The White House is asking European regulators, through the State Department, to create an exception in their impending General Data Protection Regulation, one that would allow security researchers to easily look up data related to data breach and botnet investigations.
The GDPR applies to any company handling data about EU residents, and will have a significant impact on the billion-dollar cybersecurity industry, but some of its privacy provisions could have a negative effect on security researchers’ work.
For example, the Internet Corporation for Assigned Names and Numbers (ICANN) collects basic information, including name and physical address, for every domain name that is registered, and stores it in its publicly searchable WHOIS database. These details are easily forged or obfuscated, but the information can provide clues about a cyberattack.
With the way GDPR is currently written, ICANN may withhold some of this information from public searches, thereby making it less useful to security researchers. The organization plans a system of “accreditation” which will allow journalists, law enforcement, and security researchers access to the full set of data, but that won’t be ready until December at the earliest.
