Cross-checking information online is a new privacy risk, warns the CNIL


Camille Coirault

February 7, 2024 at 5:48 p.m.


Not seeing your face in a photo does not anonymize it © tsingha25 / Shutterstock

For several years now, the CNIL has been carefully studying a discipline called Open Source Intelligence (ROSO or OSINT). It consists of cross-checking information available online about an individual in order to identify them.

While few French people seem to pay attention to the protection of their personal data, the CNIL is once again sounding the alarm about a practice that is becoming more and more widespread: cross-checking information online. It is practiced by many actors: journalists, cybercriminals, security professionals, investigative services and recruiters. A person's digital presence should be seen as a puzzle: each piece of information taken individually does not necessarily allow the person to be identified. However, once several pieces have been collected, it is possible to put them together and easily identify an Internet user.

A digital puzzle with real consequences

ROSO therefore consists of the meticulous assembly of various data publicly available on the internet. The slightest piece of information, no matter how trivial, can be used to complete this puzzle: photographs posted on a social network, comments on a blog or on an e-commerce site, etc.

This data, once collected, makes it possible to draw up a precise portrait of almost anyone and to collect personal information about them: work and home addresses, for example. For the CNIL, this cross-checking represents a danger for the average Internet user, who is not particularly aware of this type of risk.


Data scattered between several platforms can be linked together to identify anyone © Prostock-studio / Shutterstock

A practice situated between legitimate use and surveillance

Even if the CNIL recognizes the usefulness of ROSO in certain areas, it points out that the reuse of publicly available information must scrupulously respect the data protection principles of the GDPR. This reuse must also comply with the Data Protection Act.

However, it still considers that cross-checking information via ROSO remains an intrusive process at the individual level. On the page of its site concerning this practice, it recalls: “For example, using ROSO to reveal information relating to a person’s private, family or professional life or allowing them to be identified or located and exposing them to a direct risk, which cannot be ignored, of harm to one’s person or family, is punishable by 3 years’ imprisonment and 45,000 euros (article 223-1-1 of the penal code)”.

Protect yourself effectively

As usual, the CNIL suggests a series of behaviors to adopt in order to counter or minimize the risks linked to ROSO. Most of them are common sense, but it never hurts to be reminded of them. It recommends using different email addresses for the accounts held on different sites and (still!) using pseudonyms. Although it may seem obvious, posting sensitive information such as a home address, license plate or identity documents is strongly discouraged. If the CNIL points this out, it is because this type of practice has not disappeared.

A little less well known: it also advises against posting a similar photo on different platforms. Another very good habit to adopt: take an interest in the privacy settings of frequently used applications, an aspect that is fairly often overlooked. In short, nothing should be left to chance! Every detail counts in maintaining your (relative) anonymity online.

Source: CNIL


