It’s an Open Secret That Canada Needs an Open-Source Intelligence Framework

Canada relies on open-source intelligence (OSINT), but secrecy, weak rules and lack of safe harbours stifle innovation. Here’s why a clear OSINT framework is urgent.

October 21, 2025
Malone, Matt - Open-source Intelligence
If the information is already public, how can it be treated as sensitive? (Blair Gable/REUTERS)

In the past, becoming a Canadian spy meant joining the Canadian Security Intelligence Service (CSIS); today, it often means opening an X account. Intelligence has become heavily democratized, and intelligence agencies in democracies themselves now often rely heavily on open-source intelligence — that is, scouring publicly available information, such as social media, to generate insights.

Canada’s signals intelligence agency, the Communications Security Establishment, is hardly alone in “acquiring, analyzing, retaining, and disclosing” OSINT in furtherance of its mandates, as its enabling statute permits. The Privy Council Office’s Intelligence Assessment Secretariat also uses OSINT in its intelligence briefs, such as the one that led to the ban on TikTok on government-issued devices.

Global Affairs Canada also monitors OSINT for the safety of its missions abroad. The sergeant-at-arms uses it to watch for threats against members of parliament. And the burgeoning field of “research security” involving entities such as CSIS, Public Safety, and Innovation, Science and Economic Development is heavily reliant on it.

But even though OSINT is, by definition, publicly available information, the intelligence products created with its aid often remain classified. This reflexive secrecy flows from a deeply entrenched view that “strength lies in secrecy.”

However, it raises an important question regarding government transparency: If the information is already public, how can it be treated as sensitive?

The Transparency Dilemma

Traditionally, intelligence was secret because the sources themselves were secret. OSINT flips that script. Today, government officials piecing together tiles of public data are not finding secrets; they are, instead, making mosaics of publicly available information that often become secrets themselves.

The arguments for secrecy over such intelligence products remain the same. Many in government feel that transparency would hamper their operational decision making. They argue that the public may not be able to understand or contextualize the information, or they might even feel that there is already enough transparency.

But none of these arguments hold much weight when talking about OSINT. Traditional freedom of information frameworks operate by simply redacting exempt (in other words, secret) information in processing requests for government records. With OSINT, the content is not secret; if anything, it is the method, not the content, that is the most important secret.

The lack of a clear framework for OSINT has several consequences. It may mean that government officials are uncertain about what is subject to disclosure, creating chilling effects on their work. They may also have legitimate fears of reverse-engineerability of government tradecraft or techniques used to gather and analyze OSINT, since such disclosures could then be worked into operational security of adversaries.

However, that brings us back to the core problem: Without a proper framework, the government’s inclination toward secrecy often goes into overdrive unjustifiably.

OSINT products are routinely withheld in their entirety. Just try asking any of the government institutions listed above for any of those intelligence products. The Privy Council Office has literally redacted Hansard in responding to access to information requests. When I requested OSINT products under public records access legislation, I had to go to court just to obtain disclosure of redacted information that was, in essence, already public.

We need a better framework. Justice Marie-Josée Hogue made this clear in her final report on the Public Inquiry into Foreign Interference in Federal Electoral Processes and Democratic Institutions. Three of her final recommendations focused on OSINT, although they were light on ideas for implementation.

Strengthening Canada’s Security

One way to develop a framework is by analogizing the secrecy we give to OSINT products with the trade secrecy protections we offer to private companies. Just as the government uses its national security prerogative to assert secrecy over certain OSINT products, companies sometimes assemble public ingredients into novel products that we recognize as trade secrets.

But protections of trade secrecy can be overridden in the public interest when they harm security, safety or the environment. OSINT secrecy should likewise always be subject to limits. These overrides need to be reasonable, clear and workable.

Perhaps most importantly, the government also needs to drop any pretense that it is doing intelligence alone. Just as law enforcement agencies circulate images of criminal suspects to benefit from collective intelligence, the work of average citizens in OSINT can help achieve many of the objectives of national security.

Of course, there are promises and pitfalls to this approach. OSINT groups, such as Bellingcat, have high standards for verifying information prior to publication and have played a critical role in breaking news and combating disinformation. At the same time, many “OSINT”-styled accounts on social media have been known to farm misinformation and disinformation.

On balance, it is evident that the government cannot and does not operate alone in this domain. The government itself relies on a mature consultant industry doing OSINT. When former CSIS director David Vigneault resigned, he joined Strider, an American company specializing in OSINT. The Canadian government recommends using Strider’s services to conduct due diligence to identify research security risks.

Notably, none of the companies that the federal government recommends alongside Strider for identifying such risks are Canadian. We have essentially outsourced the responsibility for national security in this domain to foreign companies.

That could change, but first, Canada will need to create safe harbours for civic-minded Canadians to do their part with OSINT. Because OSINT often involves scanning vast amounts of publicly available information, such as social media, using this information can create numerous liabilities — including potential copyright infringement, violation of terms of service agreements or allegations of invasion of privacy.

Safe Harbours or Stifled Innovation?

These days, American technology companies, emboldened by US President Donald Trump, need hardly worry about feeble Canadian laws and even more enfeebled Canadian regulators clamping down on their activities, such as mining or scraping publicly available data. After all, they were able to get Canada to dismantle its flawed Digital Services Tax in return for basically no concessions.

Unfortunately, researchers and public-interest innovators in Canada do not operate under such favourable circumstances. They need safe harbours, but they lack them.

This deliberate policy choice is on display in Ottawa’s recent call to create AI-powered tools utilizing OSINT to identify research security risks. It is intended “to position Canadian innovators at the forefront of OSINT-driven due diligence methodologies while safeguarding national interests.”

That will not happen at the level expected by the government, though, because Ottawa’s recent call to build prototypes requires innovators to respect every single platform’s terms of service, licensing rules, prohibitions on website scraping and any other restrictions on the use of their public content.

For example, the call requires prototypes to consider scraping sources such as CanLII. But that requirement must reconcile with CanLII’s tactics of suing those who scrape it without its permission. Nothing dampens innovation like having to ask for permission to innovate. At the same time, established actors who are comfortable with the status quo have little incentive to give it up.

Canadian government officials have refused to provide researchers or innovators working in the public interest with safe harbours — such as protection from liability when they scrape or mine public information — to do the work they are asking them to do. Asking them to respect every rule concerning the use of publicly available data, when it is clear that foreign technology companies and the government itself do not follow all of these rules, is naive thinking.

English philosopher Jeremy Bentham described this fundamental quandary in his treatise, Political Tactics: “A nation too numerous to act for itself, is doubtless obliged to entrust its powers to its deputies. But will they possess in concentration all the national intelligence?” The answer is obviously no, but our laws have so far failed to recognize this reality — and prevented us from expanding an intelligence capability of growing importance.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.

About the Author

Matt Malone is an assistant professor at the University of Ottawa Faculty of Law and the director of the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic.