Information Security: The Dark Side of OSINT

In 2015, an ISIS headquarters building in the Middle East was destroyed by US forces using location information found in a selfie posted on social media. According to USAF General Hawk Carlisle, airmen at Hurlburt Field, Florida, found an image posted online with a person bragging "...about command and control capabilities for ISIS." The photo’s background apparently gave away the location of the building, which was reduced to rubble by an air strike a mere 22 hours later.


In 2007, troops at a US base in Iraq took photographs of newly-arrived AH-64 Apache helicopters and uploaded them to social media sites. Little did they realize that insurgents were able to extract the location data (geotags) from the images and use it to launch an accurate mortar attack that destroyed four helicopters. US forces were subsequently warned that they should disable geo-location on their phones and avoid taking any photographs while in operational locations.



What can we learn from these examples? And how does this apply to your life and your work? In a previous article, we discussed the power of Open Source Intelligence (OSINT) to help us find out all there is to know about a person, organization or issue of interest, at least as far as publicly-available data is concerned. Yet the above examples show us the other side of the OSINT coin, where critical information is inadvertently handed over to an adversary, with dire consequences.


Now consider the amount and the nature of the personal information that you share online, and how it might disclose more than you had bargained for. To put it differently, if a stranger were to search for you on Google, Facebook, LinkedIn and elsewhere, how much could they learn about you as a person, your family and friends, and your coworkers? Could they discover where you live? Where you work? Where you attended school? Your hobbies, interests and daily routines?

In 2019, a stalker managed to track down and sexually assault a young pop star in Japan after identifying a local train station reflected in the victim’s eyes in a selfie she posted online. According to reports of the incident, the attacker waited at the station until he saw his victim and followed her home.


On the business side of things, consider what information an outsider could glean about your company simply by looking at its online presence. For example, if they wanted to learn about the systems and software used by the company, then job ads and employee resumes are a good place to start, as these often include a wealth of (“insider”) information. Once enough ads and resumes have been gathered and analyzed, a much more detailed picture may emerge.


The phenomenon of small bits of seemingly insignificant or unrelated data revealing a more vivid picture in aggregate is known as the “mosaic effect,” and it is one of the key methods of intelligence gathering. The power and danger of this approach is that even anonymized data may become vulnerable to re-identification if enough datasets containing similar or complementary information are released.

The Mosaic Effect, turning bits of data into useful intelligence
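From the releasing side, the mosaic effect can be measured before a dataset goes out. The following is an added example, not part of the original article: it computes k-anonymity (the size of the smallest group of records sharing the same values) for every combination of fields and reports the smallest combinations that single out a record. The field names and all sample values are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: a name-free staff extract. Every value is invented.
COLUMNS = ("zip", "birth_year", "job")
RECORDS = [dict(zip(COLUMNS, row)) for row in [
    ("30301", 1985, "DBA"), ("30301", 1985, "Dev"),
    ("30301", 1990, "DBA"), ("30301", 1990, "Dev"),
    ("30302", 1985, "DBA"), ("30302", 1985, "Dev"),
    ("30302", 1990, "DBA"), ("30302", 1990, "Dev"),
]]

def k_anonymity(records, columns):
    """Size of the smallest group of records sharing the same values in
    `columns`. k == 1 means some record is unique on those columns."""
    groups = Counter(tuple(r[c] for c in columns) for r in records)
    return min(groups.values(), default=0)

def minimal_risky_subsets(records, columns, k_min=2):
    """Column subsets whose k is below k_min while every smaller subset of
    them is still safe: the points where harmless fields become identifying."""
    risky = {}
    for size in range(1, len(columns) + 1):
        for subset in combinations(columns, size):
            if any(set(found) <= set(subset) for found in risky):
                continue  # already covered by a smaller risky subset
            k = k_anonymity(records, subset)
            if k < k_min:
                risky[subset] = k
    return risky

if __name__ == "__main__":
    # Each field alone hides a person among 4 others, any pair among 2,
    # and all three together among nobody.
    for size in range(1, len(COLUMNS) + 1):
        for subset in combinations(COLUMNS, size):
            print(subset, "k =", k_anonymity(RECORDS, subset))
    print("release blockers:", minimal_risky_subsets(RECORDS, COLUMNS))
```

A combination reported here is a candidate for generalizing (for example, publishing an age band instead of a birth year) or withholding before release.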

Another danger of the mosaic effect is that given enough data points about a person (or an organization), certain undisclosed details may nonetheless be exposed or “predicted” using statistics and algorithms. One such example is the case of retail store chain Target, whose data analysis department used customer demographic data (much of which is available in the public domain) and purchase patterns to create a “pregnancy prediction” algorithm that could tell, with a high degree of accuracy, if a particular customer was pregnant and even predict her due date. In one case, Target discovered that a high-school girl was pregnant even before her family did.



Who’s after your data, and why? The answer to the first question depends on who you are and what you do, but it is safe to say that a (partial) list of the usual suspects will include one or more of the following: government agencies, law enforcement organizations, terrorists, hackers, criminals, stalkers, insiders (e.g. disgruntled employees), competitors, marketers and advertisers, and the nosey. As to the why, the motives range from guarding national security to selling you chewing gum and socks, and everything in between, including hacking your personal data and accounts and stealing your identity.