Ethical issues for journalists in OSINT, investigation, and online verification
* This post is based on a recent talk given at Trusted Media Summit 2020 that is also part of workshops on online investigation and verification given to journalists worldwide. It consists of thoughts and anecdotal examples arising from a decade of working in the field, and is not to be taken as legal advice.
Over the past few years, increasing numbers of people have become aware of the possibilities of digging up online information. Although not an entirely new phenomenon, it has been given a huge boost by some high-profile efforts.
Journalists, activists, and investigators have been thrilled by the exploits of maverick operators such as Bellingcat, as well as more established players like the New York Times and the BBC (Warning: Some of the content linked to contains distressing images).
Netflix, meanwhile, captured the public imagination with the documentary Don’t F**k WIth Cats, which chronicled the efforts of a group of everyday people whose online sleuthing contributed to the unmasking and apprehension of a killer.
Clearly, we can do many things in the pursuit of information that not so long ago would have been impossible. The question that is maybe not often enough asked is “Should we?”
The Spying Game
OSINT — Open-Source Intelligence — is a term that has gained increased currency in recent years. It can mean a lot of things, depending on who you ask — even the title of my own website uses it in a somewhat less than fully earnest way.
Dictionary definitions of “Intelligence” largely connect it with military or political use, or in terms of something to be applied when dealing with enemies. Cambridge, for example, defines it as:
secret information about the governments of other countries, especially enemy governments, or a group of people who collect and deal with this information
The internet has of course broken down many such walls and restrictions. Judging by conversations I’ve heard over the years, however — with references to “infiltration” and “targets” — a lot of the military or espionage mindset has at least caught the imagination of the civilian world. I also think it’s safe to say that when someone sees themself as operating in such an environment, there is a temptation to test ethical limits.
What is “open” anyway?
There is also some disagreement about what constitutes an open source. Take for example the following:
- Official published documents
- Documents accidentally made public
- Private citizens’ social media
I think we can all agree that the first of these is quite clearly open. Such material is created and published with the intention of being available to all.
It’s not uncommon, however, to find documents left exposed online and carryig designations like:
Often, these are innocuous. But what if they carry sensitive information such as patient details, passwords, or financial information?
Social media has become a seemingly never-ending trove of details about people whose existence you would otherwise be unaware of. Of course, don’t think it’s all one-way. Ask yourself (honestly):
Do you really know just how much of your own online presence is open to the public? Are you certain?
Before we move on, let’s be clear: Information acquired by hacking or otherwise compromising a source, or deceit, subterfuge or misrepresentation — even if justified — is not open-source. “Social engineering”, while undeniably an often useful approach for the investigator, is a conversation for another day.
There will inevitably be times when we have to ask ourselves how far we feel justified in going in the pursuit of information. Many approaches, while not illegal, will throw up ethical questions.
First of all, it is important to be aware of what is actually illegal in the jurisdiction in which you are operating. In some countries, for example, the use of email tracking pixels, or publishing someone’s photo in order to crowdsource identification efforts, may have legal implications.
But how about trawling someone’s social media accounts? At what point do you deem it justifiable to go beyond checking out someone’s profile section and start digging into photos of their family and friends?
Making judgments on the following three criteria may help next time you are confronted with doubts over whether to proceed:
How essential is the information to the task of verification? Could the information be acquired in another, less ethically questionable way?
How important is the information that will come as a result? Is it a matter of public importance (a government minister involved in massive corruption)? Or simply entertainment or titillation (a celebrity’s girlfriend looks like she may be pregnant)?
What is the potential fallout of acquiring the information in this way? Even if it is legal, is there a risk to the trust, integrity and dignity of the journalist or news outlet when the public becomes aware of the approach taken?
“If they’re too dumb or lazy to read the terms and conditions that’s not our problem”
The idea that anyone who overestimates their online privacy is “fair game” is an insidious one. Ask yourself:
- What online services do you use?
- When you signed up, have you ever fully read terms of service?
Call me cynical, but it seems pretty obvious that the endless verbiage that confronts you for a few seconds before you mindlessly click “I agree” is pretty obviously designed overwhelmingly for the benefit of the service provider, not the end user. In fact, it’s poignantly amusing to see the regular appearance of bombastic but utterly futile posts aping the jargon used:
Years of dealing with owners of amateur content, and contacting people through social media have left me in no doubt that vast numbers of people do not know fully what they have consented to when signing up to online services.
Adding to this is the cavalier approach taken by many media outlets when contacting content owners and trying to acquire permission or rights. If you are involved in this part of your employer’s operations, please read my tips on taking a healthier approach.
We’ve all seen it— the shocking post on the social media account of a celebrity or high-profile public figure. Whether it’s a conservative politician “liking” a pornographic image, a Hollywood star retweeting a wild conspiracy theory, or someone straight-up posting an unhinged screed, there’s no shortage of embarrassing material out there.
But before we rush to publish, it’s worth remembering the difference between “X said…” and “a post appeared on X’s verified account saying…”
Sure, the “I was hacked” defence has been used often enough that people are pretty sceptical of it by now — but it may well be true.
Equally, it’s not all that difficult to perform certain actions accidentally. Have you ever double-tapped to zoom in on a photo, forgetting that on Instagram that registers a “like”. Have you ever tried to open an individual tweet and liked it instead (not all that unusual with short tweets in the limited space of a phone screen)?
The two questions to ask yourself before proceeding are:
- Could it have been an accident?
- Was the person in control of their account or device?
The deluge of information that has come with near global access to the internet has accelerated massively with the advent of social media. Ethical dilemmas are nothing new to journalism, and many of the time-tested attitudes will still be crucial. But there are new minefields out there. Tread carefully.