LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

Where exactly is the line between legitimate OSINT and illegal data collection?

OSINT crosses the line when it violates proportionality, changes purpose without legal basis, involves mass scraping, or lacks transparency toward data subjects.

Legal OSINT Problematic OSINT
Serves a legitimate, stated purpose. Excessive collection beyond what's needed.
Scope is proportional to the goal. Purpose changes without new legal basis.
Methods are transparent and documented. Mass scraping that violates platform terms of service.
Justified by law, consent, or overriding interest. High-risk profiling without adequate safeguards.
Data subjects can be informed if required. Subjects are not informed despite legal obligation.

Three scenarios that clearly cross the line:

1. Proportionality violated. Conducting a comprehensive social media analysis, covering years of posts across multiple platforms, for a simple job application. The depth of investigation far exceeds what's necessary for the hiring decision.

2. Purpose deviation. Collecting publicly posted vacation photos for commercial profiling, targeted advertising, or behavioral analysis. The users shared these images with friends and followers, not with data brokers building consumer profiles.

3. Information duty violated. Systematically collecting and analyzing personal data from public sources without ever informing the data subjects. Under both the DSGVO and revDSG, there are situations where you must notify people that you're processing their data, even if you obtained it from public sources.

From Quiz: PRIVACY / TOM and OSINT | Updated: Jul 14, 2026