Open-source intelligence and privacy by design

As demonstrated by other papers on this issue, open-source intelligence (OSINT) by state authorities poses challenges for privacy protection and intellectual-property enforcement. A possible strategy to address these challenges is to adapt the design of OSINT tools to embed normative requirements, in particular legal requirements. The experience of the VIRTUOSO platform will be used to illustrate this strategy. Ideally, the technical development process of OSINT tools is combined with legal and ethical safeguards in such a way that the resulting products have a legally compliant design, are acceptable within society (social embedding), and at the same time meet in a sufficiently flexible way the varying requirements of different end-user groups. This paper uses the analytic framework of privacy design strategies (minimise, separate, aggregate, hide, inform, control, enforce, and demonstrate), arguing that two approaches for embedding legal compliance seem promising to explore in particular. One approach is the concept of revocable privacy with spread responsibility. The other approach uses a policy mark-up language to define Enterprise Privacy Policies, which determine appropriate data handling. Both approaches are tested against three requirements that seem particularly suitable for a 'compliance by design' approach in OSINT: purpose specification; collection and use limitation and data minimisation; and data quality (up-to-dateness). For each requirement, the paper analyses whether and to what extent the approach could work to build in the requirement in the system. The paper concludes that legal requirements cannot be embedded fully in OSINT systems. However, it is possible to embed functionalities that facilitate compliance in allowing end-users to determine to what extent they adopt a 'privacy-by-design' approach when procuring an OSINT platform, extending it with plugins, and fine-tuning it to their needs. The paper argues that developers of OSINT platforms and networks have a responsibility to make sure that end-users are enabled to use privacy by design, by allowing functionalities such as revocable privacy and a policy-enforcement language. (C) 2013 Bert-Jaap Koops, Jaap-Henk Hoepman and Ronald Leenes. Published by Elsevier Ltd. All rights reserved.