Social media is an incredibly powerful source for OSINT building, but researchers need to broaden their scope — and hone their tradecraft — to turn scrolling into real intelligence.

Soon after Russia invaded Ukraine in late February 2022, publications were quick to label the conflict the "TikTok War" because of the ubiquitous streaming of events from smartphones. The world has been granted front-row seats to a full-scale war without editors or filters. Social media has enabled everyday citizens to provide nearly continuous coverage of everything from troop movements to weapon identification, all because technology now makes it trivial to capture and share events in real time. Multimedia streaming has genuinely achieved a "constant stare" and has spawned a new class of digital sleuths.

This rapid expansion of open-source information is one pillar of the OSINT revolution underway. Open-source intelligence gathering has been practiced for decades, but only recently has OSINT received the attention and respect given to the other "INTs" (HUMINT, GEOINT, MASINT). Government and intelligence agencies are using OSINT for a variety of missions and standardizing how it can be used. Teams across the private sector are using it to uncover everything from cyberthreats to financial fraud and brand misuse.

But with wider interest in OSINT come some growing pains:

  1. Confusion between consuming and sharing information and the corroboration and verification process that puts the "INT" in OSINT
  2. Poor tradecraft that undermines the veracity of the resulting intelligence
  3. Lack of awareness of the dangers OSINT collection poses to researchers and their organizations, and of how to counter them

Nowhere are these growing pains felt more than on the “OSINT” coming out of social media. 

OSINT is more than social media

As an internet researcher, I couldn't help but notice the remarkably large amount of information that became available in relation to the Russian invasion of Ukraine. Virtually every social media platform has people sharing videos and images at a high rate. But the majority of opinions and judgments seem to have been based on single videos, without corroboration from other trusted sources. The veracity of those opinions quickly came into question as the information explosion reached levels never before seen in war. In an attempt to legitimize the information being shared, the online investigation world quickly co-opted the term "OSINT" from the intelligence community (IC), aligning itself with an established military doctrine.

The term OSINT started as an IC acronym for a collection discipline: intelligence produced from publicly available information, as opposed to material a government entity has classified. Social media is inherent in this definition; however, let's be clear: social media is indeed OSINT, but OSINT isn't exclusively social media.

To assume that this social media content is the primary source of open-source information ignores the wealth of “off-platform” sources — namely, (most of) the rest of the internet. While social media is a valuable component to building OSINT, other sources are needed to corroborate and verify collected information. Without these crucial steps, would-be researchers may only be adding to the noise at best and supporting disinformation campaigns at worst.

Inexperience and lax protocols can ruin an investigation

OSINT requires the researcher to collect, analyze, evaluate, interpret, produce and disseminate their judgments, typically without the support of a team of specialists. Unlike in other collection disciplines (SIGINT, GEOINT, etc.), the analyst captures their own data using ordinary web browsers and mobile phones.

Without proper security and tradecraft, researchers could be putting their investigation, device and themselves at risk.


In contrast to OSINT collection, GEOINT (geospatial intelligence) uses sophisticated technical collection platforms (e.g., remote-sensing satellites) and other clandestine means to avoid detection. These systems are operated by teams of people who go to painstaking lengths to protect orbital ephemeris data so that their targets cannot predict when they are being observed. The last thing you need is to let the source of your information know you are actively collecting it.

Once an adversary becomes aware of your intent to capture data, you won't know if the information you have is reliable. 

Denial and deception (D&D) is a common tactic in warfare, and the internet is not immune. Again using GEOINT as an example, every space capability is made up of a ground segment, a space segment and the communication link that ties them together. Jamming of that link is a challenge these systems must overcome; otherwise the data may become corrupt and unusable. The same risk applies to OSINT: if the source learns it is being collected and feeds you manipulated information, the investigation is spoiled.

Dangers of OSINT collection 

To the newly anointed online researcher, this stuff must have seemed easy: all I have to do is watch Twitter feeds, and I get the whole picture. That is obviously an oversimplification; other sources are essential for objective results. The truth is, the majority of publicly available information (PAI) is not on social media, and some of it is hosted on sites that want to steal your information.

The internet has near-infinite sources to use in your investigation, but not all are visitor-friendly. Take most of the websites that exist in China. Most Chinese websites (under the .cn top-level domain) do not use HTTPS. HTTPS is HTTP carried inside a TLS session: the server's certificate lets the browser verify who it is talking to, and encryption keeps anyone on the network path from reading or altering the exchange. Without it, any intermediary (an ISP, a national gateway, a hotel Wi-Fi network) can intercept the traffic and manipulate the results you're seeking, making the gathered information unreliable. Note the limits of HTTPS as well: it protects page content in transit, but the destination hostname is still visible in your DNS lookup and in the TLS handshake (the SNI field), so the site operator and the network can still see that you visited.

Figure: Example of a Chinese statistical website

For example, some government-run statistical websites may present data differently to foreign visitors, either to project a different reality from what's going on within their borders or to act as a honeypot and see who's curious.

Even private websites in countries with strong censorship or anti-dissent laws could be revealing visitor information to the government. If an unwanted visitor is identified by their digital fingerprint, the visitor could be:

  • Blocked from the site or presented with an alternate version of the site
  • Identified personally or by affiliation with the organization they represent
  • Targeted with malware (including trackers) or retaliated against in the real world


Temporal and spatial tradecraft considerations

To combat these risks, a researcher may decide to use a VPN (virtual private network) to mask their source IP address and appear to be somewhere else. A VPN may be an effective way to spoof location, but it does nothing to protect your computer from viruses or malware, and it asks you to trust that the VPN provider itself keeps your browsing history private. Nor does it touch the rest of your fingerprint: sites routinely distinguish visitors by attributes the VPN never sees, such as the User-Agent string (browser and OS), the Accept-Language header, screen resolution, installed fonts and the time zone the browser reports through JavaScript. If any of those contradict the exit location, you stand out.


VPNs are fine for watching region-locked Netflix titles, but they are not time machines. If you access a foreign site in the middle of the night for its average visitor because it is the middle of the workday in D.C., a VPN can do nothing about the timestamp, and that inconsistency undercuts the "location narrative" you're trying to build.

Purpose-built platforms for online investigations can go a long way toward supporting tradecraft and helping researchers hide in plain sight:

  • A global network of points of presence (internet egress nodes) gives you the appropriate access location and type (e.g., data center, mobile) to appear as an in-region visitor
  • A cloud-based browser keeps complete isolation between your device and the site visited: no web code renders on the device, which protects against malware infection
  • A managed attribution solution lets you set the details of the digital fingerprint (e.g., browser, OS, language, keyboard settings, time zone) to blend in with average site visitors
  • Scheduled, automated collections run at times that are plausible for the target site's local audience
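The two tradecraft checks above (a fingerprint whose language and time zone agree with the egress location, and collection runs timed to the target region's working hours) are mechanical enough to script. The following is an added example written for this page, not code from the original article or from any investigation platform it describes. The LOCAL_PROFILE table, the Persona fields and the 09:00 to 18:00 "plausible visitor" window are constructed assumptions; a real deployment would derive the expected local profile from observed traffic and use zoneinfo rather than fixed UTC offsets.

```python
# Added example: a persona coherence and timing check for an OSINT collection run.
# Illustrative code only, not part of any product or tool described on the page.
# The LOCAL_PROFILE table and the Persona fields are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical "what a typical local visitor looks like" per egress country.
# Fixed UTC offsets keep the example dependency-free; production code should
# use zoneinfo so daylight-saving changes are handled correctly.
LOCAL_PROFILE = {
    "CN": {"tz": "Asia/Shanghai", "utc_offset_hours": 8, "lang": "zh-CN"},
    "RU": {"tz": "Europe/Moscow", "utc_offset_hours": 3, "lang": "ru-RU"},
    "US": {"tz": "America/New_York", "utc_offset_hours": -5, "lang": "en-US"},
}


@dataclass
class Persona:
    egress_country: str   # country of the egress node the traffic leaves from
    accept_language: str  # Accept-Language header the browser will send
    browser_tz: str       # IANA zone the page's JavaScript would read from
                          # Intl.DateTimeFormat().resolvedOptions().timeZone
    user_agent: str       # User-Agent string (carried along, not checked here)


def utc(year, month, day, hour=0, minute=0) -> datetime:
    """Build an aware UTC datetime (helper so callers need no extra imports)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def primary_language(accept_language: str) -> str:
    """'zh-CN,zh;q=0.9,en;q=0.8' -> 'zh-CN' (first entry, q-value stripped)."""
    return accept_language.split(",")[0].split(";")[0].strip()


def coherence_issues(p: Persona) -> list:
    """Return the fingerprint attributes that contradict the egress location.

    An empty list means the persona is internally consistent; each string
    describes one mismatch a fingerprinting site could notice.
    """
    expected = LOCAL_PROFILE.get(p.egress_country)
    if expected is None:
        return [f"no local profile for egress country {p.egress_country!r}"]
    issues = []
    if p.browser_tz != expected["tz"]:
        issues.append(f"browser time zone {p.browser_tz} vs egress {expected['tz']}")
    lang = primary_language(p.accept_language)
    if lang != expected["lang"]:
        issues.append(f"Accept-Language {lang} vs egress {expected['lang']}")
    return issues


def local_time(now_utc: datetime, country: str) -> datetime:
    """Wall-clock time in the egress country for a given UTC instant."""
    offset = timezone(timedelta(hours=LOCAL_PROFILE[country]["utc_offset_hours"]))
    return now_utc.astimezone(offset)


def next_collection_window(now_utc: datetime, country: str,
                           start_hour: int = 9, end_hour: int = 18) -> datetime:
    """Earliest UTC instant >= now_utc at which the egress country's local
    clock falls inside [start_hour, end_hour), i.e. a plausible visiting hour."""
    local = local_time(now_utc, country)
    if start_hour <= local.hour < end_hour:
        return now_utc                      # already inside the window
    start = local.replace(hour=start_hour, minute=0, second=0, microsecond=0)
    if local.hour >= end_hour:              # too late today: wait for tomorrow
        start += timedelta(days=1)
    return start.astimezone(timezone.utc)


if __name__ == "__main__":
    # Constructed persona: traffic exits in China, but the browser still
    # advertises an English locale and a US East Coast time zone.
    sloppy = Persona("CN", "en-US,en;q=0.9", "America/New_York",
                     "Mozilla/5.0 (Windows NT 10.0; Win64; x64)")
    for issue in coherence_issues(sloppy):
        print("mismatch:", issue)
    # 14:00 in Washington, D.C. on 15 March 2022 (EDT) is 18:00 UTC,
    # which is 02:00 the next morning in Shanghai: not when locals browse.
    now = utc(2022, 3, 15, 18, 0)
    print("run collection at", next_collection_window(now, "CN").isoformat())
```

Run the script as-is to see the two mismatches and the deferred start time; in practice coherence_issues would gate the run (refuse to start with a contradictory fingerprint) and next_collection_window would feed the scheduler. The check compares IANA zone names rather than offsets on purpose: a site's JavaScript sees the name, and "Europe/Moscow" with a Shanghai egress is a tell even if the numeric offsets happened to coincide.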

The new OSINT army

Unprecedented intelligence has no doubt come out of social media in recent months, and it has proved pivotal to understanding the Russian invasion of Ukraine. But it's important to remember that OSINT is more than scrolling Twitter feeds. OSINT exists to take advantage of the vast wealth of information, online and off, to make sense of events and drive effective decision making.

By broadening the scope of where OSINT comes from, learning the risks of information gathering and how they affect intelligence outcomes, and applying best-practice tradecraft, the new class of researchers can be a powerful force in the ongoing OSINT revolution.