IBM: We gave nothing to the NSA, stateside or elsewhere

IBM has become the latest of the tech giants to deny handing over customer data to the NSA's PRISM program. In this open letter, Big Blue's general counsel Robert Weber (also senior veep for legal and regulatory affairs) gives the “no way” message to the world at large. Specifically, Weber writes that IBM did not provide “ …

COMMENTS

This topic is closed for new posts.
  1. Mark 85

    Reform?

    From El Reg: " to El Reg strikes a discord: if Uncle Sam never actually got the data David Snowden asserts it has accessed (at least from IBM), where's the need for reform? "

    I take it you either believe all the releases might be a smokescreen or IBM is shoveling cow droppings? I tend to believe the latter since IBM has always had a relationship with security and defense interests in the US.. read that as "made a profit from them".

    1. Trevor_Pott Gold badge

      Re: Reform?

      Nor, I should point out, does IBM have a history of scruples when it comes to customer selection. In fact, of all the vendors out there, I would most easily believe that the devices used to remove the presumption of innocence from billions of individuals were manufactured by IBM. Of course, I've no proof of that, but they would be the logical supplier to me.

      1. Anonymous Coward

        Re: Reform?

        I fear you may both be the victim of successful diversion tactics (no matter, so is the author).

        What you forget is that intercept is not the sole province of the NSA - the whole acronym soup can participate, and that LEGALLY SUPPORTED. I predicted that 2014 would be the year of privacy spin - here is another example. I don't care two pennies about IBM claiming they never provided data to the NSA - I note with interest that being specific nicely excludes all the other agencies..

        1. Trevor_Pott Gold badge

          Re: Reform?

          Other agencies have to get a warrant. The NSA does not*. This is the primary difference. Warrant = presumption of innocence preserved. No warrant = Spookocracy.

          *warrants from secret courts operating with zero oversight overseeing secret laws issuing secret letters of demand are not counted as "warrants" for the purpose of the preservation of the presumption of innocence.

          1. Anonymous Coward

            Re: Reform?

            Other agencies have to get a warrant.

            Actually, that's not always the case, which is one of the key problems in the US.

  2. silent_count

    Translation

    Give us your money because saying we're trustworthy makes it so. And we don't want to spend any of it to store your data in your country.

  3. xperroni

    It's what a witch would say

    As brighter minds have pointed out, trust is the biggest casualty in this whole surveillance debacle. Even if IBM et al swear they're clean, there's always the feeling that's just what they'd say either way. When lying is a standard business practice, how do honest (or at any rate, uninvolved) companies prove themselves in the eyes of customers?

    1. Busby

      Re: It's what a witch would say

      It's not just that they may want to lie but legally they may have to. Current US law means no one can be trusted to tell the truth which is bad news for everyone, mainly the consumers but all parties suffer.

    2. Anonymous Coward

      Re: It's what a witch would say

      Several problems with this:

      1. It is a variation of the liar's paradox. If IBM has ever had a National Security Letter it will be obliged to lie that it has never had it.

      2. IBM supposedly operates cloud on behalf of customers including foreign entities. If it never had a national security letter this means that its own claims of cloud prowess are highly overrated. After all everyone and their dog has had one.

  4. Captain DaFt

    Uh-huh

    "We gave NOTHING to the NSA, stateside or elsewhere"

    "We just pretended they weren't here while they were tapping everything, since we're not allowed to talk about it."

  5. MrDamage Silver badge

    We gave them nothing,

    But we do have an employee called Nigel Stephen Andrews, who has unfettered access to all of our systems and records.

  6. F. Svenson

    David?

    Is David Snowden related to Edward?

    1. Anonymous Coward

      Re: David?

      Maybe he's using "David" as a nom de plume in the hopes that it'll make it harder for the NSA to know whether they've got the 'right Snowden'.

  7. Anonymous Coward

    Didn't give them anything

    They just took it for themselves.

  8. Anonymous Coward

    I just bought an IBM server blade for forensic experimentation

    16 cores, 92GB ram - now I'll start to probe the Built-In-Lights-Out management mini-pc & everything else we can think of and see if there's anything covert going on, (we've already had a tailored-access-modified HP server delivered a couple of years ago - so are definitely a target of economic/scientific interest)

    The IBM can go and live in our shiny new double-anechoic tent (the Shamir-zone) whilst we see what it's doing ...

    ...as for IBM hardware that's remotely located in some far away US Cloud, we have no suspicions that all our data is being leaked/profiled/analysed - just because they can. Surely we can believe large USAian enterprises!

    1. Anonymous Coward

      Re: I just bought an IBM server blade for forensic experimentation

      Interested to hear how you intend to profile what the CIM jobbie is up to. Obviously you can watch its net traffic which would be fun up to a point.

      Just in case anyone reading here has never thought about it: iLOs (HP) DRAC (Dell) etc etc are able to do things like checkpoint their host and read the RAM contents without the host or its OS being any the wiser that anything is happening.

      Read this http://fish2.com/ipmi/itrain.pdf for a more involved write up on these things. It's quite long and a bit idiosyncratic but a good wake up call for any sysadmin who might not have even bothered with a VLAN or two for them.

    2. Matt Bryant Silver badge
      Facepalm

      Re: AC Re: I just bought an IBM server blade for forensic experimentation

      Why? Will IBM even be making blades for much longer? Maybe you should have tested a Lenovo one instead?

  9. capcorn

    NSA is the National Security Agency of the USA only, not of the whole world. Why does the NSA think that it is an authoritative body which has rule all over and can control the data of anyone? It should stop thinking in this way and accept that it is their own employees who leaked the secrets. Freedom rights to every person must be abided by the agency.

  10. ForthIsNotDead

    It's not that we don't trust *you*, IBM...

    ...the problem is, planet earth doesn't trust *your* government. As we know, your government permits the NSA to come to you and order you to hand over just whatever the hell it wants. Furthermore, we all know that the NSA has the legal powers to prevent you, IBM, from disclosing the fact that you have:

    a) been approached by the NSA

    b) actually handed over any data

    In fact, the NSA could have requested data, and you may have indeed declined, and you would still be legally prevented from disclosing that fact.

    And for all those reasons, dear, beloved, IBM, it's a "thanks, but no thanks".

  11. Anonymous Coward

    I always find these denials interesting, especially from government where they are quite specific in what they have not done, yet leave what they have done in the shadows.

    The NSA says they didn't infect millions of PC's with malware, which means it could be 100,000, 500,000, or up to 1.9 million PC's and they are still telling the "truth".

    Any government department that goes rogue, lies to the people, Congress, or indeed any civilian oversight should be slapped down with the harshest of jail terms by the courts. The men who run those departments should face the full fury of the law when they exceed their mandates. Anything less, encourages tyranny.

  12. John Smith 19 Gold badge
    Unhappy

    While THE PATRIOT Act exists he *would* say that.

    Even if it was lying through his teeth.

    1. Anonymous Coward

      Re: While THE PATRIOT Act exists he *would* say that.

      Whether it's true or not, if he failed to take a (legal) action on something that was affecting the company's bottom line; then he'd be opening himself up to a sueball from the shareholders.

      Lying glibly isn't illegal. Especially if you have orders requiring you to lie.

      1. Anonymous Coward

        Re: While THE PATRIOT Act exists he *would* say that.

        Lying glibly isn't illegal. Especially if you have orders requiring you to lie.

        Many Germans tried a variation of that excuse at Nuremberg... it didn't wash then either.

  13. Anonymous Coward

    just not enough

    Sorry, IBM, but because of your government's behaviour I'm not inclined to trust you just because of a press release.

  14. Yet Another Anonymous coward Silver badge

    Disgusted

    So the preferred supplier of data processing equipment to the Third Reich refused to help the noble NSA in defending freedom, democracy and Apple pie from the evil terrorists?

  15. James 100

    IBM and NSA secrets

    Given IBM's history, including the design of DES - where it emerged, decades later, that the S-box values had been carefully chosen for resistance to differential cryptanalysis, which IBM and the NSA were keeping a closely guarded secret at the time - it's not exactly far-fetched to think IBM might be doing things covertly now as well. Indeed, to assert IBM hasn't done secret things with NSA would be a flat-out lie (they've worked together on classified projects for decades); the only question is if and how much this impacts IBM's other customers. (For that matter, Google employs people with high security clearance, like many high-tech US companies - and of course what they do is secret, so they can't actually tell us whether it infringes our privacy or not...)

    David Snowden did actually work for IBM, though I suspect the article's supposed to be referring to the more famous Edward J Snowden currently living in Russia.

  16. Bloakey1

    Re: David?

    Perhaps he is following the traditional route and is in a state of transition on his way to becoming Davina ( See Chelsea WoManning).

  17. Anonymous Coward

    In other words, one of the USA's biggest hardware-slingers is getting a spanking due to the NSA's shenanigans. Possibly time for some lobbying or something to bring them to heel? Even though IBM do have form with undue cooperation with temporal authorities *cough* 1940s census *cough*; the basic claim that they just punt kit out seems plausible enough. The bit I found interesting was this:

    "IBM does not put “backdoors” in its products for the NSA or any other government agency, nor does IBM provide software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data."

    Why the scare quotes round "backdoors"? Do they call them something else internally in IBM (NSA-holes would be my favourite). Could they technically not be called backdoors because they're always located on the top of the board?

    1. Anonymous Coward

      Why the scare quotes round "backdoors"? Do they call them something else internally in IBM

      I'm plumping for them calling such backdoors "features".

  18. John Smith 19 Gold badge
    Joke

    IBM: "We gave NSA *nothing* "

    We charged them through the nose like we do all our customers.

  19. Anonymous Coward

    Like, totally believable - NOT

    That's what they're expected to say.

  20. Beachrider

    FISA in the USA...

    IBM's comment needs to cover all FISA warrants (that is what you are talking about here), that would be key. The proceedings of FISA are often top-secret and are reviewed by the Chief Justice of the Supreme Court (who appoints and fires these judges).

    Edward Snowden has certainly gained notoriety for exposing the broad warrant granted to the NSA for disclosure of Verizon call-metadata (but not the calls themselves). It was amazing because FISA was used to 'go fishing' with otherwise-not-suspects people, both Americans and non-Americans.

    EVERYONE wants to deny that they are complying with FISA Warrants, but they would risk TREMENDOUS HARM if it eventually came out that they lied about complying.

    Given the recent penchant for disclosure of these types, I wonder if IBM would openly lie about FISA warrants. There are about 2000 of them every year, though.

  21. WatAWorld

    Localization apparently actually accomplished and accomplishes quite a bit then.

    "Governments should reject short-sighted policies, such as data localization requirements, that do little to improve security but distort markets and lend themselves to protectionist tendencies."

    "Do little" he says.

    [I added the numbering below.]

    "1. IBM has not provided client data to the National Security Agency (NSA) or any other government agency under the program known as PRISM.

    2. IBM has not provided client data to the NSA or any other government agency under any surveillance program involving the bulk collection of content or metadata.

    3. IBM has not provided client data stored outside the United States to the U.S. government under a national security order, such as a FISA order or a National Security Letter."

    Analysis:

    1. Denial only covers PRISM.

    2. Denial only covers bulk collection.

    3. Denial only covers data that was localized to a foreign country.

    In other words, what US law forces IBM to do results in a privacy benefit to foreign governments, foreign companies and foreign private citizens who localize their country's data within their own country, or at least localized anywhere but the USA.

    Localization apparently actually accomplished and accomplishes quite a bit then.

    Probably the only downside of localization is that it hurts the bottom line of large multinational storage and cloud providers.

  22. WatAWorld

    How does data get to IBM?

    IBM would not have to turn over data from foreign governments, companies and individuals to the NSA if the NSA intercepted that data on its way from overseas to IBM USA or when it traveled between IBM facilities over US owned or US controlled networks.

    So even if IBM issued a broad statement and was truthful, the issue still stands that the data is passing through the USA or US controlled networks, and so IBM cannot assure anyone that that data is not being intercepted during that transmission.

    Part of the solution is for foreign governments, companies and individuals to keep their data in their own country (or the EU) so their own country's human rights laws and privacy legislation can protect it.

    It is not IBM's sole responsibility that its government does not recognize the ordinary citizens of long-time allies as human beings with human rights, but that is how it is. IBM has to live with that fact until it can convince its government that treating the rest of the world's population as untermenschen is bad for business.

  23. Anonymous Coward

    Bruce Schneier has a bone to pick with IBM, and rightly so:

    https://www.schneier.com/blog/archives/2014/03/an_open_letter_.html
