President Barack Obama selected the leaders of the Commission on Enhancing National Cybersecurity (CENC) Wednesday, announcing former National Security Adviser Tom Donilon as the commission’s chairman and former IBM CEO Sam Palmisano as vice chairman. Obama formed CENC last week as part of the White House’s Cybersecurity National Action Plan, which industry lawyers and lobbyists have viewed as an ambitious capstone to the Obama administration’s cybersecurity legacy. CENC is required to make recommendations by Dec. 1 on strengthening private sector and public sector cybersecurity (see 1602090068). Donilon "understands government and national security issues" and Palmisano "understands the intimacies of computing, of the digital world, the economic aspects of this," making them "two of the best possible people to chair" CENC, Obama said, according to a White House transcript. "We're confident that this is going to be the kind of product that is of great importance to everybody. And this is not an ideological issue that should divide Washington along party lines. This is something that everybody has got an interest in getting right." Secretary of Commerce Penny Pritzker and Secretary of Homeland Security Jeh Johnson will also be “working very closely” with CENC, Obama said.
Google provided a seven-page response explaining its K-12 student data collection practices, in response to concerns of Sen. Al Franken, D-Minn., that the company was using such data for noneducational purposes. Franken publicly released Google's Feb. 12 letter Tuesday, which addresses several questions he posed in a Jan. 13 letter to the company. While Google's response was "thorough," Franken said in a news release he's "still concerned about what exactly Google does with the information it collects and processes from students who are browsing outside websites -- like YouTube -- while logged in to Google’s education services." He said he's interested in whether the company can provide stronger privacy protections to parents and students such as an opt-in for data collection. The Electronic Frontier Foundation in December filed a complaint with the FTC, alleging Google was collecting and data mining the personal information of school children (see 1512010068). The privacy group alleged the company's cloud-based software programs called Google Apps for Education (GAFE) and its "sync" feature for the Chrome browser essentially tracked students without getting their or their parents' permission. In its letter to Franken, Google explained how GAFE and the Chrome sync feature are used by schools, what data is collected, privacy policies and how schools and parents can control such data. The company said no student-related data is shared with third parties "except in a few exceptional circumstances," which are outlined in the GAFE agreement and privacy policy.
The Domain Name Association said its new Healthy Domains Initiative (HDI) is focusing on recommending a set of best practices for promoting a healthy domain name system, including surveying the landscape of online abuse. Major industry parties like Amazon, Google, MPAA and RIAA joined with the FBI, registries and content providers during a meeting last week to begin work on those best practices recommendations, DNA said Monday. HDI members will now work on determining how DNA should prioritize the group’s work, while working groups within HDI are discussing potential initial best practices recommendations, DNA said. HDI “is an important step forward to ensure we work collaboratively with our peers toward a more secure and stable Internet naming system,” said DNA Chairman Adrian Kinderis in a news release. Rightside is “encouraged by the positive direction this effort is taking,” said Vice President-Business and Legal Affairs Statton Hammock.
Pandora said it plans to keep spending on music content, on-demand product development and international expansion as rumors swirled that the company is looking for a buyer. With a revenue goal of $4 billion by 2021, Pandora has an ambitious investment plan for 2016 to quickly expand, executives told analysts Thursday after regular U.S. markets closed. The next day, shares closed down 12 percent to $7.99. Content cost increases due to a Copyright Royalty Board rate-setting ruling (see 1512170063) last year will lead to a $160 million jump in content costs this year over 2015, said the company. Additional investments for 2016 include $120 million for marketing, $100 million for product development and $125 million to build “infrastructure for the future, including content licensing and reporting infrastructure,” it said. The Q4 loss was $19.4 million, reversing a year-ago quarterly profit of $12.3 million, though revenue rose about 37 percent to $336 million. Pandora expects to have its on-demand subscription offering in the market before the end of the year, but it won’t generate “meaningful revenue” in 2016, said CEO Brian McAndrews on an earnings call. The timing assumes the company will have publishing deals in place with labels, he said. McAndrews wouldn’t comment on a report in the New York Times that Pandora is working with Morgan Stanley on a sale plan. Macquarie Capital has “long believed that its brand and large 81m user base could be attractive” to traditional media companies, Internet or technology giants or “anyone in the music space,” analyst Amy Yong wrote investors Friday. Despite what an analyst cited as a slowdown in growth of listener hours and active users, Pandora expects growth over the next five years from consumer electronics and vehicles, said McAndrews. Pandora’s market share for radio listening in the U.S. passed 10 percent during the year, but with just 2 percent penetration in vehicles -- “which represent nearly half of radio listening” -- the company sees “tremendous upside” as cars become more connected, McAndrews said.
President Barack Obama's latest executive order creating a Federal Privacy Council boosts the privacy profession and spotlights the need for privacy along with security, wrote two top executives with the International Association of Privacy Professionals in a piece posted Thursday on the group's website. IAPP President-CEO Trevor Hughes and Omer Tene, vice president-research and education, said the Tuesday executive order, which was part of a larger cybersecurity plan (see 1602090068), is "focused on fomenting agency and inter-agency privacy management programs; creating and sharing best practices for protecting privacy and implementing appropriate privacy safeguards; and improving the processes for hiring, training, and professional development of privacy professionals in government." The executive order also recognized that privacy is "a key standalone concept" that must be considered along with data security, they wrote. "It means being transparent, responsible, and ethical in organizational uses of personal data, managing individuals’ expectations, and minimizing data flows." They said the "dichotomy between privacy and security is a false one," and the concepts are "two sides of the same coin." For instance, without privacy, they said, surveillance agencies would do their jobs unfettered by human rights considerations and employers would scrutinize their workers' every move. Hughes and Tene said the executive order is the beginning of a process for more privacy-conscious workers and privacy that is translated into action.
The global success of Netflix “has attracted the attention of attackers” in the form of malware and phishing email campaigns targeting Netflix users’ information, Lionel Payet, Symantec threat intelligence officer, said in a Thursday blog post. “The details are then added to a growing black market that claims to provide cheaper access to the service,” Payet said. Netflix subscriptions allow one to four users on the same account, he said. This means that an attacker could use a phishing campaign to “piggyback on a user’s subscription without their knowledge,” he said. “In these phishing campaigns, attackers redirect users to a fake Netflix website to trick users into providing their login credentials, personal information, and payment cards details. These tactics are not uncommon; cybercriminals are still using them on a daily basis.” The bigger problem is that the attackers “may not just keep this access for themselves,” he said. “There is an underground economy targeting users who wish to access Netflix for free or a reduced price. The products could even allow customers to open their own illegal store.” The most common illicit offers are for access to existing Netflix accounts, Payet said. “These accounts either provide a month of viewing or give full access to the premium service. In most advertisements for these services, the seller asks the buyer not to change any information on the accounts, such as the password, as it may render them unusable. This is because a password change would alert the user who had their account stolen of the compromise.” For their own protection, Symantec “advises users to only download the Netflix application from official sources,” he said. “Additionally, users should not take advantage of services that appear to offer Netflix for free or a reduced price, as they may contain malicious files or steal data.” Netflix representatives didn’t comment.
Google will apply the "right to be forgotten" process in Europe to global search engine pages, rather than just limit it to European search engine home pages, several news organizations and privacy groups reported Thursday. The company didn't comment on the issue. Reuters said Google had been fighting with European privacy regulators over a May 2014 ruling by the European Court of Justice (ECJ) that the company scrub search results of individuals who made such requests. It said the French regulator threatened to fine the company if it didn't delete search results "globally across all versions of its website, such as Google.com." The company acquiesced, Reuters said. As of Thursday, Google said it has received nearly 386,000 requests for removals. It has removed more than 492,000 URLs, or about 43 percent of the total evaluated. Jens-Henrik Jeppesen, Center for Democracy & Technology European affairs director, wrote in a blog post Thursday that his group is "sympathetic" to people concerned that some of their personal information is available publicly, but the ECJ ruling "enables broad restriction of access to lawful, public information, and as such, it inevitably curbs free expression." Plus, the court's guidance is "so vague" that it's unclear which removal requests should be approved and which should not. Jeppesen said more repressive governments may demand that "their censorship laws should be applied to global domains when accessed from their countries. That would be a serious step back for dissidents and others who seek to promote human rights and democracy in their countries."
Cybersecurity Coordinator Michael Daniel defended the White House's Cybersecurity National Action Plan Thursday against criticism that CNAP was introduced too late in President Barack Obama's administration. He said CNAP “is really a capstone” of the work the administration has been doing on cybersecurity since Obama took office in 2009. Industry stakeholders praised introduction Tuesday of CNAP, saying it builds off Obama's 2013 and 2015 cybersecurity executive orders, the White House's cybersecurity legislative work and other efforts. Stakeholders also questioned whether the White House would see much of a result from the plan before Obama leaves office in January and whether Congress would be willing to sign off on the White House's proposal to bump up cybersecurity funding to $19 billion in FY 2017 (see 1602090068). “We're doubling” down via CNAP on many of the White House's past cybersecurity initiatives, including new work related to critical infrastructure cybersecurity, Daniel said during a New America event. The White House believes it will be able to receive “broad” support on Capitol Hill for its cyber budget proposal despite what are likely to be “robust and frank discussions with Congress” about the Obama administration's overall $4.1 trillion FY 2017 budget proposal, Daniel said. The newly created Commission on Enhancing National Cybersecurity (CENC), which will need to provide recommendations to the White House by the end of 2016 on ways to improve cybersecurity in the private sector and public sector, will be able to provide a “good distillation of the path forward” on cybersecurity, Daniel said. CENC is unlikely to generate “brand new ideas” on cybersecurity but will instead probably provide the White House with recommendations based on best practices from academia, businesses and tech experts, he said.
A co-founder of competitive videogaming company Vulcun -- which recently settled FTC allegations that it used a Google Chrome browser extension to launch ads without users' permissions (see 1602050036) -- said the commission's consent order contained "many inaccuracies and blatant factual errors." Posting the company's response on Medium.com Tuesday, Murtaza Hussain, who was named in the complaint with co-founder Ali Moiz, wrote that when Vulcun bought the browser extension and replaced it with its own, the company offered an "explicit" opt-in for users. "There was disclosure. Of the 200K users, about 15% or so Opt’ed in," he wrote. Rejecting an FTC allegation that users were barraged with ads, Hussain said the only ones shown were disclosed on the Chrome start page and they were the top apps of the day, which Vulcun didn't get paid for. He said the company promoted an ad one time when it garnered about 30,000 opt-in users. Many users liked it, but about 1 percent of users complained, mainly because "some of them had simply forgotten that they opt'ed in to this program and were surprised why/how this app got on their phone," he wrote. In response, Vulcun suspended the promotion and tried to improve the model, he wrote, but the company decided it couldn't eliminate the bad user experience and shut down the program in December 2014. The FTC opened the investigation in July 2015 as a result of the user complaints. "We decided to sign their order and move on. And then boom -- many months after signing I see this press release that makes us look almost like con-artists," wrote Hussain. "As entrepreneurs we live and die by our reputations and I felt that I needed to set the record straight and tell my part of the story.”
Despite the bigger risks of hacks posed by IoT deployments, more than seven of 10 corporate IT departments spend less than 20 percent of their time “securing the corporate network and data assets,” a Strategy Analytics survey found. The research firm canvassed 600 firms worldwide and found that 56 percent of respondents acknowledged their firms had experienced an IoT breach in the previous 12 months, and 39 percent said their networks didn't suffer any security breaches, it said. "The survey results are a huge wake-up call,” Strategy Analytics said. “IoT environments exponentially increase the size of the attack vector since companies have so many more devices, end points and applications to secure," it said. "IoT deployments can potentially be very risky business.” Other survey findings: (1) 44 percent of corporations that got hacked were unable to determine the source or the type of security attack or the duration of the breach, “which is alarming," Strategy Analytics said. (2) Only 7 percent of firms’ IT departments spend more than half their time on security. (3) 56 percent of respondents cited “end user carelessness” as the top security threat to their IoT networks, followed by 42 percent who cited “malware” as the biggest IoT security threat.