By Sarah Womer, Senior Analyst, Plessas Experts Network Inc.  

Prior to sharing OSINT products, research techniques, or related information, it is important to gauge whether the information should be shared in the first place. 

Traditionally, although OSINT is created from publicly available sources, the end product is often proprietary and, in some instances, classified based on the collection requirement, tradecraft, and methodologies used. Today, OSINT products are still often proprietary, confidential, and classified. Government Intelligence, Law Enforcement, Business Intelligence, and Private Investigators all create OSINT that may not be for public consumption. In addition, the definition of what is public differs between nation-states, agencies, organizations, and individuals. 

The OSINT Landscape has also radically changed with the open sharing of tradecraft, tactics, techniques, and tools since the early and mid-2000s with the changing digital ecosystem. OSINT practitioners now often collaboratively share inadvertently and directly. Oddly, even OSINT practitioners that may be at odds on a nation-state level through their governments may share tradecraft techniques through Social Media platforms simply by making a social media post on a topic. Investigative journalists have also increasingly become engaged in the OSINT field, as have non-profits, NGOs, and hobbyists. There are still government OSINT practitioners from a variety of governments that most likely lurk and passively collect versus post and engage. Many OSINT practitioners also engage collaboratively outside of work, but their work production remains proprietary.  I also sometimes wonder how many, if any, OSINT hobbyists or non-transparent OSINT social media accounts are government sock HUMINT puppets, as it is a plausible scenario. In addition, social media accounts pretending to be OSINT are engaged in influence activities versus OSINT creation, Fake OSINT. There is also confusion by non-OSINT practitioners on what OSINT is. I have seen many posts where a non-OSINT practitioner will refer to a Google Query as I “OSINTed” it versus I queried it. Researching something, as OSINT practitioners know, is not OSINT; it is a part of the process of creating OSINT.  

Regardless, not just OSINT, but in some instances, the sharing of OSINT tactics, techniques, procedures (TTPs), tools, tradecraft, and research should not be shared in an informal setting on social media as consideration should be given to how data is shared and what the data is.    

In the age of Social Media, where so many things can and are taken out of context, it is critically important to think about what is shared. Depending on the platform, there may be no paralinguistics to gauge, no tone, no physical tells, and sometimes just text. There is much room for miscommunication as one party may interpret the text differently than another. 

There is an opposite extreme - sharing nothing on Social Media. I have been there and practiced the art of passive collection before 2019, in which collection only occurred for research on social media with little to no sharing (because you are always at risk of a response). I did a test a decade ago to see what people would share with an overt sock puppet and found that many people are comfortable sharing information with a non-threatening persona, such as a dog. It was insightful as it showed what others would share, but I was still comfortably unnoticeable online. After the study, I then used that dog for animal rescue activities and made some wonderful friends. Today, there are thousands of dogs, cats, capybaras, and other “fake-identity” social media accounts. Some sock puppet social media accounts even have over a million followers and chat with influencer billionaires and politicians online, which amplifies their narratives.    

However, the art of not sharing in today’s digital environment as an OSINT practitioner may not be advisable for some, as many professional connections are now made on social media. Even though the number of followers should not impact the credibility and reliability of an OSINT practitioner, I suspect that it may. In some instances, the number of followers does reflect the expertise of the person, but in other instances, it does not. For example, there have been some fake OSINT accounts with high numbers of followers engaged in influence activities on social media resulting in far-reaching spread of misinformation. 

The hide-at-your-desk OSINT analyst in today's environment may be ignored simply for not speaking up, which equates to the concept of “if a tree falls in the forest but no one heard it, does it actually exist?” Unless, of course, that analyst is employed at an organization that celebrates a greater level of secrecy and social media silence. Ironically, this can also backfire as someone may then question why there is an absence of social media posts for that person. 

Multiple OSINT practitioners share on social media through the use of a fake persona or a sock puppet, which then raises the question of whether it is Cyber HUMINT and OSINT. If a research account engages with audiences, it is no longer simply an OSINT account, which brings the ongoing debate of where OSINT stops and HUMINT begins. Sometimes, this sock puppet use makes sense, and other times, it also raises the question of motivation. For example, is that OSINT sockpuppet from an adversarial state hiding because of fear of that government, or is that Social Media account a government entity? 

I remember my first feeling of exposure on social media in 2008. I shared a draft report on the potential of Terrorist Use of Twitter that was disseminated to a group of people via official email that had access to “For Official Use Only” who then shared it with larger groups of people within the same community. Someone then shared that report outside of the community and it was sent to the Federation of American Scientists (FAS), Wired, CNN, BBC, and a multitude of other channels. It was also shared on early social media, and pundits commented both for and against the draft report. Regardless, I was mortified and did not engage in social media. Fortunately, my client at the time got to have a wonderful interview with Defense News and received positive feedback for the product. I later got a letter of commendation from a really cool organization. At that time, OSINT analysts were not expected to publicly share collaboration, tools, means, and methodologies online.  We generally had small OSINT cluster communities of interest where we shared with each other, and there was an emphasis on not sharing on social media. 

I have gone back and forth on the limitations of sharing information. Recently, I was reminded that thoughtful consideration should occur before sharing information, and there is still something to be said about the art of not sharing. It does not mean analysts should hide behind a desk, although that is less threatening for some. I have come up with some suggested tips that collaborative community members can consider prior to sharing. 

Please note if you make a social media post it is not an OSINT Product but the OSINT collaborative community on Social Media does share- fact-checking, research techniques, resources, data, and other information that can be used for OSINT. OSINT communities will also sometimes share a product but the full product is generally not the post. For example, Bellingcat shares some outstanding products on Social Media by hotlinking.

Tips

• If the shared data does not represent your company or organization and if it is a personal social media account, make sure to always state on the account that it does not represent anyone other than yourself. Generally, a disclaimer in the social media profile should work. 

• If an observation is made on a resource before sharing, such as an article, it is typically not a stand-alone product and is usually from a larger resource. Always check that resource and cite it.

• If you comment or make an observation on an article, gauge how that hosting resource or other sources may react to it. For example, Elon Musk has sued the Center for Countering Digital Hate (CCH) for presenting research and data. In this instance, the CCDH gauged the risk of presenting the research and decided that sharing was worth the risk. 

• Consider the social media platform that you are on and the sharing limitations. Twitter, now X, as a platform, has a limited character set. If the context for the share can’t be added to a single post, don’t share it, or clearly mark and indicate that it is part of an organized thread. 

• Separately, if someone shares with you on X or another platform, check prior posts and whether they relate to the recent post. 

• LinkedIn generally ties directly to a person's place of employment, and personal opinions should be sparingly shared or shared with greater caution. Information that is shared should be supportive of professional goals and interests. 

• Each platform has a different culture and structure that impacts what and how a user should share. 

• If sharing information from a tool, don’t share the tool’s query response without citing it. If the tool may be unknown to the audience, explain how the tool works and why it is of interest. A tag to the tool may not suffice, as that can just be interpreted as a highlighted address. 

• Reference what intelligence gaps may exist when presenting data from a tool. It does not matter how good the tool is. It can be the best tool, and there is always room for error as humans create tools and humans make errors.

• If additional tools are used for information verification, then go back to the first point on whether the findings should be shared in the first place. Is the verified information important? What will the readers gain or interpret from it? How could it be misconstrued? 

• If the information to be shared is a vulnerability that could help protect others but possibly reflect negatively on a source, consider contacting the source directly versus posting it on social media. Sometimes, this may also backfire as the source of the vulnerability may not react positively. For example, in 2021, the Government of Missouri threatened to sue a journalist for sharing an open public vulnerability with a site. 

• In addition, if a vulnerability is noted but not fixed, highlighting it on social media can lead others to possibly exploit it. The vulnerability may still be exploited by someone at some time, even if not highlighted, as vulnerabilities often are exploited if left unfixed. However, instead of sharing the vulnerability on social media, contact the source of the vulnerability first to give the source a chance to fix it. If the source does not want to fix the vulnerability, then it may not be your problem. There is an exception to this concept, which is when a vulnerability is noted that could harm others, and the source won’t or can’t fix it. Then consideration should be given to whether there is another venue to provide the information to that is not public but that may fix the problem. A personal judgment also needs to be made on the degree of harm.  For example, if a domain had a vulnerability that could allow a visitor to receive a cryptojacker on their visiting operating system, a personal judgment would be made on whether to publicly share the observed vulnerability if it remains unfixed.

• There are instances where a vulnerability can’t or won’t be fixed. This exception is actually not unique and has been observed by multiple members in OSINT, INFOSEC, and hacking communities. I, and other analysts, often have examples of this, but we choose to responsibly not share our 2020, 2021, 2022, etc. epiphany on social media if it were to lead to adversarial exploitation. The important action is that the analyst contacted the appropriate venue to try and fix it. 

• If the observed vulnerability relates to national security, law enforcement, or military activities on Social Media, then the appropriate government channel should be contacted. For example, on August 26, 2021, I, and most certainly, other analysts, noted that there were live updates on Twitter from a user that was providing incremental consistent updates from claimed contact with ISIS-K, including passing a Taliban checkpoint, up to their attack on the Kabul airport with the last Tweet stating that it was to late to stop the attack. Reporting that type of information is a responsibility, even if you think it may have been reported, as you can’t assume it was. However, if the issue is reported in the news, such as BBC or CNN, then a judgment can be made that it does not have to be reported as the mainstream media are already covering it. For the observation on August 26, 2021, it was not reported in the news, and eventually, the account that claimed to be in contact with ISIS K was taken down. 

• Provide the context for why the information is shared. Data without shared context can be and is often misinterpreted. 

• One thing that many people forget in today’s media environment is what Marshall McCluhan said in 1964: “The Medium is the Massage” (sic) in which is meant the “Medium is the Message.” Is the medium that you are sharing the information on the best place to share? In many instances, a good old-fashioned phone call or email may be better than a public share.  Even if someone intends to be helpful, this can be seen as non-helpful to others who may interpret a social media post based on their cognitive biases or worldview.

Find Sarah on LinkedIn.