IBM: No Backdoors, No Source Code, No Client Data Provided to NSA

After classified documents leaked by Edward Snowden began to reveal the scope of US government surveillance, many US technology companies have been put in a tough position with their customers.

In response to recent client concerns over data security and privacy related to government requests, IBM on Friday shared some details on its interactions with the government and how it plans to respond should governments request access to its customers’ data.

According to Robert Weber, IBM Senior Vice President, Legal and Regulatory Affairs, and General Counsel, IBM has not provided client data to the NSA or any other government agency under the program known as PRISM or under any surveillance program involving the bulk collection of content or metadata.

In a letter to clients on March 14, Weber made the following assurances:

• IBM has not provided client data stored outside the United States to the U.S. government under a national security order, such as a FISA order or a National Security Letter.

• IBM does not put “backdoors” in its products for the NSA or any other government agency, nor does IBM provide software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data.

• IBM has and will continue to comply with the local laws, including data privacy laws, in all countries in which it operates.

Why has IBM not faced the volume of government requests for customer data that Internet and technology companies such as Google, Microsoft, Yahoo and Twitter have?

“Our business model sets us apart from many of the companies that have been associated with the surveillance programs that have been disclosed,” Weber explained. “Unlike those companies, IBM’s primary business does not involve providing telephone or Internet-based communication services to the general public.”

“To the extent our clients provide us access within their infrastructure to the type of individual communications that reportedly have been the target of the disclosed intelligence programs, such information belongs to our clients,” he continued.

In other words, if a government wanted data that belongs to an IBM client, Weber said, it would be expected to approach that client rather than IBM.

In his letter, Weber also described how IBM would respond to government demands for client data:

• In general, if a government wants access to data held by IBM on behalf of an enterprise client, we would expect that government to deal directly with that client.

• If the U.S. government were to serve a national security order on IBM to obtain data from an enterprise client and impose a gag order that prohibits IBM from notifying that client, IBM will take appropriate steps to challenge the gag order through judicial action or other means.

• For enterprise clients’ data stored outside of the United States, IBM believes that any U.S. government effort to obtain such data should go through internationally recognized legal channels, such as requests for assistance under international treaties.

• If the U.S. government instead were to serve a national security order on IBM to obtain data stored outside the United States from an enterprise client, IBM will take appropriate steps to challenge the order through judicial action or other means.

In December 2013, a group of US-based Internet companies called on Washington to overhaul its surveillance laws. In an open letter to President Obama and Congress, they urged the US to lead a worldwide reform of state-sponsored surveillance.

In his letter, Weber also emphasized that governments need to act in order to restore trust, and said IBM believes governments should take the following steps:

• Governments should reject short-sighted policies, such as data localization requirements, that do little to improve security but distort markets and lend themselves to protectionist tendencies.

• Governments should not subvert commercial technologies, such as encryption, that are intended to protect business data.

• The U.S. government should have a robust debate on surveillance reforms, including new transparency provisions that would allow the public to better understand the scope of intelligence programs and the data collected.

In January, President Barack Obama announced plans to curtail the reach of massive phone surveillance sweeps by the NSA, but said bulk data collection must go on to protect America from terrorists.

In December, Microsoft said it would “pursue a comprehensive engineering effort to strengthen the encryption of customer data” in order to protect its customers from prying eyes and increase transparency.

“Data is the next great natural resource, with the potential to improve lives and transform institutions for the better,” Weber concluded. “However, establishing and maintaining the public’s trust in new technologies is essential.”

Weber also said IBM will “engage governments around the world on behalf of sensible, market-led policies that enable the free flow of data while promoting strong security.”
