Defending an OSINT report in deposition: a 6-question playbook
Opposing counsel will ask the same 6 questions about your OSINT methodology in every deposition. Here's how to answer them — and why the answers should be in the report before you walk in.
Every OSINT investigator who's testified in deposition knows the script. Opposing counsel asks the same six questions about methodology, in roughly the same order, in every deposition. The investigators who do well are the ones who already have answers in the report. The ones who do badly are the ones who try to remember on the stand.
Question 1: "Walk me through how you found this."
The bad answer: "I did some online research." Daubert hates this; opposing counsel knows it.
The good answer: "I queried the following sources, in the following order, with the following identifiers as inputs. Each query has a timestamp + a stored response. Here's the audit log." Then point to the methodology section of the report.
If the methodology isn't in the report, the answer is whatever you can remember under pressure — which usually isn't enough.
Question 2: "Can you reproduce this finding right now?"
The bad answer: "Probably." This is a trap; counsel will then demand you do it.
The good answer: "Yes — by re-running the lookup against the same source. The original API response is preserved with a hash; here's the evidence row + the raw response." If you can produce the response under oath, the finding is hard to attack.
If you used a screenshot, the screenshot is what counsel will spend the next 30 minutes attacking.
Question 3: "Did you verify this finding from a second source?"
The bad answer: "I think so." Vague verification gets thrown out.
The good answer: "Yes — this finding type was independently produced by [N] OSINT workers, all of which are listed in the citation appendix. Specifically: [worker A] returned [output A]; [worker B] returned [output B]." Multi-source verification is what makes a finding survive cross-examination.
Single-source findings are okay if you say so explicitly. Single-source findings dressed up as multi-source are perjury territory.
Question 4: "What's the FCRA permissible purpose for this report?"
If your case is employment-related and you don't know the answer, the deposition is the wrong place to find out.
The good answer: "The report was generated for [hiring / promotion / continuing employment] under §1681b(a)(3)(A). Consent was captured on [date] from [source]. Pre-adverse-action notice was sent on [date]." The system that generated the report should record all of this — Tracelight does, and refuses to generate FCRA-flagged reports without consent capture.
Question 5: "Who else has seen this report?"
The bad answer: "I don't know." This reads as sloppy chain of custody.
The good answer: "Here's the audit log — every viewer + download is recorded, with timestamps." Names + emails of every person who accessed the report. If your tool doesn't audit-log this, your testimony is weaker than it needs to be.
Question 6: "How recent is this data?"
The bad answer: confidence about a finding without checking the observed_at date.
The good answer: "The finding was observed on [date]; recency-grade signals (social media, recent breach exposure) are typically valid for 30-90 days from observation. Older signals (court filings, corporate registry data) age more slowly. Each row in the citation appendix has the observed_at timestamp."
The meta-answer
Six questions, six audit-trail-driven answers. The investigators who do well in deposition are the ones whose tooling produces the audit trail by default — methodology section, multi-source verification badges, FCRA consent record, audit log, observed_at timestamps. The ones who don't are improvising under pressure with screenshots.
The cost of the right tooling is small. The cost of the wrong tooling is the case.