"[A]s things stand the solutions we have identified restrict the service to a very limited set of features," the company said in a statement. "Because of this, the significant resources required to make PICOPS GDPR-compliant, and the fact that PICOPS is not part of our core technology stack, we have decided to discontinue the service despite overwhelming market needs and demand."
Researchers who mine social networks for a variety of information—whether for content, to create a network map or to create a profile of individuals—will have to abide by provisions of the GDPR, which has restrictions on automated profiling.
Researchers will have to be careful with research on "anything that is about mining information from social media to find cliques with the same interests or issues, or simply to determine if there is a flu outbreak somewhere," said the University of Ottawa's Jourdan. "The information is going to be less available and considered more private."
In addition, researchers may have to give notice and obtain consent for any non-anonymous data included in a profile and abide by the subject's decisions, according to an analysis by the International Association of Privacy Professionals.
Another security research activity that will likely be impacted by the GDPR is threat hunting. Using network telemetry and other data to find threats in the network, and then investigating those threats to identify the attacker, will often involve protected data under the GDPR.
For threat-intelligence analysts, this is problematic.
"Countless stories have been shared in the industry about how finding just one email address registered to a domain used for C2 [command and control] malware led to more insights about the malware threat and those operating it," one security firm pointed out.
Overall, threat hunters will have to maintain strong contacts with their companies' legal teams to vet any actions that could identify EU citizens.
"I hope that security researchers will embrace privacy and find ways to work with it," Forcepoint's Ford said. "The security industry will look at how we gather data and practice data minimization."
"By default, organizations will close things up until they figure out what they can and cannot do," said the University of Ottawa's Jourdan. "For the next few months, everything that has to do with investigating incidents and determining who is behind something will be impacted by GDPR."