An Open Letter to IBM's Open Letter

Last week, IBM published an "open letter" about "government access to data," where it tried to assure its customers that it's not handing everything over to the NSA. Unfortunately, the letter (quoted in part below) leaves open more questions than it answers.

At the outset, we think it is important for IBM to clearly state some simple facts:

  • IBM has not provided client data to the National Security Agency (NSA) or any other government agency under the program known as PRISM.

  • IBM has not provided client data to the NSA or any other government agency under any surveillance program involving the bulk collection of content or metadata.

  • IBM has not provided client data stored outside the United States to the U.S. government under a national security order, such as a FISA order or a National Security Letter.

  • IBM does not put "backdoors" in its products for the NSA or any other government agency, nor does IBM provide software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data.

  • IBM has and will continue to comply with the local laws, including data privacy laws, in all countries in which it operates.

To which I ask:

  • We know you haven't provided data to the NSA under PRISM. It didn't use that name with you. Even the NSA General Counsel said: "PRISM was an internal government term that as the result of leaks became the public term." What program did you provide data to the NSA under?

  • It seems rather obvious that you haven't provided the NSA with any data under a bulk collection surveillance program. You're not Google; you don't have bulk data to that extent. So why the caveat? And again, under what program did you provide data to the NSA?

  • Okay, so you say that you haven't provided any data stored outside the US to the NSA under a national security order. Since those national security orders prohibit you from disclosing their existence, would you say anything different if you did receive them? And even if we believe this statement, it implies two questions. Why did you specifically not talk about data stored inside the US? And why did you specifically not talk about providing data under another sort of order?

  • Of course you don't provide your source code to the NSA for the purpose of accessing client data. The NSA isn't going to tell you that's why it wants your source code. So, for what purposes did you provide your source code to the government? To get a contract? For audit purposes? For what?

  • Yes, we know you need to comply with all local laws, including US laws. That's why we don't trust you -- the current secret interpretations of US law require you to screw your customers. I'd really rather you simply said that, and worked to change those laws, than pretend that you can convince us otherwise.

EDITED TO ADD (3/25): One more thing. This article says that you are "spending more than a billion dollars to build data centers overseas to reassure foreign customers that their information is safe from prying eyes in the United States government." Do you not know that National Security Letters require you to turn over requested data, regardless of where in the world it is stored? Or do you just hope that your customers don't realize that?

Posted on March 24, 2014 at 6:58 AM • 37 Comments

Comments

Evan • March 24, 2014 8:01 AM

Of course, they cannot answer these questions - Lavabit founder Ladar Levison said he could not, under the terms of the national security letter or whatever it was, publicly discuss or even mention what it was exactly that the NSA had demanded.

That's what's so infuriating about this whole business - secret courts, secret letters, secret hearings, secret purposes. "Ignorance of the law is no exception", as the juridical maxim goes, but now it's been twisted to "Ignorance of the law is mandatory". We cannot have open and public debate about what intelligence agencies are doing because we are forbidden from knowing.

Dimitris Andrakakis • March 24, 2014 8:03 AM

These endless NSA word-games have left me feeling helpless.

It seems that no one that interacts with the NSA, in whatever way, can or will tell the truth. Instead, they resort to weasel words, code names that they "don't know" (while of course they know of another code name) etc. etc.

It's hopeless really.

Bob S. • March 24, 2014 8:37 AM

I suspect IBM, like many other American corporations, has lost billions of dollars worth of business due to the Revelations.

Mealy mouthed disclaimers written by corporate lawyers with the assistance of government lawyers do nothing to improve the climate or trust levels.

On a more generic level, it seems prudent to assume that, since virtually all of the major internet corporations have been compromised one way or another, so has IBM.

The economic impact of the revelations and the inappropriate response of the government and corporations may very well bring the American economy down. I think it's already started.

Mailman • March 24, 2014 8:56 AM

Aww, how sad: an open letter taking its distance from another open letter. I prefer it when letters remain stationary.

65535 • March 24, 2014 8:58 AM

That is a transparent non-denial wrapped in legalese and double talk. I will make a few adjustments that probably accurately reflect the situation:

“IBM has not provided client data to the National Security Agency (NSA) or any other government agency under the program known as PRISM.”

[What we meant to say was the slang term “PRISM” was not in the legal discussion with the NSA. We used terms like “court order” and "compliance" with NSL secret letters and so on.]

“IBM has not provided client data to the NSA or any other government agency under any surveillance program involving the bulk collection of content or metadata.”

[The fact that all of our customers' data was mirrored by the NSA doesn't really mean "Bulk Collection" or the like. We only have a certain percentage of the market – not the "bulk of the market." And, it's not bulk collection because bulk collection cannot be revealed – it is just a huge vacuuming of customers' data.]

“IBM does not put “backdoors” in its products for the NSA or any other government agency, nor does IBM provide software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data.”

[We don’t need backdoors! It all goes out the Front Door – under CALEA… Sniff]

“IBM has and will continue to comply with the local laws, including data privacy laws, in all countries in which it operates.”

[Except when we get a NSL - we cannot talk about those! Besides, just because the Brits want data on Americans it is perfectly legal to hand it over. Just check the laws in the UK or any other EU country! We are a multinational company. We did not write those laws we just follow them!]

vas pup • March 24, 2014 9:22 AM

@Bruce. Love all your points and this in particular: "Okay, so you say that you haven't provided any data stored outside the US to the NSA under a national security order. Since those national security orders prohibit you from disclosing their existence, would you say anything different if you did receive them? And even if we believe this statement, it implies two questions. Why did you specifically not talk about data stored inside the US? And why did you specifically not talk about providing data under another sort of order?"

@Evan. Your point is reasonable. The problem is that some secret internal policies of LEA/Intel which directly affect your rights as a citizen never go through any procedure of external review of their constitutionality and compliance with the Bill of Rights in particular. Because they are secret, you can't challenge them in a court. That is the key problem: disrespect for the Constitution is not punishable. In some European countries there is a special Constitutional Court which does not review particular cases when there is doubt about the constitutionality of the law applied in that particular case (as SCOTUS does). Those courts review the constitutionality of any law, regulation, executive order, etc. REGARDLESS of any particular case involved, by request/petition of an eligible concerned subject, including ordinary citizens. No legal act affecting human rights can bypass the scrutiny of such a court. Moreover, a Constitutional Court cannot refuse to accept cases based on subject matter, but it does have special procedural requirements for the petition (you are not required to be a lawyer admitted to the Bar, by the way).

Winter • March 24, 2014 10:10 AM

We know IBM will comply with all legal requests from "local" authorities. And we know they will not be able to talk about some (most?) of these requests because that would be illegal.

What can they tell us?

1) All requests for data and assistance that they are allowed to talk about.

2) Any data they have volunteered beyond the demand of the law.

3) Mitigating steps they have taken to keep customer data out of the hands and jurisdiction of "antagonistic" intelligence services.

I do not hold my breath.

If anything else fails, blame the computer • March 24, 2014 10:12 AM

hmm yea IBM might also mean that they did not provide data to The Government because neither the company nor the individuals working for the company did so.

Instead the machines that they had built did it.

EVO VI • March 24, 2014 10:17 AM

The decision, not to use support from an IBM employee, who is more familiar with propositional logic, is the real statement.

Nick P • March 24, 2014 10:24 AM

Bamford's history of the NSA shows they and IBM working together tightly going way back. IBM's sales to public sector are in $10-20 billion a year range. IBM is clearly committed to NSA and public sector if only to keep their revenue along with privileged position getting government contracts.

Nice teardown of their word games, though.

Clive Robinson • March 24, 2014 10:27 AM

@ Bruce,

Until the law is changed and other coercion prevented...

All these major companies can do is issue such statements in what is in effect a "meaningless PR exercise".

And I suspect the only way to get the required changes will involve,

1, Public ridicule of all such statements,
2, For these companies to suffer sufficient financial loss that it becomes a National Security issue economically.

So keep up the questioning and the ridicule, and the rest of us will need to stop buying their products to hammer it home to the judiciary and the executive via the usual "coercion" these companies employ.

Autolykos • March 24, 2014 10:27 AM

@65535: Yeah, I agree that what they're saying is pretty clear to anyone used to parsing legalese. Still, I'd find it more polite to put it in a way that leaves no doubt they're not even trying to fool their customers. Either the Google way "We received between 0 and 999 national security letters this year." or the Mafia way "We do NOT, under any circumstances, comply with requests from law enforcement or secret services."

Glenn • March 24, 2014 10:43 AM

Bruce,

Do you have an opinion on warrant canary pages? I created one for my (very small) firm and update the date stamp weekly. It is quite clear -- no weasel words. Our interest is in telling the truth to our clients, which seems to differentiate us from corporate giants like IBM. I'm just wondering if there is a template you like, or if you even think they're worth the pixels they're printed in.
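What a warrant canary actually buys a reader is a check that can be automated: the statement text must be unchanged, the signature must verify under the operator's long-known public key, and the date stamp must be fresher than the promised refresh interval. Missing any one of the three is treated as the canary having "tripped". The following is an added example written for this discussion, not code from the original post or from Glenn's firm; the canary wording, the 14-day freshness window and the ed25519 signing scheme are assumptions (many real canaries use PGP instead).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Canary is the signed statement a service publishes on a fixed schedule.
// Hypothetical format for this example; not anything Glenn or IBM published.
type Canary struct {
	Statement string    // text that must remain present, word for word
	Issued    time.Time // date stamp the operator refreshes each period
	Signature []byte    // ed25519 signature over Statement + "\n" + Issued (RFC 3339)
}

// Assumed canary wording. A reader pins this text and rejects any variation.
const expectedStatement = "As of the date below, we have received no national security letters, FISA orders, or gag orders."

func canaryMessage(statement string, issued time.Time) []byte {
	return []byte(statement + "\n" + issued.UTC().Format(time.RFC3339))
}

// SignCanary is what the operator runs each week with its offline signing key.
func SignCanary(priv ed25519.PrivateKey, statement string, issued time.Time) Canary {
	return Canary{Statement: statement, Issued: issued, Signature: ed25519.Sign(priv, canaryMessage(statement, issued))}
}

// VerifyCanary checks the three things a reader cares about: a valid signature
// under the operator's pinned key, the exact expected wording (no quiet edits),
// and a date stamp no older than maxAge relative to now.
func VerifyCanary(pub ed25519.PublicKey, c Canary, expected string, now time.Time, maxAge time.Duration) error {
	if !ed25519.Verify(pub, canaryMessage(c.Statement, c.Issued), c.Signature) {
		return errors.New("signature invalid: canary forged or tampered")
	}
	if strings.TrimSpace(c.Statement) != strings.TrimSpace(expected) {
		return errors.New("statement changed: treat as tripped")
	}
	if c.Issued.After(now.Add(time.Hour)) {
		return errors.New("issued date is in the future: clock or forgery problem")
	}
	if now.Sub(c.Issued) > maxAge {
		return errors.New("canary stale: not refreshed on schedule, treat as tripped")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2014, 3, 24, 12, 0, 0, 0, time.UTC)
	maxAge := 14 * 24 * time.Hour // assumed: weekly refresh, two missed weeks = tripped

	fresh := SignCanary(priv, expectedStatement, now.Add(-2*24*time.Hour))
	fmt.Println("fresh canary:", VerifyCanary(pub, fresh, expectedStatement, now, maxAge))

	stale := SignCanary(priv, expectedStatement, now.Add(-30*24*time.Hour))
	fmt.Println("stale canary:", VerifyCanary(pub, stale, expectedStatement, now, maxAge))

	// The operator quietly narrows the wording and re-signs: still valid, still rejected.
	edited := SignCanary(priv, strings.Replace(expectedStatement, "no national security letters, FISA orders, or gag orders", "no PRISM requests", 1), now)
	fmt.Println("edited canary:", VerifyCanary(pub, edited, expectedStatement, now, maxAge))
}
```

The order of checks matters: the signature is verified first so that an attacker who can only edit the page cannot produce a "statement changed" result that looks like the operator's own doing, and the wording check catches exactly the narrowing-by-caveat this post is about.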

The Problem • March 24, 2014 11:45 AM

It doesn't even matter if what they (or any other company) say is true. There is always an invisible "that we know of" to be appended. They certainly cannot trust their workforce or the hardware/software they buy (even IBM doesn't build everything). Provision may be intentional or unintentional, but it is still provision. This is the real damage.

Daniel • March 24, 2014 12:26 PM

"These endless NSA word-games have left me feeling helpless."

This is one of the deep problems in American society today. Legal discourse has become our political discourse and the tail is now wagging the dog; our culture has become so imbued with it that we cannot see how abnormal it is. We should not have to talk to each other like lawyers. What IBM released is not an "open letter", it's a legal brief designed to obfuscate. The only thing missing is the legal citations.

If I wanted to read legal briefs I would have gone to law school. In my view, it's tragic that our public discourse has demeaned itself to the level of shysters and spin doctors. Why we continue to allow these types of men to rule us is beyond me.

Anura • March 24, 2014 12:49 PM

The problem is that both the public and corporate sector use secrecy as a default. Even when Congress negotiates bills that will become public, it's all done behind closed doors. When it comes to businesses, Econ 101 tells you that if everyone is perfectly rational and perfectly informed, then prices will tend towards equilibrium; the former is taken care of by advertising, and the latter by secrecy. IBM stands to gain nothing from admitting anything, before or after the fact.

In the same way, Congress stands the most to gain from being secret. Could you imagine how quickly they would be voted out if the public actually saw the ways bills were passed? If the public actually saw how much time Congress spent looking for campaign contributions? You have to be very calculated about what the public learns if you want to be re-elected; anything you say or do can and will be used against you in the next election.

The only way to fix the problem with government is to force government to be more open, but I don't see this happening. Everything necessary to fix the system requires Congress vote in favor of it; that would mean putting the people above themselves, which isn't likely. The only way to fix the corporate sector is to get the public to prefer companies that are more open, but that's less likely than getting Congress to pass legislation that hurts their chance of being reelected.

z • March 24, 2014 1:46 PM

Yes, I know IBM's open letter said practically nothing and left more questions, but honestly, I don't blame IBM for this as much as I do the government.

There is very, very little a US company can legally say about this kind of thing, and a ton of severe consequences for angering the government, even if no laws are broken.

Companies can be audited, CEOs can be audited, taxes can be raised, regulations can be implemented. People can be threatened, homes and businesses can be searched as part of an "investigation" into suspected illicit activity. Are they complying with every nuance of the EPA's vast array of laws? How about OSHA? The SEC? They better, because if they piss off the right people (and they will), the full weight of those agencies will be brought upon them. The CEO of Qwest found this out the hard way.

And that's assuming they didn't break the law by disclosing stuff they were told not to. If they do, they face criminal penalties as well.


The solution is not to point the finger at companies and call for them to be more open when Uncle Sam is standing behind them with a hammer raised above their heads. That won't work. The political structures in which companies in the US operate do not allow them to truly oppose the government, outside of some limited and inconsequential ways.


A better way to accomplish the same goal is to cut down on the government's ability to punish uppity businesses by reducing its scope and power. As far as companies are concerned, it's also good to encourage them to build systems that do not allow them to comply with outrageous demands. You can't hand over data to the government if you don't store it. If you must store it, you can't hand it over if it's encrypted and the customer has the keys. Only then will focusing on business be more successful.


Businesses are not blameless, but we have to be realistic here.
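The design point in the comment above, that a provider cannot hand over what it cannot read, is easy to make concrete. The following is an added example written for this discussion, not code from the original post or from IBM: a hosting "provider" that stores only opaque blobs, a "customer" that generates and keeps the AES-256-GCM key client-side, and a compelled-disclosure path that yields ciphertext the provider itself cannot open. The customer ID is bound as associated data so a blob cannot be silently re-filed under another account. All names and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Provider models a hosting company that only ever sees nonce||ciphertext.
// Hypothetical architecture for this example; it is nobody's actual product.
type Provider struct {
	store map[string][]byte // customer ID -> stored blob
}

func NewProvider() *Provider { return &Provider{store: map[string][]byte{}} }

// Store accepts whatever bytes the customer uploads. No key ever reaches the provider.
func (p *Provider) Store(customer string, blob []byte) {
	p.store[customer] = append([]byte(nil), blob...)
}

// Compelled is everything the provider can produce under an order: the blob as stored.
func (p *Provider) Compelled(customer string) ([]byte, bool) {
	b, ok := p.store[customer]
	return b, ok
}

// Customer holds the only copy of the data key.
type Customer struct {
	ID  string
	key []byte // 32-byte AES-256 key, generated and retained client-side
}

func NewCustomer(id string) (*Customer, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Customer{ID: id, key: k}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts on the customer's side. Output is nonce||ciphertext||tag; the
// customer ID is authenticated as associated data but not encrypted.
func (c *Customer) Seal(plaintext []byte) ([]byte, error) {
	g, err := newGCM(c.key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, []byte(c.ID))...), nil
}

// OpenWithKey is what any holder of a blob can attempt. Without the right key
// (or with the wrong customer ID) GCM authentication fails and nothing is returned.
func OpenWithKey(key []byte, customerID string, blob []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(customerID))
}

func (c *Customer) Open(blob []byte) ([]byte, error) { return OpenWithKey(c.key, c.ID, blob) }

func main() {
	p := NewProvider()
	acme, _ := NewCustomer("acme-corp")
	record := []byte("constructed sample: Q3 board minutes") // constructed sample record
	blob, _ := acme.Seal(record)
	p.Store(acme.ID, blob)

	handed, _ := p.Compelled(acme.ID)
	fmt.Printf("provider can hand over %d bytes of ciphertext and no key\n", len(handed))

	if _, err := OpenWithKey(make([]byte, 32), acme.ID, handed); err != nil {
		fmt.Println("decryption without the customer key fails:", err)
	}
	pt, _ := acme.Open(handed)
	fmt.Println("customer decrypts:", string(pt))
}
```

The caveat unhappyRabbit raises below still applies: this moves the compulsion target from the company to the key holder, so the design protects the customer against the provider's legal exposure, not against the customer's own.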

unhappyRabbit • March 24, 2014 3:02 PM

Anura: " As far as companies are concerned, it's also good to encourage them to build systems that do not allow them to comply with outrageous demands. You can't hand over data to the government if you don't store it. If you must store it, you can't hand it over if it's encrypted and the customer has the keys."

And in the UK you can sit in jail for 5 years if you refuse to hand over a key for encrypted data. So the problem just gets shuffled around and ultimately ends up on the individual - the entity least able to fight back. Companies have to deal with this reality, otherwise the economic damage hits them - they cannot consider themselves an island.

z • March 24, 2014 3:10 PM

@unhappyRabbit

There are two things to consider with that:

1.) Does a company (or CEO of one) face criminal charges for refusing to hand over keys if it doesn't have them? I would very much doubt it.

2.) As to your second point, if they go after individuals, it breaks the secrecy of the surveillance. If everyone whose data was taken by the government was asked to hand over their keys, it wouldn't work. The surveillance depends on the company silently complying without the user's knowledge.

Dr Heineken • March 24, 2014 5:45 PM

Whilst on the subject of IBM...

IBM researchers' algorithm explores tweets for home location cues
http://phys.org/news/2014-03-ibm-algorithm-explores-tweets-home.html
By drawing on the content of users' tweets and their tweeting behavior, a team of three IBM researchers said they have a new algorithm to infer the home location of Twitter users at different granularities, including city, state, time zone or geographic region. The algorithm makes use of the person's last 200 tweets for tracking.

Their paper titled "Home Location Identification of Twitter Users" was submitted earlier this month on arXiv.org.

I am sure some "local governments" are very interested in this. If not in the good ol' US of A then in places like Turkey...

Logical NOT • March 24, 2014 6:38 PM

So if the NSA introduced a secret program called "Big Brother" which demanded that a company provided NO data to the NSA.

Then companies could stand up in court and say "we have absolutely rejected the NSA demands to comply with their Big Brother Program demands"

Roberto • March 24, 2014 9:03 PM

But you ignored this: "If the U.S. government were to serve a national security order on IBM to obtain data from an enterprise client and impose a gag order that prohibits IBM from notifying that client, IBM will take appropriate steps to challenge the gag order through judicial action or other means"

CallMeLateForSupper • March 25, 2014 9:38 AM

@Roberto
"...IBM will take appropriate steps to challenge the gag order through judicial action or other means"

Not so fast. That really does not say much; I worried over it when I read the original letter. See, "judicial action" - sounds serious, eh? - is completely gutted by "other means", because IBM has given itself a choice between the two: "... action OR other ..." IBM could choose "other means" every time, never approach such an issue through any legal channel. What the heck does "other means" mean? It could mean anything IBM wants it to mean. For example, IBM could phone TLA, cry like a little girl, "No-no.. please-please-pul-LEEZE. That's not FAIR!", and then cave to whatever TLA has demanded.

Yes, "mealy-mouth" sucks, but it is communication, which beats the h-e-doublehockeysticks out of the silence of secrecy.

anonymous • March 25, 2014 12:50 PM

I don't get it. Is this a cultural thing? IBM could simply lie straight in your face. That's what businesses do all the time, so what's the big deal? Why do they have to weasel around the facts. If they lied to us, so what?! It's not like the truth police would shut them down, they have lied and survived many times before. Are they afraid of being sued?

Francois • March 25, 2014 1:58 PM

I do not think they are trying to fool customers or reassure anyone. I think it is the opposite. By publishing this, in this language, they have found a way to say exactly what they are NOT saying.

If you were bound by a NSL, but you wanted to speak about it, what would you say? A disclosure like this one is about the only option.

The intent of the message is not the same as the content.

Roberto • March 25, 2014 3:28 PM

@CallMeLateForSupper I would be curious what Bruce Schneier would have to say about that part though. Because he ignored that part in his response to the open letter.

Nick P • March 25, 2014 5:42 PM

@ Bruce Schneier

Excellent essay. Integrates well a few different threads you've posted here, particularly US coercion & "users are the product." My own essays here also say the law makes security impossible. We certainly agree there and it's actually much worse than your essay implied with many more laws that are a threat. Yet, your specific points are a nice start for the lay person wanting to get their Congress rep to take action.

I wonder, though, if there's a counterexample to your "real security is impossible" if we're talking about multinationals. The multinationals are like a number of organizations working together. If it's HQ'd in a country with privacy protections, each division in each country might be designed to put as much trust in the main one as possible. At this point, each division would only be vulnerable to the local government to the point that's required to operate there. Between them, a chinese wall type policy would be used.

This organizational design is to be seen in contrast to an organization that legally operates in one jurisdiction that can be ordered to hand over all data for all business units. Should improve things quite a bit, including let citizens of a particular country just trust the unit that operates in theirs. (Or not depending on how their country is doing things.) This might also shield sales in event a legal authority is compelling a particular business unit to cooperate with surveillance.

Although, I think it's best to set something like this up when the company is created. Restructuring a current company like this might be too disruptive to be viable. Then again, if it's a highly adaptable company it might be doable.

Figureitout • March 25, 2014 8:52 PM

Bruce
--Agreed w/ Nick P, get to the point and the truth no matter how harsh. Looking forward to the discussion when you put it up. I will agree though that real security is impossible when you have first off a militarized police state intent on physically breaking all security; like all home users when you're away at work and they break into your home. That is their job, their single job to break your security; resist too hard and off to a cage you go. So you have to be extremely discreet and get into a major obsessive game. When you step back though you realize just how stupid and pointless it all is; and maybe it's why we haven't a colony on another planet yet.

Oh and Schmidt's assurance of being secure from gov't, wow. The internet is so out of control that there needs to be a physically separate network where I can download software and not freak out that I'm getting files I don't want.

Nick P • March 25, 2014 10:06 PM

@ Figureitout

"Oh and Schmidt's assurance of being secure from gov't, wow. The internet is so out of control that there needs to be a physically separate network where I can download software and not freak out that I'm getting files I don't want."

It's why a while back I brought up the French network Minitel. It was an old school Internet alternative with many services. It died off. However, stuff like that and I2P/Freenet show we might layer a more private network on top of the Internet. (Or side-by-side with dedicated lines.) We don't need to rely on the Web's insecure stack. It's best to throw it out for something more secure by design that's still quite usable and flexible. Interestingly enough, many application frameworks sort of build a non-web on top of the Web, showing us that this sort of thing can be done with advantages over the existing Web. Not to mention old projects like Tanenbaum's Amoeba and Globe.

The only thing necessary is to design one of those that can be implemented on secure architectures like those I've previously posted here. Then, worst case, we can build computers with two boards in them: trusted and untrusted. Untrusted is what you're used to. Trusted is the new stuff. A secure KVM switch built into the box makes it easy to switch and the form factor is a normal desktop PC. A few of my old designs took this approach but I'd like to see an entire 2nd Internet done this way. It might even have decent graphics thanks to those projects I told you about that improve that area.

0day • March 25, 2014 11:05 PM

@Bruce
I just published an essay on the larger issue
...
Don’t Listen to Google and Facebook: The Public-Private Surveillance Partnership Is Still Going Strong

That is a good essay. Although I suspect it will not change the quasi-religious beliefs of many people that much...

Anyway, here are some questions I would like to ask Bruce.

These are about purely hypothetical situations...

1. Someone working for NSA were to offer you new, previously not seen, documentation detailing how NSA is spying on US citizens.

2. Someone working at Google were to offer you new, previously not seen, documentation detailing how Google is helping NSA to spy on US citizens.

3. Someone working at GCHQ were to offer you new, previously not seen, documentation detailing how GCHQ is spying on UK citizens.


What would be your choice in each case:
A. tell the person that you cannot accept the documents
B. report the person to the relevant authorities
C. accept the documents
D. some combination of above

Somebody • March 26, 2014 11:38 AM

Of course it's a cultural thing.

Some people will look at a sheep and say "Sheep are black", others will say "There is at least one sheep in Wales, at least one side of which is black." You can tell a lot about a person by what they say, but you cannot determine from the form whether the sheep is black or white, or if it's really a camel -- You can tell the truth, lie or be mistaken in either format.

On the other hand any document from IBM that does not contain several pages of "A ____ is a non-empty sequence of ____" is suspect.

Benni • March 28, 2014 10:04 PM

In the Huawei slides is a note that

https://www.eff.org/document/20140322-nyt-operation-shotgiant-objectives

"Document processes to be used later for targeting other non-partnerable companies"

For me, this sentence seems to indicate a bit that if the NSA considers a company to be "non-partnerable", it is likely that this company is visited by NSA hacker teams who infiltrate anyway.

If that is true, then IBM certainly has some partnership with the nsa.

Evi1M4chine • April 2, 2014 4:07 AM

What I always say: ONLY a liar would argue that deceit and fraudulent concealment is "not" a form of lying.

It is, in fact, the most evil form of lying, exactly because liars manage to manipulate the public's perception of it like that.

Peter Piksa • April 2, 2014 4:45 AM

Nice. Weeks ago, when I first saw the IBM-Posting I responded with the comment posted below. The fun part about it: My comment has not been published. So, here it is:

My trust in US-based companies has gotten very little, I got to admit. In the past we have seen quite a lot so called suspiciously specific denials when it came to the topic of collaboration with agencies. I therefore take the following look at what you have written:

Original: "IBM has not provided client data to the National Security Agency (NSA) or any other government agency under the program known as PRISM."

Q: Ok, you might not have provided data access under PRISM. What about the other NSA programs? Why do you specifically point to PRISM while not speaking about the other NSA programs?

Original: "IBM has not provided client data to the NSA or any other government agency under any surveillance program involving the bulk collection of content or metadata."

Q: Sounds nice, but why do you refer to bulk collection programs only? Has IBM provided client data access to the NSA or other government agencies under a surveillance program involving something other than the bulk collection of content or metadata? Maybe content or metadata in a non-bulk style.

Original: "IBM has not provided client data stored outside the United States to the U.S. government under a national security order, such as a FISA order or a National Security Letter."

Q: So what happens if the NSA or another agency would just call up some important person at IBM and just kindly ask him or her to hand out some user data? I'm speaking about the scenario that is not covered by a FISA order or National Security Letter.

Original: "IBM does not put “backdoors” in its products for the NSA or any other government agency, nor does IBM provide software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data."

Q: What about other purposes? Why do you frame all this in "for the purpose of accessing client data"? That is suspicious to me.

Original: "IBM has and will continue to comply with the local laws, including data privacy laws, in all countries in which it operates."

Q: So in other words, since US law forces you to cooperate and in the worst case even to hand out data and not speak out after being gag-ordered, all of the aforementioned is basically more or less worthless?

Look, it's not my goal to be offensive or to argue that all of what you have written is untrustworthy. But at the end of the day IBM and any other US-based company will have to deal with the disadvantage of having to comply with US laws. At the end of the day it is about trust.

I feel sorry to say, but: Your statement does not convince me.

With all due respect
Peter Piksa

Richard Caldwell • April 15, 2014 11:18 AM

Some disturbing precedent, courtesy of wikipedia:

http://en.wikipedia.org/wiki/IBM_and_the_Holocaust

"IBM and the Holocaust is a book by investigative journalist Edwin Black which details the business dealings of the American-based multinational corporation International Business Machines (IBM) and its German and other European subsidiaries with the government of Adolf Hitler during the 1930s and the years of World War II. In the book Black outlines the way in which IBM's technology helped facilitate Nazi genocide through generation and tabulation of punch cards based upon national census data."


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.