OSINT (Open Source Intelligence) refers to the collection, processing, and transformation of publicly available data into actionable knowledge for clients. There are multiple definitions, but the core distinction between traditional and modern interpretations lies in legality—whether the access to data is authorized or not. The modern Anglo-American approach leans toward the idea that data accessible to everyone can, within certain boundaries, also be processed and analyzed.
Classical OSINT sources include published books, scientific papers, and conference materials. Today, while these are still relevant, OSINT typically refers to the processing of online content—text, images, videos, and audio materials. Hobbyists often rely on social media as their primary source, but professional researchers extend far beyond that.
OSINT often overlaps with other intelligence disciplines, such as:
However, proactive actions like hacking are explicitly not part of OSINT. OSINT can target virtually anything: companies, scientific findings, people, events, or news coverage.
In the broadest sense, anyone who collects data from public sources is engaging in OSINT. However, several sectors use OSINT professionally:
The OSINT toolkit ranges from basic web searches to advanced AI-driven technologies. Training programs on professional OSINT usage are widely available, and their depth varies with the legal authority and role of the user, from private citizens to sworn officers. Such courses, aimed at hobbyists, detectives, academic researchers, and seasoned professionals, are accessible online in or from Hungary.
There are two fundamental constraints to OSINT:
When it comes to privacy, U.S. and EU practices differ significantly. In the U.S., the general principle is: if someone publishes content online—text, images, videos—they implicitly allow others to use it. The EU, however, imposes stricter limitations under GDPR, making privacy a central consideration in OSINT practices. In the EU, gathering data on individuals is more sensitive than investigating companies or military operations.
The key principles include:
Crucially, it’s not enough to be compliant; compliance must also be demonstrable during potential audits. This requires careful documentation of OSINT work—an often tedious but necessary administrative process.
OSINT must strike a balance between individual privacy and the public interest. For example, a pedophile cannot claim privacy protections when their activity is being investigated via social media. Legally, the target of the investigation should consent to the data collection. However, it’s questionable how “voluntary” this consent is—especially for, say, an employee fearing for their job.
Necessity underpins lawful grounds for OSINT use—e.g., investigating suspected cartel activity. The inquiry must serve a legitimate interest, such as pursuing embezzlement allegations. GDPR requires that methods be legal and proportional—which excludes theft, social engineering, or hacking, the latter being foreign to the OSINT philosophy anyway.
Additional GDPR expectations:
Important caveat: GDPR applies to law enforcement agencies, but not to national security services. A particularly tricky area is whether an OSINT researcher is considered a data controller or just a data processor. If the researcher has operational freedom, they cannot simply claim they’re only acting under client instructions.
The reader may decide how strongly they believe GDPR is upheld in real-world OSINT operations. We can assume that large corporations’ HR departments make an effort to comply. But it’s far less likely that every private investigator or amateur OSINT enthusiast seeking incriminating data for a civil lawsuit is deeply immersed in GDPR compliance.