The Future of Privacy Forum seeks papers that showcase leading privacy research and analytical work that could be used by U.S. and international policymakers and data protection authorities. Submissions are due Sept. 26 for the group's seventh annual edition of its Privacy Papers for Policymakers Digest (see 1601130075), FPF said. Papers will be evaluated on originality, applicability to policymaking and overall writing quality, the group said. Privacy experts on FPF's advisory board will select five winning papers, which will be presented Jan. 11, the day before the FTC features privacy research papers at its second annual PrivacyCon event (see 1601140062 and 1601140029).

Domain name registry Verisign said it funded Nu Dot Co's $135 million winning bid last week for the registry rights to the .web generic top-level domain (gTLD). That confirmed industry chatter that the longtime .com registry had been orchestrating Nu Dot Co's controversial involvement in ICANN's public .web auction (see 1607290058). Verisign said it “entered into an agreement” with Nu Dot Co in which Verisign “provided funds for Nu Dot Co’s bid for the .web TLD. We are pleased that the Nu Dot Co bid was successful.” Nu Dot Co will execute the .web registry agreement with ICANN before turning over the registry rights to Verisign “upon consent from ICANN,” Verisign said in a Monday news release: Verisign “is well-positioned to widely distribute .web. Our expertise, infrastructure, and partner relationships will enable us to quickly grow .web and establish it as an additional option for registrants worldwide in the growing TLD marketplace.” Rival .web bidder Donuts made Nu Dot Co's funding source an issue in the days before the .web auction, filing a lawsuit against ICANN in U.S. District Court in Los Angeles on claims ICANN was negligent and in breach of contract for not thoroughly investigating the identities of then-speculated new parties in the control of Nu Dot Co. Judge Percy Anderson denied Donuts' application for a temporary restraining order to halt the .web auction amid the registry's suit and required Donuts to file an amended version of its complaint by Aug. 8 (see 1607250051 and 1607270027).

ICANN confirmed Thursday that domain registry Nu Dot Co made the $135 million winning bid (see 1607280057) for registry rights to the .web generic top-level domain (gTLD). Nu Dot Co beat domain registry Donuts, Google and five other bidders for .web through 23 rounds of bidding, ICANN said in a results report. Vistaprint Limited won rights to the .webs gTLD for $1, ICANN said. Nu Dot Co was the subject of controversy ahead of the .web auction, as Donuts claimed in a lawsuit that ICANN was negligent and in breach of contract for not sufficiently investigating whether Nu Dot Co was under partial control by a major entity along with stated parent company Straat Investments. The U.S. District Court in Los Angeles denied Donuts' request for a temporary restraining order to delay the .web auction but is still considering the underlying lawsuit (see 1607250051 and 1607270027). Nu Dot Co's winning bid for .web only deepens speculation about the registry's ownership status, with particular attention now focused on whether .com registry Verisign is involved with Nu Dot Co, a domain names industry executive told us. Verisign didn't directly mention .web in its Q2 earnings report Thursday or a conference call with investors, but the registry said in an SEC filing it had “incurred a commitment to pay approximately $130.0 million for the future assignment of contractual rights, which are subject to third-party consent.” Verisign didn't comment.

Former CIA Director Michael Hayden and George W. Bush administration Deputy National Security Adviser Elliott Abrams are among 28 former officials from Republican presidential administrations who jointly urged congressional leaders Friday to formally investigate the hacking of Democratic National Committee servers. The attacks are “an assault on the integrity of the entire American political process” and “not a partisan issue,” the Republicans said in a letter. The DNC hack and Wikileaks' subsequent publication of emails stolen during the hack are viewed as possibly spurring a more serious discussion about foreign cyber espionage during the presidential campaign (see 1607270061). “Congress has a responsibility to get to the bottom of this extraordinary breach, not only to determine who was responsible but also to consider the appropriate response,” Abrams and the others said in the letter. “The hacking of a political party’s email system by Russian intelligence agencies would, if proven, constitute unprecedented foreign interference in an American presidential campaign.”

Correction: iPass is a global mobile connectivity provider (see 1607270061).

The FTC approved a final order against AsusTeK Computer over allegations the company put personal information of thousands of consumers at risk on the internet because it didn't update software on its routers (see 1602230032), the commission said in a Thursday announcement. Commissioners voted 3-0 to approve the consent order, which requires the company to establish and maintain a comprehensive security program over the next 20 years that will be subject to independent audits. Asus must also notify customers about software updates or provide a way for customers to receive security notices, said the order. The commission said the order also forbids Asus from misleading customers about the security of its products. Asus, which settled with the FTC in February, didn't comment.

ICANN proceeded with the start of its public auction of the .web generic top-level domain (gTLD) Wednesday, after the U.S. District Court in Los Angeles ruled Tuesday against granting domain registry Donuts' application for a temporary restraining order. Donuts had sought the temporary restraining order Friday in connection with its lawsuit against ICANN, in which the registry is claiming ICANN was negligent for not exercising due diligence in investigating what Donuts believes are discrepancies in rival .web applicant Nu Dot Co's disclosures about its ownership. Donuts also claimed ICANN's failure to investigate the claims is a breach of contract and an instance of allowing unfair competition (see 1607250051). District Judge Percy Anderson faulted Donuts in his ruling (in Pacer) against the restraining order, saying he would have denied the request even if ICANN hadn't voiced its opposition (see 1607260057). Donuts failed to follow correct procedure by not contacting ICANN counsel about its restraining order request in advance of filing the lawsuit or correctly serving ICANN with the lawsuit, Anderson said. The restraining order request is also incorrect on the merits, since the evidence in ICANN's opposition filing “and the weakness of [Donuts'] efforts to enforce vague terms” in the ICANN bylaws and the gTLD application guidebook show Donuts “has failed to establish that it is likely to succeed on the merits” in the lawsuit, “raise serious issues, or show that the balance of hardships tips sharply in its favor,” Anderson said. “Moreover, because the results of the auction could be unwound, [Donuts] has not met its burden to establish that it will suffer irreparable harm in the absence of the preliminary injunctive relief it seeks.” Anderson also said Donuts didn't sufficiently prove jurisdiction in its lawsuit, but gave the registry until Aug. 8 to file an amended complaint to address the jurisdiction issue. "While we’re disappointed in the court’s decision, we recognize that the standards for granting a temporary restraining order are heightened and not necessarily indicative of the merits of the underlying case," a Donuts spokesman said. "We are now participating in" the .web auction and will continue "to reserve all available rights regarding this matter."

ICANN formally opposed domain registry Donuts’ application to the U.S. District Court in Los Angeles for a temporary restraining order to delay the planned Wednesday public auction of the .web generic top-level domain (gTLD) amid Donuts’ lawsuit against ICANN. The .web auction is to begin at 6 a.m. Pacific. Donuts filed the lawsuit Friday, claiming ICANN was negligent for not exercising due diligence in investigating what Donuts claims are discrepancies in rival .web applicant Nu Dot Co’s disclosures about its ownership. Donuts claimed ICANN’s failure to investigate is also a breach of contract and an instance of allowing unfair competition (see 1607250051). ICANN said in a filing (in Pacer) Monday the district court shouldn’t grant the restraining order because the need for emergency relief is of Donuts’ “own making.” Donuts admitted that it was aware June 7 about the statements made by Jose Ignacio Rasco, managing director of Nu Dot Co parent company Straat Investments that appeared to show that Nu Dot Co’s board included several new unidentified directors beyond those listed in Nu Dot Co’s 2012 application for .web, ICANN said. Donuts’ claims the temporary restraining order is needed because of the imminent .web auction “was caused by its own delay” in taking the issue to court. ICANN officials met with Donuts Executive Vice President Jon Nevett June 29 regarding the registry’s concerns about Nu Dot Co’s ownership information and indicated their investigation of the issue found “no evidence” of a change of ownership or management. Donuts had ample time to bring its concerns to the district court but instead “waited until July 22 to file this matter, after many facets of the Auction process had already begun,” ICANN said. Donuts didn’t comment.

The EU Article 29 Data Protection Working Party, which identified problems with the then-draft Privacy Shield three months ago (see 1604130002), said Tuesday it still has a "number of concerns" with the agreement, formally adopted by the European Commission two weeks ago (see 1607120001). But the group, composed of the national data protection chiefs, said in a news release that it "welcomes the improvements" to the data transfer mechanism with the U.S., basing the progress on the European Court of Justice's October decision that scrapped the old safe harbor agreement. European regulators said they will decide whether their current concerns will have been fixed at the first joint review of the deal between EU and U.S. authorities, about a year from now, and also see if safeguards "are workable and effective." Regulators said that review may also affect other data transfer mechanisms, including binding corporate rules and standard contractual clauses (see 1607060009). The group said it's still concerned with two issues of U.S. government access to Europeans' data. One, they "expected stricter guarantees" about the independence and clout of the U.S. ombudsperson -- a worry raised in their initial review. The ombudsperson position was created to deal with EU citizens' complaint for any misuse of their data. Second, the group said there's a "lack of concrete assurances" that bulk data collection won't occur even though the Office of the Director of National Intelligence has said it won't. European regulators also cited other concerns, including lack of specific rules on automated decisions, no general right to object and how the arrangement will apply to processors. "All in all, the uncertainty about the long term acceptance of the Privacy Shield is set to be prolonged, but on a positive note, the EU regulators appear willing to work with all the parties involved to make it work," emailed Hogan Lovells (London) data protection attorney Eduardo Ustaran. Bijan Madhani, the Computer & Communications Industry Association's public policy and regulatory counsel, said in a statement the Article 29 Working Party's "close examination of the Privacy Shield has helped produce more clarity for companies and citizens alike, and their participation in the joint annual review process is key."

The Software & Information Industry Association published a set of guidelines to help public and private sector officials develop and implement what it said are practical consumer privacy measures and practices. The association said in its report released Tuesday the guidelines are an alternative to calls for a comprehensive U.S. privacy statute such as the EU's General Data Protection Regulation and can help policymakers implement a comprehensive system or legislate or regulate a specific area "such as drones, student privacy, information service providers, or broadband privacy." During a webinar, Mark MacCarthy, SIIA senior vice president-public policy, also cited areas such as artificial intelligence, big data, cloud computing and IoT. He said the first five principles are more general while the second five are more specific. The first principle directs privacy regulators to analyze the consequences of their decisions and ensure the benefits of an adopted regulation justify costs. The second says any new privacy rule should mitigate risks to specific injuries. Technology Policy Institute President Thomas Lenard, describing the principles as a "very positive contribution," said during the webinar that the first two principles are essentially the core of the principles while the remaining eight "flesh" them out in some manner. The other eight principles are: ensuring social and business contexts are considered since norms and expectations differ and change; evaluating privacy as new technologies emerge; picking the right regulatory tool; providing transparency and consumer notices such as data breach notifications; using either an opt-in or opt-out choice; encouraging de-identification of data; assessing a data minimization policy in a risk-based process; and avoiding using data collected for one purpose for another. Center for Democracy & Technology CEO Nuala O'Connor said during the webinar there's "much to like" about the SIIA guidelines, but an organization should be mindful of collecting and retaining identifiable data since there's always a risk of a breach. But even de-identified data, which is preferable, can potentially lead to unintended consequences or bias through algorithms, she said.