OSInt in tax administrations: The growing potential of the use of freely accessible data in tax investigations.

At the end of 2022, the use of the OSInt technique for the tax investigation of a well-known figure in music was made public, by the Spanish tax agency. Through photos uploaded by the star to her social networks, among other elements, the Treasury was able to geoposition her to prove her jurisdictional residence.

The investigations conducted with the same OSInt process to YouTubers who openly stated moving to Andorra to pay less taxes also prevailed. In these cases, their public life in open sources has made it possible to follow the trail left by the metadata of their contents.

In this blog, we will try to briefly explain the main characteristics of the technique and its potentialities and limitations for the role of controller of tax administrations through the digital ”tracks“ or ”footprints” that are left by the protagonists themselves on social networks and on the Internet in general.

 

What is OSInt?

OSInt is the acronym for “Open-Source Intelligence.” It refers to the process that encompasses the collection, analysis and use of information from public and open sources, such as websites, social networks, forums, blogs, magazines, newspapers, among others, in order to obtain useful knowledge for a specific purpose.

The OSInt is used by a wide range of organizations, including government agencies, judicial, military, intelligence, private security companies, market research companies, journalists, researchers and cyber security analysts. Nowadays, its uses are oriented for marketing purposes, competitive intelligence, prevention of cyber attacks or security threats, and what is known as ”ethical hacking”, which serves to discover one’s own weaknesses, since these techniques are also used in criminal intelligence.

 

The OSInt process consists of the following steps:

  1. Planning the objective: what do you want to achieve with the research, in order to focus the search effectively.
  2. Selection of appropriate sources: This may include public sources, such as social networks, websites, government databases, online publications, among others.
  3. Collect information: A variety of techniques and tools are used to gather information, which may include advanced search engine searches, social media analytics, news monitoring, and searching specialized databases. For this there are a large number of tools, the choice of which will depend on the type of information that is sought, and the objective initially drawn [1]
  4. Analyzing and filtering information: Not all the data obtained are accurate, they must be carefully chosen.
  5. Make a report: Finally, the information is synthesized to produce a report or analysis summarizing the key findings of the research.

Below, we will mention some features that could be considered specific to the scope of TAS:

As for the definition of objectives, the OSInt technique could be oriented for the collection of information aimed at collecting basic information, among others, on:

  • Tax residence of a local or foreign taxpayer.
  • Undeclared assets, such as real estate, bank accounts, virtual wallets, etc.
  •  Significant consumption.
  • E-commerce on collaborative platforms and in non-traditional channels.
  • Hidden final beneficiaries.
  • Fiscally relevant social and economic relations

Likewise, these objectives should be adapted to the specific needs of the risk that is intended to be addressed, differentiating a specific forensic audit action to a specific subject, to an investigative task aimed at the preventive detection of cases with certain deviations, where the subjects that will make up the universe are not known in advance.

In relation to the sources of information, it is essential to correctly choose those external sources of a public nature and of legal origin, which allow interaction with the internal data managed by the organization, in order to cross-reference them to obtain deviations that indicate tax interest.

Next, the tools to be used for data collection may become a limitation for the process, within the framework of the policies of use of computer means, access to platforms and security standards in force in the TAs.

In this sense, in the Tax Administration Review Nº42 of CIAT[2], González García mentions that an administration may decide to train its employees in the use of personal tools, so that each of them will then have to perform the risk analysis, cross-referencing their data with those of corporate IT, or else create a mass download tool and provide an environment with integrated information in which all investigators, without the need for specialized IT knowledge, can perform the risk analysis.

The author considers that the latter is superior for the following reasons: a) The difficulty in training a large number of auditors in relatively sophisticated computer technologies, b) The disadvantage associated with the fact that the data of the different investigations cannot be consolidated to have a global view of the risk in the sector if they are carried out on PCs to which the security problems are associated, c) The loss of efficiency caused by the reduplication of tasks and d) last but not least is that obtaining the information requires in almost all cases, a high technical expertise, to get around the defenses put up by the pages to avoid their collapse with requests, to face the fact that the same data on each page has a different format, and many others.

As the growth in storage and open access data sources is exponential, as well as the type of software used for the search, analysis, interpretation and visualization of the objective information, the incorporation of the OSInt technique to the TAs requires adequate planning and highly trained teams in the use of available computer applications or self-developed for such purposes.

The analysis and filtering of the data could be the task that the greatest interdisciplinary expertise could demand. The varied amount of data provided by the tools requires a reliability test by contrasting it with other sources of information, since it may be false data due to corresponding to homonyms, use of names of famous people in unverified accounts, fake news, etc. At the XII Congress of Tax Collecting Entities of the CEAT[3], it was expressed that it is essential to classify this information obtained with OSInt, in order to verify the veracity and integrity of a large amount of information that advanced searches yield. This requires experts in interaction with other sources and intelligences. [4]

Finally, the data collected from Internet fingerprints will be converted into reporting information to be used for tax purposes, which may include photos, metadata, videos, and other public and open (i.e., unencrypted) multimedia sources that do not require authorization. Therefore, compliance with local and international rules on data privacy and its proper use should not be ignored.

That is why the multidisciplinary approach should include the work of analyzing the legality in the collection of data, in order to ensure that they are obtained from sources of unrestricted public access and are collected only for the proper function of the tax administration, in order to avoid disclosures of private data and the eventual dismissal of the evidentiary means by the well-known doctrine of the “fruit of the poisoned tree”

In summary, although OSINT can be a useful technique for investigations for tax purposes, we must consider our own limitations and carefully assess how the information obtained is filtered and used. It is essential to ensure compliance with the applicable legislation and regulations and to use the information obtained in an ethical and responsible manner.

 

[1] Just to quote a few: Google Dorks, Maltego, Shodan, Recon-ng, theHarvester, Creepy, Metagoofil, Brandwatch, Netlytic, NodeXL, Social Mention, etc.

[2] The Control of Electronic Commerce and the Collaborative Economy – Ignacio González García – Revista de Administración Tributaria Nº 42 – CIAT – June 2017

[3] XII National and International Congress of Collecting Societies – Center for Studies in Tax Administration of the Faculty of Sciences Economic from the UBA – Argentina. Osvaldo Falabella, Marcos Russo, Andrea Vera. – The OSInt at the AATT – 04/05/2023 – CPCECABA https://www.youtube.com/watch?v=Al4zJW4zR8c

[4] For example: HUMINT (Human intelligence); IMINT (Image Intelligence); SIGNT (Signals intelligence); SOCMINT (Social network intelligence); MASINT (Recognition and signature intelligence)

2,213 total views, 3 views today

Disclaimer. Readers are informed that the views, thoughts, and opinions expressed in the text belong solely to the author, and not necessarily to the author's employer, organization, committee or other group the author might be associated with, nor to the Executive Secretariat of CIAT. The author is also responsible for the precision and accuracy of data and sources.

Leave a Reply

Your email address will not be published.

CIAT Subscriptions

Browse through the site without restrictions. Consult and download the contents.

Subscribe to our electronic newsletters:

  • Blog
  • Academic offer (Only in spanish)
  • Newsletter
  • Publications
  • News alert

Activate subscription

CIAT Members

Representatives, Correspondent and Authorized staff (TA)