Welcome to NeedleStack, the podcast for professional online researchers.
I'm your host, Matt Ashburn, a cybersecurity professional, and OSINT aficionado.
And I'm Jeff Phillips, tech industry veteran and curious to a fault. Today, we have a special guest who's here to talk about the role of OSINT in law enforcement, specifically in regards to civil liberties and privacy laws.
Richard Denholm, welcome to the show.
Thank you very much. Happy to be here.
Awesome. Well, let me give a little background here on Richard, before we jump in. Richard is a law enforcement and legal expert, with nearly three decades of experience as a US government official. Now he currently serves as a director with A1C Partners, but he's also an adjunct faculty member at George Mason University's Department of Criminology, Law and Society. And interestingly enough, you've recently published a textbook on intelligence studies, Richard. What's the title of that?
Yes, I have. It's called, An Intelligence Studies Anthology: Foundational Concepts and Case Studies for the 21st Century. Published by Cognella.
That's super interesting. People can check that out. Richard, we've told people that this episode's going to be about OSINT within a law enforcement context, and a lot of your background stems from your time with the FBI. Can you tell us a little bit about your different experiences there?
Absolutely, yeah. I started with the FBI back in 1995. I was hired as a special agent then, and I began my career in the Washington field office working high level public corruption investigations.
And eventually, moved out to Ohio, went to Youngstown where I landed, did all types of FBI investigations. But a lot of corruption work, and we eventually investigated the US Congressman from that congressional district and we got him convicted. He went to prison and he was expelled from Congress. He actually was only the second US Congressman since the Civil War to be expelled.
I continued my career at the FBI working, mostly corruption, between Ohio and DC. And then I eventually, the last five years of my career at the FBI, I was the deputy director of the OCDETF Fusion Center, which is one of the largest federal law enforcement intelligence sharing platforms in the government.
And we did a lot of open source intelligence work at that center.
And then I know currently you serve as a director at A1C Partners. What's your focus in that role?
Well, A1C Partners provides open source analysts to the government. We work with different agencies to help them close the gaps from their government information that they have.
Our analysts are experts in conducting open source research, writing reports, disseminating those reports and working with government officials.
My role, since I retired from the FBI about four years ago, has been working as a director with A1C Partners. I also am an attorney, and I blend that experience between the law and my law enforcement special agent background. And I provide legal privacy and policy advice to the analysts and to the government officials that we work with, because there are a lot of different hurdles as we work in this environment.
One of the things that's very important, obviously, is that law enforcement not only enforces the law, but they're also compliant with the laws that are out there and the Constitution. So could you cover some of the top things that folks may not know with regards to OSINT and how privacy and civil liberties can be affected by that?
Absolutely. I mean, one of the main things to keep in mind, first of all, is that information that people freely and fully put out in the public domain is accessible by anyone. If you want your friends, neighbors, coworkers, to know information about you or about things you've done and you put it out there publicly and you do not protect the privacy of that information, that's fair game for everybody, including the government, including law enforcement. So there's an obligation under the law that if you want to keep something private, you have to work to make it private.
So obviously, if you're fully, freely putting information out there, you're not protecting that privacy.
And therefore, anybody could take a look at it, use it as required. But even with that, government officials, all that I know, all that I've worked with are careful with that information and careful not to abuse that as well.
Interesting. And you mentioned that a lot of your experience is with the federal government, are there any differences in OSINT and the collection of OSINT between the federal space and the state and local law enforcement agencies?
For the most part, in general, no. Because the Fourth Amendment of the US Constitution applies equally between federal, state, and local government.
So you have to be careful not to violate individuals' rights under the Fourth Amendment. Also, they have rights under the First Amendment, obviously as their free speech rights as well, right? So government at any level cannot interfere with that.
However, it's very important to know that there are different laws at each level and in each jurisdiction that could impact research for open source and it applies to developing any type of intelligence in law enforcement in the government. You need to understand the laws in the jurisdictions that you're working in. So you may work in a state or a city that has particularly restrictive limits on what law enforcement can do with open source intelligence, or any other intelligence.
Or you may work in one that gives law enforcement much more free rein to collect it. So the key to know, is understand the law in your jurisdiction. And usually you can work... in my case, when I was with the FBI, we would work with the US attorney's office. We worked with assistant US attorneys every day. They knew the law, they could advise us. Another mechanism in the FBI is we had what were called chief division counsels, usually special agent/lawyers as well, who worked to advise agents on the law.
And also, I would note that even as a federal agent, you have to pay attention to the law in your state that you're working in. Obviously the US court system has different circuits, which are the appellate level, and those circuits could have different rulings on how intelligence is collected and used, especially as it goes to open source intelligence.
I remember during the pre-show chat that we were doing, we were talking a lot about some of the challenges, and one of those being resources and constraints, especially at the state local level.
Can you talk a bit about how resource constraints can affect open source collection within law enforcement, and some of the considerations there?
Well, absolutely. A key thing I've noticed recently too, is it seems that there are many, many people who say that they're experts in open source intelligence and the collection of it.
I think there's a lot of people who dabble in it and sort of understand it. Our practitioners at A1C Partners work a lot in it, and have much more expertise because there are particular tools that are more useful than others that can be used in this open source intelligence realm. There's some freeware out there that some people are really good at using it, but what I've seen is the technical tools created and run by all kinds of different companies nowadays are often much, much better at helping to collect information.
And they're often very expensive.
So depending on the jurisdiction you're in, that cost always plays a factor and you have to weigh what tools you can purchase, what your budget is, et cetera.
That's super interesting, Richard. We'd be remiss if we didn't bring up, there's a lot going on right now, unfortunately, with Russia and Ukraine. Can you give us some of your thoughts on world events and how that's impacting OSINT practices?
Absolutely. Well, and when I teach my course at George Mason as well, I tell my intelligence students that the problem nowadays is not too little information, it's too much information.
So especially when you look in the open source environment, there is just so much information out there.
The former director of the FBI once called it, "Looking for needles in stacks of needles." And I think that's a very good description of what you have to do, because everything often looks alike.
Then the big problem too nowadays, especially if you look at the Russia and Ukraine situation, the Russians are masters at disinformation and they put a lot of fake... they literally put fake news out there.
They use it as a weapon, and they have for decades and they're very, very good at it. So especially if you're an open source intelligence analyst, you have to be very discerning of what you're looking at. We even saw recently, in recent days, widely reported in the media, some disinformation from Ukraine.
I think I saw one situation with a ghost jet that was flying around. I saw that that wasn't true. It was made up. I saw another snip on the news about somebody jumping... like a paratrooper jumping out of a plane. And floating down like he was invading or rappelling, whatever he was doing. But it turned out later that clip was actually seven years old. So analysts have to know their technical tools, know the technology they're working with, and really dig down into the metadata of these things to verify.
And if you notice, even in recent days, many of the major news networks that we're watching have really started to put notes in all their reports that we have verified this video.
We know from metadata that it's this.
So that's even developed even more in the last few weeks. And it's really fascinating to watch right now.
It is. And you commented, you quoted the former FBI director saying that open source is like finding a needle in a stack of needles. And that's really where even the name of our podcast comes from, NeedleStack, right?
That is a big challenge. And as you touched on, verifying the information and the analysis is a big part of this. When you look at open source as an intelligence discipline, it's not just going out and grabbing a screenshot from Twitter or looking at a map or downloading a video. It's that information and data, plus the subsequent analysis that sets it apart from just a casual collection of information.
Absolutely. And that brings to mind for me, as you say that, as also part of my course at George Mason, I teach a lot about the Ghost Army during World War II. And every country, every military uses what it's good at.
Well, what was the United States good at from the 20s to now, I would say? But we had Hollywood. We had actors, we knew how to build stage sets.
And as part of a strategy in World War II, they created a fake army that looked like tanks and guns. And they were just air balloons. But at that time, the Germans and the Japanese were not very good at discerning what was fake, what was real.
So it looked to them, from their very rudimentary ability, that there were different armies in different places.
They really weren't there. So those techniques are still used today. I mean, I think that's a very basic, early way of understanding what we're talking about.
And just imagine now how far we've come, over 70 years later, and how sophisticated it is. And that's why we're seeing all these different platforms and hackers and everything else getting really, really good at creating disinformation and fake reports and fake media.
Because now it seems like a lot of the battlefield is not only being waged in cyberspace as far as hacking, but it's information warfare at a whole new level.
You asked what we were good at in the 20s and 30s. And actually the first thought that came to mind was bootlegging during Prohibition. So that probably wasn't the answer you were looking for.
So I'm glad that you clarified that with the Hollywood reference.
Hey, Richard, an equal amount of our listeners are in the private sector. Can you talk a little bit about OSINT as it applies to commercial enterprises, as well as we've been talking about on the government side?
Absolutely. So clearly on the private side, there are privacy laws that apply. And anybody in corporate business analysis needs to be aware of the ramifications, still of the Constitution and laws in their jurisdiction.
But business intelligence can and does really benefit in the open source environment, right?
You could imagine... again, a very simplified way to put this and look at it. But to really make the point, is that if I'm the CEO of Coca-Cola maybe, and one of my folks comes to me and says, hey, it'd be a really good idea to build a new plant in Eastern Ukraine.
What do you think about that? And if you're not paying attention, you don't watch the news, you might think, hey, that's a great idea. We should do that. But you could see a very basic way of saying that is how using intelligence today from the news media to social media, to anything we would also call public available information. It's not just what you see on Twitter or Instagram or Facebook. There are literally millions of sources of information that are publicly available, that don't involve just social media.
So you need to have good analysts and good expertise reviewing all of that. So if I'm the CEO of a company and I want to put a plant somewhere, probably one of the first things I'm going to do, obviously I'm going to analyze the economic benefits of it.
But what's key to those economic benefits is understanding the geopolitical environment where I might be landing. What are the labor issues, et cetera. And open source intelligence can provide a lot of very valuable information to help you make those decisions and inform your decisions. So business analysts are really critical nowadays as well.
Sorry. As a follow up, does PAI, or publicly available information, do those rules... are they going to vary in the private sector versus the government sector?
Or is that all the same?
They could. And again, you should understand... and when we talk about businesses, we're always talking about corporate law. So corporate law is going to be very, very important, and contracts are going to be very, very important in whatever you're doing. And then you need to be though, thinking about, am I violating somebody's rights? California, nowadays, instituted very strict laws to protect its citizens' privacy. And there's a lot of implications for the Facebooks and the Twitters of the world and that sort of thing, that they have to be very careful how they collect data from people to, again, what do they want to do?
But they need to be aware of in their jurisdiction, are there very strict requirements on that? And what can they collect? How can they use it? And really most importantly, how do they have to protect the information of their customers?
So not only legally, but then you'd have to think about it too, from a corporate decision making standpoint. If you get found out as repeatedly violating people's privacy or civil rights, whether it was true or whether it was just perceived, you could lose a lot of customers that way, right?
So that would be a very bad thing and very dumb for your bottom line. So those items are key in the corporate and business world, but again, that's why they have their own general counsel's offices who provide advice to them on these issues.
Well, Richard, really appreciate the conversation today. Real quick, any final thoughts for 30 seconds here? What would you like to leave our listeners with?
I'd like them to understand how much open source intelligence is out there. And that finding the right analysts to help them, either in business or law enforcement is critical.
And again, understanding the laws in your jurisdiction, how they apply to you, but not to feel too constrained in this environment. Don't be afraid of it.
There are ways to navigate it. And there's a lot of folks out there, like us at A1C Partners, who can help.
Yeah. That's all great advice, and really appreciate the time today. And thanks to those that are out there in the audience for tuning into the show today. If you liked what you heard, you can subscribe, as always, to our show wherever you get your podcast. You can also watch episodes on our YouTube channel, and also view transcripts and other information about our podcast on our website. That's authenticate... authentic, with the number eight. Now, next week, we'll be back with even more on our tour of OSINT, and look at how it applies to trust and safety teams in the technology sector.
We'll see you then.