Five Ways GDPR Could Limit Security Research - Page 2

"[A]s things stand the solutions we have identified restrict the service to a very limited set of features," the company said in a statement. "Because of this, the significant resources required to make PICOPS GDPR-compliant, and the fact that PICOPS is not part of our core technology stack, we have decided to discontinue the service despite overwhelming market needs and demand."

Researchers who cull blockchain data may have to take extraordinary care to avoid de-anonymizing personal information and violating GDPR.

4. Take care in mining social media

Researchers who mine social networks for a variety of information—whether for content, to create a network map or to create a profile of individuals—will have to abide by provisions of the GDPR, which has restrictions on automated profiling.

Researchers will have to be careful with research on "anything that is about mining information from social media to find cliques with the same interests or issues, or simply to determine if there is a flu outbreak somewhere," said the University of Ottawa's Jourdan. "The information is going to be less available and considered more private."

In addition, researchers may have to give notice and obtain consent for any non-anonymous data included in a profile and abide by the subject's decisions, according to an analysis by the International Association of Privacy Professionals.

5. Hunting may produce protected data

Another security research activity that will likely be impacted by the GDPR is threat hunting. Using network telemetry and other data to find threats in the network, and then investigating those threats to identify the attacker, will often involve protected data under the GDPR.

For threat-intelligence analysts, this is problematic.

"Countless stories have been shared in the industry about how finding just one email address registered to a domain used for C2 [command and control] malware led to more insights about the malware threat and those operating it," one security firm pointed out.

Overall, threat hunters will have to maintain strong contacts with their companies' legal teams to vet any actions that could identify EU citizens.

"I hope that security researchers will embrace privacy and find ways to work with it," Forcepoint's Ford said. "The security industry will look at how we gather data and practice data minimization."

Overall, the impact of the GDPR on security research has not yet been fully felt, experts said.

"By default, organizations will close things up until they figure out what they can and cannot do," said the University of Ottawa's Jourdan. "For the next few months, everything that has to do with investigating incidents and determining who is behind something will be impacted by GDPR."

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...