What we talk about when we talk about OSINT

What is OSINT? Defining a term for a living, evolving practice can be a challenge, subject to who you ask, what you’re referring to and a whole lot of nuance.

There’s a lot of buzz around open source intelligence, or OSINT, these days. From industry, to current and former intelligence community (IC) leaders, and members of Congress, there is no shortage of takes on how important OSINT is to the future of our national security. As we’ve seen during the Russian invasion of Ukraine, private citizens and journalists are doing incredible OSINT work.

OSINT as an activity isn’t new, but its recognition as a valuable intelligence discipline is relatively recent. Just about every component of the U.S. government’s national security apparatus collects open source data, but they all do it in their own way. Developing common OSINT standards, policies and tradecraft — putting it on par with other foundational INTs like SIGINT, HUMINT and GEOINT — starts with a common definition.

OSINT definition

Just recently, Congress called on the intelligence community to do just that. Section 309 if the Intelligence Authorization Act for Fiscal Year 2022 (passed as part of the FY22 omnibus spending bill signed in March 2022) directed the Director of National Intelligence and the Under Secretary of Defense for Security and Intelligence to jointly develop and publish definitions for a number of terms relating to intelligence, including open-source intelligence. This follows provisions in the FY21 Intelligence Authorization Act which called on the DNI and other IC leaders to conduct a number of comprehensive assessments on the IC’s open-source intelligence plans, strategies and capabilities, as well as studying the feasibility of creating a separate IC element dedicated to OSINT.

OSINT is an activity or practice, not the information in a vacuum or out of context.

While just about everyone can agree OSINT is valuable, there’s less clarity on what exactly “OSINT” is. Is a video of Russian tank maneuvers OSINT if no one puts it into context? Or is OSINT another step further, taking that information and conducting analysis to meet an intelligence requirement? The tank video becomes OSINT if the information it conveys is used to answer a question, even if it's a question you didn’t know to ask until you saw it. The distinction here is more about the “INT” portion of OSINT rather than the “OS” (we’ll dive deeper into the more complex debate about what “open source” is shortly). Broadly speaking, OSINT encompasses that practice of collecting, processing, exploiting, analyzing and/or disseminating open-source information. OSINT is an activity or practice, not the information in a vacuum or out of context.

OSINT vs. PAI

What constitutes an “open source” is generally considered publicly available information (PAI). Before discussing what’s publicly available, it may be helpful to cover what we know is definitely not an open or public source.

From a government perspective, classified collection capabilities are “closed sources,” such as spies or satellites. Another “closed source” is legally authorized collection, such as wiretaps or electronic surveillance. While not necessarily a classified collection capability, those sources are (legally) unavailable to those outside the government.

Government definitions of publicly available information (PAI) generally cover the same bases. While OSINT and PAI are closely associated, PAI has utility outside the context of an intelligence mission and can be leveraged by agencies that do not have legal intelligence authorities. The Department of Defense, for example, issued a directive (DoDD 3115.18) in 2019 on “DOD access to and use of publicly available information” that includes on guidance PAI for non-intel purposes. The term “open-source intelligence” is never mentioned.

The following are definitions from USG agencies:

• Department of Defense: information that has been published or broadcast for public consumption, is available on request to the public, is accessible online or otherwise to the public, is available to the public by subscription or purchase, could be seen or heard by a casual observer, is made available at a meeting open to the public, or is obtained by visiting a place or attending an event that is open to the public.
• Department of Homeland Security: unclassified information that has been published, posted, disseminated, broadcast, or otherwise made available to the general public, is available to a significant portion of the public, is available to any interested individual who opts to receive the information, is available to members of the public by subscription or purchase, could lawfully be seen or heard by a casual observer, is made available at a meeting open to the public, or is obtained by visiting any place or attending any event that is open to the public.

These days we think of PAI primarily as information accessible via the internet or even from traditionally non-internet native sources such as newspapers. And while a vast majority of the PAI gathered is from the digital realm, PAI can still be collected on the ground and in-person.

It’s the nuances of the online availability of information that presents the biggest challenges to not only defining what’s considered “public,” which leads to thornier issues of privacy and legality. Note that a lot of these constraints are unique to the USG, as private citizens or corporations are not subject to the same legal authorities or scrutiny (applicable state and federal laws notwithstanding) on issues like collecting US persons information.

Gray area of what's really private, public and commercial

As the amount of valuable data available online grows exponentially, the ability to quickly classify information as publicly available becomes more challenging. Setting your social media profile to “private” and available to only those you approve is still going to fall under the definition of “publicly available.” And we can easily accept that paying for a subscription to a technical publication still falls under the umbrella of publicly available information, but what about massive data bundles sold to advertisers? It’s not gathered via illegal means and it’s available for purchase — but there aren’t many organizations with the capacity to purchase and capability to parse through it. This is where newer terms such as “commercially available intelligence” or “commercially available information” pop up. These are distinct from commercial intelligence — essentially OSINT but for businesses gathering competitive intelligence.

The creation of new INTs or sub-INTs is bound to happen as OSINT evolves but it’s important to remain cognizant of the big picture to avoid confusion.