What Counts as an Open Source? A 10-Point Test for Public Information
By Soren Vega ·
- osint
- definition
- open-source
- methodology
The line between 'open source' and 'not a source for OSINT' is the line that makes your brief defensible. A 10-point test for whether a piece of information is in scope, with the most common edge cases and how to handle them.
What Counts as an Open Source?
The line between "open source" and "not a source for OSINT" is the line that makes your brief defensible. A claim that rests on a stolen inbox looks exciting on a blog and crumbles the first time a serious reader asks to see the chain of custody. The 10-point test below is the working version of the line, with the most common edge cases and how to handle them.
The simplest test InfoIf you can show a stranger the exact URL, document, or dataset your claim comes from — and they could read it themselves tomorrow — you are doing OSINT. If you cannot, you are doing something else.
The 10-point test
For each piece of information you want to use as a source, run it through the 10 points below. The more points that fail, the weaker the source. A source that fails three or more is not in scope for a defensible brief.
1. Is it reachable without authentication?
A page indexed by a major search engine, or reachable through a normal browser without logging in, is on the open web. A page that requires a free account is on a service; the service's terms apply. A page that requires a paid account is on a paid service; your access is conditional, and the source is weak.
The test: open a private/incognito tab and try to reach the page. If you can read it without logging in, point 1 passes.
2. Is it not behind a paywall or login?
Same idea, harder test. A page that is reachable through a search engine but is actually paywalled when you click through is a weak source. A page that loads a preview but asks for money to read more is a weak source. The information you can read is in scope; the information behind the paywall is not.
3. Is the original author the source, or are you?
A page that reprints a press release is a secondary source. The press release is the primary source. Cite the primary source where possible, especially for precise claims. The secondary source is useful as a pointer and as a date stamp, not as a citation.
4. Is the document publicly distributed, or was it stolen?
A leaked document that is in wide circulation on the open web is a soft kind of open source — defensible, but with a higher standard of care. A leaked document that is still in limited circulation, or that was obtained by hacking, is not an open source, no matter how widely it has been re-shared. The chain of custody determines the weight.
5. Is the data on a platform, or on the open web?
A public Instagram account is a license to look at the public Instagram account. It is not a license to download every post, run face recognition on them, and publish the result as a dataset. The platform's terms of service are a contract, and breaking them can lose your access.
6. Is the data personal, or institutional?
A spreadsheet of every social post by a private individual is a different kind of dataset than a spreadsheet of public posts by a public company. The first is a privacy question; the second is a research question. The legal exposure is much higher for the first.
7. Is the data identifiable, or aggregated?
A dataset of public posts stripped of names is still personal data if the posts are unique enough to identify the author. Pseudonymous data is still personal data if re-identification is reasonably possible. Aggregation is a way to make a dataset defensible; identification is a way to make it not.
8. Is the data current, or is it a snapshot?
A dataset that is updated by the platform is a moving target. A dataset that you captured on date D is a snapshot. Cite snapshots with their capture date, not the platform's "as of" date. The difference matters when the platform edits the data.
9. Is the data in the language you think it is?
A page in English is in English. A page in Portuguese that you read through a translation is a different source — the translation is yours, the original is the source. Cite the original, link to a translation if you have one, and name the translator if it is a model.
10. Is the data reproducible, or one-of-a-kind?
A dataset that any researcher could rebuild from public sources is reproducible. A dataset that only you have — because you paid for it, or because you captured it before it was deleted — is one-of-a-kind. One-of-a-kind datasets need a more careful audit trail, including the capture date, the method, and the chain of custody.
The edge cases
A few cases that come up often:
Leaked material in wide circulation
Material that has been widely distributed and that any reader could, in principle, find is a soft kind of open source. The standard of care is higher: name the chain, name the limits, and be honest about the parts you cannot verify. Material that is still in limited circulation is not in scope.
Court records
Court records that have been filed publicly are open sources. Court records that are sealed, or that have been expunged, are not. The difference matters; the line is usually clear.
Government databases
Government databases that are publicly searchable are open sources. Government databases that require a login, even a free one, are services. Government databases that are restricted to specific users (law enforcement, journalists with credentials) are not in scope.
Academic papers
Academic papers that are published in open-access journals are open sources. Academic papers that are behind a paywall are services; the abstract is open, the full text is not. Pre-prints that have not been peer-reviewed are open sources, but the weight is lower than a peer-reviewed version.
Anonymous sources
A claim sourced to "an anonymous official" is not yet verified. The journalist's reputation is the only weight behind it. That weight is real, but it is also the entire weight of the claim. A brief that leans on anonymous sources should name the weight, not pretend it is heavier than it is.
Internal documents that are leaked
A leaked internal document is in scope only if it is in wide circulation. A leaked internal document that is still in limited circulation, or that was obtained by hacking, is not in scope. The chain of custody is the test.
The line in practice
For most OSINT projects, the working line is the one in the simplest test above: if you can show a stranger the exact URL, document, or dataset your claim comes from — and they could read it themselves tomorrow — you are doing OSINT.
If you cannot, the claim is not in scope for a defensible brief. The fix is to find a source that is in scope, or to weaken the claim to match the source. A short, hedged, sourced statement is more useful than a long, confident one with a weak source.
A research project that respects the line is a research project that survives review. A research project that crosses the line is a research project that has to be redone.
Frequently Asked Questions
What is the simplest definition of an open source?
An open source is any information that is available to the general public without breaking the law. The openness is what makes the resulting insight defensible. A claim that rests on a stolen inbox looks exciting on a blog and crumbles the first time a serious reader asks to see the chain of custody.
Is leaked material an open source?
It depends. Material that has been widely distributed and that any reader could, in principle, find is a soft kind of open source — defensible, but with a higher standard of care. Material that is still in limited circulation, or that was obtained by hacking, is not an open source, no matter how widely it has been re-shared. The chain of custody is what determines the weight.
Related Guide
Open Source Intelligence