ZeroTrace OSINT
# Legal & Ethics

The legal and ethical lines OSINT runs up against: what the toolkit lets you do, and what you should think about before you do it.
The toolkit is a capability. The decision about whether to use a particular capability against a particular subject is yours. This page is the framing investigators use to make those decisions defensibly.
## What the toolkit will let you do
The toolkit will let you investigate any subject you point it at. It does not enforce a permission system, an authorisation check, or a target whitelist. The trust model is: the user is a professional acting in their own jurisdiction, against subjects they have a lawful reason to investigate.
## What "lawful reason" means
The lawful reasons vary by jurisdiction and by professional role. Common categories:
| Role | Typical lawful reasons |
|---|---|
| Investigative journalist | Public-interest reporting; right-of-reply preparation; due diligence on public figures or public companies. Country-specific shield laws often apply. |
| Legal investigator | Court-authorised discovery; pre-litigation due diligence; service-of-process research. |
| Compliance / fraud team | Internal investigations of own employees, customers, vendors; due diligence as part of KYC / AML obligations. |
| Security researcher | Authorised penetration testing; coordinated vulnerability disclosure; threat-intelligence research within your organisation's purview. |
| Self-investigation | Researching exposure of your own identity, business, infrastructure. |
If your role does not appear above, the relevant question is: can I defend this investigation in writing to a judge, an editor, or a regulator? If the answer is "yes, I can show a clear professional reason," proceed. If the answer is "I am curious," pause.
## Specific legal considerations
The list below is not legal advice. Consult a lawyer in your jurisdiction for the cases that matter.
| Activity | Common legal frame |
|---|---|
| WHOIS / DNS lookups | Public data; rarely regulated. |
| Reading publicly-available web pages | Generally legal; some jurisdictions restrict scraping at scale or scraping behind a logged-in barrier. |
| Reading social-media public profiles | Generally legal; subject to the platform's terms (which may contractually prohibit automated access). |
| Active port scanning | Restricted in many jurisdictions. Authorised tests only. |
| Brute-forcing paths or subdomains | Restricted in many jurisdictions. Authorised tests only. |
| SQL-injection probing | Effectively always restricted; authorised tests with written permission. |
| Storing scraped personal data | Subject to GDPR (EU), UK GDPR, CCPA (California), PIPEDA (Canada), and analogous laws. Investigators are generally subject to the same data-handling rules as anyone else. |
| Searching paste sites for credentials | Reading is permitted; using a discovered credential is not. |
| Reverse image search | Permitted; the use of identified information is regulated separately. |
Cyber-crime laws (US CFAA, UK Computer Misuse Act, EU NIS2 / Cybersecurity Act, equivalent laws elsewhere) are broad and aggressively enforced. The threshold for "unauthorised access" is often lower than non-lawyers expect. When in doubt, seek written authorisation before testing.
## GDPR / privacy law specifically
For investigators based in or operating against subjects in the EU / UK:
- Personal data includes IP addresses, email addresses, phone numbers, and many other identifiers.
- Processing personal data for investigation purposes is permissible under several lawful bases (legitimate interest, legal claims, journalistic activity, public interest).
- Storing personal data in your investigation profile is itself processing — it falls under the same regime.
- Subject access rights mean an investigated person may, in some contexts, request what data you hold on them.
- Journalistic exemption in many EU member states partially exempts journalistic processing from full GDPR strictness, with conditions.
The toolkit does not transmit your investigation data anywhere, which simplifies your data-controller responsibilities considerably. But the data you collect is still subject to your local law.
## Ethical considerations beyond the law
Things that are legal but worth thinking about:
| Question | Why it matters |
|---|---|
| Is this investigation in the public interest, or am I scratching curiosity? | Curiosity is not a defence against the harm of having been investigated. |
| Could my findings be used to harm the subject disproportionately to the wrongdoing alleged? | An accurate investigation that produces a 100x amplified consequence is still a harm caused. |
| Is the subject able to defend themselves? | Investigations of public figures and companies are different from investigations of private individuals. |
| Will my report cause collateral damage? | Publishing connected identifiers (a target's family, employer, neighbours) may create harm beyond the target. |
| Am I confident in my findings? | Severity-tagging your findings as confirmed vs. pending is the discipline that prevents over-claiming. |
These are professional-judgment calls. Most established investigative-journalism organisations and many compliance teams have written ethical-decision frameworks; if your organisation does, use them.
## What the toolkit deliberately does not include

A short list of capabilities the toolkit does not ship, for legal reasons, ethical reasons, or both:
- Face recognition. Regulated in many jurisdictions; ethically fraught everywhere.
- Paid people-search aggregators. PimEyes, Spokeo (paid tier), BeenVerified: out of scope.
- Active social-engineering tooling. No phishing-page generators, no pretexting templates.
- Live exploitation tooling. The recon command builders generate commands; they do not run exploitation themselves.
- Cryptocurrency tracing without scope. The IOC extractor parses crypto addresses but does not run wallet-graph tracing.
The "deliberately does not include" list is intentional. The toolkit is for finding publicly-available information about subjects you are authorised to investigate.
## In short
The toolkit gives you capabilities. The rules about when to use them come from your jurisdiction, your profession, and your judgment. When in doubt, seek written authorisation, consult a lawyer, or do not run the query.