TY - JOUR
T1 - Processing of botnet tracking data under the GDPR
AU - Böck, Leon
AU - Andersen, Martin Fejrskov
AU - Demetzou, Katerina
AU - Karuppayah, Shankar
AU - Mühlhäuser, Max
AU - Vasilomanolakis, Emmanouil
PY - 2022
Y1 - 2022
N2 - Botnet research is one of the many research areas affected by the coming into force of the General Data Protection Regulation (GDPR). This article aims to identify the most appropriate legal bases that would legitimise data processing in the context of botnet tracking and to give an overview of the practical implications for practitioners. First, we give a technical introduction to botnet tracking techniques and the types of processed data. Afterward, we argue that botnet tracking qualifies as “processing of personal data” and falls under the material scope of the GDPR. We then present three scenarios where these botnet tracking techniques apply: botnet tracking research in the public interest, botnet tracking in the commercial interest and botnet tracking conducted by Internet service providers. For each scenario, we discuss the differing goals, identify the appropriate legal bases, and elaborate on the practical implications. This article concludes that the legal implications are very different for each of the three scenarios, highlighting the importance of carefully considering the legal bases before engaging in botnet tracking.
AB - Botnet research is one of the many research areas affected by the coming into force of the General Data Protection Regulation (GDPR). This article aims to identify the most appropriate legal bases that would legitimise data processing in the context of botnet tracking and to give an overview of the practical implications for practitioners. First, we give a technical introduction to botnet tracking techniques and the types of processed data. Afterward, we argue that botnet tracking qualifies as “processing of personal data” and falls under the material scope of the GDPR. We then present three scenarios where these botnet tracking techniques apply: botnet tracking research in the public interest, botnet tracking in the commercial interest and botnet tracking conducted by Internet service providers. For each scenario, we discuss the differing goals, identify the appropriate legal bases, and elaborate on the practical implications. This article concludes that the legal implications are very different for each of the three scenarios, highlighting the importance of carefully considering the legal bases before engaging in botnet tracking.
KW - Botnets
KW - GDPR
KW - Legal ground
KW - Legitimate interest
KW - Research activity
UR - http://www.scopus.com/inward/record.url?scp=85125470246&partnerID=8YFLogxK
U2 - 10.1016/j.clsr.2021.105652
DO - 10.1016/j.clsr.2021.105652
M3 - Journal article
SN - 0267-3649
VL - 45
JO - Computer Law & Security Review
JF - Computer Law & Security Review
M1 - 105652
ER -