OSINT is powerful and easy to misuse. This page documents the ethical framework I've built into my research practice — not as a disclaimer, but as the actual operating principles that determine what I will and won't do, and why.
Collect only the information required to answer the specific question. Every piece of data about a person that you collect beyond what the question demands is a privacy cost with no corresponding benefit. OSINT is not stamp collecting.
A research log that only records findings is not sufficient. Document the pivots you chose not to pursue and why. If your methodology is ever challenged, the reasoning matters as much as the findings.
"I could not find public information sufficient to answer this question" is a legitimate and honest research conclusion. Never fill an evidence gap with inference presented as fact. The temptation to connect dots is where most OSINT investigations go wrong.
How findings are shared, stored, and used must match the stated purpose of the research. Evidence gathered to verify a journalistic claim is not appropriate for public posting. Evidence gathered for personal safety is not appropriate for sharing with third parties without consent.
Public figures — politicians, executives, public organizations — have reduced privacy expectations regarding their public roles. Private individuals, including family members of public figures, do not. Apply a substantially higher burden of necessity before researching a private individual.
I will not build ongoing location profiles, monitor an individual's movements, or track someone's daily activity, regardless of whether the underlying data is technically public. Purpose matters more than method.
I will not aggregate and publicly post personal information with the intent, or the likely effect, of enabling harassment. This is harm facilitation, not research, regardless of whether every individual piece of data was public.
I will not use public data to facilitate corporate theft, IP appropriation, or targeted competitive harm. The techniques may overlap with legitimate research; the purpose determines whether the work is research or an attack vector.
OSINT is a passive discipline. The moment you interact with a system beyond what any public user would encounter — including exploiting misconfigurations — you have left the domain of OSINT and entered unauthorized access territory.