
Five OSINT mistakes that get investigators sued

Treating leads as conclusions, missing the FCRA notice, no chain of custody, no methodology disclosure, acting on stale data. The non-obvious ones.

Most OSINT mistakes are obvious in hindsight: don't trust the first match, verify before you publish, don't dox someone with bad data. Here are the less obvious ones — patterns that show up in actual settled cases.

1. Treating identifier reuse as identity proof

The big one. Two accounts share the email j.smith@example.com → therefore same person → therefore the report names them. This pattern has produced multiple defamation settlements in the last few years.

Why it fails: shared email is consistent with name collision, with family email accounts, with hacked accounts, with intentional impersonation.

The fix: distinguish between leads (identifier reuse) and conclusions (multi-source verified identity). Write the report with confidence intervals.

2. Skipping FCRA pre-adverse-action notice on borderline cases

The FCRA pre-adverse-action notice is required when an investigative report contributes to declining a candidate. It applies even in cases where the investigative report was just one factor.

Why it fails: employers think "we declined for other reasons; the OSINT report wasn't decisive." The FTC's interpretation is broader.

The fix: send the notice on every case where the OSINT report surfaced anything material. Statutory damages are $1,000 per applicant under §1681n; class actions are common.

3. No chain of custody on snapshot evidence

Investigator finds the smoking-gun gym photo on Instagram; takes a screenshot; closes the case. Six months later in deposition: post is deleted, screenshot has no metadata.

Why it fails: screenshots aren't evidence; they're images of evidence. The original artifact + its discovery context is what survives cross-examination.

The fix: snapshot evidence at discovery time with a tool that preserves URL, timestamp, response hash. Tracelight does this automatically — every evidence row stores the raw API response.

4. Manually generated reports without methodology disclosure

Expert is on the stand. "How did you find this?" "I did some online research." "Specifically what queries, in what order, against what databases?" "I don't recall."

Why it fails: methodology that can't be recalled isn't methodology — it's narrative. Daubert doesn't like this.

The fix: every report should include the methodology section — sources queried, date of query, identifiers used, audit log behind it.
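What sections 3 and 4 ask for can be sketched in a few dozen lines. The block below is an added example, not code from the original post and not Tracelight's implementation: it stores an evidence row that keeps the raw response bytes, the URL, the timestamp and a SHA-256 of the bytes, and it keeps a hash-chained, append-only audit log of the queries and captures behind the row, so the "how did you find this?" question can be answered from the log rather than from memory. The endpoint URL, the response body and the capture time are constructed sample values.

```python
import base64
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample input: the unmodified bytes a hypothetical profile API returned.
SAMPLE_URL = "https://social.example/api/profiles/j.smith"   # hypothetical endpoint
SAMPLE_RESPONSE = b'{"username": "j.smith", "posts": [{"id": 42, "caption": "leg day"}]}'
CAPTURE_TIME = datetime(2024, 6, 15, 14, 30, tzinfo=timezone.utc)  # fixed so the run is reproducible

GENESIS_HASH = "0" * 64   # prev_hash of the first audit entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def capture_evidence(url: str, raw_response: bytes, captured_at: datetime, source: str) -> dict:
    """Evidence row that keeps the raw artifact plus its discovery context
    (URL, source, timestamp) and a content hash, instead of a screenshot."""
    return {
        "url": url,
        "source": source,
        "captured_at": captured_at.isoformat(),
        "raw_response_b64": base64.b64encode(raw_response).decode("ascii"),
        "sha256": sha256_hex(raw_response),
    }


def verify_evidence(row: dict) -> bool:
    """Re-hash the stored bytes; any change after capture breaks the match."""
    raw = base64.b64decode(row["raw_response_b64"])
    return sha256_hex(raw) == row["sha256"]


def append_audit_entry(log: list, action: str, details: dict, at: datetime) -> dict:
    """Append-only methodology log. Each entry commits to the previous entry's
    hash, so editing or deleting an earlier step invalidates everything after it."""
    entry = {
        "seq": len(log),
        "at": at.isoformat(),
        "action": action,
        "details": details,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS_HASH,
    }
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode("utf-8"))
    log.append(entry)
    return entry


def verify_audit_log(log: list) -> bool:
    """Walk the chain from genesis; False on any broken link or edited entry."""
    prev = GENESIS_HASH
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8")) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def build_case() -> tuple:
    """Worked scenario: record the query, capture the artifact, record the capture."""
    log = []
    append_audit_entry(log, "query",
                       {"source": "social.example", "identifier": "j.smith", "url": SAMPLE_URL},
                       CAPTURE_TIME)
    row = capture_evidence(SAMPLE_URL, SAMPLE_RESPONSE, CAPTURE_TIME, "social.example")
    append_audit_entry(log, "capture", {"url": row["url"], "sha256": row["sha256"]}, CAPTURE_TIME)
    return row, log


def methodology_section(log: list) -> list:
    """The answer to 'how did you find this': ordered steps with times and sources."""
    return [f'{e["seq"]}. {e["at"]} {e["action"]}: {json.dumps(e["details"], sort_keys=True)}'
            for e in log]


if __name__ == "__main__":
    row, log = build_case()
    print("evidence intact:", verify_evidence(row))
    print("audit log intact:", verify_audit_log(log))
    print("\n".join(methodology_section(log)))
```

The hash chain is what makes the log usable under cross-examination: a reviewer can re-run `verify_audit_log` on the delivered file and see that no step was inserted, reordered or removed after the fact, and the capture entry ties the evidence row to the log by its content hash.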

5. Acting on stale data

OSINT findings have a shelf life. The breach record from 2018 doesn't represent current credentials. The address from 18 months ago may be wrong.

Why it fails: investigators present old findings as current. When the subject's lawyer points out the date, the work product loses credibility.

The fix: every evidence row carries an observed_at timestamp. Reports weight recent findings more heavily. When findings are older than ~90 days for time-sensitive use cases, flag explicitly.
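Sections 1 and 5 describe two properties of the same evidence row: what kind of link it actually proves (identifier reuse is a lead, not identity) and how old it is. The following added example, which is not part of the original post and not Tracelight's code, puts both on one row set: it attaches an `observed_at`-based age and a stale flag at the post's ~90-day threshold, down-weights stale rows, and only reports a "conclusion" when at least two independent, fresh, non-identifier sources corroborate the link. The evidence rows, the sources, the reference "now" and the 0.5 stale weight are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)   # the post's ~90-day threshold for time-sensitive use cases
STALE_WEIGHT = 0.5                 # assumed down-weight for stale rows; a policy choice, not from the post
REFERENCE_NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)   # fixed "now" so the run is reproducible

# Evidence types that never prove identity on their own (section 1): a shared
# identifier stays a lead, however many accounts share it.
LEAD_ONLY_TYPES = {"identifier_reuse"}

# Constructed evidence rows for one subject; sources and dates are made up.
SAMPLE_ROWS = [
    {"source": "forum_a", "evidence_type": "identifier_reuse",
     "identifier": "j.smith@example.com", "observed_at": "2024-01-10T12:00:00+00:00"},
    {"source": "forum_b", "evidence_type": "identifier_reuse",
     "identifier": "j.smith@example.com", "observed_at": "2024-05-02T09:30:00+00:00"},
    {"source": "county_records", "evidence_type": "official_record",
     "identifier": "J. Smith, 12 Example St", "observed_at": "2024-06-15T00:00:00+00:00"},
    {"source": "news_site", "evidence_type": "photo_match",
     "identifier": "byline portrait", "observed_at": "2023-11-01T08:00:00+00:00"},
]


def annotate_staleness(rows: list, now: datetime) -> list:
    """Return copies of the rows with age, stale flag and recency weight attached."""
    out = []
    for row in rows:
        age = now - datetime.fromisoformat(row["observed_at"])
        stale = age > STALE_AFTER
        out.append({**row, "age_days": age.days, "stale": stale,
                    "weight": STALE_WEIGHT if stale else 1.0})
    return out


def classify_link(rows: list) -> str:
    """Lead vs conclusion.
    - 'lead': only identifier reuse, whatever the number of accounts.
    - 'corroborated_lead': some non-identifier evidence, but fewer than two
      independent fresh sources.
    - 'conclusion': two or more independent sources of fresh, non-identifier evidence."""
    corroborating = [r for r in rows if r["evidence_type"] not in LEAD_ONLY_TYPES]
    fresh_sources = {r["source"] for r in corroborating if not r["stale"]}
    if len(fresh_sources) >= 2:
        return "conclusion"
    if corroborating:
        return "corroborated_lead"
    return "lead"


def assess(rows: list, now: datetime) -> dict:
    """Report-ready summary: status, rows that need a staleness flag, and a weighted
    evidence score (fresh corroborating rows count 1.0, stale ones STALE_WEIGHT)."""
    annotated = annotate_staleness(rows, now)
    return {
        "status": classify_link(annotated),
        "stale_count": sum(1 for r in annotated if r["stale"]),
        "weighted_score": sum(r["weight"] for r in annotated
                              if r["evidence_type"] not in LEAD_ONLY_TYPES),
        "rows": annotated,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_ROWS, REFERENCE_NOW)
    print(result["status"], "| stale rows:", result["stale_count"])
    for r in result["rows"]:
        print(f'{r["source"]:15} {r["evidence_type"]:17} age={r["age_days"]:>3}d stale={r["stale"]}')
```

On the sample rows the two shared-email hits never lift the status above "lead" by themselves; the county record is the only fresh corroboration, so the report says "corroborated_lead" with two rows flagged stale. Adding one more fresh, independent non-identifier source is what moves it to "conclusion".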

The meta-mistake

Treating OSINT as a way to skip rigor instead of a way to apply rigor at scale. The investigators who get sued use OSINT to feel productive without showing their work. The ones who don't get sued treat the citation trail as the deliverable.
