Our guest is a former FBI investigator and current university professor who has tips for practitioners in every industry. From the protocol before you log on to conduct OSINT research to the resources and reporting, here are the tips for approaching your OSINT like law enforcement.
Richard is a law enforcement and legal expert with over 26 years’ experience as a U.S. government official and serves as a Director for A1C Partners, LLC specializing in open-source intelligence and focusing on legal, privacy and policy matters impacting the collection and use of publicly available information. Richard is an adjunct faculty member at George Mason University in its Department of Criminology, Law and Society, teaches a course on the intelligence process, and recently published a textbook entitled “An Intelligence Studies Anthology, Foundational Concepts and Case Studies for the 21st Century” (Cognella, Inc. 2021). He is an attorney with his own Washington, D.C.-based law firm, Denholm Law, PLLC and is licensed by the Ohio Supreme Court and D.C. Court of Appeals.
RICHARD DENHOLM
I would always say, like, be safe out there. Like we usually told each other, be as safe online as you are in person, basically.
[music plays]
JEFF PHILLIPS
Welcome to Needlestack. I'm Jeff Phillips, and I'll be your host for today's episode.
AUBREY BYRON
I'm Aubrey Byron, a producer on needlestack.
JEFF PHILLIPS
So today we're joined by Richard Denham, a former FBI investigator and director at A1C Partners. Welcome to the show, Richard.
RICHARD DENHOLM
Thanks. Great to be here.
AUBREY BYRON
So great to have you back, Richard. For those of you new to the show, Richard joined us last year to discuss how law enforcement is using OSINT. Can you give us a little bit of an overview to remind listeners about those tactics and how you use it both in your history at the FBI and at A1C?
RICHARD DENHOLM
Yeah, sure. Just a little bit more background about myself. I spent about 22 years with the FBI, retired as a Supervisory Special Agent unit Chief at FBI headquarters. My last stop was the FBI's detailed of the Department of justice at its OSINT of Fusion Center. So we specialize in information sharing across law enforcement to help improve investigations, help investigators make better cases to enforce the laws of the United States. After I retired, I ended up with a Onec Partners as a director. I also am an attorney, and I'm using much of my legal background to help advise our customers on legal privacy and policy concerns when they use open source information in particular, but also focused on other intelligence issues as well. And as my side job, I'm an adjunct faculty member at George Mason University in Fairfax, Virginia, and I teach intelligence there as well.
JEFF PHILLIPS
It's a great background, and we'll dig into some elements of that. Before we started recording, we were talking, Richard, that on one hand, OSINT is always changing as a discipline, but sometimes things from illegal and what you can and can't do. Maybe there hasn't been significant changes versus last time, but can you talk a little bit about are you seeing anything changing out there, whether it's for the government on the federal side or anything you've seen on the commercial side?
RICHARD DENHOLM
Yeah, sure. It is important to stay on the cutting edge in this arena. Since we last talked about a year ago, I have not seen any earth shaking changes in the open source, publicly available information realm. As far as obviously we're always looking for court cases and legislation that would infringe on the government's ability to collect open source information or use it. I haven't seen anything really earth shakering in that. Clearly, there are cases that come out occasionally that we have to be aware of, and we have to be aware of it for private sector clients as well. Right. They have to follow the law. They have to be concerned with privacy issues for their employees and for their customers. We know that in California they have a very robust privacy law in place. We also know that in the European Union, their laws governing privacy are very stringent. Those are kind of the guardrails between California and the European Union. Those are kind of the guardrails right now, too, that you kind of have to watch for. I would say large corporations in particular. Right. Because national corporations operate in all 50 states. So what I've seen with them is that they often have to abide by the most stringent rules.
RICHARD DENHOLM
Right. So that's why California almost kind of takes over some of that realm. It's interesting to note, I just moved out of Virginia. Virginia has environmental standards that match California's, which are stricter, and there's a big debate in Virginia right now about why are we falling California. Right. But when you're in the legal realm, whether it's open source, environmental, other types of policy regulations, you always try to keep your eye on what's the most stringent privacy protections. And it's good to protect privacy. I'm not saying anything about that.
JEFF PHILLIPS
Sure.
RICHARD DENHOLM
But as we talked about last time, I noted that if information is publicly available in whatever source right. We know that deeds for houses and mortgages are publicly recorded. Right. That information is available to everyone, and everyone includes the government. Right. And so we also know that when we talk about constitutional privacy in this country, we all, as citizens, are required to protect our privacy as well. Right. I mean, what you don't protect and what you open and Torres Lee put out there is fair game for you, for me, for the government, unfortunately, for other governments to see as well. Right. So it is a huge framework that applies. So hopefully that helps a little bit.
JEFF PHILLIPS
Yeah, that's super interesting. I hadn't thought of it that way before with you giving those guardrails. If California and the European Union have the strictest rules, if you're abiding by those, then you're covered. It may reduce some things that you can do, but from a legal standpoint, that for sure makes a lot of sense if you use that as kind of your bottom line of the rules you're going to follow.
RICHARD DENHOLM
Right?
AUBREY BYRON
Yeah. Our listeners span a lot of different industries, and it seems sometimes like they can almost be a little bit siloed in their approach. Are there certain strategies that law enforcement use that you think could apply well to other OSINT practitioners outside of law enforcement?
RICHARD DENHOLM
I don't want to give you, like, a pithy answer to that, but it is a little bit like know the law. I mean, do research in it. Have a team that provides advice. Everybody. And again, I am a licensed attorney. I can say it. A lot of people hate attorneys, but they can be very useful. Right. Especially in this arena. You need them to be conducting the research for you so that you can have an understanding of and I think I said this last time, too whatever state you're operating in, you definitely want to have a very firm understanding of what the privacy laws are in your state, what the courts have held in your state as far as the use of open source information for whatever that is. And obviously in the private sector, that would involve hiring employees. Right? I mean, how far can you go digging through their backgrounds? What can you do? What can't you do? So I think Aubrey kind of a simple answer is understand the law and policy and regulations in your state and then use that to form your own policy and have a policy. The worst thing and it happens where people internal to whatever, to companies.
RICHARD DENHOLM
I don't really see it too much in government because they are very bound by laws and regulations, so they communicate about it. But the worst thing you can do is just to start operating, and somebody has a good idea, like, hey, for all of our employees, we're going to scrub all of their Facebook posts, everything that we can, everything that's out there. We're going to store that information ourselves on our systems, gather any pii that we can on the person, and it may all sound like a great idea. And you start doing that, and you gain maybe a better understanding of who you're going to hire, which is a good thing. But you might go too far, and you might actually violate somebody's privacy, run afoul of the laws of your state. So we in the privacy realm, too. When we look at these, there's a lot of discussion of retention policies, right? So, for example, you need to be aware that if you have a potential employee and you collect information on them, you better have a policy, and you better have it written down and reviewed and understood. How long are you going to retain that data?
RICHARD DENHOLM
I mean, Jeff, if I want to hire you and I gather tons of data on you and then I never hire you, you walk away, and I hang on to your data for, I don't know, ten years, and then we get hacked, right? And maybe there was Pii in there about you, and now that may create liability for your company, right. So, again, it's an idea of talking through this, having a team of people again, teaching at George Mason, constantly talking about collaboration and the intelligence realm. Talk it through, do a red team. What are the worst case scenarios that can occur, and then have a policy? If I want to hire, Jeff, I do collect data on you. We don't hire you. Walk away. Okay, we're going to have a policy a month later, 30 days later, that date is purged. Right. That's gone. Or six months later. But have something in place.
JEFF PHILLIPS
That makes a lot of sense. Richard, by the way, that comes up a lot of times when we're talking with people, customers and whatnot on the Dark website that point you made, which is you need to have a policy. If there is no policy, that's not necessarily an opening just to go do what you want. You'd prefer to have it. You got to have something written down, whether that before you go out and do things like you said, pii, or go to the Dark Web, having a policy versus a lack of policy, meaning you're good to go. You shouldn't take that approach, for sure.
AUBREY BYRON
I think that's the subject of a few of our blogs. Yeah, it's like you should go on the Dark Web. But hold on.
JEFF PHILLIPS
Let's dig back a little bit. Rich, go ahead. Sorry.
RICHARD DENHOLM
No, I was just going to add I learned a lot in my law enforcement career as well, having, unfortunately worked around some cases involving child pornography and those kind of things and that kind of data. When you talk about Dark Web, you could start stepping into some of that stuff, and you don't want to be accessing that information or collecting it or having it on your computer. We had to put in place very stringent standards on how to handle that material. I mean, as agents, you're collecting evidence, right? But if you're dealing with that type of evidence, you have to take extra precautions because it's very easy to become a disseminator of it, even unintentionally, and there's really no loophole for you, even as a federal agent. If I hand it to another agent or I hand it to an Ausa and I'm not careful, that technically could be dissemination. So there's a lot of trips and traps out there. So, Aubrey, when you bring up the Dark Web, there's a lot of nefarious things that are occurring in there, and you better have an understanding of what you're dealing with, because even the good folks can step into stuff that can get them jammed up.
RICHARD DENHOLM
So sorry, jeff, go ahead.
AUBREY BYRON
Absolutely.
JEFF PHILLIPS
No, sure. No, it's great advice. Well, let's go back George Mason University and recall you being a professor there. Can you remind us what's the curriculum curriculum that you teach? Has that been evolving at all? And just to give you some backdrop, we've had two or three guests now this year that are on the academic side. So it's really interesting to see what's going on with OSINT and intelligence as we educate the next level of or the next generation of investigators out there through college.
RICHARD DENHOLM
Absolutely. And I was happy to hear you, my colleague, Dr. Steven Coldheart, on a while back from Sunni. He's kind of at the cutting edge of OSINT issues and intelligence work, and it's exciting to be collaborating with him and talking to him as often as I do, but yes, at George Mason. Yeah, right. No, and he really, you know, is moving a lot of things forward in this realm of OSINT. So George Mason, I teach in the Department of Criminology Law and Society, and we have an intelligence minor there. And as you can imagine, george Mason is in Fairfax, Virginia, in the suburbs of Washington, DC. So it's a great university and a great location because of its proximity to the government, which is critical. And several years ago, they really saw a need to really build up their intelligence program there to teach, as you said, even the next generation of intelligence analysts, teach them even the basics of what is the intelligence community, who are the members of the intelligence community, which agencies? And then to educate them on, again, just the basics, the history of the United States intelligence community, how it's evolved, and how to be an intelligence analyst.
RICHARD DENHOLM
So I started there teaching basic introduction to the intelligence community about three years ago. Now, I have added one class as an aside. I also am an expert in public corruption. I worked a lot of corruption for the FBI, and they let me teach a course in corruption last year, and I'll be teaching that again in the fall. I have written a textbook on intelligence and corruption. Now, those are both used at the university, which is fine. I'm not quite sure if those were published last time we talked, but both are now. I have a textbook on each topic. And so this semester, though, I began to teach a more advanced intelligence analysis course, getting more into critical thinking and really teaching the students. Again, a simple answer of don't take things at face value. Right. I mean, it's much more in depth than that because it is an entire semester. But I think that's a good way to kind of conceptualize it of what you build the course around, especially in this day and age. And I think we talked a bit about disinformation last time I was here with you as well, that you really have to be on the lookout, especially in this day and age, for disinformation right.
RICHARD DENHOLM
And how to analyze things coming at you to make sure that it's accurate and that you are able to turn raw information into intelligence and disseminated and get it into the intelligence cycle. Right. And during that course, we do, of course, talk a lot about open source intelligence, and it's a critical factor in that course as well.
AUBREY BYRON
Tell us a little bit more about how OSINT plays into that, public corruption in particular. That's interesting.
RICHARD DENHOLM
That's a great question. I was quite at the cutting edge of this, but in my travels in the FBI, worked in Youngstown, Ohio, quite a bit, worked on several very large, high profile public corruption investigations. And I got to tell you what is OSINT, what is publicly available information, it's many things. But journalists, the press, right. That's open source information I often found working corruption. There's a lot of fantastic journalists, investigative journalists who did a lot of the background work for me. Right. And you could sit there and follow a lot of the investigative pieces that they put together and they're throwing sunshine on corruption, right? Which I always say when I teach corruption loves to dwell in darkness. And again, the fourth estate, the media journalists throw light onto that and that's great. But really that's all they can do, right? They can only throw light on it. So then we kind of saw that as investigators, to be aware of our environment, we would call it our Aor area of responsibility. We'd pay attention to that. And I will tell you, I made a lot of leads in my investigations and made pieces of my criminal investigations from Tidbits that I pulled from those media reports, right?
RICHARD DENHOLM
And when they go into the criminal investigative realm, that opens up a whole another realm of vetting because you're going to put somebody's life and livelihood in jeopardy basically, right, when you subject them to the criminal process. So we didn't just take reporters information at face value, we had to build on it. Sometimes it went nowhere, I mean, it was just nothing. And that's fine. But I will tell you, I mean there were times that those were pretty good leads and those turned into pieces of criminal cases from our work on it and sometimes made their way into indictments and on to trial, et cetera. So again, that's just a very clear use of open source information, public information we read too, right? As federal investigators, I don't think anybody would want us. And again, it kind of fits into this open source work we talk about. Now just play this out. We want to protect privacy. We do protect privacy, but, I mean, argue with me if you would like, but would you like law enforcement or government to have people out there publicly saying I'm going to fly planes into buildings and then we do nothing about it, right?
RICHARD DENHOLM
We know that those mistakes were made and those mistakes can't happen again, right? I mean, we're all human. There's mistakes that continue to happen, we see that every day as well. But we need to be paying attention too, if you're in law enforcement. And they do, and I did at the time still talk a little bit in present test. It's a little hard to get away from that, being inspired, but I'm still a big fan of the FBI. They get criticized very unfairly often. Sometimes they deserve it. But again, that's the point, right? This information that's out there should be reviewed, should be vetted. And what do I always talk about balanced with the privacy concerns, et cetera?
AUBREY BYRON
No, that's a great point. We actually had a few journalists on for a series we did on fact checking. And it's not often you don't think of journalism really as OSINT, but in a lot of ways it's very similar. And you said sunshine and especially using sunshine laws to get public information that isn't readily available.
RICHARD DENHOLM
Well, 100%, right? And then there's freedom of information act. And there are ways, obviously, that information could be obtained legally. And then clearly, journalists develop sources, and clearly, when I was an FBI agent, that's what we were supposed to do, right? Develop sources, vet those sources, develop leads and information and cases from that. And we talk about that in the courses at George Mason as well. Human intelligence. Human, right. I mean, it's the best intelligence, and you have to be careful using it, obviously. And it has to be vetted and checked and triple checked, blah, blah, blah. But human is the best. Okay. And then we talk about technical sources, tech in, et cetera. Very important. All the tools that we've talked about with you, tools are very valuable. You can use them to gather information and move things along quicker, organize information. That's clearly important. But it all goes back to human. I'm saying that. So it's very important, and I don't want to lead you guys, too, but you were kind of asking before as far as I thought, as far as how we as investigators would look at OSINT, how it would factor into investigations, et cetera.
RICHARD DENHOLM
I think that kind of describes it between the media, the journalists that we use for cases and then actually doing open source research in the government ourselves.
JEFF PHILLIPS
Keeping kind of on this topic of I guess the way I'm going to ask, this turns into OSINT, but from your FBI days, we seem to have seen more intelligence disclosures on behalf of the government intelligence community, especially in the run up to the Ukraine. So where they were taking where intelligence was being shared openly. What are your thoughts there? Do you see a larger shift toward maybe there's less classification and more public disclosures of that kind of analysis, or that was a very unique situation. What are your thoughts about less classification and disclosure of some of the intelligence community information?
RICHARD DENHOLM
That's interesting. I wouldn't frame it up that way. I don't think there's less classification. Maybe there's less emphasis on people following the rules. Maybe that's maybe how I would frame.
AUBREY BYRON
It up a little bit.
JEFF PHILLIPS
Well, we know that for what's being found in houses. Yeah, for sure.
RICHARD DENHOLM
Houses, garages, everything else, everywhere else. Right.
JEFF PHILLIPS
But it also seemed like we put out some of that intelligence to assist the Ukraine publicly about what we were knowing. We went pretty public with what we were seeing going on in Russia, for example.
RICHARD DENHOLM
Yeah. In my defense, I'd say that's a little outside my realm. I think State Department experts might be a little bit better to comment. I'm always happy to comment, though, because that's how I am. But I really think right. I think it's a strategy. I think the government would release things in such a global realm like that. And again, we teach this at George Mason. Right. When you look at the history of intelligence, there have been deception operations throughout history. Right. Disinformation and misinformation. The Ghost Army in World War II is still one of my favorites, creating in the UK armies of blown up inflatable tanks and barracks and everything else, right. To fool the Germans as they flew over thinking that the strike into France would occur from the north. Right. So I think what you're talking about with the whole Russia Ukraine thing too, kind of fits into that. Right. The governments are using information strategically in ways they see fit. So the president is the ultimate classification, authority and the ultimate releaser of information. So clearly, if any president thought, even though this is classified, it's important to release for part of our strategic objectives.
RICHARD DENHOLM
Again, I'm not an expert in that, but I do teach it a little bit. I think that would be why that there were some strategic interest to it. Believe me. I was thinking even at the time, the Russian alleged build up along the border of Ukraine, even before the war started, you start to think a little bit about because they are masters of disinformation, they are some of the best. And you start to wonder, is what we're seeing there? Is that a dummy army? Now, clearly this is where we get into the technical realm in our day and age. Much harder to do that today. Right. Doing inflatable tanks in the UK now, I think they would spot, even though apparently floating balloons at 40,000ft are difficult to spot. You know what I mean? Yeah, right. But I've never been good at Rubik's Cube or chess, and I feel like my whole life has been chess and Rubik's Cubes. But all those things flying the Chinese if it was and again, I asked my classes too the other night, are we still 100% sure it was Chinese? I mean, we're being told things. There's writing.
RICHARD DENHOLM
Is there writing on it? I didn't see a big China flashing on it at the time. Right. But when you talk about intelligence analysis, too, you have to ask those questions. Right. Don't take anything at face value. Research it, study it now. So again, back to your question with Russia, Ukraine again, it's fascinating stuff and whatever those strategic goals are to release information, I believe in our government, always have, since I worked in it. I think I'm an expert to comment. The motives are good on our part. We generally don't invade our neighbors. I'm not aware of us invading Canada or Mexico in the last few hundred years to take their territory. Unlike the Russians. Right? Again, I guess a long winded answer to your short question, but that was by 2 seconds.
JEFF PHILLIPS
It makes sense. If it matches to the strategy, then but you're not seeing anything like, oh, we're going to release a bunch more. It's going to depend. It will depend if in the future, if another scenario arises where releasing what is considered classified information is useful to our approach, that makes sense.
RICHARD DENHOLM
And I think that I would argue that that's extremely, extremely rare because the whole idea of classifying information is to protect government information, because releasing it again, teaching the students at George Mason, we talk about top secret, secret and unclassified, those have real meanings as far as the potential damage to the United States, right? And releasing top secret data would pose tremendous damage to the United States if it's released. That's why we classified it at top secret level, so it's not released. So the overall general rule, Jeff, is that information is not going to be released. And if it is, that's also in the realm of the FBI to conduct potential criminal investigations, definitely counterintelligence investigations, et cetera.
AUBREY BYRON
Richard, you mentioned how those newspaper scoops could be a good lead for FBI investigations. We've talked a lot about the recent influx in sort of amateur Twitter sleuths, participating in Osint online, and sometimes this can do a lot of good, such as helping to geolocate or debunk photos in Ukraine, for instance. But it can also go off the rails, such as making false accusations in the case of Moscow, Idaho murders. What do you think the relationship is right now between law enforcement and these sort of amateur researchers?
RICHARD DENHOLM
Again, a great question, and when you first posed that to me a while back, it generated a lot of thought on my part, which is always a good thing, and I've really gone back and forth in my mind about it. But I think where I land overall is from a law enforcement perspective, we want information, we want sources, okay? We're going to be listening. And we were listening, and they are now, I'm sure, and collecting that information, but then vetting it again, right? That kind of is the theme of the day. It has to be vetted because there are times that those Twitter sources you talk about are really good, they really are onto something, and it's valid. But just like I mentioned, with kind of the journalism aspect for corruption, et cetera, to start digging, you got to vet it, right? Because their standards are lower than ours, frankly, right? I mean, they need to be truthful or they're going to get sued for slander, defamation, whatever. But in the government and when you're doing criminal investigations, it's a higher standard, right? Because if you're doing a criminal investigation, you're planning to take something to trial, right?
RICHARD DENHOLM
You're not just doing it for fun. And so your ultimate objective is, you know that if you get to trial, you have to prove beyond a reasonable doubt that somebody committed a crime. And that standard in front of twelve jurors. You have to convince them, all right? And it can be tough and it takes a lot of work. So again, it has to be vetted even more. So you may take one source, but I would want to talk to five or six more sources around that person to verify the information. And so with somebody from Twitter who's providing information using the comment, you take it with a grain of salt is a very valid term, I think very practical, but you have to do that. But also keeping an open mind, like, hey, we could treat this Twitter source just like any other source and think they could be providing us very valuable information that could turn into something and sometimes does. And then the flip side of it is, as you indicated, you have to be very leery of those whose motives aren't good. They are out to get somebody, right? People unfortunately, can be people and want to make false accusations against somebody because they don't like them.
RICHARD DENHOLM
That person offended them. So in this room, you have to constantly be aware of that and be like, what's your motive for telling us? Is it altruistic? And if so, yeah, that's great. I mean, I worked several large scale murder investigations nationally publicized, which brings out all of these type of people that you're talking about. We had a very famous one in Canton, Ohio, a famous murder case, much like the Lacey Peterson murder case out in Modesto, California. We had a very similar one in Cat in Ohio right after that with a nine month pregnant woman who had disappeared. And there were a lot of do gooders who came out. And I will tell you a quick aside, a quick story about that to kind of draw this together for what happens with this. A lot of people came out to help search for the missing woman, and that's awesome. And we generated some great leads, but out of thousands, maybe only less than a handful turned out to be good. Okay, so you keep that in mind and you don't want to disregard those potential leads. That could be really good, right? That would be bad.
RICHARD DENHOLM
But for example, we had some folks who came out to help us, actually in another case that I'm thinking of, and they brought dogs to help us search. Okay. And I actually had one of the dogs, it was out in the woods with the dog searching, and the dog alerted on something was going. I'm like, oh my gosh, I might be onto something. And the dog led me down this trail and down a hill and dug up a Wendy's bag that was sitting there on the hill. So I guess you could kind of call that the Wendy's bag theory of folks on Twitter, right? They could lead you to the body that you're looking for or hopefully a living person, or they could lead you to a Wendy's bag. I mean, this is literally kind of how you have to keep it in mind.
AUBREY BYRON
Yeah, for sure.
JEFF PHILLIPS
Well, Richard, as we start to wrap up here, first, want to thank you for coming on again. Our conversations are always super interesting. You've got such a diverse background, obviously from the FBI and. The firm you're with and then as a professor. We hope you'll join us again here in another year, but any final thoughts you have for the audience today?
RICHARD DENHOLM
No, and I'd be happy to it. I always enjoy talking to you. Thank you for having me on your show. No, I guess I would always say be safe out there. Like we usually told each other, be as safe online as you are in person, basically. And I think especially in this day and age post COVID there's a lot of fraudsters out there, so be very leery and be protective of your privacy information if we're talking about open source and what you put out there publicly. But again, thank you for the opportunity to be on and look forward to chatting again.
JEFF PHILLIPS
And I love that. Richard, be as safe online as you would be out.
AUBREY BYRON
Yeah, that's great adventure.
JEFF PHILLIPS
It makes a lot of sense.
RICHARD DENHOLM
Thank you.
JEFF PHILLIPS
Well, again, thanks to our guest Richard Denham, for joining us today. If you liked what you heard, you can subscribe to our show wherever you get your podcast, watch episodes on YouTube and view transcripts and other episode info on our website, authentic8.com/needlestack. That's authentic with the number eight /needlestack. And be sure to let us know what you thought of the show on Twitter @needlestackpod is our Twitter handle and like and subscribe wherever you're listening today. We'll be back next time with more OSINT tips for your research. See you then.