The Dark Side of OSINT: Risks and Challenges of Misuse

Some individuals have been at the battlefront, releasing the most explicit details about the war through social media, except that they aren't at the battlefront but are OSINT amateurs flexing their espionage skills.

The crisis in Ukraine has been a hot topic, with the most detailed updates pouring in through TikTok videos, Tweets, and even Facebook posts. However, amidst the flood of information, concerns have been raised about the disclosure of highly sensitive information, particularly during a war, and has sparked debates about the necessity of OSINT.

Suit up, as we dive into the darker side of OSINT, discussing the risks and challenges that could arise from its use.

The Risks of Misusing OSINT

While using OSINT applications in various industries is undeniably beneficial, it raises some serious societal concerns. These difficulties can lead to legal and ethical issues that harm individuals, organizations, and the community's reputations. This section will discuss the evil sides of OSINT.

Privacy Invasion

Unrestricted access to vast amounts of information can lead to serious political, economic, and even diplomatic complications. For example, the tensions between the United States and Iran have been fueled by OSINT, which has been used to track each other's military movements and assess each other's capabilities. This information has contributed to a sense of mistrust and suspicion, leading to increased tensions and the possibility of conflict. Hackers use OSINT to obtain sensitive information like home addresses, phone numbers, and financial information. This information can be used to stalk, harass, or even commit identity theft against the individual.

To the average OSINT enthusiast, OSINT is a common tool, but to an expert user or government official, it is a potent tool to protect economic and political interests through undiplomatic maneuvers. The 2014 hack of the US Office of Personnel Management is a good example. The event resulted in the theft of sensitive personal information of over 21 million current and former federal employees. The breach is believed to have been conducted by Chinese hackers, who compromised data such as social security numbers, fingerprints, and background investigation records.

OSINT is also used in geolocation tracking, which involves following people's movements, social relationships, and online activities, which can result in stalking and harassment. These actions can have serious psychological and emotional consequences for the victim and sometimes lead to physical violence. Each year, 7.5 million people in the United States are stalked, according to the National Center for Victims of Crime. Alison Killing and her team used geolocation tracking to investigate the Xinjiang Detention Centers, and they obtained information from the Chinese government without consent.

Cyberbullying

As technology progresses, bullying has expanded beyond its conventional environments and to the internet. This modern form of bullying, called cyberbullying, proves to be more evil, with a staggering 36.5% of individuals reporting having experienced it at least once. Bullies now have easy access to a lot of personal information online, which they can use as weapons to blackmail, harass, and emotionally distress their victims.

The Cyberbullying Research Center study shows that 35.5% of middle and high school students were victims of cyberbullying in 2022, an increase from 26.4% in 2016. Furthermore, victims of cyberbullying are more likely to suffer from depression, anxiety, and other mental health issues, according to the American Academy of Pediatrics. Similar to Amanda Todd’s case is that of the 15-year-old Canadian girl who committed suicide in 2012 after being cyberbullied relentlessly. The case sparked international outrage, prompting calls for increased awareness and anti-cyberbullying measures.

Cybercrime and Fraud

OSINT provides cybercriminals easy access to valuable information such as passwords, bank account information, or social security numbers. Cybercriminals use this information to conduct fraudulent activities such as phishing, identity theft, and ransomware attacks. Cybercriminals frequently use social engineering to gather personal information about their potential victims via social media profiles or online activity to tailor their attacks.

OSINT can also be used to avoid detection by reviewing publicly disclosed intelligence. Threat actors can use this information to learn about an organization's defense lines and look for alternative attack methods. Hackers use Google Dorking to identify system flaws or sensitive information. They can, for example, search for documents that contain specific phrases like "sensitive but unclassified information" or scan the code of a website for misconfigurations or security gaps.

Source: Accenture

In terms of cybercrime and fraud against businesses, the 2017 Equifax data breach is a notable example. Hackers infiltrated the credit reporting agency's systems and stole the personal data of over 143 million consumers, including names, birth dates, social security numbers, and driver's license numbers. The breach is believed to have been conducted by state-sponsored hackers from China, who were seeking to obtain sensitive financial and personal information for intelligence purposes. The stolen data was then sold on the dark web and used in various fraudulent activities such as identity theft, account takeover, and tax refund fraud.

There was also a story about Ramon Abbas, popularly known as Hushpuppi. A cybercriminal was arrested by the FBI for diverting government money meant for windows into his account and other scams involving top teams. He was able to successfully mastermind all of his plots because he had access to the information he required about his victims; simply put, the OSINT facilitated his schemes.

Discrimination and Bias

OSINT can perpetuate discrimination and bias by amplifying stereotypes and reinforcing social inequalities. Algorithms are used by social media platforms and search engines, for example, to personalize content and search results based on user data. It has the potential to exaggerate pre-existing biases and stereotypes.

People can be discriminated against based on race, gender, religion, or sexual orientation using OSINT. Employers, for example, may screen job applicants using social media, resulting in discriminatory hiring practices. OSINT may also be used by law enforcement agencies to unfairly target specific communities, resulting in discriminatory policing practices.

Biased OSINT algorithms can also lead to inaccurate or unfair hiring and law enforcement decisions. For people with darker skin tones, facial recognition technologies are less accurate, potentially leading to misidentification and harm. Similarly, predictive policing algorithms have been accused of reinforcing existing discrimination patterns and perpetuating racial biases.

According to research, using biased algorithms, can have a significant negative impact on marginalized communities. For example, a National Institute of Standards and Technology study discovered that when using facial recognition technology, African American and Asian faces had higher false positive rates than white faces. It emphasizes the importance of thoroughly evaluating OSINT algorithms to ensure that discrimination or bias is not perpetuated.

Misinformation and Propaganda

Misinformation and propaganda can be spread using OSINT, often maliciously, due to access to an oasis of data and information. For example, hackers can use bots, fake news, and deep fakes to disseminate false or misleading information on social media platforms. This disinformation campaign can manipulate public opinion, sow division, and influence elections.

Deep fakes, in particular, can be a powerful tool for spreading disinformation. They altered videos or audio recordings to make it appear that someone said or did something they did not say or do. This technology feeds on information/data obtained about the victim via OSINT. The OSINT server generates all of the victims' personal information. It can be used to disseminate false information about politicians or other public figures and generate fake news stories that go viral on social media. The deep fake technology has been used to spread false information by impersonating many public figures, including Barack Obama, Donald Trump, Tom Cruise, and Hillary Clinton, and it has all gone viral.

Hackers use social media bots to spread misinformation by automating accounts and using them to spread false or misleading information on a large scale, making it difficult for users to distinguish legitimate from fraudulent accounts.

Disinformation campaigns can cause social unrest, political polarization, and violence. False vaccine information, for example, has increased vaccine hesitancy and the resurgence of preventable diseases. False election information, on the other hand, can undermine trust in democratic institutions and even lead to violence.

Conclusion

OSINT has become an indispensable tool in many fields, and its increased reliance has raised concerns about its misuse. Clear regulations that respect privacy and data protection laws are required to reduce the negative consequences of OSINT and promote ethical use.

A cybersecurity expert must follow ethical practices and verify the information before making it available. It is critical to balance the benefits and risks of OSINT to maximize its ability to generate valuable insights while minimizing harm.

Companies that provide OSINT tools and platforms must also encourage ethical use of OSINT by developing policies and tools to prevent misuse and protect privacy. For example, social media platforms can implement privacy controls that enable users to control who has access to their personal information and limit the use of their data for OSINT purposes. Companies can also work with regulators and law enforcement to develop guidelines and best practices for using OSINT.

Understanding the risks associated with OSINT and taking the necessary precautions to protect sensitive information is critical. It includes limiting the amount of personal information shared online, implementing strong password policies, regularly updating software and systems, and conducting regular security audits. We can harness the power of OSINT for its benefits while ensuring responsible use to avoid causing harm or negative consequences.