collecting, storing, and building profiles from it, you’re in a legally different activity even when the underlying information is public. Automated scraping, building databases or dossiers, bulk collection, and monitoring subjects over time all sit here. GDPR [EU/EEA] requires a lawful basis for processing EU residents’ data regardless of public availability, and that applies to US-based practitioners collecting data on EU subjects. Platform terms of service frequently prohibit scraping, and ToS violations can support breach of contract lawsuits in the US even where they don’t create criminal liability after hiQ and Van Buren [US]. UK law requires that systematic profiling be “both necessary and proportionate” under RIPA and the Data Protection Act [UK]. US criminal intelligence systems receiving federal funding must comply with 28 CFR Part 23 retention and purge standards [US federal].

BIPA [Illinois] applies if you process facial geometry or other biometric identifiers, with statutory damages of $1,000–$5,000 per violation. GDPR [EU/EEA] fines can reach 4% of global revenue. KASPR was fined €240,000 by France’s CNIL for scraping LinkedIn contact details [EU]. Southwest Airlines won a breach of contract claim against Kiwi.com for scraping its website in violation of its terms of use [US].

LEVEL 3: Accessing Gated or Login-Required Content

Using your own authentic account to view content that’s only visible to logged-in users, or accessing content behind privacy settings through legitimate connections, puts you in uncertain legal territory across jurisdictions. When hiQ’s contractors created fake LinkedIn accounts to access login-required data, the conduct was actionable on contract-based theories [US, 9th Cir.]. The CFAA’s “exceeds authorized access” provision was narrowed by Van Buren [US] to focus on technical access barriers rather than purpose, but UK guidance goes further: “viewing restricted access information covertly will generally constitute covert surveillance” and directed surveillance authorization should be sought [UK] (Martin & Boutcher 2013). Content behind privacy settings shouldn’t be treated as publicly available. As one UK practitioner guide puts it, “it is unwise to regard it as ‘open source’; the author still has a reasonable expectation of privacy if access controls are applied” (Housego 2023 [UK]).

Creating fake accounts violates platform ToS and may support breach of contract claims [US]. The hiQ CFAA holding is a 9th Circuit decision, not universally followed across US circuits [US]. Under GDPR [EU/EEA], content behind access controls carries stronger privacy protections. Professional ethics rules [US, varies by state bar] independently prohibit deceptive access methods when working at an attorney’s direction.

LEVEL 4: Engaging with Targets: Fake Personas, Friending, Elicitation

Sock puppet accounts, friend requests under false pretenses, messaging subjects to elicit information, joining private groups through deception, and any interaction where you misrepresent your identity or purpose all carry high risk across jurisdictions, and they aren’t OSINT. Intelligence doctrine defines OSINT by its source: publicly available information collected without interacting with the target (SACLANT 2002). The moment you engage with someone using a fake identity, you’ve crossed into human intelligence collection on a digital platform, with different legal frameworks, different ethics rules, and different exposure. UK guidance makes the escalation explicit: creating a false persona alone doesn’t require RIPA authorization, but establishing or maintaining a relationship through that persona triggers the requirement for Covert Human Intelligence Source (CHIS) authorization (Martin & Boutcher 2013 [UK]). Under GDPR [EU/EEA], collecting data through deceptive means may fail the fairness requirement (Art. 5(1)(a)).

In the US, attorney ethics rules [US, varies by state bar] prohibit fake friending, and attorneys bear responsibility for investigators they direct (ABA Model Rule 5.3). A Quebec tribunal [Canada] ruled evidence illegally obtained when an employer created a fake Facebook profile to befriend an employee (Campeau 2010). An Ohio prosecutor [US, Ohio] was suspended from practice for creating a fake profile to contact witnesses (Brockler 2016). The SCIP Code of Ethics [international] requires disclosure of identity prior to interviews.

LEVEL 5: Interception and Unauthorized Access

Intercepting communications in real time, accessing accounts with stolen or borrowed credentials, exploiting security vulnerabilities, hacking, and recording conversations without legally required consent are criminal across jurisdictions. In the US, federal criminal penalties apply under the Wiretap Act (18 U.S.C. § 2511) [US federal], the CFAA (18 U.S.C. § 1030) [US federal], and the Stored Communications Act (18 U.S.C. § 2701) [US federal]. UK law regulates interception under RIPA Part I [UK]. The European Court of Human Rights requires judicial oversight for surveillance measures [ECHR/Council of Europe]. No investigation objective justifies these methods for private-sector practitioners.

Pretexting for phone records carries up to 10 years imprisonment [US federal, Telephone Records Act]. Pretexting for financial records is a federal crime [US federal, GLB Act]. Recording calls without all-party consent is criminal in California, Florida, Illinois, and several other states [US, varies by state]. Using someone else’s credentials after your access has been revoked is a CFAA violation (Nosal [US, 9th Cir.]). State computer crime statutes may impose additional penalties [US, varies by state].

Scenarios

Each scenario below starts with a question practitioners actually face, followed by the legal risk assessment and the specific considerations that apply.

I need background on a potential business partner. Their LinkedIn profile is fully public. Can I review their employment history, connections, and posts?

Yes. Viewing public profiles that don’t require authentication is unrestricted in the US and under UK guidance. Save your screenshots with timestamps and metadata for potential future use. If the subject is an EU resident and you’re building a dossier, GDPR obligations apply to how you store and process the data [EU/EEA].

I’m investigating a workers’ comp claim. The subject’s Instagram is set to private. Can I create a fake account and send a follow request?

No. Creating a fake profile to access restricted content is deceptive engagement with a human target, which falls outside OSINT entirely and into HUMINT tradecraft. In the US, if this case goes to litigation, evidence obtained this way may be excluded, and if you’re working for an attorney, they face ethics exposure under state bar rules for your methods. Under UK law, this would likely require CHIS authorization for law enforcement. Under GDPR [EU/EEA], deceptive collection may fail the fairness requirement. Look for public posts, tagged photos on other public accounts, or other public sources instead.

My company wants to monitor a competitor’s public pricing page daily using an automated scraper. Is that okay?

It depends on the terms of service and your jurisdiction. Automated scraping sits in a legal gray area: the underlying data may be public, but systematically collecting it introduces legal exposure that passive viewing doesn’t. In the US, scraping that violates a site’s ToS can support breach of contract lawsuits even where it doesn’t create criminal liability after hiQ and Van Buren [US, 9th Cir.]. Southwest Airlines won a contract-based claim against Kiwi.com for exactly this [US]. If the competitor is EU-based and pricing pages contain personal data, GDPR data minimization applies [EU/EEA]. Manual periodic checks carry less legal exposure than automated scraping.

HR asked me to check a job candidate’s social media before we extend an offer. Can I just look at their public profiles?

You can view public profiles, but the purpose of the search triggers additional legal requirements. If you’re a third party conducting this search for a US employer, the resulting report is a “consumer report” under the Fair Credit Reporting Act [US federal]. That triggers written notice and consent before the search, adverse action procedures if the employer decides against hiring, and accuracy requirements. If you’re an in-house employee doing your own search, FCRA doesn’t apply, but US anti-discrimination laws still do [US federal/state]. In the EU, employment screening is subject to GDPR and national employment law [EU/EEA]. In the UK, similar requirements exist under the Data Protection Act and Equality Act [UK].

I’m supporting a civil litigation matter and need to preserve a party’s public social media posts as evidence. How do I do that correctly?

Public posts are fair game to collect, but how you collect them determines whether they’re admissible. Simple screenshots may fail authentication requirements in US courts. The Second Circuit reversed admission of profile screenshots that lacked evidence the account holder created the content (Vayner [US, 2d Cir.]). A California court excluded screenshots without metadata establishing they accurately reflected the posts at time of capture (Moroccanoil [US, C.D. Cal.]). Use forensic collection tools, maintain chain of custody documentation, and preserve native format data. Once litigation is reasonably anticipated, US preservation obligations attach; an attorney who told a client to “clean up” Facebook after a discovery request was sanctioned $542,000 (Lester v. Allied Concrete [US, Virginia]).

My due diligence target is based in Germany. Can I compile publicly available information about them from German corporate registries, news, and social media?

You can, but GDPR applies to you even though you’re based in the US [EU/EEA]. You’re processing personal data of an EU resident, which means you need a lawful basis, usually “legitimate interest” for investigations, supported by a documented balancing test. You need to minimize collection to what is actually necessary for the specific investigation, and you can’t repurpose data collected here for a different matter without additional justification. The French CNIL, Italian Garante, Greek DPA, and Dutch AP have all taken enforcement action against US-based companies processing EU residents’ data. Those enforcement actions totaled over €90 million for Clearview alone [EU/EEA].

My client is unhappy with what public sources turned up and wants me to “get creative.” What do I do?

“Get creative” is where careers end. Ask the client to specify exactly what they want. If what they’re describing involves pretexting, fake accounts, unauthorized access, or deception directed at a human target, decline the work and document the conversation. The consequences of crossing legal boundaries, including criminal charges, regulatory fines, professional discipline, and excluded evidence, fall on the practitioner rather than the client who asked for results. HP’s investigators were criminally charged in California [US, California] for pretexting phone records at the board chairwoman’s direction, and Congress responded with a new federal statute [US federal].

Licensing Requirements [US]

Licensing requirements for investigators vary by country; this section covers US state requirements. Practitioners outside the US should check their national and local frameworks.

Over 40 US states require PI licenses for investigation services, and the question that matters is whether your OSINT work falls within the state’s definition of “investigation.” California’s statutory definition covers anyone who investigates “the identity, business, occupation, character” of a person for compensation, which is broad enough to encompass many OSINT activities. North Carolina explicitly excluded digital forensics from PI licensing. Many states haven’t addressed OSINT at all, and practitioners shouldn’t assume they’re exempt without checking. Operating without required licensure exposes you to criminal penalties for unlicensed practice, challenges to the admissibility of your evidence, and civil liability that extends to both you and the client who engaged you.

The OSINT Boundary

The term "active OSINT" has spread through practitioner communities to describe activities like creating sock puppets, direct messaging targets, and infiltrating private groups. In doctrine and in law, those activities aren't OSINT at all. They're HUMINT: human intelligence collection conducted on a digital platform. Read my article on that topic here:

For quick reference, the table below shows some of the questionable activities and where they fall on the legal spectrum (generally).

Intelligence doctrine defines OSINT by its source: publicly available information collected without interacting with the target (SACLANT 2002). The moment you send a friend request, initiate a conversation, or create a fictitious persona to interact with a subject, you've moved into HUMINT tradecraft. Calling it "active OSINT" doesn't change the legal frameworks that apply, the ethical obligations that attach, or the authorization that should be required. A fake friend request on Facebook is functionally the same as showing up at someone's door with a fake business card; the legal analysis follows the deception, not the platform.

Real World Cases

Every boundary described in this guide has been tested in court, before a regulator, or in a disciplinary proceeding. HP's board leak investigation led to criminal charges for the investigators who pretexted phone records. Clearview AI's scraping of public photos produced over €90 million in EU fines and a $51.75 million US settlement. An Ohio prosecutor lost his license for a year over a fake Facebook profile. The table below shows these cases and others, with the jurisdiction where each enforcement action or ruling occurred.

Quick Reference Guide

This table sorts common OSINT activities into three categories: go (generally unrestricted), slow down (regulated depending on jurisdiction and purpose), and stop (criminal or high-liability exposure). "Slow down" doesn't mean don't do it. It means you need to identify which specific legal requirements apply before proceeding: FCRA [US federal], GDPR [EU/EEA], BIPA [Illinois], PI licensing [US, varies by state], or platform terms of service. Get a legal opinion if the answer isn't clear.

Five Questions To Ask Before Every Collection Activity

Before you start collecting, ask yourself whether the content is truly public or sits behind authentication, whether the purpose of your collection triggers regulations that the method alone wouldn't, whether you're observing or interacting with a person, whether your jurisdiction requires a license for this work, and whether you'd describe this method in a court filing or a report to legal counsel.

1. Is the information truly public, or does accessing it require authentication, deception, or circumventing controls?

Public viewing is generally unrestricted across jurisdictions. Anything requiring login, fake accounts, or bypassing access controls moves the activity up the escalation ladder. In the US, this may trigger the CFAA or SCA. In the UK, it may require directed surveillance authorization under RIPA. In every case, it changes the legal analysis.

2. What is the purpose of this collection, and does that purpose trigger specific regulations?

FCRA [US] applies for employment and tenant screening. GDPR [EU/EEA] applies for EU subjects. BIPA [Illinois] applies for biometric processing. UK DPA [UK] applies for profiling. The same collection method can be unrestricted for one purpose and regulated for another, and the applicable regulations depend on both your jurisdiction and your subject’s jurisdiction.

3. Am I observing, or am I interacting with a person?

Observation of public information is OSINT. Interaction with a human target is human intelligence collection. Every jurisdiction treats these differently, even where the specific statutes vary. If you’re sending messages or friend requests, or using a fake identity, you’ve crossed into a different legal and ethical framework.

4. Does my jurisdiction require a license for this work?

Over 40 US states license private investigators, with statutory definitions broad enough to cover OSINT in several of them. Other countries have their own licensing or registration requirements. Unlicensed practice may be criminal, and evidence collected without a required license may be inadmissible.

5. Would I describe this method in a court filing or in a report to my client’s legal counsel?

HP’s pretexting [US], Clearview’s scraping [US/EU], Brockler’s fake profile [US, Ohio], and the Quebec employer’s fake friending [Canada] all looked like reasonable investigative techniques to the people doing them until they became public. If you wouldn’t describe the method to a judge or opposing counsel, the method is likely outside the boundaries covered in this guide.

Working Inside the Boundaries

Public records, open corporate filings, court documents, patent databases, news archives, and genuinely public social media provide more information about people and organizations than has been available at any previous point in history. The investigative value of those sources is real and substantial, and accessing them requires none of the methods that create legal exposure. Practitioners who know where the legal boundaries sit in their jurisdiction can work confidently within them; practitioners who treat “publicly available” as a blanket authorization will eventually encounter one of the thresholds described in this guide, and the consequences, whether criminal charges, regulatory fines, professional discipline, or excluded evidence, will follow the practitioner rather than the client who asked for results.

When a client pushes toward methods that create legal exposure, name the specific risk and offer what you can deliver within bounds. The conversation is easier when you can point to the statute, the case, or the enforcement action that applies. That’s what the companion article, Legal Boundaries of OSINT Collection, provides: the full legal analysis with case law, statutory text, and regulatory frameworks behind each of the thresholds covered here.