CI-301b · Module 3

Legal & Ethical Collection Boundaries


OSINT collection operates within legal and ethical boundaries that must be understood before building source systems. Legal boundaries: terms of service compliance, respect for rate limits, personal data regulations (GDPR, CCPA), and computer access laws. Ethical boundaries: no deception in data collection, no impersonation, no exploitation of non-public access. The rule is simple: collect only publicly available information through legitimate channels. If accessing the data requires deception, unauthorized access, or a terms of service violation, it is not OSINT — it is something else.

  1. Terms of Service Compliance: Review and comply with the terms of service for every source. Many platforms explicitly prohibit automated data collection. Violating ToS creates legal risk and can result in access being permanently revoked. If ToS prohibits scraping, use the API. If there is no API and ToS prohibits scraping, find an alternative source.
  2. Rate Limit Respect: Even when ToS permits access, aggressive collection can trigger IP bans or degrade the source for other users. Respect documented rate limits. When no rate limit is documented, collect conservatively — spread requests over time, use polite crawling headers, and monitor for throttling signals.
  3. Personal Data Boundaries: Competitive intelligence about organizations is distinct from intelligence about individuals. Collecting executive names and public professional activities is standard CI practice. Collecting personal information, private social media activity, or location data crosses into surveillance. The boundary is the public/professional distinction.
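The conservative collection described in item 2 (spacing requests, identifying the collector honestly, reacting to throttling signals) can be encoded in a small fetch wrapper. This is an added example, not part of the module; the header values, status codes treated as throttling, and the injectable `send`/`clock`/`sleep` hooks are assumptions so it can be exercised offline.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed example: identify the collector and give the site operator a
# way to reach you. Values are illustrative assumptions.
POLITE_HEADERS = {
    "User-Agent": "example-ci-collector/1.0 (+mailto:osint-contact@example.invalid)",
    "From": "osint-contact@example.invalid",
}
THROTTLE_STATUSES = {429, 503}   # "slow down" signals from the source


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


class PoliteCollector:
    def __init__(self, send: Callable[[str, Dict[str, str]], Response],
                 min_interval: float = 2.0, max_attempts: int = 4,
                 clock=time.monotonic, sleep=time.sleep):
        self.send, self.min_interval, self.max_attempts = send, min_interval, max_attempts
        self.clock, self.sleep = clock, sleep      # injectable for offline testing
        self.last_request: Optional[float] = None
        self.throttle_events = 0                   # how often the source pushed back

    def _wait_turn(self) -> None:
        # Spread requests evenly: never fire sooner than min_interval after the last one.
        if self.last_request is not None:
            remaining = self.min_interval - (self.clock() - self.last_request)
            if remaining > 0:
                self.sleep(remaining)
        self.last_request = self.clock()

    def fetch(self, url: str) -> Optional[Response]:
        for _ in range(self.max_attempts):
            self._wait_turn()
            resp = self.send(url, dict(POLITE_HEADERS))
            if resp.status not in THROTTLE_STATUSES:
                return resp
            # Throttling signal: slow down for the rest of the run, then honour
            # Retry-After if given, otherwise back off by the (doubled) interval.
            self.throttle_events += 1
            self.min_interval *= 2
            retry_after = resp.headers.get("Retry-After", "")
            self.sleep(float(retry_after) if retry_after.isdigit() else self.min_interval)
        return None   # give up rather than keep pressing a source that is throttling
```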