Download

Using open-source searches in UDI and UNE (pdf, 1,0 MB) [Bruk av søk i åpne kilder i UDI og UNE (pdf, 1.0 MB)]

Summary

The use of open source intelligence (OSINT) can be an important tool in verifying the asylum applicant's basis for applying for protection in Norway, including the applicant's identity and asylum information. OSINT is a supplement to the information provided by the applicant and to all other information pertinent to the case. In this context, OSINT is information that is publicly available on the Internet, such as social media, public registers, government sanction lists, media databases, compliance databases, etc. Whether the information is considered public is related to who the publisher of the information is, how many can view it, whether the information is openly available without restriction and whether it is published legally and in what context. In this project, we have investigated the extent to which the Norwegian Directorate of Immigration (UDI) and the Immigration Appeals Board (UNE) have a unified strategy with regard to open source searches, the degree and manner in which the administration uses the information in the case processing and the extent to which the administration ensures the safety of asylum seekers and employees when conducting searches.

The issues are operationalized through several sub-issues with accompanying recommendations and are structured around the following sections:

Regulatory framework

Purpose - what, according to UDI and UNE, is the purpose of using OSINT? The purpose of using OSINT is in principle clear; to gather information pertinent to the case, but how the purpose is to be fulfilled must be clarified. It is recommended to establish overall goals and a uniform policy for the use of OSINT in UDI and UNE. This must include a coherent strategy and standards with principles and guidelines.

Guidelines - do guidelines regulate the activity and do the guidelines provide a clear purpose for the search activity, clear guidance in relation to when and how searches should be conducted, how findings should be evaluated and how the asylum seekers right to contradiction is ensured.

We recommend that UDI and UNE should review the structure, regulations, needs, expectations and requirements of its OSINT activity. Such a review should include:

• Clarifying authority and mandate for OSINT searches. Should OSINT be used and who should have the authority to make such searches?
• Status and form of guidelines
• Harmonization and coordination of policies across entities to ensure equal treatment, efficient utilization of resources, safeguarding privacy and access for all relevant parties, etc.
• Assessing the risk associated with using OSINT for case workers and asylum seekers, including the methods, profiles and technical aids to be used

Organization - concerns whether UDI and UNE have organized the OSINT activity in a way that ensures that cases are adequately investigated, safeguards the principle of equal treatment, mobilizes the necessary expertise and contributes to effective case processing

Our recommendation is:

• That UDI and UNE set up specialized units responsible for the OSINT activity.
• The division of responsibilities between this unit and other units regarding OSINT activity must be clarified.
• Establishing goals and resource limits for the activities lies with the respective agencies' management. This requires that a methodology and system is developed for assessing which cases OSINT is to be used for.

Competence - regards the degree to which UDI and UNE have the necessary competence to conduct OSINT-activity and how one develops this competence.

WE recommend that UDI and UNE should:

• Assess the need to strengthen their expertise in IT, security and privacy.
• Strengthen their expertise in data collection and analysis in connection with OSINT searches.
• Implement measures to ensure that relevant language skills are available when conducting searches.

Data collection

Data collection concerns UDI and UNE's use of technical tools to gather information from relevant sources, compiling and analyzing findings that contribute to informing the case and safeguarding the safety of applicants and case managers.

It's our view that acquisition of new technology may itself improve some of the routines, but a thorough, preliminary mapping of needs and purposes would provide more targeted and technologically adapted solutions. This applies to technical needs in various circumstances, whether it is for security reasons, use of sources or for documentation. In our view technical needs clarification, sharing and transfer of experiences from other agencies that use OSINT or have OSINT practices under development should also be considered.

Practices

Practices concerns whether UDI and UNE act in accordance with the guidelines that are in place today and if these satisfies the requirements of administrative law.

Low maturity and challenges in these areas indicate that practices related to the use of OSINT are not carried out with sufficient degree of management and control. Nor can one be sure that the demand for equal treatment of cases is being met. Our recommendation is that developing measures in accordance with the recommendations regarding regulatory framework and data collection would establish a sound framework for the OSINT activity.

Our overall assessment is that UDI and UNE both need to strengthen their maturity when it comes to the use of OSINT when handling asylum applications. Currently we observe

• A lack of clarity in procedures and guidelines
• Differences in practice as a result of unclear guidelines, possible deviations in practice on when OSINT searches should be used and major differences in competence
• Very general guidelines when assessing findings
• A lack of a systematic overview of the risk for the caseworker and asylum seeker associated with the search business
• A limited system for quality assurance of the OSINT-activity.

In total, we therefore find reason to question whether current practices provide asylum applicants and employees with enough security and whether applicants' legal rights are adequately safeguarded in connection with the use of OSINT.

We note that improvements are ongoing as we have been informed that during the project period, measures have been adopted in UNE that will strengthen safety in connection with OSINT searches. We have limited knowledge of the form and implementation of these. This also means that we have no basis for assessing whether these reduce the potential risk for the case managers in UNE and possibly the identity of asylum seekers in connection with the search activity. Therefore, we recommend that UDI and UNE consider whether searches should be conducted before risks are systematically assessed and/or comprehensive search routines implemented.

UDI, UNE and the National Police Immigration Service (PU) all employ OSINT, often addressing the same cases. There is an exchange of information related to OSINT results, but our informants have also pointed to barriers both in terms of the sharing of responsibility and information exchange. PU did not participate in this study. Further work on the development of the use of OSINT in connection with asylum cases should include all three actors who are responsible for handling asylum cases. In this case, the possibility of authorities must be considered.increased sharing of information from OSINT between the immigration authorities must be considered.