Open Source Due Diligence Summary

This summary is designed to help researchers identify, assess and manage risks to your research and work—especially risks arising from partnerships. It provides you with tools and techniques drawn from Open Source Intelligence (OSINT) to collect and analyze public information to identify national security risks associated with research partnerships.


PDF version

What are open source due diligence methods?
Why should you use them to research partners?

Open source due diligence methods bring focus and intent to online research and discovery. They help you build a structured approach to finding and interpreting information to make important decisions. You should use open source due diligence methods to verify that your partners are who they say they are; confirm that their relationships and motivations are clear; and ensure no obvious sources of unwanted control or influence exist. This will enable your research to remain secure while pursuing open and collaborative partnerships that benefit Canada.

What should open source due diligence help you find?

The most significant national security risks to your research are:

  • Transferring of your research knowledge to foreign governments without your consent.
  • Tampering with your research to reduce its value or potential benefit to Canada, or damage your reputation and achievements.

National security risks are more likely if your research partner has conflicting interests or is controlled or influenced by a foreign government. Due diligence helps you find some risk indicators like:

  • Structures or relationships that may compromise your partner’s autonomy.
  • Indications of connections to foreign governments, militaries or security services on sensitive research areas.
  • Information that shows your partner operates in countries known to steal intellectual property from researchers.
  • Any information that suggests lack of transparency.

Remember that the accumulation of information, combined with your understanding of your research’s sensitivity, will help you assess the risk level.

 

Follow the step-by-step approach below to conduct efficient and effective open source due diligence:

 

 

Plan your open source due diligence

 

Step 1 – Understand your baseline risk:
You know your work and how it might be used and how that might make it a target. Rely on this understanding to establish a baseline risk.

Step 2 – State what you know and identify gaps:
What do you know about your partner? What would you want to know about their motivations and goals?

Step 3 – Develop questions:
Search online for quick information. Identify more detailed questions to fill gaps in your knowledge, and to understand your partner’s intentions, independence and integrity.

Step 4 – Turn questions into tasks:
Start with basic, factual tasks.
Always include your information source.

 

Information source Use case
Corporate Records Establish corporate owners and shareholders
Identify parent companies and subsidiaries
Corporate Websites Review partnership and investment press releases
Confirm partner’s biographical details against other sources
Academic and Awards Databases Identify other partner-funded projects to understand priorities and collaborators
IP and Patent Databases Identify patents and other IP that originated in Canada but are owned by a foreign partner
Sanctions Verify that Canada, the U.S., U.N., etc. have not sanctioned a research partner
Controlled Goods and End User Lists Verify that partner is not at high risk of diverting research to their country’s military and security
Legal Databases Verify that partner has not been involved in civil or criminal actions related to your research area or generally

 

 

Pursue your findings fully by mapping each to an outcome

 

  1. Determine what to look for by defining where you want to look, what information you want to look for, and what controls you can put in place to refine your search and get good results.
  2. Decide if your search results are relevant and worthy of more attention.
  3. Choose which leads to pursue and in what order.

Outcome 1
No meaningful findings: Repeat your search with different tools, databases or keywords. Try to prove yourself wrong.
Confirm your assessment.

Outcome 2
What do you know about your partner? What would you want to know about their motivations and goals?

Outcome 3
Immediate, risky findings: Document high-risk findings. Collect evidence. Repeat your search with different tools, databases or keywords. Verify and prove your concerns.

You should have enough information to describe your findings to someone else and to make informed decisions. Can you explain the potential risks? Have you exhausted your research methods?

 

Document and explain your findings

 

  1. Be ready to describe your findings and assessment clearly and unambiguously. Draw reasonable conclusions. Avoid speculation. Document everything.
  2. Is the information verified and the source reputable?
  3. Based on what you know about your research area and your findings, what risks could arise in the partnership?