IBM latest tech company to deny links with NSA spy program

IBM said it was responding to customer questions about how the company would handle government requests for access to their data

IBM said it has not provided client data to the U.S. National Security Agency or any other government agency under surveillance programs involving the bulk collection of content or metadata.

The enterprise-focused company is the latest among U.S. tech companies to distance itself from NSA surveillance, which has raised concerns among customers worldwide about the safety of their data from U.S. government spying.

The U.S. cloud computing industry could lose US$22 billion to $35 billion of its foreign market over the next three years to competitors abroad as a result of the revelations of the NSA programs, think tank Information Technology & Innovation Foundation said in August.

Some nations like Brazil have also considered asking service providers to hold data within the country, a move that some Internet companies like Google have described as potentially fragmenting the Internet.

In a letter to customers Friday, IBM said it had not provided client data stored outside the U.S. to the U.S. government under a national security order, such as an order under the Foreign Intelligence Surveillance Act or a National Security Letter.

Former NSA contractor, Edward Snowden, claimed through disclosures to newspapers that a number of Internet companies were providing real-time access to content on their servers to the NSA under a program called Prism, which the companies denied. The agency also had secretly broken into the main communications that connect the data centers of Google and Yahoo around the world, according to reports.

IBM denied providing client data to the NSA or any other government agency under Prism. It said it does not have "backdoors" in its products or provide software source code or encryption keys to the NSA or any other government agency for accessing client data.

In a series of commitments to its customers, Robert C. Weber, (IBM's senior vice president for legal and regulatory affairs, and general counsel wrote in the letter, which was also posted online, that "in general, if a government wants access to data held by IBM on behalf of an enterprise client, we would expect that government to deal directly with that client."

But if served by the U.S. a national security order for data from an enterprise client and a "gag order" prohibiting it from discussing the order with the client, the company promises to challenge the gag order through legal and other means, it said.

For enterprise clients' data stored outside the U.S., IBM holds that any U.S. government effort to obtain such data "should go through internationally recognized legal channels, such as requests for assistance under international treaties." It would challenge through legal and other means a U.S. government order for access to data of enterprise clients stored outside the country, it added.

On the government policy front, IBM has described data localization requirements by countries as short-sighted policies, that "do little to improve security but distort markets and lend themselves to protectionist tendencies." Governments should also not subvert commercial technologies, such as encryption, that are intended to protect business data, the company said in what appears to be a reference to reports that the NSA has been attempting to circumvent encryption technologies.

Other tech companies have also tried to reassure their customers in the wake of the Snowden disclosures. Microsoft told business and government customers worldwide in December that it is committed to informing them of legal orders related to their data, and will fight in court any 'gag order' that prevents it from sharing such information with customers. The company also plans to encrypt customers' information moving between its data centers, with plans to complete the project by the end of 2014.

Yahoo and Google have also announced strengthening encryption of their services.

IBM said its letter was in response to customer questions on how best to secure their data, where to locate it, and how the company would respond should governments request access. It was also a matter of interest to its employees, partners and shareholders, Weber wrote.

In December, the Louisiana Sheriffs' Pension and Relief Fund sued IBM in a district court in New York, claiming that it failed to inform investors that sales in China would slow after disclosures that IBM was cooperating with the NSA spying program. Weber said at the time the suit was "pushing a wild conspiracy theory." IBM had attributed a drop in hardware sales in the third quarter partly to delayed procurement by Chinese government agencies while the local government framed a new economic policy.

John Ribeiro covers outsourcing and general technology breaking news from India for The IDG News Service. Follow John on Twitter at @Johnribeiro. John's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags servicesIBMsecurityU.S. National Security AgencyComputing servicescloud computinginternetprivacy

More about GoogleIBM AustraliaIDGMicrosoftNational Security AgencyNSAPrismTechnologyYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John Ribeiro

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place