Text of speech at FTC March 16, 2009 – Part 3(Don Whiteside and Scott Uthe contributed substantially to these remarks) Privacy Tools Abound There is no shortage of tools available to users focused on protecting their privacy. The majority of these tools target specific user behavior; access control mechanisms linked to “black listed” websites, automatic mechanisms to delete cookies and other underpinnings of behavioral targeting materials, tools to inspect platforms for rouge applications such as spy-bots, viruses, and the like. While these are valuable tools, they really don’t address the challenge of developing more secure platforms and enhancing user trust in technology. To gain focus on security Intel has organized our staff to be able to best apply security and privacy expertise in project teams. Platforms, Intel’s Privacy Opportunity Over the past 40 years, Intel has been at the center of this IT technology system, doubling the amount of transistors we can integrate onto a fixed area of silicon; some of you know this as Moore’s Law, after Intel’s founder Gordon Moore. In the early days of Intel, we focused the ‘transistor budget’ on bringing traditional mainframe capabilities to end user products; with the birth of the PC in the early 80’s as a fundamental market tipping point. Increasingly however, we are rapidly investing a portion of the transistor budget on the difficult challenge of building trust directly into the platform; whether it’s a PC, Server, smart phone, or networking equipment. Trusted hardware is the foundation upon which the market will build trusted operating systems, applications, networks, and services. Building trust and privacy is now an integral part of our entire innovation pipeline. We are actively engaging with “white hat” communities, striving to stay one step ahead of an escalating threat model, and doing fundamental research on novel trust mechanisms. We increasingly are introducing new hardware based cryptographic mechanisms that can protect data through secure bus structures, secure memory, secure application execution environments such as trusted virtualization, and secure I/O to protect against attacks like keyboard logging. For these reasons, we have created an organizational structure focused on bringing security and privacy expertise to individual product reviews. My organization now has a structure which can draw upon hardware security architects, network and information security engineers, privacy compliance specialists and security/privacy lawyers. Out of this diverse group, we create project teams to review individual products or programs. These reviews are triggered in a few different ways. We have built several internal processes to facilitate this focus on security and privacy. All Intel employees are required to complete both privacy and security related training tailored to their job position. This complements their familiarity with processes they use everyday. We have instituted several steps in the development of each Intel product to ensure that we’re not only building great security products, but that these products enhance user privacy. We look at how personal data is collected and processed, unique platform identifiers and their linkage to personal data, and how remote privileges are managed. We have formal product design reviews at the definition phase of a new product development, and it is performed again on the final product before commercial shipment. Challenges Exist But, we have to recognize that this is a complex environment with numerous inherent challenges. While the newest platforms, operating systems, and applications include security and privacy safeguards, there are billions of legacy platforms in use today that may not include these innovations. We serve a global market with no policy harmonization. Hackers and identity thieves are increasingly creative in their attacks. Solutions are complex and increase the need for users to be aware, engaged, and see value in new platform features. Many of the best security innovations depend upon cryptography. However, some countries have chosen to highly regulate cryptography, and have thereby made it difficult to create global products with the most secure technology. This lack of ability to deploy security innovation globally, creates an environment with interoperability issues, a lack of worldwide investment in keeping up with the threat environment, and prevents IT professionals and users in some countries from having access to the best technology to protect data. Today’s event continues the critical global dialogue between industry, governments and NGOs that is essential to us collectively working to address these challenges and build trust in technology for tomorrows digital world. Again, I thank the FTC for scheduling this event, and I look forward to the continued dialogue.
Connect with Us