White House pushing for research carveout in GDPR

Some privacy provisions in GDPR could have a negative effect on security researchers' work.
EU sanctions
European Union flags in front of the European Parliament in Brussels. (Getty Images)

The White House is hoping to convince European regulators to protect security researchers in their General Data Protection Regulation so they can continue to scrape data that’s relevant for data breach and botnet investigations, according to White House Cybersecurity Coordinator Rob Joyce.

GDPR, which mandates companies with European customers to have numerous data protections in place, goes into effect May 25, 2018. The law will have a significant impact on the billion-dollar cybersecurity industry, but some of its privacy provisions could have a negative effect on security researchers’ work.

One of the more concerning developments revolves around access to data published by the Internet Corporation for Assigned Names and Numbers (ICANN). Whenever a domain name is registered, ICANN requires information like, a name, IP address and physical address to be submitted. While these details are sometimes forged, that information can provide clues about a cyberattack.

ICANN stores all of this data in a record archive known as WHOIS. With the way GDPR is currently written, ICANN may scrub aspects of WHOIS, thereby making it less useful to security researchers.


Security professionals have criticized the impending change. In an interview with independent cybersecurity journalist Brian Krebs, Gregory Mounier, head of outreach at EUROPOL‘s European Cybercrime Center, said that “the new WHOIS plan could leave security researchers in the lurch.”

“Let’s say you’re monitoring a botnet and have 10,000 domains connected to that and you want to find information about them in the WHOIS records, you won’t be able to do that anymore,” Mounier told Krebs.

Joyce said Tuesday at a cybersecurity conference in Annapolis, Maryland that he was also concerned by the chilling effect that GDPR may have on some cybersecurity research projects and investigations.

“We share some of your concern that some of the internet metadata that lets us hunt threat actors and which enables businesses to understand where the threats originate may be affected by GDPR,” said Joyce. “We are actively attempting to push back and fix or create a carve out in the regulations for GDPR … we think there’s room and time to get the ICANN records exempted from it.”

The Department of State is the lead U.S. agency in contact with the European Commission’s working group regarding GDPR compliance negotiations.


“Multiple other international partners have raised this same concern,” Joyce added. “It resonates with us and as we engage with the EU we’re looking to make sure that that there’s an effort to secure cyberspace. And taking away one of the tools for detection doesn’t line up.”

The State Department did not respond to a request for comment.

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts