Legal Boundaries of OSINT: What You Can and Can't Do

OSINT has legal limits. CFAA, GDPR, terms of service, and state laws shape what investigators can collect and publish. A practical primer.

OSINT operates in a legal environment that most practitioners learn about only after making a mistake. "It was public" is not a legal defense in every jurisdiction, and "I didn't know" is not a defense anywhere. This post maps the doctrines that matter, with practical implications for everyday collection.

Disclaimer: All techniques described on this site are intended for lawful purposes only. Users are responsible for compliance with applicable laws in their jurisdiction. This site does not encourage or endorse unauthorized access to computer systems, private data, or protected information. OSINT techniques should be used within legal boundaries. Consult a legal professional if you are unsure about the legality of a specific technique in your jurisdiction.

The Five Doctrines That Constrain OSINT

1. Computer Fraud and Abuse Act (US) and Equivalents

The CFAA criminalizes access to a computer "without authorization" or in excess of authorization. The 2021 Van Buren decision narrowed the statute — using authorized access for unauthorized purposes is not itself a crime — but bypassing technical access controls still is.

Practical line:

  • Reading a public page: fine.
  • Scraping at a rate that triggers a block, then rotating IPs to evade the block: potentially over the line.
  • Registering a fake account to view members-only content: almost certainly over the line in jurisdictions that treat a login wall as a technical access control, and a TOS breach everywhere.
  • Using credentials that are not yours, regardless of how you got them: criminal.

Most investigators never encounter CFAA risk because they never try to bypass access controls. The trouble starts when scraping infrastructure is built to route around rate limits or login walls.

2. General Data Protection Regulation (EU) and Similar Regimes

GDPR applies to the processing of personal data of people in the EU. It binds controllers established in the EU wherever the processing happens, and reaches controllers outside the EU when they monitor the behaviour of people in the EU (Article 3(2)), which is how an investigator abroad can fall within scope. "Personal data" is broad: names, email addresses, IP addresses, and online identifiers all qualify. Journalistic and academic exemptions exist but are narrow and jurisdiction-specific, because each member state implements them in its own law.

Practical line:

  • Collecting publicly posted information about a private EU resident and storing it in a database without a lawful basis: likely a GDPR violation. "Legitimate interests" (Article 6(1)(f)) is the basis usually argued, and it requires a documented balancing test, not just an assertion.
  • Publishing the same information as part of a journalistic investigation in the public interest: usually covered by the journalism exemption, but not automatically.
  • Selling or commercializing that data: almost never covered.

The UK, California (CCPA/CPRA), Brazil (LGPD), and a growing list of jurisdictions have analogous regimes. Investigators working cross-border should assume the strictest applicable law governs.

3. Terms of Service and Contract Law

Violating a site's terms of service is rarely criminal post-Van Buren, but it can be a contract breach and, more practically, a trigger for account bans and civil suits. LinkedIn, Meta, and X have all sued scrapers.

Practical line:

  • Manual browsing of a public profile: fine.
  • Automated scraping in violation of robots.txt or TOS: exposes you to civil action and, in some jurisdictions, criminal liability.
  • Aggregating scraped data into a commercial product: the most dangerous combination.
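The robots.txt and rate-limit points above have a concrete engineering counterpart: check the site's published policy before any automated request is sent, and treat a block as a signal to stop rather than something to route around. The following is an added example, not code from this site or any collection tool it describes. The robots.txt content is constructed for the example, "https://example.com" and the collector user-agent string are placeholders, and the response handling is a design choice for this example rather than a legal standard.

```python
from typing import List, Optional, Tuple
from urllib.robotparser import RobotFileParser

# Constructed robots.txt standing in for what https://example.com/robots.txt
# might return. It is not fetched from anywhere; the example runs offline.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /members/
Disallow: /search
Crawl-delay: 5

User-agent: BadBot
Disallow: /
"""

# Hypothetical identifier for our collector. Sites match on the part before "/".
COLLECTOR_UA = "osint-collector/1.0"


def load_robots(robots_txt: str, site: str) -> RobotFileParser:
    """Parse robots.txt text for `site` (e.g. "https://example.com") without a network call."""
    rp = RobotFileParser()
    rp.set_url(site.rstrip("/") + "/robots.txt")
    rp.parse(robots_txt.splitlines())
    return rp


def fetch_policy(rp: RobotFileParser, user_agent: str, url: str) -> Tuple[bool, float]:
    """Return (allowed, minimum seconds between requests) for one URL.

    A Disallow match means do not fetch, even though the page would load.
    A missing Crawl-delay yields 0.0; callers should still pace requests.
    """
    allowed = rp.can_fetch(user_agent, url)
    delay = rp.crawl_delay(user_agent)
    return allowed, (float(delay) if delay is not None else 0.0)


def backoff_seconds(status: int, retry_after: Optional[str], attempt: int,
                    max_attempts: int = 3) -> Optional[float]:
    """Decide how to react to a server response during collection.

    Non-blocking statuses: no wait. 429/503 with Retry-After: wait exactly that
    long. 429/503 without the header: exponential backoff. After max_attempts
    blocks the answer is None, meaning stop the run. Rotating IPs or user
    agents to get past a block is the step that turns scraping into a CFAA
    question, so this function never suggests it.
    """
    if status not in (429, 503):
        return 0.0
    if attempt >= max_attempts:
        return None
    if retry_after is not None and retry_after.strip().isdigit():
        return float(retry_after.strip())
    return float(2 ** attempt)


def plan_collection(robots_txt: str, site: str, user_agent: str,
                    urls: List[str]) -> Tuple[List[str], List[str]]:
    """Split candidate URLs into (fetchable, skipped) before any request is made."""
    rp = load_robots(robots_txt, site)
    fetchable, skipped = [], []
    for url in urls:
        allowed, _ = fetch_policy(rp, user_agent, url)
        (fetchable if allowed else skipped).append(url)
    return fetchable, skipped


if __name__ == "__main__":
    candidates = [
        "https://example.com/about",
        "https://example.com/members/profile/42",
        "https://example.com/search?q=jane",
    ]
    ok, skip = plan_collection(SAMPLE_ROBOTS_TXT, "https://example.com", COLLECTOR_UA, candidates)
    print("fetch:", ok)
    print("skip :", skip)
```

The split happens before the first request, so the decision not to touch /members/ is recorded in the plan rather than discovered after a login wall appears. `backoff_seconds` returning None is the point a practitioner should internalise: a repeated block ends the run and goes into the investigation notes, it does not trigger a proxy pool.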

4. Defamation and Privacy Torts

OSINT produces findings about named people. Publishing those findings carries defamation risk if the findings are wrong, and privacy risk (false light, public disclosure of private facts, intrusion) even if they are right.

Practical line:

  • Private figures receive stronger privacy protection than public officials.
  • Truth is a complete defense to defamation but no defense at all to public disclosure of private facts, which by definition concerns information that is true.
  • Publishing personal information (home address, family members' names, medical history) about a private person without a clear public interest is a privacy tort in many jurisdictions.

Journalists with legal support handle this through pre-publication review. Independent investigators often do not have that support, which is why OSINT advice routinely emphasizes public figures and public conduct.

5. Sector-Specific Rules

  • Health information (HIPAA in the US) — HIPAA binds covered entities and their business associates rather than investigators, but medical details are "special category" data under GDPR (Article 9) and carry the highest privacy-tort exposure, so treat them as regulated even when they look public.
  • Financial information (GLBA, FCRA) — pulling a consumer credit report for investigative purposes without a permissible purpose under FCRA is illegal.
  • Minors (COPPA and equivalents) — COPPA itself binds operators of online services, but GDPR and most privacy regimes give children's data heightened protection, so collecting data on identifiable minors triggers special rules and rarely survives a proportionality test.
  • Voter records — legal to obtain in some US states, restricted in others, and often restricted to specific uses.

What You Can Do Without Much Worry

  • Read public web pages
  • Search public court records, corporate registries, and FOIA-released documents
  • View and document public social media posts
  • Run WHOIS, DNS, and Shodan lookups against public infrastructure (passive queries of published data; running your own port scans against hosts you do not own is a separate question and is treated as unauthorized access in some jurisdictions)
  • Archive public pages to preserve evidence (see /tools/wayback-machine/)
  • File FOIA and equivalent requests (see /tools/foia/)

What You Cannot Do, Full Stop

  • Access accounts that are not yours
  • Bypass paywalls, logins, or CAPTCHAs using technical means
  • Buy data from known breach brokers
  • Impersonate someone to obtain information (pretexting)
  • Use purchased or scraped personal data for commercial purposes without consent
  • Publish findings that identify private people without a public-interest justification

Jurisdictional Variation

Laws differ sharply:

  • Germany and France interpret GDPR more strictly than Ireland.
  • The US First Amendment protects publication more broadly than UK or Australian law.
  • Russia, China, and the UAE have national security provisions that criminalize OSINT activity that would be routine elsewhere.
  • For investigators documenting civil rights violations in the US, the constitutional environment is specific enough that dedicated guides exist — see the ICE Encounter rights guides for an example of how rights documentation intersects with OSINT workflows.

Investigators operating across borders should document the jurisdictions involved in their planning phase and avoid collection methods that are illegal in any of them.

Practical Guardrails

  1. Document intent. A written investigative plan showing public-interest purpose is a meaningful defense.
  2. Prefer targeted over bulk. Reading the pages that answer your question is safer than scraping a site wholesale.
  3. Minimize. Collect only what answers your question. Over-collection creates GDPR exposure and storage risk.
  4. Preserve correctly. Archive pages with the Wayback Machine and record SHA-256 hashes and capture timestamps for everything you save (see /tools/metadata/), so you can show later that the evidence was not altered.
  5. Get legal review before publication when findings name private people or allege wrongdoing.
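Guardrails 3 and 4 have a mechanical part: hash what you collect at capture time and keep a manifest that can be checked later by someone who does not trust you. The following is an added example, not code from this site or any tool it links to; the captured bytes are constructed for the example, the source URL and collector name are placeholders, and the manifest layout is a design choice for this example, not a standard format. Archiving to the Wayback Machine is a separate step and is not shown.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed capture: two artefacts an investigator might save from one page.
# The content is made up for this example.
SAMPLE_CAPTURE: Dict[str, bytes] = {
    "page.html": b"<html><body><p>Posted 2024-03-01: meeting at noon.</p></body></html>",
    "page.headers.txt": b"HTTP/1.1 200 OK\r\nDate: Fri, 01 Mar 2024 12:00:00 GMT\r\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def _canonical(files: dict) -> bytes:
    """Deterministic JSON encoding of the file list, so its digest is stable."""
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(items: Dict[str, bytes], source_url: str, collector: str,
                  collected_at: Optional[str] = None) -> dict:
    """Build a chain-of-custody manifest for a set of captured artefacts.

    Each file gets a SHA-256 digest and size. The manifest also carries a
    digest over its own canonical file list, so editing any entry later is
    detectable without re-reading the files. collected_at defaults to the
    current UTC time; pass an explicit value to pin it.
    """
    when = collected_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    files = {
        name: {"sha256": sha256_hex(data), "bytes": len(data)}
        for name, data in items.items()
    }
    return {
        "source_url": source_url,
        "collector": collector,
        "collected_at": when,
        "files": files,
        "manifest_sha256": sha256_hex(_canonical(files)),
    }


def verify_manifest(manifest: dict, items: Dict[str, bytes]) -> List[str]:
    """Return a list of problems; an empty list means every artefact matches.

    Checks, in order: the file list itself is unmodified, every listed file is
    present with the recorded digest, and no unlisted file has been added.
    """
    problems: List[str] = []
    if sha256_hex(_canonical(manifest["files"])) != manifest["manifest_sha256"]:
        problems.append("manifest: file list altered")
    for name, rec in manifest["files"].items():
        if name not in items:
            problems.append(f"{name}: missing")
        elif sha256_hex(items[name]) != rec["sha256"]:
            problems.append(f"{name}: content changed")
    for name in items:
        if name not in manifest["files"]:
            problems.append(f"{name}: not in manifest")
    return problems


if __name__ == "__main__":
    manifest = make_manifest(SAMPLE_CAPTURE, "https://example.com/post/1", "analyst-1")
    print(json.dumps(manifest, indent=2))
    print("intact:", verify_manifest(manifest, SAMPLE_CAPTURE))
    edited = dict(SAMPLE_CAPTURE)
    edited["page.html"] = edited["page.html"].replace(b"noon", b"night")
    print("after edit:", verify_manifest(manifest, edited))
```

Store the manifest separately from the artefacts (and ideally in something append-only or time-stamped by a third party), since a manifest kept beside the files it describes proves only that both were edited together. The minimisation guardrail applies here too: only the files actually needed to answer the question go into the capture, because everything in the manifest is something you will have to justify holding.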

The Ethics Layer

Legal compliance is a floor, not a ceiling. The /ethics/ page walks through the ethical framework — proportionality, harm minimization, source protection — that sits on top of legal requirements. An investigation can be legal and still unethical.

Bottom Line

OSINT is legal in every jurisdiction this site covers, provided it stays within the boundaries above. The investigators who get into legal trouble are almost always the ones who treat "it's public" as a complete analysis. It is not. The question is always: public how, to whom, under what conditions, and for what purpose.

Build legal review into your methodology. Every investigation benefits from it, and the ones that do not have it tend to be the ones that end badly.
