Processing of botnet tracking data under the GDPR

Botnet research is one of the many research areas affected by the coming into force of the General Data Protection Regulation (GDPR). This article aims to identify the most appropriate legal bases that would legitimise data processing in the context of botnet tracking and to give an overview of the practical implications for practitioners. First, we give a technical introduction to botnet tracking techniques and the types of processed data. Afterward, we argue that botnet tracking qualifies as ”processing of personal data” and falls under the material scope of the GDPR. We then present three scenarios where these botnet tracking techniques apply: botnet tracking research in the public interest, botnet tracking in the commercial interest and botnet tracking conducted by Internet service providers. For each scenario, we discuss the differing goals, identify the appropriate legal bases, and elaborate on the practical implications. This article concludes that the legal implications are very different for each of the three scenarios, highlighting the importance of carefully considering the legal bases before engaging in botnet tracking.