An Open Letter to IBM's Open Letter

Last week, IBM published an “open letter” about “government access to data,” where it tried to assure its customers that it’s not handing everything over to the NSA. Unfortunately, the letter (quoted in part below) leaves open more questions than it answers.

At the outset, we think it is important for IBM to clearly state some simple facts: IBM has not provided client data to the National Security Agency (NSA) or any other government agency under the program known as PRISM.

IBM has not provided client data to the NSA or any other government agency under any surveillance program involving the bulk collection of content or metadata.

IBM has not provided client data stored outside the United States to the U.S. government under a national security order, such as a FISA order or a National Security Letter.

IBM does not put “backdoors” in its products for the NSA or any other government agency, nor does IBM provide software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data.

IBM has and will continue to comply with the local laws, including data privacy laws, in all countries in which it operates.

To which I ask:

We know you haven’t provided data to the NSA under PRISM. It didn’t use that name with you. Even the NSA General Counsel said: “PRISM was an internal government term that as the result of leaks became the public term.” What program did you provide data to the NSA under?

you provide data to the NSA under? It seems rather obvious that you haven’t provided the NSA with any data under a bulk collection surveillance program. You’re not Google; you don’t have bulk data to that extent. So why the caveat? And again, under what program did you provide data to the NSA?

you provide data to the NSA? Okay, so you say that you haven’t provided any data stored outside the US to the NSA under a national security order. Since those national security orders prohibit you from disclosing their existence, would you say anything different if you did receive them? And even if we believe this statement, it implies two questions. Why did you specifically not talk about data stored inside the US? And why did you specifically not talk about providing data under another sort of order?

Of course you don’t provide your source code to the NSA for the purpose of accessing client data. The NSA isn’t going to tell you that’s why it wants your source code. So, for what purposes did you provide your source code to the government? To get a contract? For audit purposes? For what?

you provide your source code to the government? To get a contract? For audit purposes? For what? Yes, we know you need to comply with all local laws, including US laws. That’s why we don’t trust you — the current secret interpretations of US law requires you to screw your customers. I’d really rather you simply said that, and worked to change those laws, than pretend that you can convince us otherwise.

EDITED TO ADD (3/25): One more thing. This article says that you are “spending more than a billion dollars to build data centers overseas to reassure foreign customers that their information is safe from prying eyes in the United States government.” Do you not know that National Security Letters require you to turn over requested data, regardless of where in the world it is stored? Or do you just hope that your customers don’t realize that?

Posted on March 24, 2014 at 6:58 AM • 37 Comments