SOCMINT (Social Media Intelligence) is a sub-discipline of OSINT frequently used by law enforcement agencies, but also by private companies, journalists and human rights researchers. The practice involves extracting information about individuals from user profiles, interactions between internet users, or metadata associated with the content posted on social media platforms.
In Canada, there is no legal text that directly addresses this discipline. By studying other laws, such as those applicable to protecting personal information – the Privacy Act in Canada’s Criminal Code, plus certain provisions in Quebec law about establishing a legal framework for information technology, one can try to trace the legal contours of this discipline.
Facebook, Instagram… Public or private spaces?
Those engaged in SOCMINT are often stepping into a minefield. In social networks, the notion of information being “public” is actually more complex than it seems. However, precious few people pay much attention to the potential risks of this practice, as illustrated by the number of lawsuits related to the collection of information from platforms.
“Information found on social media is regularly brought into the court, especially in relation to employment law,” states Nicolas Vermeys, Associate Director of the Cyberjustice Laboratory, and Professor in the Law department at the Université de Montréal. Much of the time, the crux of the challenge lies in the settings applied to the virtual profiles. If a piece of information is public, it is more difficult to consider its collection intrusive than if data are extracted from a private profile.
Yet there is a still a snag, warns Nicolas Vermeys: “The word ‘public’ leads to confusion. A piece of public information on social media is ‘public’ in the sense that anyone can see it. However, it is not ‘public’ in the sense that anyone can use it. ” Nor that it can be used for any purpose.
It is also important to stress that collecting personal data from third-party platforms, without the consent of the person concerned, is against the law. “According to Quebec and Canadian laws that directly or indirectly touch on protecting personal information, personal data about a third party must only be collected with the person’s knowledge and through contact with them – irrespective of the reason for collection,” Nicolas Vermeys explains.
Nevertheless, establishing illegality in this kind of practice is a completely different ballgame. In order to hold someone liable for an offence and be able to demand compensation, it is first necessary to show that a law has been infringed or that a reasonable person would not have acted in such a way. Next, it must be successfully proved that harm has occurred. Finally, it must be possible to establish a link between the offence committed and the harm.
However, exceptions do exist, particularly for journalists, who are authorised to gather and share information in the public interest. The exceptions are, nevertheless, limited, as Nicolas Vermeys muses: “For example, you’re not allowed to park a car in front of where I live and start filming inside my house! The same thing sort of applies to social media: did you go and look for information that really is public, or did you have to rummage to find it? ”
The profession of the people targeted also plays a major role in determining whether information has been collected using inappropriate methods. For example, the digital footprint of an influencer, who earns a living by building their popularity on social media, will have less legal protection than the footprint of a university lecturer; in the latter case there is a higher expectation of privacy.
Data scraping : legal or not?
Data “scraping”, which involves using an application to extract useful information from a website, is a technique used by many “OSINTers”. Also, numerous scraping tools devised by open-source researchers are shared free of charge on GitHub.
In Quebec, the practice of data scraping is subject to article 24 of the law concerning the legal framework for information technology. This article states that “The use of extensive search functions in a technology-based document containing personal information which is made public for a specific purpose must be restricted to that purpose.”
Here’s an example of an illegal data scraping practice: the defunct website Globe24h, which offered access to legal rulings collected via different case law websites all over the world, and also listed them on Google. “If you are divorced and you googled your name, the first entry on the results list would be your divorce judgement,” says Nicolas Vermeys, by way of illustration. The company, which was deemed to be fraudulent – it insisted that individuals pay management fees in order to retrieve documents – was subjected to sanctions by the Federal court.
While the wait for a clearer legal framework continues, engaging in SOCMINT is akin to walking a tightrope. This lesson was learned the hard way by the Israeli firm Voyager Labs, whose activities are a perfect example of SOCMINT gone bad: accused of scraping data on 600,000 Facebook and Instagram users through thousands of fake accounts, the surveillance firm is currently being sued by Meta (parent company of Facebook and Instagram), and is itself in the dock for many scandals related to the privacy of its users.