“There’s no fresh start in today’s world. Any twelve-year-old with a cell phone could find out what you did. Everything we do is collated and quantified. Everything sticks.”

- Selina Kyle “The Catwoman” from Dark Knight Rises

As I noted in my previous post, Anne Hathaway’s character in the Dark Knight Rises shows us the value of providing individuals with the ability to rehabilitate their online reputations, and learn from their mistakes. Intel is honored to promote Matt Ivester’s book LOL…OMG (click here to download a free copy from January 25th – January 29th) to put practical tools in the hands of students so they can still exercise the freedom to explore, take risks and innovate.

Making mistakes is a critical component of innovation. John Stuart Mill wrote convincingly about the hazards of a culture in which liberty is curtailed to a point where individuals slide into self protective conformity out of fear of the tyranny of the majority. Jeremy Benthem discussed the coercive ability of the Panopticon (the building plan of an institution that allows a guard to watch all of the inmates without them being aware they are being watched) as “a new mode of obtaining power of mind over mind, in a quantity hitherto without example.” Michel Foucault took the Panopticon one step further in Discipline and Punish, when he extended the concept to all social spheres. Foucault raised important questions of what it means to punish individuals for their bad acts, and the role of public humiliation to chill future bad behavior. We know we can chill bad behavior by observing individuals, but how much positive behavior will it also chill?

I have written in this blog of the need to separate the Right to Privacy from the Right to Steal or the Right to Hack. We need to allow individuals a sphere of privacy in which to try new ideas, concepts and business ventures without an undue fear of the consequences of a mistake. We need what I call the “Right to Fail”. This Right to Fail should protect individuals so they can challenge themselves and attempt what others say is impossible. This concept or protecting failure has been at the heart of Silicon Valley for decades, and is the foundation of our modern innovation economy. Actually, preserving individuals’ ability to take risks, while protecting them from undue consequences has existed for millennia. For example, there are concepts of debt forgiveness in the Old Testament. Debt forgiveness has involved both punishment (debtors prisons in Europe) and rehabilitation (allowing an individual to build back a good credit rating over time).

Modern bankruptcy laws have increased their focus on allowing individuals to make limited mistakes and then rehabilitate themselves. These laws do not offer a “Clean Slate” program to wipe away all record of failure, but they do mitigate the harm to the individual or company from having taken a risk. However, these laws have also been modified over time so they do not allow individuals to use them as cover for bad acts (e.g. The Bankruptcy Abuse Prevention and Consumer Protection Act (BAPCA) of 2005). Similarly, we need a system in privacy law that will allow the Catwoman a reasonable chance to start a new life, without shielding her from reasonably suffering the consequences of her bad decisions. Creating a Right to Fail that allows for rehabilitation, but still adequately encourages personal responsibility and good judgment is at the root of the discussion around the EU Right to be Forgotten proposal. It appears more discussion is warranted, as optimizing for the Right to Fail, while not creating a Right to Steal, is an enterprise requiring great nuance, precision and adjustment over time.

The Panopticon and the history of bankruptcy laws provide useful lenses through which to analyze the European Commission proposal of a Right to be Forgotten. The task in drafting a Right to be Forgotten should have as its goal to allow individuals to escape from information about them that should never have been made public (the embarrassing photo (the LOL…OMG problem)) or that is no longer relevant (the position taken on a university term paper decades ago), while still allowing individuals to know important information about people with whom they engage (credit card fraud databases). This exercise may in the end be more about obscurity than forgetting, as Woodrow Hartzog and Evan Selinger point out in their excellent article in the Atlantic.

Would Anne Hathaway’s Catwoman really need a “Clean Slate” if there was a mechanism to ensure major search engines would not display the evidence of her misdeeds? If so, who should be trusted to make decisions about what level of obscurity is healthy for society? Who should review each request?

The proposed General Data Protection Regulation (the Regulation) attempts to break new ground on this issue. Section 3 of the Regulation covers Rectification and Erasure. Article 16 covers the rectification of inaccurate information, while Article 17 proposes provisions on the “Right to be forgotten and to erasure.” The current EU Data Protection Directive (Directive), which the Regulation would replace, also attempted to address this issue of what is an appropriate amount of forgetting. In the Directive these issues were handled under Section V “The Data Subjects Right of Access to Data”, which includes Article 12 (b) which requires “as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data”.

The Right to be Forgotten in the Regulation is a significant expansion on the access and deletion language in the current Directive, and is potentially closer to Batman’s Clean Slate program. Under the Regulation’s language individuals would not only have the ability to withdraw consent for information they had previously provided (it is unclear how this would work in many instances where a service provider has agreed to provide a service based on the consent to provide the information), but also to demand deletion of information that relates to them, but was provided by a third party. This demand for deletion can be made for a number of reasons, but arguably the most important is Article 17 (1)(a) that “the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.”

The Dark Knight Rises helps us see why this construction of the Right to be Forgotten will be difficult to implement. If the Catwoman objects to internet blog postings about her prior criminal convictions, one of the arguments she could make is that such stories are no longer necessary, and she should be able to have them “forgotten”. She would argue that the stories are old, and the information is no longer necessary or relevant to inform the public. The Regulation would put the onus on the Data Controller to determine whether this information is still necessary. The Controller would have an exception under Article 17 (3)(a) to exercise the right of free expression, but this would only apply to data processed “solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of the personal data with the rules governing freedom of expression.” The Regulation allows for the European Commission to create additional rules, but this does not seem to be an area where detailed implementing regulations and/or delegated acts will provide predictability or clarity.

Let’s say Selina Kyle objects to the accessibility of news stories about crimes she committed while she was under the age of 18. She complains to both the newspaper websites, and to the search engines, saying she wants the information “forgotten” (deleted from the websites) or at least “obscured” (not to show up as results in web searches). Many countries have juvenile justice systems which seal records of crimes committed by children. It seems to follow that some system of online reputation rehabilitation is consistent with the same values that are behind the juvenile justice procedures. However, society needs to remember some misdeeds to make certain similar events do not reoccur. The digital memory becomes our collective conscience. Additionally, tt is difficult to understand how completely forgetting would even be possible. In their paper “The Right to be Forgotten – between expectations and practice”, the European Network and Information Security Agency (ENISA) has expressed concerns about whether the Right to be Forgotten proposal can be technically implemented.

When do we have a Duty to Remember which outweighs the Right to be Forgotten? Who should make the decision? Should all the records be deleted or obscured? Is deleting all records even possible? What are the free speech implications?

Some argue the language in the existing Directive is better. As noted above, the Directive’s language allows requests for deletion for data or processing which “which does not comply with the provisions of the Directive”. Article 6 (1)(c) of the Directive provides personal data must be “adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.” Because of this (and other language in the Directive), many have argued for some time that the existing Directive requires a “reasonable” level of deletion for information which would have a “disproportionate” impact on the individual to which the personal data relates.

As we need to optimize for the Right to Fail and Freedom of Expression at the same time, this type of flexible reasonableness standard may be the best legislation can offer. This standard would allow the Catwoman to make her case that her bad acts are behind her, and databases which have profiled her as a felon should now be modified. Such a flexible high level access and deletion obligation would still be difficult for companies to interpret and implement. Interpreting the standards will be equally challenging for courts and regulators.  Also, it will not solve issues with how individuals can request deletion from other websites and organizations which have subsequently gotten access to the data (e.g., information aggregators). However, the Directive’s access and deletion requirements at least would provide a flexible principle based method to optimize for both rehabilitation and punishment.

Regardless of the legal obligations, there are practical steps individuals can take to obscure information on the internet. Matt Ivester describes many of them in LOL…OMG, thereby helping teenagers understand the risks to their online reputation, and how they can protect themselves. Commercial services like Reputation.com also provide opportunities to obscure information on the internet. These types of educational efforts and services provide individuals with opportunities to protect their Right to Fail. Still, these systems of self help are imperfect, and depend in large part on individuals having the knowledge and resources to use them. The current debate around the Right to Be Forgotten asks important questions regarding how to provide all individuals with more control over their online reputation. The Right to be Forgotten seems at times a wonderful aspiration, but a troublesome obligation.

Sadly, in the real world it does not appear Selina Kyle and Bruce Wayne will live happily ever after, as the length of her illustrious career as the Catwoman will convincingly argue against a “clean slate.” However, the practical steps described above may be enough to empower many individuals to get enough obscurity to remedy the LOL…OMG problem, and also preserve their Right to Fail.

“There’s no fresh start in today’s world. Any twelve-year-old with a cell phone could find out what you did. Everything we do is collated and quantified. Everything sticks.”

- Selina Kyle “The Catwoman” from Dark Knight Rises

The Batman Dark Knight trilogy’s exploration of privacy issues has been well covered by other commentators, such as this. However, as we approach Data Privacy Day (January 28th in case you have “forgotten”) it is useful to look at the creation of the global permanent record on the internet. In the movie, The Catwoman wants to obtain access to the “Clean Slate” software, which will erase all record of her crimes from any public database, allowing her to “start over”. The Catwoman’s situation raises important social questions about the degree to which individuals should forever carry a mark for mistakes they have made. We cannot let the Right to Privacy turn into a Right to Steal. Processing personal data to protect against theft or other malicious acts is critical, such as to provide adequate cyber-security. However, a culture where everyone can discover mistakes we made decades ago, would be invasive and unduly chilling.

Instead of the “Clean Slate” program, perhaps we should recommend Selina Kyle download a free copy of LOL…OMG on Data Privacy Day. Matt Ivester has updated his book to create a high school edition. Intel and Reed Elsevier will be working with Matt to promote five days of free downloads of the e-book version. LOL…OMG is a practical explanation of privacy risks and how to manage online reputation. One Miami teacher recently said about the book, “I wish I could make Mr. Ivester’s book mandatory reading for every parent, student and educator. It’s a landmark achievement, and I would be honored to help spread the word.” The book recognizes not only will young people make mistakes, but we want them to make mistakes. How else can they attempt to reach their potential. Click here during January 25th – January 29th to download a free copy of LOL…OMG.

Intel is honored to play a role putting this practical book’s guidance in the hands of parents, teachers and high school students. Please help us by spreading the word about Data Privacy Day and this promotion.

In my next post, I will take a look at whether the EU proposal of a Right to be Forgotten could help Selina Kyle in her attempt to start over.

I spent much of last week in Brussels, Belgium, speaking with people about the European Union’s proposed Data Protection Regulation, including presenting at the 3rd Annual European Data Protection & Privacy Conference. The Regulation is a once in a generation opportunity to examine privacy and data protection, as one of the landmark pieces of privacy legislation (the 95/46 EU Data Protection Directive) is updated. Having spent a number of years managing Intel’s privacy organization while living in Europe, I saw the impact the EU member state authorities can have in protecting individuals’ privacy. However, I could also see the many places where the current EU model falls short (e.g. lack of harmonization, lack of predictable enforcement, too many non value add administrative burdens). The current draft regulation is an ambitious document, which follows the technology neutral, high level principles model recommended by many (including Intel). It also tries to address the difficulties experienced with the non-harmonized implementing legislation of the current Data Protection Directive which has been challenging for many organizations doing business in various EU Member States and at a global level. The binding nature of the proposed Regulation and the “main establishment” provisions (which would largely mean a company would work with one regulator as the lead responsible authority) could be tremendous advances. However, there has been considerable concern over some provisions in the document, and I myself was wondering on the plane to Brussels whether there would be political will to fix some of the flaws in the draft. I came away from the week feeling there exists a real opportunity for discussion and change to the proposal in the coming months.

Intel has multiple goals for privacy laws. We believe privacy is an important individual interest, and one needing robust legal protections. It is also critical for our business for individuals to trust their use of technology. We need individuals to have confidence in their use of the many features and services in which we invest significant capital to develop. In addition, Intel is a company founded on the concept of the social benefits of innovation. Privacy is a necessary pre-requisite for innovation.

Innovation can be the tide lifting all boats. The economic benefit of an innovation economy is not a zero sum game between countries. However, the tide will only lift those boats without holes. Each country must look at its policy environment and determine whether it has put in place the right laws and regulations to encourage innovation. This includes robust intellectual property laws, investment in education, tax benefits for research and development, immigration policies rewarding higher education and technology skills, and also robust privacy laws. Innovation happens when individuals have protected environments in which they can collaborate and take risks. A lack of privacy has a natural result of encouraging conformity, as individuals have concerns that any failure or controversial opinion will be placed in a profile about them, remembered forever, and used to discriminate against them. The technology sector has created a global digital infrastructure providing an unprecedented ability for individuals to engage with each other across generations, countries and cultures. We need to make certain we provide adequate protections so individuals will fully use the free exchange of ideas enabled by this infrastructure. This exchange of ideas will create increased innovation, economic growth and jobs for the floating boats.

With these goals in mind, we can evaluate the current state of both the US privacy environment and the Draft EU Data Protection Regulation, and see many commendable features. Both the EU and the US have recently published defenses of these privacy models in “myth-busting” pieces. Each document includes important points to clear up confusion about the existing privacy environment in the US and the proposed regulation in the EU. However, it is important to note there are still holes in both of these boats. I have spent considerable time on this blog discussing the need for comprehensive US privacy legislation. The current US administration released a Consumer Privacy Bill of Rights earlier this year. In this document they noted the US framework lacks the following two elements: “a clear statement of basic privacy principles that apply to the commercial world, and a sustained commitment of all stakeholders to address consumer data privacy issues as they arise from advances in technologies and business models.” The administration then called upon the US Congress to pass legislation to patch these holes in the US boat. Intel echoes that call.

Similarly, the EU Commission recognizes there are issues with the current Regulation draft, but they are issues which can be fixed. Commission Vice President Vivienne Reding delivered a key note address at the conference mentioned above. In her speech, Ms. Reding noted changes will be made to the draft. She defended privacy as good for innovation and economic growth. She also made clear the Commission’s interest in modifying current provisions which create undue administrative burdens or uncertainty for the private sector.

Intel’s analysis of the current draft notes several areas for focus in making changes. In follow up conversations with stakeholders we understand there are robust discussions taking place on all of these issues. Here are a few of the priority holes, which can and should be repaired:

• The importance of cyber security. The EU recognizes the Right to Privacy. This is different than the Right to Steal, the Right to Hack, or the Right to Attack. We all need to recognize some of the greatest risks to privacy come from malicious attacks on legitimate and responsible stewards of personal data. Processing personal data to provide reasonable cyber security is a legitimate interest of both Controllers and Processors and should be a lawful basis for such processing. Inclusion of Recital 39 is helpful, but this issue needs language in the Regulation text.

• Moving from file clerks to privacy professionals. The current Directive requires both company privacy staff and supervisory authority employees to spend too much time processing paper, and not enough time counseling the business or taking enforcement action against bad actors (respectively). Doing away with notification and registration is a good step. However, replacing registration with an obligation in Article 28 Section 1 to document “all processing operations” will create an unreasonable burden on companies and do little to protect the privacy of individuals. Further, given the resource constraints of the supervisory authorities, it is likely 99% of these documents will never be reviewed by a regulator. The Commission needs to change these provisions to focus more on documenting the controls processes, and requiring companies to stand ready to work with supervisory authority investigators.

• Allowing the Privacy Impact Assessment to be effective. Intel has been doing Privacy by Design for over twelve years. We have integrated our privacy assessment documents into our Secure Development Lifecycle, which is the process we use to develop our products. These assessment documents need to be flexible and enable discussion between the privacy staff and the business. However, Articles 33 an 34 of the Regulation potentially place a huge burden on these assessments, both by creating prescriptive detailed requirements for a Data Protection Impact Assessment, and by requiring in Article 34 Section 6 the company to produce the document to the Supervisory Authority. If the Commission feels a document must be produced for this purpose (of which I am highly skeptical of the utility), then the scope should be substantially reduced and the requirements decreased to make clear, 1. These documents should only be produced in rare circumstances, and 2. These documents are different than those assessment documents used by the privacy staff to integrate privacy into the product and business processes.

• Avoiding Over Regulating. The Commission should be commended for proposing a principles based, technology neutral framework. However, there is concern about the many mentions in the text of Implementing and Delegated Acts. Detailed regulation is not an appropriate way to increase data protection, as providing reasonable privacy is highly contextual. Many of the references to Implementing and Delegated Acts should be removed from the text. A better method for contextual interpretation is already provided in the draft in the creation of the European Data Protection Board and its responsibilities under Chapter VII’s co-operation and consistency goals. If the Commission can make certain this Board will operate in a transparent manner, with input from all stakeholders, then the Board will provide a better mechanism for the interpretation of the principles to individual contextual situations and new technologies.

• Sanctions should be fair and not decrease investment in Europe. The current proposal in Article 79, which authorizes sanctions up to 2% of annual worldwide turnover, is excessive and will create a disincentive for large organizations to launch new products and services in the EU. In Section 3 of that Article, the text includes a carve out for situations of a first and non-intentional non-compliance. This carve out provides that no sanction will be imposed and it will instead result in a written warning. However, companies with more than 250 employees are not eligible for that exemption, when they are processing the data for a commercial interest. Even with the exemption, 2% of worldwide turnover is excessive. In addition to doing away with the concept of worldwide turnover, the exemption should be available to all organizations.

After the excellent set of presentations at the conference, and the exchange of ideas during the week, I am hopeful the Commission will patch these and other holes. We owe it to the people who want to trust their use of technology to get this right.  Let’s continue the substantive discussion, as I welcome your thoughts and comments.

By Alice Borrelli, Director, Global Healthcare Policy, Intel Corp

Congratulations to the Bipartisan Policy Center (BCP) for hosting a constructive summit on Health IT to release the report: Accelerating Electronic Information Sharing to Improve Quality and Reduce Costs in Health Care.

The report laid out progress that the Office of National Coordinator (ONC) is making through Meaningful Use Stage 2 with solid recommendations to advance interoperability.  To reach the goals of electronic information sharing which support improvements in the quality and cost effectiveness of care, the BCP calls for a national strategy and long term plan for standards and interoperability, as well as improving the accuracy of patient matching.   

The report suggests that public and private sector efforts demonstrate the attributes of a voluntary consensus standards body as outlined in the “National Technology and Transfer Act.”   Given the success of the Open Data Center Alliance to develop associated reference architectures and voluntary standards for cloud computing, we would suggest that this process could be a model for building a consensus to drive data exchange and deliver what physicians and patients need.  And to be explored through a future blog, perhaps a common data model that all vendors could implement could be developed through an industry/government alliance.

During the BPC event, Dr. Mark Blatt, MD and Intel’s Global Medical Director, offered collaborative workflow as a means to remove waste, delay and cycle time through the exchange of data.  As one example, Dr. Blatt highlighted how the marketplace could collapse the delivery of patient care, especially consults from hours to minutes, when using real time data exchange through videoconferencing and data sharing on devices such as a tablet.  In fact, we need to think about applying Moore’s Law to healthcare where we double the access to patients while cutting the costs in half – maybe not in the 24 months that technology moves, but at a much more accelerated pace than today’s practices.  And, at the same time ensuring that this patient information is securely transferred to the clinicians and patients needing the data. 

Meaningful Use Stage 2 Final Rules, which go into effect in October 2013 for hospitals and January 2014 for eligible professionals, will change the dynamics of Electronic Health Record (EHR) data exchange toward a more robust system with industry standards required for certification:  HL7, LOINC, SNOMED-CT and IHE profiles.  Additionally, certification requires EHR technology to be able to receive, display and transmit, using standards for more than 20 different types of data needed for clinical decision-making.  A summary of care record for 50% of care transitions (exchange) must include data elements for problem, medication and allergy lists which overlap physicians’ preferences.

As healthcare moves from a volume to value based system, the business case for data exchange that facilitates care coordination is being made nationally through ACO’s, Independence at Home practices and bundled payments.  With the current direction from ONC, coupled with recommendations from BPC, Health IT will provide the underlying framework to ensure the success of these programs.

Key findings from the Doctors Helping Doctors survey of over 500 clinicians showed that:

• More than 70 percent cite the lack of interoperability and an information infrastructure—along with the associated costs—as major barriers to electronic information sharing.
• Only 22 percent of clinicians surveyed perceive the lack of a business case to exchange information to be a major barrier.
• When asked about their information needs for transitions of care, a majority of clinicians agree that medication lists, relevant laboratory test results and relevant imaging test results are essential to clinical decision-making.  
• They prefer that only the information they view as “essential” be  “pushed” to them, with the ability to access the rest of the information through a “query.” 

By Christoph Luykx, Public Policy Manager Europe, and Daniel Keenan, Public Policy Intern Europe

This past week Intel submitted its response to the European Commission’s consultation on the future of EU-US trade and economic relations. Inputs from Intel and other stakeholders will help enable the European Commission and other policy-makers to gather detailed views on what priorities would be integral to any strategic, future trade and economic relationship between the US and the EU. This includes the ongoing bilateral discussion on trade but also a potential trade agreement between both economic powerhouses. 

As outlined in an earlier blogpost, Intel strongly encourages the EU and US to negotiate a realistic but comprehensive, cross sectoral, 21^st century trade and investment agreement that can not only benefit both our economies, but also serve as a role model for the rest of the world. To achieve this goal, Intel supports a flexible framework, set up to allow the negotiation of general principles that apply to all industries or goods and services, and includes specific chapters that apply on a sectoral basis. In taking this approach, slow progress in removing barriers for one sector will not hamper progress in another.  

We believe there are a number of priorities that should be addressed in the ongoing bilateral discussions as well as in a potential comprehensive trade agreement: 

• The EU and US should set the example bilaterally and in their dealings with third countries on how governments can ensure cross-border data flows while protecting legitimate privacy and security concerns. Therefore, we believe that one of the chapters in a comprehensive trade agreement should be a Transatlantic Services and Cross-Border Data Transfer Agreement.
• Promoting a robust IP system with efficient and effective enforcement mechanisms, protection of trade secrets, and a “markets, not mandates” approach to copyright that would govern all content protection issues.
• The need to continue coordination on various (cyber)security policies that third countries are creating. The goal is to ensure that these don’t disrupt the Global Digital Infrastructure (GDI). We specifically would like to see a chapter reflected in the new comprehensive agreement on guiding principles and best practices regarding security requirements and their relationship to market access issues. Intel supports the ongoing work within the EU–US cybersecurity working group and calls on both governments to intensify further their coordination.
• Working to prohibit trade distortive requirements like forced localization requirements and committing both sides to push back on those measures wherever they occur in third countries. 

Intel also provided feedback on a number of other priorities, such as the restrictions on the transfer of foreground IP to other affiliated entities on publicly financed R&D & Innovation; interoperability efforts of E-health records; the joint commitment to the current arrangement for internet governance and ensuring that the internet eco-system remains open to innovation and commerce globally; resolving divergences in regulations and standards where feasible; potential joint EU and US efforts to promote due process for competition matters, supporting joint efforts to open bilateral and global procurement markets; and avoiding divergent policy approaches in coordination between EU and US with regards to the nascent Internet of Things (IoT). 

As the Transatlantic economic relationship is of crucial importance to Intel, we will continue our involvement and input into the EU and US administrations to make the comprehensive trade and investment agreement a reality.

Today, the Future of Privacy Forum, a Washington-based think tank that aims to advance responsible data practices, announced a new Smart Grid Privacy Seal Program, powered by TRUSTe, for organizations that use consumer energy data.   

Intel has long championed the responsible stewardship of consumer information and I am pleased to say that Intel contributed to the development of and supports the seal program. We believe the development of Smart Grid infrastructure should follow the principles of Privacy By Design and Accountability, where privacy requirements are taken into account early on and throughout the development lifecycle and where entities take responsibility for the information they collect and use no matter where it resides.

The development of the Smart Grid Seal Program is a visible demonstration of what can be achieved when stakeholders work in concert to develop privacy best practices. Intel’s support of the Smart Grid Seal Program is yet another demonstration of our commitment to creating an environment where consumers can trust their use of technology.

 Stop, Think, Connect

One of the best parts of my position as Intel’s Director of Security Policy and Global Privacy Officer is working with innovative organizations to improve awareness of cyber security and privacy.  It is an honor to serve on the board of directors of one such entity: The National Cyber Security Alliance (NCSA).  Monday is the start of NCSA’s month long effort to educate consumers about what they can do to protect themselves online.  

NCSA is a non-profit public-private partnership focused on empowering digital citizens to stay safer online and protect digital assets.  Coordination of Data Privacy Day (January 28^th) is led by NCSA and October is annual National Cyber Security Awareness Month (NCSAM).  Over the next 30 days, I will use this blog to promote some of NCSA’s activities and add my perspective to the conversation.  The theme of the 2012 “Our Shared Responsibility,” is intended to remind consumers and businesses that the Internet is a shared resource and we all need to do our part to protect it. 

In addition to checking back at this blog, I encourage you to visit the NCSAM website and get involved.

By David Hoffman, Director Security Policy and Global Privacy Officer, Intel Corporation

The cyber security threat landscape has changed fundamentally over the last decade. Crime syndicates, terrorists, and nation states are engaging in cyber attacks to steal billions of dollars in intellectual property, disrupt business, and threaten governments.  At the 2012 Intel Developer Forum, I moderated a panel, which discussed these threats and how governments can work with industry to improve the level of cyber security. 

The panel included Renée James (Intel’s Senior Vice President and General Manager of the Software and Services Group), Michael DeCesare (Co-President of McAfee), Michael Kaiser (Executive Director of the National Cyber Security Alliance), Bruce Aitken (Director of Global Policy, Intel China), and Prof. Deirdre Mulligan (Professor of law at the UC Berkeley School of Information and a Faculty Director of the Berkeley Center for Law and Technology). The panel explored themes introduced in Ms. James’s keynote earlier in the day of the importance of increasing the pace of cyber security innovation, and the substantial investment Intel and McAfee are making to do so.

Two alternate visions of the future were forecast by the discussion: (1) Individual countries increasingly pass laws regulating cyber-security or which apply primarily to the “local” jurisdiction, or (2) multi-jurisdictional efforts to address cyber-security challenges gain traction, increasing inter-governmental coordination and cooperation amongst states.  There is a great need for governments to take action to protect their citizens.  However, efforts which have the unintended consequence of inhibiting global collaboration or increasing the cost of complying with non-interoperable requirements and standards, run the risk of decreasing the investment in cyber security innovation.  The panel urged policy makers to pursue solutions that increase investment in cyber security research and development, and which scale to allow for more secure technology which can be sold around the world.   Cyber security risks are growing and can come from anywhere.  These global threats require pursuit of global solutions. 

The video of the panel discussion is now available: http://newsroom.intel.com/docs/DOC-2925.  

Next week begins a month of Cyber Security Awareness activities, please join the conversation here or look for other opportunities to get involved. 

Attempt to spur job creation by securing highly skilled talent of foreign-born workers

The House of Representatives considered today a proposal to provide up to 55,000 new employment-based visas (green cards) for highly skilled workers. The legislation, known as the STEM Jobs Act of 2012, failed to receive the 2/3 vote necessary to pass and was defeated by a vote of 257-158. The legislation would have created a new visa category for foreign-born graduates of U.S. universities who earn an advanced degree in the areas of science, technology, engineering or mathematics. Intel supported this legislation and encouraged members of congress to vote for it.

This issue, at its core, is about job creation in America. The national unemployment average is above 8% but in STEM fields, where we have a shortage of talent, the unemployment rate for engineers is around 3%. Additional visas for STEM graduates will ensure we have access to the talent we need to help our companies grow and create new opportunities for American workers.

The issue of high skilled immigration is often misunderstood. Highly skilled foreign workers do not take the place of American’s with similar abilities, they fill skills gaps in our domestic workforce and often generate new jobs for American workers. Highly skilled employees are vital to the continued success of Intel. They help us expand our technological knowledge, create new products, and develop innovative manufacturing techniques.

The proposal that was considered today had the support of nearly all Republicans but was opposed by most Democrats who supported the concept but disagreed on where the visas should come from. Democrats lined up behind an alternative version of the legislation, known as the Attracting the Best and Brightest Act of 2012. Even had the STEM Jobs Act passed the House it was unlikely the Senate would consider the legislation this year.

However it is achieved, the addition of new STEM visas is critically important to Intel and all employers who depend on a highly skilled workforce. At Intel we have thousands of employees who are working on temporary visas and waiting in lines that stretch for years to receive their permanent, employment-based visa. During this waiting period, our colleagues are restricted in the activities they can perform, their opportunities to move up within the company are limited, and their personal lives are unsettled.

Despite the failure of this bill to pass, it is encouraging to see a consensus develop in Congress around the idea that highly skilled workers are essential to our nation’s growth and prosperity. Both political parties recognize that foreign-born students who are educated in the United States should be allowed, and encouraged, to remain in this country and contribute to established companies like Intel and start-up companies we have not year heard of. The legislative process was designed to be slow and painstaking, and on this issue it certainly has been. But the support expressed this week for the differing Republican and Democratic proposals can be seen as a sign that our deeply divided political parties are inching toward consensus on this important issue.

On June 19^th, US President Obama, European Commission President Barroso and European Council President Van Rompuy expressed strong support for a “bold initiative to expand trade and investment could make a significant contribution to our strategy to strengthen growth and create jobs”. The endorsement, on the margins of the G20 meeting in Los Cabos Mexico, was delivered on the occasion of the presentation of the interim report of the EU – US High Level Working Group on jobs and growth. This working group was created during the last EU – US summit in November 2011 by EU and US leaders and tasked to identify policies and measures to increase trade and investment to support mutually beneficial job creation, economic growth, and competitiveness.

In its interim report, the working group reached the preliminary conclusion that a comprehensive agreement that addresses a broad range of bilateral trade and investment policies as well as issues of common concern with respect to third countries would, if achievable, provide the most significant benefit of the various options considered. The report states that a comprehensive agreement could include ambitious reciprocal market opening in goods, services, and investment, and address the challenges of modernising trade rules and enhancing the compatibility of regulatory regimes. The political endorsement by both EU and US leaders and their call for a final report before year’s end is a strong indication for growing momentum towards an new spark in the Transatlantic marriage.

Intel support for an ambitious, reinvigorated transatlantic partnership

Intel strongly welcomes these developments and calls for both governments to keep up the political momentum. Peter Cleveland, Intel’s global Vice President for public policy, highlighted the importance of a strong Transatlantic economic relationship for a global company like Intel during a trip last week to Brussels.

Peter Cleveland Euractiv interview

As outlined by Mr. Cleveland in various events in Brussels, both parties should keep an open mind and craft a 21^st century agreement that not only addresses the traditional areas of tariffs and regulatory convergence but also serves as a beacon towards third countries. “A strong agreement between the EU and US with regards to cooperation on rules and principles on global issues of common concern will send a strong signal that the EU and US are sharing the same objectives and guiding principles to jointly address market access concerns that are currently spreading across the world” according to Mr Cleveland.

Joint responsibility

The report indicates the need for continued consultation with public and private stakeholders to further analyze the different components of a comprehensive transatlantic agreement and to be able to make a final recommendation end of year. Intel will continue to work to this end with governments and other industry stakeholders to provide additional input and build momentum towards a renewed Transatlantic marriage, ready to address 21^st century challenges. 

PETER CLEVELAND SPEAKING AT EURACTIV PANEL