Frequently Asked Questions

This FAQ page is a digest of questions e-mailed to Qwarie, along with the answers we supplied.

1. Choice of Browser

A1.2. Depends how you define 'safe'. Technically Chromium is safe, but for OSINT research, we understand that it is not safe.
Check out these links:-
https://www.reddit.com/r/privacy/comments/34tc2f/how_safe_is_chromium_privacy_wise/

This one is more tech, but it demonstrates that the code behind Chromium makes a lot of connections with Google.
305, to be precise.
https://cs.chromium.org/search/?q=clients2.google.com&sq=package:chromium&type=cs

When an OSINT researcher uses Chromium, the evidence is leaking to Google.

Reputationally, there is too much risk for Qwarie to release mSIS for Chromium.

A1.3. https://restoreprivacy.com/secure-browser/ advise that there are privacy concerns with:-
- Google Chrome
- Microsoft Internet Explorer/Edge
- Opera

A1.4. Good question! Three reasons why Qwarie has not developed mSIS as a Chrome extension.

1. Privacy. Chrome leaks, Firefox doesn't leak.

2. GDPR. Chrome allows for rapid rendering of a page, so it can be saved as an off-line archive.
If we had made a Chrome extension, allowing a customer user to download and save personal information about people that are connected with the subject of an investigation on, for example, a Facebook page, where those other people that might be no part of the investigation, and where there is no legal basis to download and store that personal info, mSIS would allow the user to contravene the GDPR.
Our customer might receive a large fine from the ICO for contravening the GDPR. At Qwarie, we know we are safe. Our customer users won't get inadvertent exposure while using mSIS with Firefox.

3. Be diligent. As an OSINT researcher, you should keep your general web activity well separated from your OSINT research.
We recommend you should use Bravo for general web activity and Firefox for OSINT work. This way, pages that are not part of an investigation will not, by error, find their way into an investigation. Very unprofessional and embarrassing if it happens!

4. Stay safe with all of your on-line activity, do not use Chrome, Chromium, Internet Explorer/Edge.

A1.5. Ask your Sys Admin to check out other FAQs on this page, and hope they think again. If not, escalate the issue to your compliance officer or legal counsel, so that you are not responsible for decision that might compromise your company.

A1.6. The Brave browser is addressing privacy issues. We are assessing Brave and if it proves to be safe, we will release an mSIS extension for Brave.

A1.7. According to some browser testings, once installed, Edge runs scripts for data collecting and tracking, and sends information to Microsoft, Google, and others.

Check Jonathan Sampson's post, and see exactly what happened when he installed the Edge browser.

A1.8. We researched Internet Explorer as a safe and secure platform for mSIS and OSINT research.
What we discovered was quite disturbing.

https://www.telegraph.co.uk/technology/2019/02/08/stop-using-internet-explorer-warns-microsofts-security-chief/
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt
https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/The-perils-of-using-Internet-Explorer-as-your-default-browser/ba-p/331732

Clearly, IE is not safe for OSINT researchers. We did not want to expose our customers to risk, so we did not build mSIS for IE.

2. Procurement

A2.1. No. VAT is not included in the published price.

The Paypal payment system charges £50/licence/year plus VAT at 20%.

Entities in Europe, that are not VAT registered, including private individuals shall be charged £10 on top of the product price.
The value of the VAT, £10 is applied to the price and cannot be deducted.

Any buyer from outside of Europe, should use the form here to recover the VAT paid with an on-line purchase.

Businesses in Europe that are VAT registered might wish to recover the VAT from Qwarie
but also, they can recover the VAT on their next VAT return.

A2.2. Contact Qwarie using the form here.

Discounts are available on volume purchases and induction training is included free for a purchase of 10 and more licences.
Expenses might be charged.

3. mSIS & OSINT Research Processes

A3.1. As you are an insurance company, you are obliged to comply with the GDPR. Where you archive a page on a corporate website, there is unlikely to be a GDPR issue. However, where you archive a page from a social media platform, there are GDPR implications. The page might include posts and 'likes' from users that are not the subject of your investigation. You have no legal basis to store information about any person that is not the subject of your investigation.

To be sure, you should take advice from your Compliance Officer or Legal Counsel. Pass the responsibility for your investigation policy to the appropriate department, so that you are not held responsible in the event of an ICO investigation.

A3.2. As a UK Law Enforcement Agency, you have to comply with RIPA. Be really careful about the wording of the authority you receive. For sure, you can archive pages that relate to the subject of your investigation, but what happens if the person you research has the same name as your subject, but is not your subject?

It is unlikely that your authority will extend to, for example, all people called John Smith.

Chances are, the authority will only permit you to archive data relating to the subject. The LED might permit the storage of some collateral personal data, but be careful, step outside of the Directive and a defence counsel might have your prosecution thrown out on that, 'technicality'.

Why do you want to archive anyway? Lets assume you do have the authority to archive safely, the data is in a flat file. Do you have the capability to extract the personal data into an intelligence analysis application?

We recommend you stay safe, conduct effective OSINT and Social Media research, by taking appropriately annotated screenshots of legitimate evidence, and deliver a legally safe Case Bundle for prosecution.

An agency policy that allows you to archive pages on social media platforms exposes your agency to risk that is not necessary, where good OSINT research protocols are followed.