Bruce Schneier sneers at IBM's NSA denials

Ten days ago IBM issued ”A Letter to Our Clients About Government Access to Data” that, as we reported, swore on all that is good and holy that it did not hand over data to the NSA and would never do such a thing. But the letter did not satisfy security commentator Bruce Schneier who's penned an open letter of his own to Big …

COMMENTS

This topic is closed for new posts.
  1. John Smith 19 Gold badge
    Unhappy

    It's as if IBM constructed a letter to *not* answer the questions people want to know.

    Funny that.

    Forgetting that PRISM is the NSA's internal name for this, and that each company could have been given its own name to deliver data under (I quite like LYING WEASEL but I'd guess SOP would require something more randomly chosen), makes writing PR denials very easy to do for a US company.

    And while the PATRIOT Act remains on the books, PR is all it is.

  2. Wang N Staines

    Why does IBM think(lie) that it was able to avoid the NSA whereas MS, Google & Apple couldn't?

    1. Yes Me Silver badge
      Paris Hilton

      Why (not) IBM

      > Why does IBM think(lie) that it was able to avoid the NSA whereas MS, Google & Apple couldn't?

      Because, having got rid of the IBM Global Network many years ago and with all their PC operations moved to Lenovo, IBM doesn't actually have clients among the general public any more. So their client databases are completely different in nature from those of MS, Google, FB, etc. and probably less interesting, except for industrial espionage. Please don't down-vote me just for saying this, but IBM might even be telling the truth - because their data is boring.

      Paris, because I expect Hilton is still an IBM client.

      1. Mark Cathcart

        Re: Why (not) IBM

        Really? "IBM doesn't actually have clients among the general public any more". I guess the IBM I've been watching in the cloud marketplace must be a different IBM. The IBM that is a massive outsourcing/services organization must be another different IBM; after all, you can't be publicly commenting on an IBM that existed 10+ years ago and extrapolating from that. Surely some mistake?

        However, to assert a conspiracy theory and assume it is true in any big organization is a stretch. If IBM had complied with the NSA, we'd find out and even IBM couldn't keep it quiet, so I'm inclined to take them on their word.

        Never fight the truth for a downvote...

      2. James Anderson

        Re: Why (not) IBM

        Could not agree more.

        IBM management would gladly bend over and spread their cheeks for the US government who are after all one of their biggest customers.

        But as you say they don't have much data of interest, and the data that is interesting to the NSA, for example sales of serious hardware to dodgy dictators, is routinely reported to various government agencies.

        Even if al-Zawahiri had an IBM account, I am fairly sure that information on which red books and CICS support packs he downloaded would add nothing to the NSA's intelligence efforts.

        As for the outsourcing -- yes, IBM does a lot of this, but the data still belongs to the clients. It would be much easier for the NSA to slap an order on the client companies than enter the legal minefield of forcing a corporation to breach their contractual obligations.

  3. Paul Crawford Silver badge

    Follow the money...

    IBM has a lot to lose financially from any such involvement with the NSA (even if that is a legal requirement of doing business in the USA), thus they will be as "economical with the truth" as they dare, just short of statements that could lead to jail-time.

    So yes, I suspect they "lied".

    1. Peter Simpson 1
      Paris Hilton

      Re: Follow the money...

      A lot to LOSE????

      I believe they actually SELL computers to the NSA. As well as, worldwide, to other customers into whose systems the NSA would love to have a backdoor. Yeah, IBM has nothing to do with the NSA. And Santa Claus and the Easter Bunny are as real as I am...

      // ..and she's as pure as the driven snow!

      1. Mark Cathcart

        Re: Follow the money...

        IBM did not deny having anything to do with the NSA, they just denied being complicit or cooperating with them. I'm guessing Watson doing real time voice would make a fine machine for the NSA to buy. That doesn't mean IBM kowtowed or complied to NSA requests for backdoors in systems they sell, or in their general business systems.

        I don't see why IBM or for that matter any vendor shouldn't sell to the NSA. I'm mostly amused over the fuss about Huawei and their potential risk in supplying to the US Government. After all, the US Government knew what was possible, and practical.

  4. Anonymous Coward
    Anonymous Coward

    Of course

    "And you, dear readers?"

    Well, yes of course, this is all spin. When I read the statement I couldn't help but notice they said they didn't "provide" [client data to NSA]. So their statement doesn't even stand if they had allowed NSA to tap into those data themselves, which I believe some US companies have. Much simpler in terms of infra ...

    1. James Micallef Silver badge

      Re: Of course

      Typically I find that the more detail in any text, the more caveats, exceptions and loopholes it can contain. If IBM do not give customer data to the US government, or any of their agencies or agents they just needed to say:

      "we do not give customer data to the US government, or any of their agencies or agents"

      Of course this is clearly not the case as we know that if subpoenaed, they have to turn that information over. And one other thing that Schneier does not point out is that although IBM claims that they will legally challenge certain requests for data, there is no guarantee that they will win such challenges, nor that they will be allowed to talk about it. So at best IBM could say:

      "we do not give customer data to the US government, or any of their agencies or agents, except as required by law"

      But because US law now contains banana-republic style codicils that include gagging orders, everyone knows that "except as required by law" could mean anything. Hence the long-winded, weaselly worded statement.

      Completely in agreement with Schneier here - why not just be honest with your customers and say

      "Hello, IBM here. We're being bent over a barrel and shafted by current US gov laws requiring us to turn over customer data based on just the say-so of a secret and unaccountable court, and by the way we can't even say whether we have ever even been subject to such requests, but you know they just *might* have happened".

      Of course that's no different to any other company operating in the US.

  5. TJ1

    IBM Fears Backlash from Non-USA Customers

    How many organisations - especially governmental - would continue buying IBM if it was shown that in all likelihood the company was complicit in helping or turning a blind eye to the installation of back-doors in the firmware of IBM kit: SANs, chassis controllers, fabric and network switches, etc.?

    All the same stuff the USA has accused Huawei of doing for, or being complicit with, on behalf of the Chinese Government.

    1. 's water music

      Re: IBM Fears Backlash from Non-USA Customers

      How many organisations - especially governmental - would continue buying IBM [if they handed over data]?

      Many, what's the (palatable to their mindset) alternative after all?

      All the same stuff the USA has accused Huawei of doing for, or being complicit with, on behalf of the Chinese Government.

      Well now we know that the NSA has been just as busy as PRC trying to install backdoors in Huawei kit the accusations are twice as believable :-)

    2. Anonymous Coward
      Anonymous Coward

      Re: IBM Fears Backlash from Non-USA Customers

      All of them would - except China - those bastards are in bed with the NSA!

  6. Anonymous Coward
    Anonymous Coward

    I'm going to repeat my comment from elsewhere..

    .. but slightly paraphrased.

    If IBM (et al) had simply kept their mouths shut they would have been able to rely on the law that says they couldn't tell anyone as a reason why they kept quiet, but they chose to go public with rebuttals, and so wilfully made what appear to be misleading statements. For that, they deserve contempt.

    The harsh reality is that there is NO WAY a US based company can credibly claim they can protect information from any sort of state request, because they would then be quite simply acting illegally. That US laws for handing over data are so much more powerful (and devoid of any control or transparency) than laws that protect privacy is a problem of their own making, but it's not one that can be plastered over with marketing or denials.

    It requires changing those laws, and as they are at federal level that will take well over a decade (it would be reversing a process that has been going on for well over 3 decades, and accelerated by 9/11), and that's assuming there is actually a will to change it as there are plenty of snouts in that particular trough. I expect a LOT of BS about this topic this year because Silicon Valley has suddenly noticed that people actually care about this sort of thing, hence the hot denials and the flat out laughable "anger" from companies like Facebook.

    In this context you may be interested to know that Microsoft is unexpectedly for once actually ahead of the pack. In a little-reported event a few weeks ago (translated link), they agreed to provide contracts under Swiss law, and host in Europe. This is not a 100% clean solution from a privacy perspective, but it's 200% better than the "screw you, we're American" contracts you are normally served as an end user. This is actually a massive, double shift in policy (contract and privacy) of a US company, and I'm watching this with interest - it is genuinely an industry first, and many have missed it.

    1. h4rm0ny

      Re: I'm going to repeat my comment from elsewhere..

      >>"In this context you may be interested to know that Microsoft is unexpectedly for once actually ahead of the pack. In a little-reported event a few weeks ago (translated link), they agreed to provide contracts under Swiss law, and host in Europe"

      Microsoft want your money. Always have and always will. And I like that. Greed is something I trust. If privacy is a selling point, they'll sell it. I'm on record to them that the reason their Azure service was not used for one of my clients is because data was hosted in the USA. And I'm small fry in customer terms. MS were bound to do this at some point as soon as they could solve technical and legal ways to do it without pissing off US government too much.

      1. Paul Crawford Silver badge

        Re: I'm going to repeat my comment from elsewhere..

        "...and legal ways to do it without pissing off US government too much."

        IANAL but as far as I know the "patriot act" can be used to force them to provide data even from overseas sites, irrespective of other laws that may apply. So yes, it is good they are willing to pay lip service to EU laws and expectations, but if it matters you still can't depend on it.

        1. Anonymous Coward
          Anonymous Coward

          Re: I'm going to repeat my comment from elsewhere..

          From a previous commentard:

          Greed is something I trust. If privacy is a selling point, they'll sell it

          Absolutely - the problem is that they can't. As a matter of fact, no US based company can and stay legal. This has a massive impact on Silicon Valley, but until the EU said "non", they thought they could rely on the usual blackmail (trade agreement threats, which gave us the "Safe Harbor" kludge), bribery or lobbying (is there a difference?). Now the EU has decided to use its advantage in privacy protection and thus allow EU businesses to benefit, the US has to finally fix the mess they got themselves into.

          IANAL but as far as I know the "patriot act" can be used to force them to provide data even from overseas sites, irrespective of other laws that may apply.

          I develop global privacy strategies for a living. You need to get two things sorted out before you can begin:

          1 - do not have a HQ in the US

          2 - segregate data from the US (and other questionable jurisdictions) in non-US data centres.

          That way, a US subsidiary can only provide what it has access to and cannot be used as a backdoor. If you have your HQ in the US, it means your decision power resides there which can give rise to abuse.

          This is not enough (you also need to manage indirect and political leverage) but it's a start.

          1. Hit Snooze

            Re: I'm going to repeat my comment from elsewhere..

            2 - segregate data from the US (and other questionable jurisdictions) in non-US data centres.

            That way, a US subsidiary can only provide what it has access to and cannot be used as a backdoor. If you have your HQ in the US, it means your decision power resides there which can give rise to abuse.

            Every government will, if they are not already, tap into the data lines going through it's borders so it all boils down to which government you don't mind sharing your data\phone calls with.

            1. Anonymous Coward
              Anonymous Coward

              Re: I'm going to repeat my comment from elsewhere..

              Every government will, if they are not already, tap into the data lines going through it's borders

              First the grammar nazi: it's "its borders". Sigh. "it's" is short for "it is". Next: if you carry data in cleartext instead of with decent crypto you don't need to bother with a privacy policy - you need to start learning how to sweep streets. As for "crypto is broken" (which is guaranteed the next statement to show up), I'm not convinced. There is a LOT of scrutiny on those algorithms, but even if they were bust, it makes it harder to acquire data and it certainly prevents claims of "accidental" collection a la Google...

        2. P. Lee

          Re: I'm going to repeat my comment from elsewhere..

          My understanding is that US law applies to all US people and companies wherever they are located in the world.

          Plus, the NSA can do what it likes overseas.

          Of course, it turns out they all do what they like anyway.

          1. Anonymous Coward
            Anonymous Coward

            Re: I'm going to repeat my comment from elsewhere..

            My understanding is that US law applies to all US people and companies wherever they are located in the world.

            That's what the US would like you to believe, but that's not the case. If the US wants data from another country it will either have to file a request for assistance or acquire the data via "other" means.

            Plus, the NSA can do what it likes overseas.

            Correction: US Congress has told the NSA it can. That doesn't make it legal in other countries, it doesn't mean the NSA is free to rampage in other sovereign nations, and there will be more and more political consequences if the NSA is found to harm other nations.

            The age of blackmail isn't over yet, but resistance appears no longer futile :)

            I see personal privacy as freedom: if you want it, you'll have to fight for it.

            1. Anonymous Dutch Coward

              Re: I'm going to repeat my comment from elsewhere..

              That's what the US would like you to believe, but that's not the case. If the US wants data from another country it will either have to file a request for assistance or acquire the data via "other" means.

              One of those means is the Patriot act: every US-headquartered/based company must hand over all data from any of its subsidiaries on request. Game over.

        3. h4rm0ny

          Re: I'm going to repeat my comment from elsewhere..

          >>"IANAL but as far as I know the "patriot act" can be used to force them to provide data even from overseas sites, irrespective of other laws that may apply"

          Yes, but lawyers are twisty things. You can split parts of companies off into separate subsidiaries, you can tweak the ways you store data to provide legalese ways of getting out of stuff. Microsoft have a very solid legal team and a lot of motivation (money). And if all else fails, they spend several million on lobbying each year in the USA. Who would you rather have on your side when trying to influence US Congress? A few low-paid techies or a Microsoft angry that they're losing ground in the European market?

          People here can't spend all their days complaining about how MS have too much influence or are sneaky lawyers and simultaneously not see it as a good thing that MS are motivated to find ways of meeting people's and Europe's privacy demands. Trying to come between Microsoft and money is like damming a river. It's not easy and, as the Doctor says, water finds a way. And like water, it follows the terrain. Formerly, that was comply with the NSA or you lose valuable contracts. Now, with the US government increasingly short of cash and the public and business increasingly demanding better privacy controls as a sales point, it's find ways to offer that.

          MS have Google to the left of them in online free services, Apple to the right of them with the laptop market. Enterprise is their fortress and they wriggle through any loophole and narrow their eyes at any senator who they see as threatening that.

          Like I say, I don't trust any big corporation, but I do trust greed. At least the old-fashioned kind that wants my money, rather than my personal information.

      2. Anonymous Coward
        Anonymous Coward

        Greed is something I trust.

        I strongly disagree: greed will make them sell privacy tools, but the very same greed will make them sell anti-privacy tools, lying through their teeth to their original customer about how much they care for their privacy. The rule is not "thou shall not steal", the rule is "thou shall not get caught", and of course they did get caught, so all they can and try to do is apply "damage limitation" tactics. I don't think it works at all and it's just pathetic to watch this circus of denials, but hey, I don't draw the rules of corporate PR, perhaps somebody in the world is stupid enough to buy this denial shit? Or maybe nobody does, but they say, well, we have no choice...

  7. h4rm0ny

    Verification

    IBM should have kept quiet and left people wondering, rather than deny it and remove all doubt.

  8. xperroni

    "Wiggle room" is for sissies

    Real American companies tell outright lies.

  9. Anonymous Coward
    Anonymous Coward

    Argument is pointless

    I can't be moved to waste effort analysing IBM's statement and Schneier's response. It seems to me that the existence of secret orders and mechanisms to access data, and the use of gagging orders to prevent disclosure, mean that even if IBM were telling the complete truth its customers still couldn't trust that their data hadn't been extracted.

    Better to accept this reality and assume that any data which is held outside of your direct control is subject to access by government agencies (and criminals, for that matter), and design your data handling accordingly.

    And that means: if your data is sensitive, keep it in house and only transmit it using encrypted channels with keys that you and the recipient alone know.

    You can still comply with legal requirements for access, but at least you'll know about it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Argument is pointless

      And that means: if your data is sensitive, keep it in house and only transmit it using encrypted channels with keys that you and the recipient alone know.

      You can still comply with legal requirements for access, but at least you'll know about it.

      This is correct insofar as you have the expertise to protect that information in house, but good IT security requires expensive specialists who do nothing but protection (I'm assuming for the moment you're genuinely interested in preventing unauthorised access rather than the "we have followed ISO 27001" approach which only aims at avoiding liability).

      In general, smaller companies especially do not have the resources to do this right, so they outsource it - which is where the backdoor intercept risk by abuse of anti-terror laws enters the picture.

      1. Anonymous Coward
        Anonymous Coward

        Re: Argument is pointless

        Agreed - you need to have the in-house expertise and (I like your point here) follow standards with the intention of securing your information, not just avoiding liability.

        My point is mainly about the feeling that it is no longer possible to trust in others for your own security, so you have to look to your own capabilities.

        Inevitably smaller companies will have to outsource in some way, but at least they should be able to address the point about keeping sensitive data in-house. And they should be aware that anyone who offers a service based on "trust me" should perhaps be avoided.

  10. John Smith 19 Gold badge
    Unhappy

    "It's in the cloud" --> Marketing BS for "The NSA have it."

    Only clueless CEOs believe "It's safe because it's on a virtual server in cyberspace."

    Now if it were a real server in hyperspace (preferably inside its own black hole)...

  11. All names Taken
    Joke

    Plausible deniability roolz ok?

    We never told the boss because we took decision that in the better interest of the company the boss should not know.

    That way, in all informal talks or discussions, the boss could demonstrate being honestly honest and truthfully truthful, even while 3D facial analysis was ongoing in real time or recorded for in-depth analysis later.

    However, if any serious, formal or official talks or discussions were needed we had a time stamped document in the safe ready to give to the boss.

    1. Anonymous Coward
      Anonymous Coward

      Re: Plausible deniability roolz ok?

      However, if any serious, formal or official talks or discussions were needed we had a time stamped document in the safe ready to give to the boss.

      .. which means that a premises warrant would find that (you will be required to open that safe or be found in contempt of court)..

      1. All names Taken

        Re: Plausible deniability roolz ok?

        But we'd need our legal team to inspect the warrant first.

  12. Anonymous Coward
    Anonymous Coward

    IBM isn't a single person

    Probably the most sensitive level of access would concern known vulnerabilities and intentional plants in their software or even hardware. And I just can't imagine that kind of information being known about throughout management or in the kind of public relations office likely to answer the kind of question discussed in the article. The kind of information in question is of no value if more than a few employees bound to secrecy know about it.

  13. rm -rf

    There's a sucker born every minute, and IBM's been around for a few minutes well.

  14. Forget It
    Meh

    I think it is plausible that Bruce S could deny that he sneered at IBM.

    I think he was forceful but diplomatic.

  15. Miek
    Linux

    It's pretty obvious that IBM's answers were cagey at best.

  16. All names Taken

    Need to know basis?

    1. Anonymous Coward
      Anonymous Coward

      I don't know about that ....

  17. earl grey
    Flame

    There's only one way this works

    And that's if they keep NO information. So, NO, they're lying through their teeth.

  18. Gene Cash Silver badge

    IBM's involvement with the NSA goes back to its 1st super

    The 2nd IBM 7030 Stretch was turned into the IBM 7950 Harvest and delivered to the NSA in 1962. Hell their first computer ever, the "Automatic Sequence Controlled Calculator (ASCC)" or the "Harvard Mark I" was used in the Manhattan project to develop the bomb.

    I'm sure secret gov't projects are IBM's bread and butter these days. I don't see their crap consulting business keeping them afloat. So I'm sure they lie their asses off about it.

  19. tom dial Silver badge

    Schneier to Rometty: "Have you stopped beating your husband?"

    No company is immune to court warrants or subpoenas. That said, the numbers of such disclosed by Google, Yahoo, etc., and the numbers of people affected, are not so large as to be very alarming. Although US federal, state, and local governments combined constitute a large fraction of all such requests, they come from a lot of other countries as well.

    No company can guarantee its facilities and products are secure against spies, whether they work for a national government or a competitor. The activities of those spies nearly always are illegal.

    No company likes to talk much about any of the above. IBM, other US companies, and companies in other countries, even those with no footprint in the US, are not exceptions.

  20. JaitcH
    Meh

    Lawyer letters are written to say whatever you want to read into them

    A while back a senior executive once asked me if I had ever had legal training. I said no, but I know how to use the English language.

    His question came about because I had written a report that had split the board members who read the report - they couldn't agree precisely what the conclusions were.

    Lawyers, too, are trained to write truthful lies, which can be read either way.

    To my eye, this statement reeks of avoidance - somewhat clumsily - and as a result anyone dissecting it will come up with a different conclusion.

    IBM should have simply said that it complies with all laws on privacy and disclosure in all the jurisdictions where it operates, and that this prevents it from giving a more forthright response.

    End of question.
