A licensed investigator opens a browser and runs a subject search — employment history, public records, associated addresses. Two streets away, an abusive ex-partner does the same. The tool is identical. The output is identical. What differs is everything that surrounds the query: the purpose, the pattern, the duration, and whether the subject has any reason to expect the level of attention being directed at them.
This is the central problem of open-source intelligence in 2026. The methodology of OSINT and the methodology of stalkerware-enabled surveillance share significant technical overlap. Both involve aggregating data from multiple sources. Both involve building a profile of a specific individual. The legal and ethical distinction does not live in the tool — it lives in the behaviour, the intent, and the pattern. For a broader framework on where investigation ends and surveillance begins, see The OSINT Ethics Spectrum.
This article examines that line from both sides: for the investigator who needs to know where legitimate research ends, and for the individual who suspects they are the subject of something more than professional interest.
The FOUR Rubric: A Shared Analytical Framework
Law enforcement and forensic psychologists use several structured frameworks to distinguish persistent unwanted attention from normal information-seeking. The FOUR rubric — Fixated, Obsessive, Unwanted, Repeated — is widely used in stalking risk assessment and applies equally to digital investigation patterns. It is useful because it is behavioural rather than technical: it does not ask what data was accessed, but how and why.
Fixated
The focus is on a specific person rather than a topic, a category, or a data point. An OSINT investigation into a company’s corporate structure is not fixated in this sense — the subject is an organisation and the inquiry terminates when the question is answered. An investigation that keeps returning to one individual — their movements, relationships, communications — regardless of whether the original question has been answered, exhibits fixation.
For the investigator: Ask whether the scope of your inquiry would survive external scrutiny. If the information you are seeking is about a person rather than a specific question that person’s data can answer, document why that individual is the relevant unit of analysis and what terminates the inquiry.
For the target: Fixation is often the first indicator that attention has become a pattern. If someone consistently knows details — your whereabouts, recent social activity, professional moves — that they could only know through sustained focus on you specifically, fixation may already be established.
Obsessive
The behaviour is disproportionate to any legitimate need for information. A background check on a prospective business partner is proportionate. Running the same check monthly after the partnership is established is not. Monitoring a public figure’s published statements is proportionate for journalism. Monitoring their personal account for engagement patterns on a daily basis is not.
Proportionality is also the test GDPR applies to data processing under Article 5(1)(c): data must be “adequate, relevant and limited to what is necessary.” Applied behaviourally — is the volume and frequency of information-seeking proportionate to a stated legitimate purpose? — it provides a clean self-audit for investigators.
For the investigator: If you find yourself returning to a subject outside the scope of a specific instruction, or retaining data beyond the period required for the assignment, proportionality has been broken regardless of whether each individual query was technically permissible.
For the target: Disproportionate information-gathering often surfaces indirectly. Someone references minor details of your day-to-day life that would require sustained monitoring to know. The volume of what they know is inconsistent with the number of legitimate interactions you have had with them.
Unwanted
The target does not consent to the level of attention directed at them. This criterion intersects directly with GDPR’s lawful basis requirements under Article 6: in the absence of consent, a legitimate interest must be established and must not be overridden by the data subject’s interests or fundamental rights. For private individuals — with no public-interest dimension to their activities — that test fails almost universally for persistent personal monitoring.
Critically, public availability of data does not confer consent to its aggregation. A name appearing in a company registry, a photograph on a professional profile, and an address in a public record do not constitute consent to those data points being combined into a persistent dossier maintained and updated without the subject’s knowledge. The mosaic effect — where individually innocuous data points combine into something the subject would find deeply intrusive — is the mechanism that crosses the consent threshold at the aggregate level.
For the investigator: The public availability of each data point does not resolve the consent question for the composite profile. If the dossier you are building would alarm the subject if they knew it existed, and no specific legitimate purpose justifies it, the unwanted criterion is engaged.
For the target: You do not waive your right to object to surveillance simply by having a LinkedIn profile or because your address appears in a public registry. GDPR Article 21 gives you the right to object to processing based on legitimate interests — that right applies to investigators and data aggregators alike.
Repeated
This is not a one-off search. It is a persistent pattern. This criterion is also central to how criminal law defines stalking: the Protection from Harassment Act 1997 (UK), as interpreted in Lau v DPP [2000] and its subsequent evolution, requires a “course of conduct” rather than a single incident. What constitutes a course of conduct has progressively expanded in digital contexts: repeated profile views, repeated searches, or a sustained monitoring infrastructure can each constitute an incident in the analysis, even without direct contact with the subject.
European jurisdictions have developed equivalent frameworks. The Dutch Hoge Raad has recognised in multiple rulings that systematic tracking of social media activity and location data constitutes stalking under Article 285b Sr where it is directed at a specific individual and creates a reasonable fear. German courts applying §238 StGB have reached the same position on behavioral monitoring applications. The EU’s 2024 revision of the Victims’ Rights Directive explicitly names digital stalking as a form of conduct requiring legal protection.
For the investigator: If your inquiry involves returning to the same subject across multiple sessions, for reasons that have expanded beyond the original mandate, the repetition criterion is engaged. A single comprehensive investigation is structurally different from recurring surveillance of the same individual.
For the target: Repetition is what transforms curiosity or a single professional inquiry into a pattern with legal significance. It often becomes visible through timing — information known shortly after it was posted, awareness of movements that follows a consistent pattern, responses to content shared in semi-private settings.
The Technical Distinction: Functional vs Behavioral
The cleanest operational test for distinguishing OSINT from surveillance is not about the data source but about the query structure.
A functional query is discrete and terminates when answered: “What email address is registered to this domain?” “What companies is this person listed as a director of?” The inquiry has a specific object, a definable answer, and a natural end state. Once the question is answered, the need for further inquiry is resolved.
A behavioral monitoring query is persistent, subject-focused, and open-ended: “Alert me every time this person posts on Instagram.” “Notify me when this phone appears near this address.” “Track every time this account likes a post or changes a profile detail.” The inquiry has no defined end state. It is not answering a question — it is maintaining continuous awareness of a specific person’s activity.
This distinction maps directly onto the EU AI Act’s Article 5 prohibitions, fully in force from August 2026: real-time remote biometric surveillance in publicly accessible spaces is prohibited. Emotion recognition systems applied to individuals without their consent are prohibited. Social scoring systems that evaluate people based on their behaviour over time are prohibited. These prohibitions reflect a legislative judgment that persistent behavioral monitoring of individuals — regardless of the data source or the technical sophistication of the tool — crosses a line that functional inquiry does not.
Stalkerware operates almost entirely in the behavioral monitoring register. The Coalition Against Stalkerware’s 2025 Annual Report documented over 31,000 unique devices affected by stalkerware applications in Europe in 2024, a 17% increase on the previous year. The report identifies a structural pattern: stalkerware is overwhelmingly installed by intimate partners or ex-partners, is frequently disguised as parental control or employee monitoring software, and in the majority of cases operates without the knowledge or consent of the device owner. The primary data collected — continuous location tracking, keystroke logging, message interception — is precisely the behavioral monitoring data that the EU AI Act and GDPR were designed to address as a distinct harm category.
Legal Architecture: Where Europe Draws the Line
EU AI Act (2026)
Article 5 of the EU AI Act creates absolute prohibitions on AI systems that build persistent behavioral profiles of individuals without their knowledge. The prohibition on real-time remote biometric identification extends by interpretive logic to any AI-enabled system that maintains continuous awareness of a named individual’s location, activity, or identity across public and private contexts. The Act also prohibits systems designed to “exploit vulnerabilities of specific groups of persons” — a category courts are expected to interpret to cover surveillance tools deployed in abusive relationship contexts.
Practically: any commercial application that markets itself as providing continuous background awareness of another adult’s device or location, without that adult’s active and informed consent, faces a structurally difficult case under Article 5 from August 2026.
GDPR and Special Category Data
Persistent behavioral monitoring frequently generates GDPR Article 9 special category data without the controller intending it. Location patterns can reveal health conditions, religious attendance, and political participation. Relationship networks can reveal sexual orientation. Systematic movement data can reveal economic vulnerability. The aggregation of individually non-sensitive data points into a behavioral profile routinely crosses the Article 9 threshold — requiring explicit consent or another specific lawful basis that neither commercial surveillance tools nor individual actors conducting personal surveillance can satisfy.
The Lau v DPP Evolution
Lau v DPP [2000] established the foundational principle in harassment law that a course of conduct must involve at least two incidents, assessed in context — their nature, the relationship between parties, and cumulative effect on the victim. The evolution since 2000 has progressively expanded what constitutes an incident in digital contexts: a persistent monitoring application running continuously constitutes a prolonged incident; a series of covert location checks constitutes a course of conduct; the maintenance of a shadow profile of someone’s digital activity constitutes preparation for harassment even before direct contact occurs.
For OSINT practitioners, the significance is that the course-of-conduct analysis does not require intent to harass — it requires a pattern of behaviour that a reasonable person would find alarming. Investigators who return to a private individual repeatedly, who maintain aggregated profiles beyond the scope of a specific instruction, or who monitor ongoing activity rather than answering discrete questions, are conducting activities that case law is progressively bringing within the stalking and harassment framework.
ENISA Threat Landscape 2025/2026
The ENISA Threat Landscape Report 2025 classifies stalkerware explicitly within the spyware taxonomy, distinguishing it from commercial surveillance vendors — addressed separately as “commercial surveillance tools” — by its deployment context: stalkerware is characterised by installation by a known individual on a known target’s device, as opposed to nation-state or commercial-grade remote deployment.
The significance of this classification is structural: it places stalkerware within the scope of the EU Cyber Resilience Act and NIS2 Directive’s incident reporting requirements. Device manufacturers and platform providers now have regulatory obligations to detect and report stalkerware as a security incident — not merely as a terms-of-service violation. This is a material shift from the pre-NIS2 environment in which platform responses to reported stalkerware were largely discretionary. Under NIS2, a platform that becomes aware of stalkerware operating through its services and fails to act faces its own compliance exposure.
If your organisation uses OSINT tools or monitors third-party investigators, a Corporate Audit maps exactly what is findable about your executives, what credentials are in circulation, and where the boundary between investigation and surveillance runs in practice.
Boundary Markers for Investigators
Five questions applied before beginning any subject-focused inquiry:
- What specific question am I answering? If the question cannot be stated in a single sentence, the scope is undefined.
- When is this inquiry complete? An investigation without a defined end state is surveillance.
- Who has authorised this, and is it documented? Written instruction with a defined scope protects both the investigator and the client — organisations that commission regular external intelligence work typically begin with a defined audit scope. Verbal instruction is insufficient for serious investigation work.
- Would the data I am retaining survive a GDPR Subject Access Request? If the subject requested their data from your records tomorrow, would the retention period and purpose be defensible to a DPA?
- Is my inquiry functional or behavioral? Answering a specific question is different from monitoring ongoing activity.
Documentation of purpose and scope is not merely good practice — it is the primary protection against an investigation crossing a line that cannot be uncrossed. A note written at the start of each inquiry — stating the question being answered, the authorising party, and the intended data retention end date — creates a defensible record that distinguishes professional investigation from personal surveillance. It takes five minutes and matters considerably if it is ever reviewed.
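The five questions and the start-of-inquiry note can be checked mechanically against an investigator's own query log. The following is an added example, not tooling from the article or from any named product; the inquiry note, the query log, the `audit` function and the one-sentence heuristic for the scope question are all constructed here.

```python
from datetime import datetime, date

# Constructed sample data (not from the article): a start-of-inquiry note and a
# query log in the shape an investigator's own tooling might keep.
INQUIRY_NOTE = {
    "inquiry_id": "INQ-042",                        # hypothetical identifier
    "subject": "J. Doe",                            # constructed subject
    "question": "Is the subject listed as a director of any active UK company?",
    "authorised_by": "client-contact@example.com",  # placeholder authorising party
    "retention_end": date(2026, 3, 31),
}

QUERY_LOG = [
    # (timestamp, inquiry_id, kind, description) -- constructed entries
    ("2026-03-02T10:01:00", "INQ-042", "functional", "company registry director search"),
    ("2026-03-02T10:15:00", "INQ-042", "functional", "cross-check of registry result"),
    ("2026-03-09T09:30:00", "INQ-042", "functional", "director search re-run"),
    ("2026-03-16T09:31:00", "INQ-042", "behavioral", "alert on new social media posts"),
    ("2026-04-02T08:00:00", "INQ-042", "functional", "current address lookup"),
]


def audit(note, log, max_sessions=1):
    """Return the boundary markers the log engages, each with its evidence.

    Keys: scope_undefined, unauthorised, repeated, behavioral, past_retention.
    An empty dict means every query stayed inside the documented scope.
    """
    findings = {}
    # Q1: the question must be statable in one sentence (crude heuristic: one terminator).
    if sum(note["question"].count(c) for c in ".?!") != 1:
        findings["scope_undefined"] = note["question"]
    # Q3: an authorising party must be recorded.
    if not note.get("authorised_by"):
        findings["unauthorised"] = note["inquiry_id"]
    entries = [e for e in log if e[1] == note["inquiry_id"]]
    # Repeated: more distinct sessions (days) on the subject than the mandate allows.
    sessions = sorted({ts[:10] for ts, *_ in entries})
    if len(sessions) > max_sessions:
        findings["repeated"] = sessions
    # Q5: an open-ended, subject-focused query is monitoring, not a functional inquiry.
    behavioral = [desc for _, _, kind, desc in entries if kind == "behavioral"]
    if behavioral:
        findings["behavioral"] = behavioral
    # Q2/Q4: queries after the documented retention end date have no defined end state.
    late = [ts for ts, *_ in entries
            if datetime.fromisoformat(ts).date() > note["retention_end"]]
    if late:
        findings["past_retention"] = late
    return findings


if __name__ == "__main__":
    for marker, evidence in audit(INQUIRY_NOTE, QUERY_LOG).items():
        print(f"{marker}: {evidence}")
```

Run against the constructed log, the audit flags four separate sessions on one subject, one behavioral alert, and one query after the retention end date; the first two entries alone produce no findings.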
Recognising Surveillance: A Guide for Targets
Technical indicators on your device
- Unusual battery drain, particularly when the device is idle
- Elevated background data usage from applications that should not require network access
- The device remaining warm when not in active use
- Unfamiliar applications, or applications with location, microphone, or camera permissions you did not deliberately configure
- Location sharing left active on accounts without your knowledge — Apple Find My, Google Location Sharing, WhatsApp Live Location
Behavioural indicators
- The other party references specific details of your daily activity — locations, conversations, purchases — that you have not shared with them
- They appear to know your movements in advance, or respond to social media content within seconds of it being posted
- They know the content of messages sent on platforms you do not share with them
- You find repeated unfamiliar accesses in your account activity logs — most major platforms provide this under GDPR Article 15 access rights
What to do
If you have reason to believe stalkerware is present on your device: do not remove it immediately. Abrupt removal frequently alerts the installing party and can escalate risk, particularly in domestic abuse contexts. Contact a specialist support service first — the Coalition Against Stalkerware maintains a directory of national partner organisations.
For OSINT-based surveillance that has not involved device compromise:
- Submit a formal Article 17 erasure request to any data broker or platform you believe is the source of information being used to monitor you
- File a complaint with your national DPA (AP, CNIL, BfDI, ICO) if a specific data controller is identifiable as the source of the monitoring
- File a police report framed around the FOUR criteria — documenting the fixation, the disproportionate nature, the absence of consent, and the pattern. This structure maps directly onto the course-of-conduct analysis that investigators and prosecutors use
The boundary between OSINT research and surveillance is not always visible from the outside. It is visible in the pattern, the intent, and the documentation — or the absence of it.
Resources
- Coalition Against Stalkerware — national partner directory and safety planning guides: stopstalkerware.org
- Netherlands AP — data subject rights complaints: autoriteitpersoonsgegevens.nl
- France CNIL — online complaint (plainte en ligne): cnil.fr/fr/plaintes
- Germany BfDI — file a complaint (Beschwerde einreichen): bfdi.bund.de
- EU AI Act full text — Regulation (EU) 2024/1689: EUR-Lex
- ENISA Threat Landscape 2025: enisa.europa.eu/publications