A Tale of Two Identity Trends: Minimizing privacy for criminals & maximizing our own

Never before have our identities been so publicly available, minimizing privacy.

From our exact location (mobile phone GPS) to evolving physical appearances (Instagram) and even our internal thoughts (X, formally-Twitter), the internet is a treasure trove for validating and attributing identity and intentions.

The birth of the OSINT expert

The explosion of Open Source Intelligence (OSINT) professionals shows us that a lot of skill and effort is involved to weave together all this personal exposure into an actionable piece of intelligence. If there was a magic button to profile an identity, we wouldn’t need OSINT experts. Far from falling victim to automation, the OSINT expert community is actually booming.

The OSINT community is full of helpful ‘How to’ guides and libraries showcases 100s of tools to help finding people. Yes, Social Media is a primary source, but from wedding gift registries, flight records, archived webpage capture, vehicle history and electoral rolls, there’s plenty more to keep an investigator busy when identifying someone.

OSINT done right is a highly specialized and laborious task. And it’s only getting harder.

Criminals are painting us into a corner – minimizing privacy

Meta recently stopped API access to Facebook Groups, and in 2023 X started what many deem as phase one of monetizing or gating API access to its rich content.

This comes just as End-2-End Encryption (E2EE) is being rolled out in earnest across all remaining social messengers. A perfect storm for OSINT investigators. Less data (or exclusionary data) equals less intelligence.

For the sake of privacy, many welcome these initiatives, and indeed privacy is often the trigger for these policies in the first place. But you don’t need to go far to find investigators, especially tasked with unmasking criminals, unhappy with this direction.

Such is the reaction from OSINT community that one start up even became a privacy champion in response to X’s API restrictions , switching from consuming X … to protecting users from X.

This response from the market is to be expected. Without co-dependence between platforms and 3rd parties, a quasi-adversarial culture of VPNs, privacy tools and takedown services have sprung up in response.

Identity: A weapon for criminals

But a boom in any market brings with it fraudsters and manipulators. There are criminals in all walks of life. Ironically, the privacy industry can’t escape identity thieves.

For example, Brian Krebs (with the help of Constella) recently investigated various consumer data brokers and people-search providers – such as OneRep and Radaris – both of which have links to Belarus and Russia… respectively raising suspicions.

Criminals have more options: more privacy tools at their disposal…to fight an increasingly disjointed enemy of manual OSINT investigators, regulators and privacy activists.

Identity: A weapon for us

Here’s where we believe exposed identity data – that is, the mass dumps of identity information found online – can changes things for the better.

Apart from the obvious protection that being aware of exposed credentials offer individuals and business (social engineering, ATO and synthetic ID fraud remain top threat vectors of attack), exposed identity data fills the gap for an OSINT investigator searching for an effective response to new online profiling obstacles.

As outlined by Krebs above, and in countless other OSINT investigations, aliases identified in breached datasets join the dots between people and networks the surface web cannot resolve by itself. What’s more, it’s a dataset which, by its nature, can’t be put back in the box and subject to takedown. It’s a decentralized and uncontrolled treasure chest. There’s nothing a criminal can do to stop it.

By Lindsay Whyte