Last updated:

⚖️ Is OSINT Legal?

Yes — mostly, and the exceptions are specific rather than vague. Here is where the line actually falls in 2026: the cases that define it (hiQ, Van Buren, Meta v. Bright Data, Clearview), why GDPR bites harder than the CFAA, and the one rule that catches out more people than hacking ever does.

Quick answer: Collecting genuinely public information is legal in the US, UK and EU. OSINT turns unlawful at three specific moments: when you bypass an access control, when you process personal data without a lawful basis (GDPR — which applies even though the data was public), or when you use lawful data for an unlawful purpose such as stalking, harassment or an FCRA-regulated decision. The technique is almost never the crime. The access method and the purpose are. This page is information, not legal advice — and we are not lawyers.

The single most useful thing on this page: the case that everyone cites — hiQ v. LinkedIn — is cited wrongly about half the time. hiQ won the CFAA argument and still lost the case. Understanding why is the difference between safe practice and a consent judgment. Jump to it.

The three lines that actually matter

Almost every OSINT legal question collapses into one of three tests. If you can answer these three honestly, you have answered 90% of the question for your own situation.

The testSafe sideUnsafe side
1. Access
How did you get it?
Open to anyone. No login, no paywall, no credentials. You typed a URL or ran a search. You logged in, bypassed a rate limit or anti-bot control, used someone's credentials, or opened a door that was shut. This is where the CFAA and the UK Computer Misuse Act live.
2. Data
What is it about?
Non-personal: infrastructure, corporate filings, prices, domains, technical records. Personal data about identifiable people. GDPR applies even if it was public. You need a lawful basis and a documented balancing test.
3. Purpose
What are you doing with it?
Journalism, security research, due diligence, self-checks, authorised investigation. Stalking, harassment, doxxing — or an eligibility decision (employment, tenancy, credit, insurance), which drags you under the FCRA whether you meant to or not.
Notice what is missing from that table: the tool. There is no such thing as an illegal OSINT tool in any of these frameworks. Nothing on this site — or on Maltego, or SpiderFoot, or Google — is unlawful to possess or run. The law cares how you got the data, what the data is, and why you wanted it.

The case everyone cites, and gets wrong

If you have read one thing about OSINT legality, it was probably "hiQ v. LinkedIn made scraping legal." That is half the story, and the missing half is the part that would actually have saved hiQ.

2021Van Buren v. United States (Supreme Court)SCOTUS held that a person "exceeds authorized access" under the CFAA only by obtaining information from areas of a computer that are off-limits to them — not by using authorised access for a disapproved purpose. This foreclosed purpose-based CFAA liability. Using data in a way the owner dislikes is not hacking.
2022hiQ Labs v. LinkedIn (Ninth Circuit) — hiQ WINS the CFAA pointApplying Van Buren, the Ninth Circuit held that scraping pages open to anyone without credentials is not "unauthorised access". Where there is no authorisation gate, there is nothing to breach. A site owner cannot unilaterally criminalise access to its own public pages by saying so in its terms.
Late 2022hiQ LOSES the case anywayThe court found hiQ had breached LinkedIn's User Agreement — which it had accepted by creating accounts. The case ended in a consent judgment and a permanent injunction. hiQ won the hacking argument and lost on contract. The CFAA protected it from a hacking claim; nothing protected it from a contract it had signed.
Jan 2024Meta v. Bright Data — the line sharpensA court declined to find Bright Data liable for scraping public, logged-out Facebook and Instagram pages. The contract claim survived only for the window in which Bright Data had an actual contractual relationship with Meta. Browsewrap terms you never clicked were treated as a much weaker basis than clickwrap you actively accepted. Settled in 2024; Bright Data continues to operate.
Late 2025 →Reddit v. Perplexity AI — the new frontReddit sued Perplexity and several data-collection providers, invoking DMCA §1201 and alleging circumvention of technological measures including rate limits and anti-bot systems. Pending as of early 2026. Watch this one: it tests whether defeating a bot control is circumvention, which would matter far more to OSINT practice than the CFAA ever did.
The operative lesson, in one line: logging in is the act that changes your legal position. Logged-out collection of public pages sits on the strongest ground US law currently offers. The moment you create an account you accept a contract, and that contract — not the CFAA — is what will be used against you. hiQ lost on exactly this.

GDPR bites harder than the CFAA

US practitioners tend to fixate on the CFAA. If your subject is in the EU or UK, that is the wrong thing to worry about. GDPR governs personal data — and it does not care that the data was public.

  • "It was public" is not a lawful basis. There is no public-data exemption. You need one of the six lawful bases, and for OSINT it is almost always legitimate interests — which requires a documented balancing test weighing your interest against the subject's rights. Write it down before you collect, not after you are asked.
  • The fines are not theoretical. The Clearview AI actions — built on scraping publicly posted photographs — drew penalties across multiple European regulators reaching into the tens of millions of euros. Every photo Clearview took was public. That was not a defence.
  • Special-category data is a hard stop. Data revealing health, sexuality, religion, political opinion, trade union membership or biometrics carries a much higher bar. Facial recognition on a public photo is biometric processing.
  • It applies to your subject, not your office. GDPR follows the data subject. A US investigator profiling an EU resident is in scope.

The rule that catches more people than hacking ever does

Here is the genuinely under-appreciated risk, and it has nothing to do with computers. In the US, if you use information to make a decision about employment, tenancy, credit or insurance, you are inside the Fair Credit Reporting Act — regardless of whether you paid a service or found it free on Google.

FCRA imposes permissible-purpose, notice, consent, accuracy and adverse-action duties. A landlord who googles a prospective tenant and declines them over what they find has stepped into a regulated activity without complying with it. This is why virtually every free OSINT tool — including this one — carries an explicit FCRA prohibition in its terms. It is not boilerplate. It is the most commonly tripped wire in the entire field, and it does not require you to touch a single access control.

Know your statutes

JurisdictionWhat binds you
United StatesComputer Fraud and Abuse Act (unauthorised access) · Fair Credit Reporting Act (eligibility decisions) · Stored Communications Act · state anti-stalking statutes · CCPA/CPRA and the state privacy laws · DMCA §1201 (circumvention — see Reddit v. Perplexity)
United KingdomComputer Misuse Act 1990 · UK GDPR + Data Protection Act 2018 · Protection from Harassment Act 1997 · Investigatory Powers Act (for the regulated sector)
European UnionGDPR · ePrivacy Directive (relevant the moment you deploy a tracking pixel or honeypot) · national implementing law, which varies more than people expect

What defensible practice actually looks like

  1. Stay logged out. The strongest position in US law is collection of public, logged-out pages. If a task requires an account, understand you have just accepted a contract and moved onto weaker ground.
  2. Never bypass a control. Rate limits, anti-bot systems, paywalls and logins are the gate. Walking through an open door is not the same as picking a lock, and courts have been consistent about the difference.
  3. Respect robots.txt. Not binding, but it is a good-faith signal that colours every other fact if a dispute escalates.
  4. Document your lawful basis before you start if any subject may be in the EU or UK. A legitimate-interests balancing test written after a complaint is worth very little.
  5. Write down your purpose. Purpose is a legal element, not a formality. If you cannot articulate it in a sentence, stop.
  6. Never touch eligibility decisions without an FCRA-compliant process and a consumer reporting agency. This is the one most likely to bite you.
  7. Capture defensibly if it might ever be evidence — timestamps, hashes, capture logs. A bare screenshot is weak. See our OPSEC guide for the operational side.
  8. Get advice when it is sensitive. Genuinely — the cost of an hour of a lawyer's time is trivial against a consent judgment.
The ethical line sits inside the legal one. The same tradecraft that protects a journalist protects an abuser, and the difference is entirely purpose and authorisation. Plenty of things on this site are perfectly legal and still wrong to do to someone. Legality is the floor, not the standard.

Frequently asked questions

Is OSINT legal?

In general, yes. Collecting information that is genuinely public — published web pages, public social posts, court records, corporate filings, WHOIS data — is lawful in the US, UK and EU. OSINT becomes illegal at the point you bypass an access control, obtain data you are not authorised to hold, or use lawful data for an unlawful purpose such as stalking or harassment. The activity is rarely the crime; the access method and the purpose usually are. This page is not legal advice.

Is Google dorking illegal?

Constructing a search query is not illegal — a dork is just an advanced search using operators that Google itself documents. What matters is what you do with the results. Google returned the URL, but acting on exposed credentials, entering a system you have no authorisation for, or downloading data you know was not meant to be public can engage the Computer Fraud and Abuse Act in the US or the Computer Misuse Act 1990 in the UK. The search is lawful; the intrusion is not.

Does scraping a public website break the law?

In the US, not under the CFAA. In hiQ Labs v. LinkedIn the Ninth Circuit held that scraping pages open to anyone without credentials is not "unauthorised access", applying the Supreme Court's reasoning in Van Buren v. United States (2021). But hiQ still lost — in late 2022 the court found it had breached LinkedIn's User Agreement, which it had accepted by creating accounts, and the case ended in a consent judgment and permanent injunction. The lesson is precise: the CFAA protects you from hacking claims on public pages; it does not protect you from a contract you agreed to.

What is the difference between browsewrap and clickwrap?

Clickwrap is where you actively agreed — you ticked a box or created an account. Browsewrap is a terms link sitting in a footer you never clicked. Courts treat them very differently: clickwrap is a strong contractual basis, browsewrap is much harder to enforce. In Meta v. Bright Data (January 2024) the court declined to block scraping of public, logged-out Facebook and Instagram pages, and let the contract claim proceed only for the period when Bright Data had an actual contractual relationship with Meta. Logging in is often the single act that converts a defensible collection into a contract breach.

Does GDPR apply to OSINT?

Yes, and it is usually the bigger constraint. GDPR governs personal data regardless of whether that data was public — "it was on the internet" is not a lawful basis. If you process personal data about people in the EU or UK you need a lawful basis, most often legitimate interests, and you must be able to document the balancing test. The Clearview AI enforcement actions are the clearest warning: regulators across several EU states issued fines into the tens of millions over scraping public photographs. Public does not mean unregulated.

Is it legal to use a sock puppet or fake account?

Creating a pseudonymous research account is generally lawful in itself, but it almost always breaches the platform's terms of service, and terms breach is a contract issue rather than a crime. The risk escalates sharply if the persona is used to deceive someone into disclosing information, to gain access to a private group, or in anything resembling entrapment. Note also that logging into an account is exactly what converted hiQ's defensible public scraping into an enforceable contract breach.

Is OSINT legal for background checks on job applicants or tenants?

This is where people most often get it wrong. In the US, using information to make decisions about employment, tenancy, credit or insurance brings you under the Fair Credit Reporting Act, regardless of whether you found the data for free. FCRA imposes notice, consent, accuracy and adverse-action duties, and most OSINT tools — including this site — explicitly prohibit FCRA use in their terms. Doing an informal Google search on a candidate and acting on it can put you inside a regulated activity you have not complied with.

Can I get in trouble for looking up my own data?

No. Checking your own exposure is the safest possible use of these tools and is what most privacy guidance actively recommends. Running your own name, email and phone through people-search sites, breach checkers and username tools shows you what a stranger can already see, which is the necessary first step before filing removal requests.

Is honeypotting or using a tracking pixel legal?

It varies by jurisdiction and it is one of the sharpest lines in OSINT. Deploying a trackable link to capture someone's IP address is treated as lawful in some US contexts but is far more restricted in the EU, where it engages both GDPR and ePrivacy rules. Unlike passive collection, this is an active technique that touches the target's device — treat it as needing legal review before use, not after.

What about robots.txt — is ignoring it illegal?

Robots.txt is not legally binding in most jurisdictions; it is a request, not an access control. But respecting it demonstrates good faith and materially reduces the chance of a dispute escalating. Ignoring it will not by itself make you liable, yet it is the kind of fact that colours everything else in a courtroom. The related tort, trespass to chattels, requires you to actually impair the server — courts set that bar high, and a few thousand requests a day rarely meets it.

Is OSINT admissible as evidence?

It can be, but only if collected defensibly. Courts want provenance: when it was captured, by whom, from where, and proof it has not been altered since. A screenshot with no hash, no timestamp and no capture log is weak. This is why professional investigators use forensic capture tools rather than the browser's screenshot key, and why chain-of-custody discipline matters more than the cleverness of the technique.

Which laws should I actually know?

In the US: the Computer Fraud and Abuse Act (unauthorised access), the Fair Credit Reporting Act (eligibility decisions), the Stored Communications Act, state anti-stalking statutes, and state privacy laws such as CCPA/CPRA. In the UK: the Computer Misuse Act 1990, UK GDPR and the Data Protection Act 2018, the Protection from Harassment Act 1997. In the EU: GDPR and ePrivacy. Sector rules may also bind you — the FCRA point catches out more people than every hacking statute combined.