An Open Letter to IBM's Open Letter
Last week, IBM
published
an "open letter" about "government access to data," where it tried to
assure its customers that it's not handing everything over to the NSA.
Unfortunately, the letter (quoted in part below) leaves open more
questions than it answers.
At the outset, we think it is important for IBM to clearly state some simple facts:
- IBM has not provided client data to the National Security Agency
(NSA) or any other government agency under the program known as PRISM.
- IBM has not provided client data to the NSA or any other
government agency under any surveillance program involving the bulk
collection of content or metadata.
- IBM has not provided client data stored outside the
United States to the U.S. government under a national security order,
such as a FISA order or a National Security Letter.
- IBM does not put "backdoors" in its products for the NSA
or any other government agency, nor does IBM provide software source
code or encryption keys to the NSA or any other government agency for
the purpose of accessing client data.
- IBM has and will continue to comply with the local laws, including data privacy laws, in all countries in which it operates.
To which we ask:
- We know you haven't provided data to the NSA under PRISM. It didn't use that name with you. Even the NSA General Counsel said: "PRISM was an internal government term that as the result of leaks became the public term." What program did you provide data to the NSA under?
- It seems rather obvious that you haven't provided the
NSA with any data under a bulk collection surveillance program. You're
not Google; you don't have bulk data to that extent. So why the caveat?
And again, under what program did you provide data to the NSA?
- Okay, so you say that you haven't provided any data
stored outside the US to the NSA under a national security order. Since
those national security orders prohibit you from disclosing their
existence, would you say anything different if you did receive them?
And even if we believe this statement, it implies two questions. Why
did you specifically not talk about data stored inside the US? And why
did you specifically not talk about providing data under another sort of
order?
- Of course you don't provide your source code to the NSA
for the purpose of accessing client data. The NSA isn't going to tell
you that's why it wants your source code. So, for what purposes did you provide your source code to the government? To get a contract? For audit purposes? For what?
- Yes, we know you need to comply with all local laws,
including US laws. That's why we don't trust you -- the current secret
interpretations of US law requires you to screw your customers. I'd
really rather you simply said that, and worked to change those laws,
than pretending that you can convince us otherwise.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.