OSINT is completely legal because it only uses information that is available through “open sources”. This means that it doesn’t include information that is kept within your organisation’s database, but rather just information available from public sources.
From social media to news articles and press conferences, the information gathered by OSINT is available to everyone. There’s a vast array of information spread around the internet, and any of this information can be found. While everyone has access to this information, OSINT simply allows a cybercriminal to gather all the information they need in a more precise and efficient way.
This is done through various tools and techniques. In other words, a cybercriminal doesn’t have to sit behind their computer screen for hours on end searching for relevant information, there’s software that gathers all the intelligence for them. Because they’re not breaching your security, there’s nothing illegal about OSINT.