Cyber Analysis Group - CyberAGroup - OSINT Darkweb Investigations  - Insider Threat - Crypto - Online threat & exposure - SOCMINT - Canadian

The Evolution of Digital Intelligence

As both government and private sector agencies outside of the police and intelligence communities come to realize the incredible advantage open source intelligence (OSINT) can provide, there has been a proliferation of OSINT teams within those organizations and a host of contractors offering OSINT services. After having created one of the first and best OSINT investigative units in Canada, I have learned that while I do not have all the answers in this era of growing privacy regulation, there are critical questions every organization must ask.

 

Privacy concerns and legislation like the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act now set strict ground rules for how Canadian organizations collect, use, and disclose personal information. Today, AI-driven tools can collect thousands of data points from sources like the dark web that lack clear attribution, making the landscape more complex than ever. Even organizations with defined investigative mandates struggle with how far their OSINT work can reach before legislation, privacy concerns, or internal policy limits their collection.

 

Guiding Principles and Policy Alignment

A practical way to guide collection is to treat online activities as a different medium to which you apply your current physical world policies. This consistency is essential for maintaining organizational integrity.

  • An organization that cannot engage in undercover operations and attend real-world physical meetings of extremists should think twice about creating a fake online moniker and joining an extremist web forum.
  • If an organization is not going out in public and interacting with subjects, it should likely avoid active OSINT techniques like attempting to befriend a subject on Facebook to view non-public information.
  • This internal policy alignment is especially critical when considering the scope of your team. Organizations must decide if they really want their own internal OSINT group to dig into the online footprint of their own executives.

 

Operational Readiness and Risk Management

Beyond legal compliance, the practical concerns of OSINT work are too often ignored until a malware infection is running amok on a corporate network or an employee is in crisis.

  • Infrastructure Security: Looking for threats online involves going to places where those threats flourish. Is your IT department prepared to hide and defend your systems against these external threats?
  • Human Resources: HR must be prepared to assist employees who may suffer negative mental health consequences or crises from viewing threat-related material.
  • Data Sovereignty: Since access to automated tools and third-party repositories is essential, you must decide if you are comfortable with providers potentially seeing and aggregating your activities.

 

The Build vs. Buy Decision

The choice between an internal team or using a contractor is unique to each organization, but both paths have distinct trade-offs.

 

  • Internal Capabilities: Building an internal team can be complicated, time-consuming, and expensive. It is often harder to flex internal capability to take advantage of the rapid change in tools, and ingesting large data sets internally can raise significant privacy concerns regarding the retention of personally identifiable information (PII).
  • External Contractors: A trusted contractor can elevate an organization's limits on viewing data that contains PII unrelated to their investigations by providing only the analyzed and filtered material required. This is useful for organizations that cannot obfuscate their affiliation and do not want providers to see their activity. However, a contractor is an extension of your organization. You must ensure they understand the Criminal Code of Canada, PIPEDA, and foreign regulations like the GDPR.

 

The Hybrid Solution

It does not necessarily need to be one or the other. A hybrid model allows an organization to maintain its own day-to-day capability while contracting out cases where a specialist can be more flexible, efficient, or successful. The one thing I am sure of is that if your organization doesn’t have a formal OSINT capability, in-house or contracted, you’re missing out on a significant investigative ability, threat detection capacity, and business intelligence tool.

 

Ryan Zorn – CyberAGroup (Cyber Analysis Group)