Publicly available information: Risks, benefits, and ‘why there needs to be a change’
October 18, 201911:23 am
4 min read
Publicly available information is becoming increasingly important in the fields of intelligence analysis, cybersecurity and criminal investigations, among others. Making use of that information is a process known as Open Source Intelligence. But along with PAI and OSINT comes an increasing understanding that, in certain positions, analysts need to protect themselves while gathering PAI.
“Across the Department of Defense, there’s a term that we used called the essential elements of friendly information. And that is a set of information that when pieced together can become extremely useful to those who are interested in learning more about our capabilities, or areas of interest within the department,” said Sean Heritage, head of platform adoption federal at Authentic8. “People are beginning to understand that the aggregation of web searches coming from an unclassified IP space can be especially damaging, which is one reason I believe the department is pushing for non-attribution tools to conduct what seems on the surface to be benign web browsing.”
A non-attribution tool is something that obfuscates your identity, keeping other parties from tracking your activities or whereabouts online. That kind of tracking usually happens through browser software, and is usually fairly benign. Your browser collects cookies from everywhere you’ve been; those cookies are aggregated and sold to third parties who usually use it to target advertising. That’s why, after searching for a particular item, you are more likely to see advertisement for that or similar items in the near future.
But because those cookies are also tied with some identifying information, like IP addresses, it can be dangerous in certain circumstances. For example, web searches for hotels, restaurants and venues could potentially reveal in advance the locations or schedules of highly ranked government officials. It can also hint at the true identities of undercover law enforcement.
That’s why, in June, the DoD released directive 311518 on the use of PAI.
“It does three primary things,” Heritage said. “First thing it does is it elevates and operationalizes the use of publicly available information for the Department of Defense to users outside of the traditional open source, intelligence and investigative realms.”
That means PAI is no longer strictly the concern of intelligence analysts, cyber analysts and investigators.
“Second, it concisely defines what publicly available information is, and the importance of leveraging specific tools to access it. For example, not your commercially available web browser,” Heritage said.
That definition includes information that is:
Published or broadcast for public consumption.
Available on request to the public, such as through Freedom of Information Act requests.
If it is accessible, online or otherwise, to the public.
If it is available to the public through purchase or subscription.
If it is made available at a meeting open to the public, or if it’s obtained by visiting a place or attending an event that is open to the public.
“And third, it establishes a PAI Advisory Council that will ultimately provide that governance and develop additional clarity as PAI continues to play an increasingly important role in national defense,” Heritage said.
Heritage said he believes the focus of this group will be how to deal with, access and use PAI, and what tools should be used to leverage it.
Currently, the directive falls into a similar category as guidance or best practices, Heritage said. It’s not yet law or mandate. What it does, Heritage said, is lay down the path to get to that point.
“I believe that what this this directive does so far, is it communicates why there needs to be a change. And what that change needs to be,” he said. “What we have not yet done is firmly committed to a how. So to me, this directive is about shaping a how over time.”
Another effect of this directive will be to bring numerous different creative problem solvers together to figure out how to deal with this issue. As different people and organizations interpret the directives in their own ways, a set of best practices, shared tactics, techniques, procedures and even technologies will begin to emerge, as some look to protect PAI, while others look to leverage it.
“I think there are a lot of times we frame this conversation around privacy and security as a balance,” Heritage said. “And I think this is one of those cases where you can do both simultaneously. As we more deliberately leverage publicly available information, we will become more knowledgeable about the world around us, thereby allowing us to take actions that will enhance our security. And if we do so in keeping with the intent of this directive, we will simultaneously enhance the privacy of the individuals and organizations engaging with the outside world from their desktop.”