Commercially Available Information is Absolutely Not a Part of OSINT

Zaki Khalid
4 min read · Mar 12, 2024


General appreciation of the American Intelligence Community's (IC's) OSINT Strategy 2024-2026 aside, a serious flaw is inherent in its definition of OSINT as intelligence that can also be obtained, even exclusively, from Commercially Available Information (CAI), and not just from Publicly Available Information (PAI).

In essence, the American IC contends that derivatives of CAI or PAI constitute OSINT.

Before I discuss why this is fundamentally flawed, we need to examine definitions in the IC’s Data Management Lexicon that were first published by the Office of the Director of National Intelligence (ODNI) in 2022.

PAI is essentially what the world generally understands as OSINT, but CAI's definition merits particular attention:

[Image: the ODNI Data Management Lexicon's definition of Commercially Available Information (CAI). © ODNI / US government]

To make it even clearer, the ODNI adds that CAI "is not necessarily PAI which is accessible to the general public". This point in itself is enough to suggest, strongly, that the apparent flaw in the American IC's conceptual understanding of the OSINT paradigm is intentionally designed to bring private information within the scope of collection duties.

Allow me to explain.

Public information (PAI, according to the ODNI) is information that was, by design, published or made available for consumption by parties other than the entity concerned. I have touched upon this issue in my earlier blog, 'Are Leads from Data Dumps Part of OSINT?'

On the other hand, CAI is not only data leaks but also proprietary information held by application developers, big tech corporations, telecom service providers and so on. The vast troves of data these companies harvest from end users, willingly or otherwise, are made available to the American IC. The ODNI tries to sugarcoat the actual nature of this entire process by suggesting that private companies are eager to 'volunteer' or 'sell' the data upon which they capitalise.

Sound familiar?

This soft language is a more nuanced way of rephrasing and integrating three particular provisions in the Chinese government’s National Intelligence Law of 2017 (amended in 2018):

Article 7: All organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law, and shall protect national intelligence work secrets they are aware of.

The State is to protect individuals and organizations that support, assist, and cooperate with national intelligence efforts.

Article 12: In accordance with relevant State provisions, national intelligence work institutions may establish cooperative relationships with relevant individuals and organizations, and retain them to carry out related work.

Article 14: National intelligence work institutions lawfully carrying out intelligence efforts may request that relevant organs, organizations, and citizens provide necessary support, assistance, and cooperation.

A reasonable question would be how the American IC is any different from its much-maligned Chinese counterpart. Essentially, it isn't. I recommend that readers study this very insightful publication by the Centre for Democracy & Technology titled 'Legal Loopholes and Data for Dollars'.

I'm not delving into the ethics or legality of such data collection by intelligence agencies because each nation state has its own vested interests to pursue. But what is deeply troubling is the ludicrous manner in which CAI has been conjoined with PAI as a constituent element of OSINT. Here are some reasons why I consider this senseless:

  • A state's declared interest in CAI tends to incentivise criminals to breach more systems and put the data up for 'auction' (or direct anonymous sale) on the deep and dark webs. The malicious actor(s) may not be aware that the buyer of a particular dataset is an authorised officer from the IC, but with publicised interest in data commerce, they will hope to 'strike gold' by 'being noticed'.
  • It is an established fact that big tech is already cooperating extensively with the American IC. Data brokerage encourages these companies to amass as much data as possible for commercial and legal leverage.
  • CAI gives an unfair advantage to the American IC simply because big tech is by and large headquartered in the US and hence has to comply with requests for cooperation. This discreet access to CAI for America's 18 intelligence agencies cannot represent the actual strengths and capabilities in the OSINT realm. Outside the US government, will anyone be able to determine the proportion of PAI versus CAI that went into an analytical product? How will this help gauge the overall performance of open source collection officers?

The reason why OSINT has traditionally been treated as a complement to HUMINT, SIGINT, etc. is its limitations. This is why All-Source Intelligence is a paradigm unto itself: where data from one discipline falls short, it is acquired as best as possible from the others to develop a decent mosaic.

Establishing a channel to communicate requirements to corporate entities and/or cyber criminals (independent data brokers) is in essence a form of Virtual HUMINT and should be viewed accordingly. An OSINT practitioner collects data discreetly and never establishes contact with the target themselves.

By this logic, Social Engineering, i.e. the wilful manipulation of a subject working in a private company in order to extract information, might also be declared CAI.

To conclude, while the ODNI is clear about the potential and pitfalls of OSINT, it is indirectly on the path to triggering a 'data arms race' that will eventually encourage its contemporaries to follow suit.

Intelligence agencies in countries other than the US routinely engage in data commerce with multiple brokers. On the pretext of 'OSINT', if these agencies are unsuccessful in securing cooperation from American big tech, they may resort to having the corporation banned and access to its platform denied in their respective countries.

In the end, the question is not about who wins but who ultimately loses.
