Publicly available data can paint a much clearer picture of our lives than most of us realize, and this episode takes a deeper look at how those tiny digital breadcrumbs like photos, records, searches, even the background of a Zoom call can be pieced together to reveal far more than we ever intended. To help break this down, I’m joined by Cynthia Hetherington, Founder and CEO of The Hetherington Group, a longtime leader in open-source intelligence. She also founded Osmosis, the global association and conference for OSINT professionals, and she oversees OSINT Academy, where her team trains investigators, analysts, and practitioners from all experience levels.
Cynthia shares how she started her career as a librarian who loved solving information puzzles and eventually became one of the earliest people applying internet research to real investigative work. She talks about the first wave of cybercrime in the 1990s, how she supported law enforcement before the web was even mainstream, and why publicly accessible data today is more powerful and more revealing than ever. We get into how OSINT actually works in practice, from identifying a location based on a sweatshirt logo to examining background objects in video calls. She also explains why the U.S. has fewer privacy protections than many assume, and how property records, social media posts, and online datasets combine to expose surprising amounts of personal information.
We also explore the growing role of AI in intelligence work. Cynthia breaks down how tools like ChatGPT can accelerate analysis but also produce hallucinations that investigators must rigorously verify, especially when the stakes are legal or security-related. She walks through common vulnerabilities people overlook, the low-hanging fruit you can remove online, and why your online exposure often comes from the people living in your home. Cynthia closes by offering practical advice to protect your digital footprint and resources for anyone curious about learning OSINT themselves. This is a fascinating look at how much of your life is already visible, and what you can do to safeguard the parts you’d rather keep private.
“Open-source intelligence is simply publicly accessible information, but it’s the intent behind how we collect and analyze it that makes it intelligence.” - Cynthia Hetherington
Show Notes:
- [01:17] Cynthia Hetherington, Founder & CEO of The Hetherington Group is here to discuss OSINT or Open-Source Intelligence.
- [02:40] Early cyber investigators began turning to her for help long before online research tools became mainstream.
- [03:39] Founding The Hetherington Group marks her transition from librarian to private investigator.
- [04:22] Digital vulnerability takes center stage as online data becomes widely accessible and increasingly revealing.
- [05:22] We get a clear breakdown of what OSINT actually is and what counts as “publicly available information.”
- [06:40] A simple trash bin in a photo becomes a lesson in how quickly locations can be narrowed down.
- [08:03] Cynthia shares the sweatshirt example to show how a tiny image detail can identify a school and possibly a city.
- [09:32] Background clues seen during COVID video calls demonstrate how unintentional information leaks became routine.
- [11:12] A news segment with visible passwords highlights how everyday desk clutter can expose sensitive data.
- [12:14] She describes old threat-assessment techniques that relied on family photos and subtle personal cues.
- [13:32] Cynthia analyzes the balance and lighting of a Zoom backdrop, pointing out what investigators look for.
- [15:12] Virtual and real backgrounds each reveal different signals about a person’s environment.
- [16:02] Reflections on screens become unexpected sources of intelligence as she notices objects outside the camera frame.
- [16:37] Concerns grow around how easily someone can be profiled using only public information.
- [17:13] Google emerges as the fastest tool for building a quick, surface-level profile of almost anyone.
- [18:32] Social media takes priority in search results and becomes a major driver of self-exposed data.
- [19:40] Cynthia compares AI tools to the early internet, describing how transformative they feel for investigators.
- [20:58] A poisoning case from the early ’90s demonstrates how online expert communities solved problems before search engines existed.
- [22:40] She recalls using early listservs to reach forensic experts long before modern digital research tools were available.
- [23:44] Smarter prompts become essential as AI changes how OSINT professionals gather reliable information.
- [24:55] Cynthia introduces her C.R.A.W.L. method and explains how it mirrors the traditional intelligence lifecycle.
- [26:12] Hallucinations from AI responses reinforce the need for human review and verification.
- [27:48] We learn why repeatable processes are crucial for building trustworthy intelligence outputs.
- [29:05] Elegant-sounding AI answers illustrate the danger of unverified assumptions.
- [30:40] An outdated email-header technique becomes a reminder of how quickly OSINT methods evolve.
- [32:12] Managed attribution—hiding your digital identity—is explained along with when it’s appropriate to use.
- [33:58] Cynthia unpacks the reality that the U.S. has no constitutional right to privacy.
- [35:36] The 1996 case that sparked her digital-vulnerability work becomes a turning point in her career.
- [37:32] Practical opt-out steps give everyday people a way to remove basic personal data from public sites.
- [38:31] She discusses how indirect prompting of AI tools can still narrow down someone’s likely neighborhood or lifestyle.
- [39:58] Property and asset records emerge as unavoidable exposure points tied to government databases.
- [40:52] A high-risk client’s situation shows how family members often create digital vulnerabilities without realizing it.
- [42:44] Threats that surface too late demonstrate why proactive intelligence work is essential.
- [44:01] Concerns about government surveillance are contrasted with the broader access private investigators actually have.
- [45:12] Train tracks become an example of how physical infrastructure now doubles as a modern data network.
- [46:03] She explains how audio signatures and forensic clues could theoretically identify a train’s path.
- [47:58] Asset tracking becomes a global operation as valuable cargo moves between ships, trucks, and rail systems.
- [49:48] Satellite imagery makes monitoring even remote or underwater locations almost effortless.
- [51:12] Everyday applications of geospatial analysis include environmental changes and shifts within local communities.
- [52:19] Surveillance is compared to gravity; it's constant, invisible, and always exerting pressure.
- [52:44] Cynthia shares practical strategies for controlling your environment and keeping conversations private.
- [54:01] Resources like OSINT Academy, Information Exposed, and the Osmosis Association offer pathways for learning and strengthening personal privacy.
- [55:32] The episode closes with encouragement to stay aware of what you share and how easily digital clues can be connected.
Links and Resources:
- whatismyipaddress.com
- Hetherington Group
- OSMOSIS
- OSINT Academy
- Cynthia Hetherington – LinkedIn
- OSINT: The Authoritative Guide to Due Diligence
- Business Background Investigations: Tools and Techniques for Solution Driven Due Diligence
Transcript:
Cynthia, thank you so much for coming on the podcast today.
Chris, thanks for having me. I'm very excited to join you and to be part of this.
I'm super looking forward to this conversation. OSINT to me is this magical ability that I'm super curious to hear about and to talk about. But before we get started talking about OSINT specifically, can you talk about who you are and what you do?
Well, thanks. I appreciate the opportunity. I'm a very proud business owner in the open source intelligence community and space, but I started out and still consider myself a librarian. So an information practitioner and specialist that learned how to get answers out of books off shelves, which slowly transitioned as the internet started to enter into the public library system.
We started adopting and adapting technology to help our communities. And very early on, actually in the 1990s, I realized that the internet was absolutely the next big thing. I mean, it was quick. Even before it was a web-based system, even using it in a text-based system, I was really leveraging it as much as I possibly could. It just helped the public. I would have patrons that would come in from all over the country because we were a little bit more advanced in what our internet capabilities were, where we're located.
But as I started really making headway as a librarian in the information space and using the internet, local law enforcement started to hear about my abilities. And this is at the beginning when cyber cops were starting off. So Kevin Manson was the first cyber cop. Dr. Fred Cohen invented the term “computer virus.” Dr. Bill Tafoya was hunting the Unabomber. They were all FBI. Los Alamos Labs. I mean, these were, you know, Bell Labs is producing Ches – we call him the Ches, but Bill Cheswick, who invented firewalls. Mike Garrity, now New Jersey CISO. These are all my friends. Jimmy Doyle was over in New York. All the first cyber cops were starting out.
And then the key critical person for me, or team, was the Electronic Crimes Task Force at the Secret Service. They just started forming. InfraGard was also starting to form – a lot of those joint like civic to government agencies. Like, what do you know about technology? Well, what do I know? And I got pulled in.
I mean, what easier than, I guess at the time, a young and happy librarian who loves to share information. I realized at that time the internet was going to be the real catalyst and that giving away books and information for free from behind a desk was a wonderful calling, but that there was a bigger opportunity for me as a capitalist and as a woman who wanted to start her own business.
So I got my license to be a private detective. The company itself, Hetherington Information Services, just celebrated 26 years in business. And to be a PI in most states in the country, you have to apprentice for five years, which I had a great mentor, and everybody's been great all the way up until even yesterday.
Now, Hetherington Information Services, known as Hetherington Group, services the Fortune 50 companies. And our biggest product is what we call digital vulnerability, which is understanding the growth of the last 30 years and what the internet presents us and how we're here today. Real excited to share, still a librarian at heart, and I'm always open to questions and helping the next person next to me with their information needs.
Awesome. So for those that aren't familiar with OSINT, what is OSINT?
Open Source Intelligence, or OSINT for short, is the availability of publicly available information. The acronyms are really rich in this community, but PAI or publicly accessible information. Commercially accessible information, which means it could be your deed to your house or your telephone number or even bits and pieces of information about you, but for a charge, is still an open source. It's still available.
It's easier sometimes to say what private information is, your social security number, you know, your address, things that might be protected by a law or regulation. And this will change as well, depending on what country we're looking at or what jurisdiction.
Or even what state you're in now.
Yeah. So we've been really working in that space for the entire career and lifespan. But sometimes, we call something an acronym that could just be very simply explained as, it's information you could get your hands on.
Yeah. But to me, it is the specificity of getting that information with very little sourcing, so to speak. Like one of the things I've seen and we've talked about before is someone will post a picture online of a garbage bin in a parking lot and say, okay, internet, where is this? And people are able to figure it out.
Especially today, Chris, as you point out, a photo is a bit of information that can actually be searched against. And that wasn't the case even as simply as five years ago. I mean, I'm sure we'll talk about where this is going, but anything that could be used as a start point to locating more detail or specificity about a product, a person, a place, a location or an event.
The INT in OSINT is really what makes this a little different because as it becomes an intelligence product, that becomes deliberate. So when we say open source intelligence, we're saying we're using that bin and that photograph to help identify that location because we might have a crime group meeting there or maybe that's where some evidence was left behind.
So the “INT” is the intelligence. Like, this actually matters for something. And that can mean anything from the government down to a legal case to just answering a question for a business customer.
And I know from interviewing some other people, open source is really important. Open source intelligence is really important when people are investigating like crimes against children, trafficking, and things like that, where we've got little bits of information, little bits of pictures of things in the background of pictures that are inappropriate to talk about. But like, there's information in the background that can help figure out, well, where did this incident actually happen?
We've been using imagery analysis, whether it's mapping or even just a picture of an item. And I'll give you a very basic example that everyone will kind of scratch your head and go, yeah, that makes sense. So in a photograph of a woman who might be considered to be a victim of a crime. You don't have a lot of details. Maybe the picture of her face is blurry. Maybe the background is just too generic, you know, just giant double arches, but you don't know where those double arches land. But then there's her sweatshirt and it says, you know, Belvedere High on it.
We take the image and we all, you know, a lot of folks just with common sense – that's why there are so many armchair detectives today. You know, they're listening to great podcasts, they're watching Netflix documentaries and saying, I could do this too, and they can. And we do romanticize, with our acronyms or language and our hubris about how expert we are. And I will and do stand as an expert in this field. But it doesn't mean that someone with some common sense wouldn’t look and say, Belvedere High, there's only three of those in the country. So why don't you start there?
Yeah.
You know, and it's an image. You said, well, that's not the picture that we're geolocating on a map, you know, using satellite imagery. No, it's just there's only three Belvedere High Schools. It's got to be one of them.
Yeah.
It's how my first case started.
It's a data point. It points you to something. Either the person was there or they currently are near there, or they know someone who is near there.
Yes. Yes.
Or it came from a thrift shop and now it's not relevant.
Exactly.
Although maybe it still is relevant because it was probably bought from a thrift shop near where that school was.
It's really possible. There was a lot of assessments, armchair assessments being done of people during COVID because everybody was getting on their cameras and having their meetings there. So people were dressing more casually, wearing logo T-shirts. Everybody was absolutely, there was an entire Reddit channel to inspecting the backdrops of your Zoom calls. You know, if it wasn't like faded out or melted out and you had books behind you, you know, I was definitely reading the bookshelf. Like, what books are you reading? What inspires you? What book is closest to you? You know, and mentally just after years of doing this, doing threat assessments based on, you know, your Nancy Drew collection.
I remember early on in COVID, I think I did like an episode about work from home. And, you know, for parents and employees about like, what do you need to be careful about, about what's in your background? If the window is open, then people can see the cross streets and they can do that.
Or there was a great story. One of the, some television station, they started like the reporters were sitting at their desks at home with their cameras next to them talking their news story as opposed to being in the soundstage. And there was one story where the, for those that are listening, you can't see this. The camera was kind of, the person was sitting next to the camera. So the camera was looking at their screen and the host. And there was nothing like on the screen itself, except that there were sticky notes with passwords.
Yes.
And here we are, national television broadcasting your passwords.
Yep. Every time.
And so it was little things that like people don't realize what is in the background or what is, once you change the paradigm, all of a sudden what is on your desk suddenly matters. No one ever saw what was on your desk before, but all of a sudden work from home or there's a television camera behind you, all that stuff that you carefully hid off screen is now visible.
Well, you keep your desk clean, right? We all have the keep desk clean policy. And you could say, and I've been doing this trick forever. I mean, I'm an old school detective who just happened to apply technology, but I walk into an office or if I'm in a virtual call and I know I'm looking at the actual backdrop, there's always, and this was an old threat assessment tactic or even a sales tactic.
If you walk in and, you know, maybe this is a little characteristic and not very relevant in 2025, but back in the day I'd walk in and a gentleman, if he was sitting on his desk, would have pictures of his family behind him facing forward. And a woman would always have the pictures facing her. So that sounds a little sexist, but it was just this persistent, consistent thing I saw over and over again. So I would look for those types of indicators even on Zoom calls, because I would say, all right, so there's grandkids or kids in his life. It could be his, he could have married into it. They could have been, you know, they're not like photoshopped kids in there.
And so the conversation would always roll back into something that would bring him back to family because when he's in a good soft space, which is what your family does to you, it creates, it just genetically creates stuff in your brain. It's like, oh, that's a good happy thought. I would slowly roll you into that conversation and then eventually I would get back to the actual sales conversation. You would be in a pliable mood and you would buy my products. Every time.
So out of curiosity.
That's OSINT, by the way.
Yeah. So, and this is, I'm a little nervous to ask this question. For those that are listening to this, you have to go on YouTube and watch this piece of the, this upcoming question. What can you tell about me from what's behind me in this Zoom call? And then I'll have a question about what's behind you on your screen.
Aha. So your imagery looks like it is one of the manufactured images. It's so well-placed. The balance of the imagery is very symmetrical, although there's a tree in one side and then you've got a very old school phone, which I love, a lamp, you’ve got your “on air” – I’m almost going to say that this is a fabricated image. Also, the lighting suggests that there's, because there's a reflection of the phone on the desktop that's behind you. Most of us don't have a light overhead like that, but if it's genuine, it's lovely.
Thank you. It is genuine.
You put some time and effort into it. I love it.
Yes. Well, I should say my wife helped me with it. I am not a designer. My wife is not necessarily a designer, but she has a good idea of things that like, hey, honey, that's really distracting. You don't want it back there.
But this is great balance. I love it because the tree gives a little green in there. And I'm about that. Like my background is also very real.
And to walk through my entire office, and I've shared this before, so this is not like giving up government secrets here, but my building is a church. So this is the old pastor's office.
Oh, nice.
Although it's been updated greatly. And then you can see a little bit of a fluff ball in the corner. I bought the whole building for my dog because, you know, we're a faith-based group and she kind of selected this little spot. So I said, that's great. So we kept the cross on the roof and just updated the whole decor.
Nice. Like I look at your background and the thing that's not high enough resolution for me to tell is there's a reflection of what you're looking at on the TV behind you.
It's the TV across from you.
Or so there's something that's reflecting and I'm like, I can't tell what it is. I was like watching you, like when you were moving and going, okay, it's not the monitor, it's not the Zoom screen, but there's something up there that I can see reflecting, but I can't tell what it is.
Well, so, and I'll take the mystery out, right? So right now it's Morgan Wallen, “More Than My Hometown,” playing on Spotify on the TV in front of me. There's TVs all over this building. And of course, we're watching important intelligence topics, so it's either the Food Network or some sort of music playing in my office.
The dog channel.
Oh gosh, no, I'd have ten puppies in here.
So, we're going to shift gears a little bit. So for the average consumer, should this freak us out? Like, how easily can people find out stuff about me with a few minutes online, with a few dollars to spend?
Well, the good news is if you want to be the person who's going to do the looking up, you really don't even have much to spend these days because much of the information is so readily available. We do not need money or password access to get the basic rundown of an individual, just a person you're curious about. And let me try to put this in a positive way so this doesn't sound creepy or surveillance-y or anything. Perhaps you're going to go and have a meeting with a new – and let's be clear, not new employee, nothing that would violate an equal opportunity piece. But let's just say you're going to have a meeting with someone. You're going to go on a date with somebody new. You've met somebody, you're interested in a new neighbor. You know, that might be a little creeperish, but I know you're all doing it anyway. So like, let's just do this responsibly in the right way.
“We do not need money or password access to get the basic rundown of an individual.” - Cynthia Hetherington
Google is still your number one resource. And the reason Google is so effective is not because it's just this great search engine, which it is, it's because it's the largest data set that's out there. And it is reaching in and capturing information out of the largest repositories of information that are accessible. So when we talk about scalable architecture, Google is going to be bigger than my creeper website or even the Zillows that are out there. I mean, those are huge, huge data sets, but nothing is as big as what Google's index is because it's one big catalog.
Now that I'm there, Google prioritizes the results that it gives back in a way that talks about the algorithms, just called the popularity algorithm. So the thing where you and I both search on coffee mugs at the same time, we both sort through the links. We both happen to click on the same link because it seems like it makes the most sense. And that just tells Google like, oh, that's a popular match when people search for coffee mugs. And I realize I'm talking math to mathematicians here, but just so it comes into context as to why we're influenced to click on certain things.
We are immediately taken with social media, which is why social media is always the first links when you search for personas or people. Because people say, oh, I'm looking for not coffee mugs, but I'm looking for Chris Parker. I want to know more about Chris Parker. Oh, there's his Facebook account, his Instagram, or his LinkedIn particularly. That's where you're self-professing. You're out there with your guard down talking about your abilities, your skills, your book, everything about you. So we all click over there, which is why Google will give us that and its top 10 links.
So Google's our start, and we start gathering a lot of data out of it. But Chris, let's be honest, we're all heading over to ChatGPT or Grok or some other LLM or agentic artificial intelligence, whatever, new tech. We always want to use the new.
Nobody's going on ChatGPT. That's, you know, that's nonsense.
No, Chat, it's okay. He didn't mean that.
Well, ChatGPT to me – and I'll just use the one brand there – reminds me, and I could speak from experience because I was there when the Internet really popped up and it became this force that shoved itself into the information world. And I was sitting behind a reference desk handing out books on Marco Polo. And then someone had a complicated Marco Polo question, and I didn't have the books on the shelf to help him. I turned to the internet, and I just struggled my way. And I'm using Marco Polo as an example, but I can give you a real case example on how it would be solved today with what we have.
So back then, we had a gentleman came into my public library, small library, and he said, “My customer, my client thinks she's being poisoned by her husband. She's getting divorced from him. They still live in the same house. She feels sick every morning. But,” you know, this is the 1990s, like 1992. “I don't know what to test her for. I don't even know where to start.” And I'm like pulling the, you know, Writer's Guide to Poisons off the shelf and the 1-800, if you think you've been poisoned, phone number. But we don't have these resources at our public library.
So I went to the internet and I found a listserv called Forensics L. Still out there. And I wrote, and I said, hey, I'm a librarian from Northern New Jersey. Here's a scenario. This woman thinks she's being poisoned. Is there a book, a resource, a tool? Like, where should I go? Like, what should I look for? And then, and this is important to know, I tell them in the e-mail, I'm like, these are the sources I looked at. Got no answer.
Immediately, it could have been Broward County or one of the Florida County medical examiners caught the e-mail, emailed me directly back and said, it's actually very complicated. Testing for poison isn't just like, you know, spit in a tube and send it off to a website. It's going to require, you know, a lot of back and forth. Have them call me.
And I remember sitting at my desk at like my 286 computer and I was like dumbfounded. I mean, it took me longer to hook up with my Winsock connection than it did to get this guy to e-mail me back with a response. By the way, she was being poisoned. The husband was in a book printing business and the chemical they used to stamp the gold on the tops of leather-bound books, like, you know, Holy Bible, New Testament, whatever, that was the chemical he was slipping in her coffee every day.
Interesting.
So at that moment, though, I was like, wow, the Internet has just blown up my world. I was able to get an expert to talk to an investigator. This is game changing.
Chris, that's what artificial intelligence feels like today. It's that impactful. And I've been using the Internet, not the crypto, not the dark web. None of that has impressed me like what I'm saying.
So today, I could probably answer that very same question in a matter of microseconds, because I would prompt chat the same way as I would as a librarian in 1990. I would go to chat and say, here's the query. I'd throw it out of my head, and I would tell chat, these are the sources I've already looked at. These are the types of authorities I would expect to get answers, because I don't want it to just go off to some fiction author's website. I want it to come back and say, we looked at the medical journal of really important poison experts, and they said this. And it's in the prompting. It's in the question asking that you get the good. Garbage in, garbage out.
Yeah. To me, there's a fundamental skill set on – and I'll use the Kleenex term, you know, Kleenex is a brand, but it's tissue. No one calls it tissue anyway. You call it Kleenex. Google is the same thing. Whatever search engine you're using. Googling something is a skill set. You don't just type in, you know, fish and get answers of, well, what kind of food am I supposed to feed this specific one? You've got to feed it good information. ChatGPT is the same thing. Prompt engineering is the new, how do you actually search something, right?
It's where we're headed with open source intelligence, because when the analyst pool gets together, private detectives tend to be all-in-one consuming product producer. So I'm a private eye, I pick up my phone, I answer the customer, I do the research, which is called collection. I take all that information, I analyze it, I write my report, and then I listen to the fallback. And that's our methodology here called CRAWL: communicate, research, analyze, write, and listen. So one investigator does all of the work.
But when you go into larger institutions like the intelligence community, the military community, or any of these other organized bodies that are producing open source intelligence for their commands, you have collectors, you have analysts, you'll have signal intelligence, you have, Good Lord, you're also, geo-intelligence, geospatial intelligence. You have all the different intelligence arms. And they have to be because they're very large projects with very large amounts of data. So everyone specializes.
But now AI could do that collection for you. The data's out there. And if you go to any of the conferences or talk to any of these specialists in this space, they'll all tell you, we want more data. And I just went to one and I said exactly the opposite. I'm like, you do not want more data. You do not want more data. You want answers. You need to ask smarter questions. You have enough data. Now you have to start asking smarter questions.
“You do not want more data. You want answers. … You have enough data. Now you have to start asking smarter questions.” - Cynthia Hetherington
Like, the Earth is only so big. So what happens when we exhaust all the Earth's resources? We start going to the outer orbits. Well, while someone else is going out to the outer orbit thinking that they're getting more and more, right? Because everyone wants to consume more. Some smart people are saying, you know what? Have we really looked in the ocean? Because if we go like, I don't know, a couple miles deep down there, there might be discoveries we're not even familiar with yet. Atlantis might exist. Who knows?
Just deeper than we thought.
Yeah.
So have the large language models become a good, and not an asset, but a good process for open source intelligence people? Or is it still a little hard to get out of it what you're looking for?
I do keep coming back, and I have these like little sayings. I use them, I’m famous for all these sayings. My office has got them stapled all over the place, but garbage in, garbage out. If you add bad questions, you'll get bad answers.
And then the thing that I do when I'm training in this space to talk about that bit of information is verify for veracity. And this could go into any field and in any part of the profession that you're using technology. Make sure that the questions you're asking are smart. Interrogate the answers you get back. And I truly mean it. Interrogate it from either the data language, the information science language, or the interrogator language, make sure that this would meet a repeatable process.
My CRAWL method is very similar to what's called the intelligence life cycle. And quite frankly and honestly, I didn't know that there was a thing called the intelligence life cycle. When I wrote my first book, I made this thing called CRAWL because I thought it was a good acronym and it was easy to remember. And it's still exactly the same thing, but really what's happening here is we're looking at repeatable processes. CRAWL wasn't based on that life cycle. It was based on the scientific method. Librarians are information scientists. We follow a methodology. Chris, I could walk into a library in SoCal and pull the same book from the same point of the library that I can in North Jersey. We have repeatable processes. We will continually do the same thing over and over again.
So when we talk about LLMs, if I could query that system the same way twice, then I could build an automation. We just happen to call it AI.
And so if you're, and I guess you have to do a certain amount of work to make sure that you're avoiding hallucinations. And that's part of the prompt, I assume.
Yeah, the hallucinations are very real. And actually, that's my biggest topic as I've been moving around the country and doing my little lectures here and there. They're like, oh, Cynthia, why don't you talk about this? And I'm like, no, you don't. You want me to talk about the problems that you're getting confronted with.
And that is beautifully elegant responses to questions that you're like, wow, did they just give me the answer to this? And it's Shepardized and it's ready to go into my court briefing or, you know, I can put this up to the colonel. And the merit of standard for investigations and intelligence work is, would I brief this to my commander or, and for my sake, to a lawyer or a judge? And that's why you verify for veracity to make sure, like, just check the source, just check that information.
And it's like working with a really eager intern. It really is. Like they'll produce stuff all day long, it doesn't mean it's good. It might look good, but it might be very thin. And the people who are getting fined or called out for letting hallucinations slip through their ecosystem, that's lazy, sloppy work. That's like making an assumption based on an IP address. Oh, it was – what was AOL's IP, like 158 or something? That the original AOL always went back to.
Oh, their /8 block? Yeah, might have been 158.
And as soon as you'd see it pop up, you'd be like, that just goes into the ether, we can't tell you where this is. Oh, but if like you read through the email data, metadata, you can – I'm like, no, you can't. Stop trying to make something out of this. The guy's got to say somewhere in e-mail. I'm like, I'm in Tyson's Corner.
I remember corresponding with somebody early on in the days of e-mail and they had sent me an e-mail. I didn't know where they, like, I didn't know what, like someone I casually knew and I didn't know where they worked. And they had sent me an e-mail from their personal e-mail address. And I went through and looked through the headers and found the source IP address and went to ARIN and okay, who's this IP address assigned to? And it was assigned to a small company. Now, if it was assigned to, like, AT&T, then this person could be anywhere in the US. But it was a small block of IP addresses assigned to a company locally. And I responded back to this person something along the lines of, so how do you like working at whatever? And they were like, how do you know where I work? Because it was that IP address that they were emailing from their work.
You did an OSINT.
Yeah. Now, mind you, that one doesn't work anymore, and I think that's probably a good thing that simple of OSINT doesn't work anymore.
No, I hate it. I love that, it made my job so much easier. And a technical trick that we all do.
You know, and OSINTers, which is what I commonly call us, or, you know, these open source intelligence professionals, can get really wrapped around the axle about the technology aspects of what they do. We call it managed attribution, which is basically hiding yourself to do the job. And there's a time and a place for that. If you're going after a drug gang or trafficking or a nation state, you don't want to be like, hey, we're the US military or we're Santa Clara County Police Department. We want to be smart about what we do, but we also have to explain our methodology and our ethical stance for when that thing goes to court. So you've got a certain license, but you don't want to abuse it. You don't want to just cloak yourself all the time.
And I want to bring this point back to like what you're asking me about. Like, what does the ChatGPT expose on us for using this, for finding information about ourselves? What is open source intelligence saying about you, the listener? You know, what are all these things?
Fortunately and unfortunately in the United States, there is no privacy. There's nothing in the Constitution that says you have a right to privacy. There are other countries that do, but there is no right to it here. There is an expectation of privacy. And I'll let the lawyers and the legal minds that are above my pay grade argue about what that looks like. However, here's the real truth of it. Technology is always ahead of the law. I mean, I could tell you that since supporting cybercrime investigators in the 90s, technology's always ahead of law.
And here's the real example of how I got into the privacy business and the OSINT business and how this became a viable feature. How does a librarian turn into a security expert with a 20 plus year business? And it's still available on the internet.
In 1996, a local prosecutor's office out of Manhattan called up, and they handled the special narcotics team. And the head investigator there called up and said, “Cynthia, there's a judge who wants all the narcotics investigators to come into court and testify.” I mean, just think that through. The narcotics investigators work undercover because they're going after little narco gangs on the street, so they have to maintain their cover. But the judge's reasoning was, if I have to be out here in public as the judge, and then if Mrs. McGillicuddy up the block has to come out and testify, why shouldn't these guys come in and testify? They should be coming in. So he said, “What could you find if you just knew their names on a report?”
There was no World Wide Web at the time. But I spent a weekend and I created a 30-page dossier on plain clothes and undercover cops that I could find on the internet at that time. I had a 30-page document. And then I did a little appendix on the judge. Knowing your name, ma'am, this is everything that's out there. And just again, this is circa 1996. So I had a property record, maybe a mention of where her kid went to school because she asked in a bulletin board somewhere about what the best school system was. It wasn't a lot, but it was enough.
And the outcome was, is that the judge saw the reason and said, yes, if I put this officer's name out there, he and his family or she and her family, including myself, the judge, could have retribution of individuals who disagree with our rulings and our work. We see this happening every single day today.
So I, the tactic I used at the time was what I used to hunt people. I'm a private detective. My role is to find people on the internet and to write up reports about everything I can locate that they make publicly accessible. So I used the tactic and I said, darn, if this happens, that means every law enforcement officer out there, if someone wants to Google them because they got a speeding ticket, can find that information. So I did that.
And I ended up creating the very first product and still the oldest product in the space, which is digital vulnerability. And I have a book out there, a white paper, I should say, called Information Exposed. If you were actually to go and visit a very old website, you'll see the 1998 version of this online. So when I meet up with my Mike Bazzells, and they've been at my conference, they've all spoken, and I have a lot of respect, and they've modernized a lot of this, but I'm like, guys, I've been erasing people from the internet since 1996. It's just, it's not hard. This isn't difficult work. You just have to basically stop promoting your entire lives everywhere all the time.
So would that be the key advice for people who are like, you know, I am concerned about what information is out there about me. For someone who doesn't want to hire you to make them disappear, what are the things that they could do to get rid of the low hanging fruit, the super easy, findable information?
Every website that has your information out there should have an opt out button. And I'm actually being very specific about the words I'm using here. You can go and you go to just whitepages.com and you're like, oh, there's my address. It's how a lot of our customers end up coming to us. They just Google themselves and all of a sudden they see information out there that they're shocked about. So for all the PAI websites or that publicly accessible name, address, phone number, relatives, you can look on that website and opt yourself out. You just have to do all that legwork, which is daunting. But it's like doing your taxes. You do it once a year. You check in on the information. You can get a lot of that low-hanging fruit down.
The thing that concerns me, and we are still testing the systems, is that I can now prompt a ChatGPT to do that lookup for me. And ChatGPT will say, well, I'm sorry, but we won't share that information with you, you know? Well, then I could say, well, what about people who live in the LA County area? If you're really wealthy and you love yoga and spas, like what neighborhood are you more inclined to live in? And you just keep prompting it until it spits back like a four block radius. And then you could just do property searches.
So that gets us to the nexus of information. Where is white pages and all those Intelius and all those sites pulling it from? And you find out that it's your own deed, it's your own property record. Well, maybe you do something with your accountant and your attorney to change how your assets are attached to you, because it's your assets that expose you. The stuff you own is taxed and governed by an oversight group, whether it's the local county government, town, state, or federal government. The more times your name gets said because you have to pay taxes or get licensed for it, the more times you'll be put out in a database. All that data is for sale. So if you can own and control that data spread, that helps.
But that final piece is stop with the TikToks and stop with the social media updates and where you're at all the time. That's the common sense side. It's like, no kidding, we all know where you're at. You just told me.
Like to me, I see people who are like, they're prolific about posting about their life, and then they're upset that something, that people found out something about them. Like, well, but you were telling everybody about you. You can't tell everybody everything and then get upset when someone says, well, I know about you.
Yes.
Not that I'm not trying to victim blame, but like there are people who broadcast everything that then turn around and are upset when people find out about everything.
We had a very high net worth client come to us years ago. He's an internet father – a platform father, I should say – and he had an ex-employee who was violent and dangerous. So he went through every extreme, every way to try to remove himself, including engaging us. And we are very specific about the customers – we're not for everybody. You're not going to pay us like 50 bucks and we're going to push a button and get you off the internet. We are the elite. That's why we handle the customers we handle.
And it's because we'll tell some customers, no, this customer taught me this lesson. I said, “For you and your family, the people that live in your house are your points of exposure.” Because most of our customers are way too busy being captains of industry to be making Xbox games or TikTok videos or any of that. They're busy like launching stuff and, you know, products, rockets, whatever. So when your spouses or their kids start posting stuff. That's why we have to include everybody. We say it's a collective. And it's just like everybody at night knows lock the door, lock the windows. You can live amongst society, you can join and do things. We're not asking you to be sequestered like a nun in a monastery, but we're saying, have some common sense.
And in this guy's case, he was really on board, but his new fiancée just got a new social media account and was trying to promote her design studio and kept posting, and that violent employee showed up there. Thank God nothing happened, but we get phone calls from corporate security directors who spin around in a minute. I hate this because it's always after. I'm like, we want to get in front of the problem. Intelligence is about being in front of the problem. And they're like, well, so-and-so just had someone walk up their driveway, and this guy's angry because he voted this way or he said this thing. And I'm like, well, how do you find his driveway? You should have engaged us six months ago. And now that he's there, guess what? He's got to move.
Yeah. And I mean, think about it, that's what movie stars do. They don't, you know, property is not in their name. And hopefully, as long as no one sees them go to that piece of property, then no one knows they're there.
No, we all know they're there, because they broadcast on social media. Oh, and especially Altiza in California. The rain is so bad, it's flooding in my yard. Look, there's, you know, Ms. So-and-so's yard. I'm not going to call out names here because I say this all the time. I watch their videos. They're taking pictures from their pools. And Chris, you said it earlier, I could do a geolocation match directly based on a photograph you've uploaded, even if it's just the sunset. Angle, trajectory, image recognition, geospatial design. And I'm using free tools.
And how much more does the government have?
No, I'm not, we're not talking government spying here.
So you know what? You worry about the government, but the government has to go through so many loops to get the authorization to do anything. And it can't do anything on the US, at least the bodies I'm working on.
But for all the people that are worried about what the government sees, they are the least funded, least manned. Worry about the private detectives that are out there. Because we have the least amount of laws, we have the greatest authority, and if we have the highest paying customers, we could find everything. That's why all those government people come to private security when they get out.
Because they actually get to do something.
We have all the tools.
I mean, because the difference is the government is, in theory, not profiting off the platforms that do this. Whereas some private satellite owner, they sell data. They don't have to worry about process.
Here's something for fun. Imagine that a train goes through your town. Everybody's got train tracks. Nobody thinks about trains anymore. But you think, well, what's the big deal about train tracks? It's just steel, right? No. Train tracks are now new data networks. Because when you lay the steel, you lay all the logistics that go with the steel. And now that everything is improved with technology, a chip or a microchip could be implanted in that micro steel. And it could read back data. And we like that because it helps us with logistics and understanding how quickly our Amazon packages get shipped to us.
Except if certain trains or cargo are going over those tracks at certain periods of time, and who lays the steel and who owns the data of that. And let's just take this out of the country. So if I have trains going around Istanbul or parts of Europe, I could tell you what military shipments are moving at what points and at what times from my office here in North Jersey.
Can you tell under certain circumstances what train, like if you just had the audio of a train going by, would you be able to figure out what train cars, what train tracks and where it is in the world just from the audio of the clickety clack?
I haven't had that case. I would, and this is what every investigator will say: I know a guy, I'll find you a guy, and I would find it. But I would think an audio expert would, because forensically we would be able to find out.
I've worked some train cases, actually, some manslaughter, not a manslaughter case where it was a train injury, and I ended up talking to the engineers. And there are certain aspects of each train, but yeah, I can't imagine that you couldn't not.
However, trains don't just come and go randomly. Like you can't just like a plane, it's on a track. There has to be a trajectory.
So there could only be so many places where that train is in the world.
Exactly, yeah. And it's a piece of cargo. So I might be looking for valuable assets moving around the globe. What's the difference between looking at a tractor trailer full of paper plates going through Miami and a tractor trailer full of diamonds going through Montana? As it gets on and off a cargo vessel that comes into the country, that goes on the back of a tractor trailer, that then gets on a train, tracking that asset around is huge business. And that's, you know, those are the paying customers. Just think of what we do for fun.
I know we're bumping up against the edge of time here, and so we're going to wrap it up. Can you set up a camera, be watching a port, and being able to say that cargo container is valuable, like the contents of that container is more valuable than the contents of this other container, just by how it leaves, how it's handled, who's around it.
I should be able to know that by looking at the manifest of the vessel coming in. So there are databases, and this has been around forever. Think about commodities markets. Think about tractor trailers. In fact, it's actually a pretty straightforward answer. I like to come up with the sexy PI answer, but really comes down to somebody has to insure the manifest. So that's why we know like if it's a large insurance package, you'll see executive protect, or you'll see security vehicles in your neighborhood, you'll see extra pieces in place.
But yeah, I could certainly, within letter of law, set up cameras to do surveillance. Surveillance is possible, but why would I do that when I could just go to a satellite company and buy the videos? I'll just buy the pictures. Again, I'm a very lazy investigator. If I could sit home and do all this from my couch, which I can now, I'll buy a picture from the sky and I'll track it.
In fact, there is a case going on right now I can recommend because it's an open case. It's been talked about in Smithsonian. Off the coast of Colombia, there's a vessel at the bottom of the ocean, an old Spanish warship. It's so sexy. It's got Spanish gold on there. I mean, how cool is that? That's like old, old school story. But, you know, someone discovered it and that company owns that asset at the bottom of the ocean. And yet the Colombian government thinks it owns it because it's a dispute in their court system. So they send a warship out every few days and float over it. I'm like, what are they doing? We don't know. But boy, we could see the pictures.
Oh, fun. Like, to me that like, it must be fun for people who, let's say you're not even an investigator, you're just looking at satellite data and going, huh, this weird thing. It must be fun just looking for weird behavior. Why is this boat circling out in the middle of the ocean? Like, that's not normal, I wonder what they're doing.
We have an entire community of people who love this stuff. It could go all the way from very well recognized and appreciated Bellingcat, who does open source intelligence on military exercises and the movements. They're looking at pictures of, could be Iran or China. Like one day it looked like this, the next day it looked like that. And you gee whiz it.
But then there's all the way down to the local community side where you say like, what's just even what's changing in my community? How is, you know, like we just got a new Amazon factory three years ago where now we have one of the AI technology hubs. What is this doing? There's just so many good ways to use this information.
That's why open source intelligence could really be used by anybody. It's very fancy research with the specific purpose of creating an output. Whether you're an environmentalist who wants to understand the new AI tech plants in your community or you want to see the effects of gentrification in your neighborhood, you know, more parks, maybe less schools, whatever is going on, you can do and use that. Or you think somebody maybe murdered their spouse and they're near a large wooded area. Yeah, there's all sorts of uses for these applications. And it's really up to the creative mind.
As far as keeping yourself safe and protected and keeping yourself off the radar, you don't want to be the one in the picture. Just be hyper aware. Always think about surveillance like gravity. Gravity is a constant presence in our life. We all especially know it as we get older. But if we didn't have gravity, we'd all be floating around like we were astronauts, right? So when you realize like, oh, yeah, that's pervasive, that's a constant thing. Well, the surveillance is also that way. And in the times when you really want to have a true sense of personal sanctimony, special quiet time, get in a room that would generate SCIF-quality acoustics. Or here's the best trick.
No windows, no doors, lots of metal, spaced out by stuff that's not metal.
Exactly. Like you have a Faraday bag for, you know, your coat. But really the best secrets are the ones that just aren't spoken.
Don't talk about Fight Club.
Good point.
So if people want to learn more about OSINT, more about what you do, how to get in this field, how to avoid getting on your radar, do you have any guides, any white papers, any kind of like, how could people learn more?
We have a number of ways. You can learn, you can read, you can join. The best way to learn this type of aspect is to visit us at osintacademy.com. We have open classes. People are always welcome to come in, and you can take a webinar. You can take a few days. It's online. It's in person. It's accessible to all people. And anybody could start at any level. We are very technical, and we also have brand new people coming in. So osintacademy.com is one space.
I have a white paper I've been sharing since 1998, and it's gone through many different names, but Information Exposed really goes into depth about how your public records get out there, how your information is shared. It's not so much the modern guide to just removal. It's the, this is what a property record looks like and why you're out there. It's from a public record standpoint. And that's available at hetheringtongroup.com. I'm sure you have to give us your information to get the information, but, you know, granted, modern day marketing.
And then the last thing I want to make your listeners aware of is there is an association out there for OSINT professionals, and I'm only saying it because it's free membership. So I'm not asking for anything, but OSMOSIS, OSMOSIS, just like it sounds, osmosisassociation.org has 2,500, no, actually 2,600 members and we're in 82 countries now. We talk about this stuff constantly. And for my practicing OSINTers who are out there, we are really, our whole goal for OSMOSIS is to promote this profession, to get it more recognized. We don't want to look like we're working behind the cloak and dagger.
An OSINT professional is an information professional, and we should be sitting at the desk with the accountant, the lawyer, the CEO, because with data as pervasive and challenges like AI coming in, somebody has to be smart enough to understand what vet for veracity means.
And let's go back to the old days, Chris. Garbage in, garbage out.
I love it. Cynthia, we will make sure to post all those in the show notes for the listeners and for the SEO love and all that good stuff. Thank you so much for coming on the podcast today.
Thank you, Chris. It was a real joy. I look forward to hearing more of your podcasts in the future.
Thank you.







