
IBM: No Backdoors, No Source Code, No Client Data Provided to NSA

Since details on the scope of US government spying began to emerge from classified documents leaked by Edward Snowden, many US technology companies have been put in a tough position with their customers.

In response to recent client concerns over data security and privacy related to government requests, IBM on Friday shared some details on its interactions with the government and how it plans to respond should governments request access to its customers’ data.

According to Robert Weber, IBM Senior Vice President, Legal and Regulatory Affairs, and General Counsel, IBM has not provided client data to the NSA or any other government agency under the program known as PRISM or under any surveillance program involving the bulk collection of content or metadata.

In a letter to clients on March 14, Weber made the following assurances:

• IBM has not provided client data stored outside the United States to the U.S. government under a national security order, such as a FISA order or a National Security Letter.

• IBM does not put “backdoors” in its products for the NSA or any other government agency, nor does IBM provide software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data.

• IBM has and will continue to comply with the local laws, including data privacy laws, in all countries in which it operates.

How has IBM avoided the significant levels of government requests for customer data that other Internet and technology companies, such as Google, Microsoft, Yahoo and Twitter, have faced?

“Our business model sets us apart from many of the companies that have been associated with the surveillance programs that have been disclosed,” Weber explained. “Unlike those companies, IBM’s primary business does not involve providing telephone or Internet-based communication services to the general public.”

“To the extent our clients provide us access within their infrastructure to the type of individual communications that reportedly have been the target of the disclosed intelligence programs, such information belongs to our clients,” he continued.

In other words, if a government did have an interest in IBM’s customer data, the government would approach that client, not IBM, Weber said.

In his letter, Weber said IBM would offer the following assurances to its customers:

• In general, if a government wants access to data held by IBM on behalf of an enterprise client, we would expect that government to deal directly with that client.

• If the U.S. government were to serve a national security order on IBM to obtain data from an enterprise client and impose a gag order that prohibits IBM from notifying that client, IBM will take appropriate steps to challenge the gag order through judicial action or other means.

• For enterprise clients’ data stored outside of the United States, IBM believes that any U.S. government effort to obtain such data should go through internationally recognized legal channels, such as requests for assistance under international treaties.

• If the U.S. government instead were to serve a national security order on IBM to obtain data stored outside the United States from an enterprise client, IBM will take appropriate steps to challenge the order through judicial action or other means.

In December 2013, a group of US-based Internet giants called on Washington to overhaul its surveillance laws. In an open letter to President Obama and Congress, the tech giants called on Washington to lead the way in a worldwide reform of state-sponsored spying. 

In his letter, Weber also emphasized the need for governments to take action to restore trust, and said IBM believes governments should take the following actions:

• Governments should reject short-sighted policies, such as data localization requirements, that do little to improve security but distort markets and lend themselves to protectionist tendencies.

• Governments should not subvert commercial technologies, such as encryption, that are intended to protect business data.

• The U.S. government should have a robust debate on surveillance reforms, including new transparency provisions that would allow the public to better understand the scope of intelligence programs and the data collected.

In January, President Barack Obama announced plans to curtail the reach of massive phone surveillance sweeps by the NSA, but said bulk data collection must go on to protect America from terrorists.

In December, Microsoft said it would “pursue a comprehensive engineering effort to strengthen the encryption of customer data” in order to protect its customers from prying eyes and increase transparency.

“Data is the next great natural resource, with the potential to improve lives and transform institutions for the better,” Weber concluded. “However, establishing and maintaining the public’s trust in new technologies is essential.”

Weber also said IBM will “engage governments around the world on behalf of sensible, market-led policies that enable the free flow of data while promoting strong security.” 

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
