The White House highlighted its 2015 cybersecurity efforts Thursday, saying its pace on addressing those issues will continue to increase “as the cyber threat continues to increase in severity and sophistication.” The White House’s retrospective went public amid its joint disclosure with the Office of Personnel Management (OPM) that the OPM data breach revealed in June affected an additional 21.5 million people beyond initial estimates (see 1507090049). The White House said its 2015 cybersecurity efforts include President Barack Obama’s Feb. 13 executive order to encourage cyberthreat information sharing (see 1502130048) and his April 1 executive order authorizing the attorney general and the secretaries of State and Treasury to impose sanctions on foreign-based entities launching cyberattacks against U.S. networks (see 1504010057). More recently, U.S. Chief Information Officer Tony Scott launched a 30-day “Cybersecurity Sprint” in June, ordering federal agencies to review and improve their cybersecurity policies (see 1506150071), the White House said. The Obama administration has also reached cybersecurity-related agreements with Brazil, India, Japan, the U.K. and the Gulf Cooperation Council, the White House said. “Since cybersecurity is about managing risk throughout the entire enterprise over the long-term, not through isolated, one-off actions, the Administration will continue to build on these efforts in the future,” the White House said. Meanwhile, the Department of Commerce said Thursday that the Internet Policy Task Force’s (IPTF) first cybersecurity multistakeholder process will focus on vulnerability research disclosure. The IPTF had been collecting input from industry stakeholders on potential cybersecurity topics it should explore (see 1506010055). 
The process, which NTIA is set to convene in September, is meant to create common principles and best practices related to security vulnerability information disclosures, said Deputy Assistant Commerce Secretary-Communications and Information Angela Simpson in a blog post. Commerce is urging security researchers, software vendors and other industry stakeholders “interested in a more secure digital ecosystem” to participate in the multistakeholder process, Simpson said.
Vladimir Tsastsin, 35, of Estonia, pleaded guilty Wednesday to wire fraud and computer intrusion charges “arising from his operation of a massive and sophisticated Internet fraud scheme that infected” more than four million computers in more than 100 countries with malware, said a news release from the Southern District of New York’s U.S. Attorney’s office. “The malware secretly altered the settings on infected computers, enabling Tsastsin and the six other charged defendants -- Timur Gerassimenko, Dmitri Jegorov, Valeri Aleksejev, Konstantin Poltev, Andrey Taame and Anton Ivanov -- to digitally hijack Internet searches, re-route computers to certain websites and advertisements, and receive payment for the hijacked Internet traffic,” the release said. Tsastsin faces a maximum sentence of 20 years in prison for wire fraud and five years in prison for computer intrusion. Sentencing is Oct. 14.
Vonage joined the NYC Media Lab and will work with the lab and its university partners on innovation-oriented projects and programs, the group said in a release Wednesday. NYC Media Lab connects digital media and technology companies with members of New York City's universities, and Vonage will collaborate with experts in "engineering, data science, computer science, design and more" to further its innovation goals, the group said. Other NYC Media Lab company members include The Associated Press, Bloomberg, ESPN, Hearst, MLB Advanced Media, NBCUniversal, News Corp., Publicis Group, Rogers Communications, Showtime, Tenfore Holdings, Time Warner Cable, Verizon and Viacom. Members participate in annual seed projects, which can yield research papers and prototypes.
“Google’s failure to offer U.S. users the ability to request the removal of search engine links from their name to information,” as the company does for Europeans under the right to be forgotten policy, is an unfair and deceptive practice, Consumer Watchdog said in a complaint filed Tuesday with the FTC. Google has removed 348,794 URLs from its search results out of a requested 997,008, or 41.3 percent of links that were deemed inadequate, irrelevant, no longer relevant or excessive, Consumer Watchdog said in a news release. Google’s “refusal” to consider such requests in the U.S. is unfair and deceptive, a violation of the FTC Act’s Section 5 authority, said Consumer Watchdog Privacy Project Director John Simpson. Google’s recent announcement that it would honor requests to remove links to revenge porn (see 1506190048) is proof Google could “easily honor Right To Be Forgotten requests in the U.S.,” Simpson said. “We urge the Commission to investigate and act,” he said. The right to be forgotten isn't censorship, because the content isn't removed from the Web, the complaint said. Before the Internet, youthful indiscretions and embarrassments “slipped from the general public’s consciousness,” the complaint said. “The Digital Age has ended that,” it said. “Everything -- all our digital footprints -- are instantly available with a few clicks on a computer or taps on a mobile device,” the complaint said. Examples of URLs that Consumer Watchdog said could be removed from search results in the U.S. include photos of a California woman who was decapitated in a car accident that were “wrongfully leaked by California Highway Patrol officers"; a mug shot photo of a woman who scratched her “violent” boyfriend’s chest as he came at her with a knife; photos of a woman who had worked as a lingerie model between the ages of 18-20 and lost her guidance counselor job after the photos surfaced, despite having previously disclosed her modeling career.
In Europe, Google has removed URLs to newspaper articles about victims of rape and other crimes, the release said. Google has refused to remove some search results such as for a Swiss financial professional who was arrested and convicted for financial crimes or those who were dismissed from their jobs for committing sexual crimes, the release said. “Removal won’t always happen, but the balance Google appears to have found between privacy and the public’s right to know demonstrates Google can make the Right to Be Forgotten work in the United States,” the complaint said. “FTC investigations are non-public and we do not confirm or deny the existence of any investigations," an FTC spokesman told us. "We welcome complaints from consumers and consumer groups and review them carefully," he said. Google had no immediate comment.
“It is a pity” that the nine groups representing consumers and privacy advocates walked out of the NTIA’s facial recognition multistakeholder process (see 1506190041), said a blog post last week from Brian Brackeen, CEO of Kairos, a face recognition and emotion analysis software company. By leaving, the participants distracted media attention from the talks' real focus and purpose, Brackeen said. “Many valuable and helpful uses" for this technology "are in danger of being overlooked because of the media focus on privacy threats,” he said. “Discussion needs to move away from potential threats of Big Brother tracking your every movement, to showing how we can use the technology to better society,” Brackeen said. “At Kairos we are not against the concept of people having to opt in to using facial recognition in most circumstances, certainly in the commercial and retail situations that are the focus of these talks,” he said. Kairos believes “at a base minimum, people should be able to walk down a public street without fear that companies they’ve never heard of are tracking their every movement -- and identifying them by name -- using facial recognition technology,” he said. These talks were designed to create a set of voluntary guidelines commercial facial recognition companies could choose to adhere to and will not impact the federal government, law enforcement, the military, etc., he said. “While we are disappointed that some important parties left the table, we are still wholeheartedly supporting the efforts, and we look forward to opting into a new standard.”
Anonymous online reviewers are entitled to basic First Amendment protections, the Washington state Court of Appeals ruled Monday. The ruling came in a case brought by Tampa-based attorney Deborah Thomson, who received negative reviews on Avvo, Google and Yelp for how she handled a client’s divorce proceeding in September 2013, said a news release from Avvo, an online legal marketplace that was asked to reveal the identity of an anonymous reviewer. Thomson filed a defamation suit in May 2014 in Hillsborough County, Florida, and sought a subpoena in Washington state on June 25, 2014, hoping to “unmask” the critic who posted on Avvo, the release said. A Washington trial court rejected Thomson’s request in July 2014 and she appealed, it said. Thomson didn’t seek a subpoena in California where Google and Yelp are based, it said. "Whether they're leaving reviews on Amazon or commenting on an op-ed in their local paper, consumers have a right to protect their anonymity online, and to freely express their opinions on the products and services provided by businesses," Avvo General Counsel Josh King said. "This is a developing area of the law, and this case helps set a precedent for consumers' legal rights when expressing themselves online,” he said. “In order for us to deliver consumers the transparency they've come to expect, we need to protect and provide the ability to comment on the quality and delivery of professional services without fear of a lawsuit from a disgruntled attorney," King said. Currently, 12 states, the District of Columbia and many federal courts have adopted standards providing strong First Amendment protections to anonymous online reviewers, the release said. Thomson had no immediate comment.
Harvard University “discovered an intrusion on the Faculty of Arts and Sciences and Central Administration information technology networks” June 19, said Provost Alan Garber and Executive Vice President Katie Lapp in a joint statement Wednesday. “Since discovering this intrusion, Harvard has been working with external information security experts and federal law enforcement to investigate the incident, protect the information stored on our systems, and strengthen IT environments across the University,” the statement said. Garber and Lapp said there's no indication now that personal data, research data or PIN system credentials were compromised but said Harvard login credentials may have been used to access individual computers, and university email accounts “have been exposed.” To further secure data, the university is requiring those who are part of the Faculty of Arts and Sciences, Harvard Divinity School, Radcliffe Institute for Advanced Study or Central Administration to change the password associated with their Harvard account. Those who are part of the Graduate School of Design, Graduate School of Education, School of Engineering and Applied Sciences, or School of Public Health are required to change their email password. “Password changes will be required again at a later time,” the statement said. Those who are part of the business, Kennedy, law, medical or dental schools “do not need to take any action at this time,” the statement said.
“Thanks to the tireless efforts of my team at [the Office of Personnel Management] and our inter-agency partners," OPM has made progress in the investigation into the attacks on OPM’s background information systems, OPM Director Katherine Archuleta wrote in a blog post Saturday. “We hope to be able to share more on the scope of that intrusion next week, and in the coming weeks, we will be working hard to issue notifications to those affected,” she said. Archuleta said she remains “committed to improving the IT issues that have plagued OPM for decades” and to “finishing the important work outlined in my Strategic IT Plan” to evaluate and improve OPM security systems to ensure sensitive data is “protected to the greatest extent possible, across all of our networks.”
In comments submitted to the FTC after the agency's sharing economy workshop June 9 (see 1506090046), the Free State Foundation “credited the sharing economy with fostering innovation, creating value, and providing cost saving options for consumers,” FSF Research Associate Michael Horney wrote. Eight takeaways FSF gleaned from the workshop include: reputational feedback mechanisms have enabled bisymmetrical trust; bisymmetrical trust relationships balance privacy with transparency; self-regulation is not the same as no regulation; deregulate down rather than regulate up to address legitimate equity considerations; horizontal mergers are only a concern if regulations eliminate contestability; positive externalities and spillovers of the sharing economy were not discussed enough; and the sharing economy benefits low-income users more than high-income users. Horney said there wasn’t much discussion on how the FTC will or should regulate the sharing economy, which he found appropriate because “a deregulatory approach has been vital to the emergence and success of the sharing economy.”
The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) is seeking comment on proposals to explore email security and the addition of derived personal identity verification (PIV) and other second-factor identifications for smart card logons as part of the center’s “building blocks” for companies to demonstrate their cyber capabilities, NIST said Thursday. NCCoE building blocks are cybersecurity implementations that the center uses in many of its sector-specific use cases. The email security building block proposes using the Domain Name System-Based Authentication of Named Entities (DANE) protocol to prevent unauthorized viewing of email. The second-factor identifications building block proposes a method for allowing mobile devices to use two-factor authentication -- derived PIV or other smart card plus a password -- rather than only relying on a password. Both proposals are open for public comment until Aug. 14, NIST said.