IBM said it has not provided client data to the U.S. National Security Agency or any other government agency under surveillance programs involving the bulk collection of content or metadata.
The enterprise-focused company is the latest among U.S. tech companies to distance itself from NSA surveillance, which has raised concerns among customers worldwide about the safety of their data from U.S. government spying.
[ Also on InfoWorld: The great escape: How the NSA is driving companies out of U.S. clouds. | Get the skinny on the state of the cloud with InfoWorld's "Cloud Computing Deep Dive" special report. | Stay up on the cloud with InfoWorld's Cloud Computing Report newsletter. ]
The U.S. cloud computing industry could lose $22 billion to $35 billion of its foreign market over the next three years to competitors abroad as a result of the revelations of the NSA programs, think tank Information Technology & Innovation Foundation said in August.
Some nations like Brazil have also considered asking service providers to hold data within the country, a move that some Internet companies like Google have described as potentially fragmenting the Internet.
In a letter to customers Friday, IBM said it had not provided client data stored outside the U.S. to the U.S. government under a national security order, such as an order under the Foreign Intelligence Surveillance Act or a National Security Letter.
Former NSA contractor, Edward Snowden, claimed through disclosures to newspapers that a number of Internet companies were providing real-time access to content on their servers to the NSA under a program called Prism, which the companies denied. The agency also had secretly broken into the main communications that connect the data centers of Google and Yahoo around the world, according to reports.
IBM denied providing client data to the NSA or any other government agency under Prism. It said it does not have "backdoors" in its products or provide software source code or encryption keys to the NSA or any other government agency for accessing client data.
In a series of commitments to its customers, Robert C. Weber, (IBM's senior vice president for legal and regulatory affairs, and general counsel wrote in the letter, which was also posted online, that "in general, if a government wants access to data held by IBM on behalf of an enterprise client, we would expect that government to deal directly with that client."
But if served by the U.S. a national security order for data from an enterprise client and a "gag order" prohibiting it from discussing the order with the client, the company promises to challenge the gag order through legal and other means, it said.
For enterprise clients' data stored outside the U.S., IBM holds that any U.S. government effort to obtain such data "should go through internationally recognized legal channels, such as requests for assistance under international treaties." It would challenge through legal and other means a U.S. government order for access to data of enterprise clients stored outside the country, it added.
On the government policy front, IBM has described data localization requirements by countries as short-sighted policies, that "do little to improve security but distort markets and lend themselves to protectionist tendencies." Governments should also not subvert commercial technologies, such as encryption, that are intended to protect business data, the company said in what appears to be a reference to reports that the NSA has been attempting to circumvent encryption technologies.
Other tech companies have also tried to reassure their customers in the wake of the Snowden disclosures. Microsoft told business and government customers worldwide in December that it is committed to informing them of legal orders related to their data, and will fight in court any 'gag order' that prevents it from sharing such information with customers. The company also plans to encrypt customers' information moving between its data centers, with plans to complete the project by the end of 2014.
Yahoo and Google have also announced strengthening encryption of their services.
IBM said its letter was in response to customer questions on how best to secure their data, where to locate it, and how the company would respond should governments request access. It was also a matter of interest to its employees, partners and shareholders, Weber wrote.
In December, the Louisiana Sheriffs' Pension and Relief Fund sued IBM in a district court in New York, claiming that it failed to inform investors that sales in China would slow after disclosures that IBM was cooperating with the NSA spying program. Weber said at the time the suit was "pushing a wild conspiracy theory." IBM had attributed a drop in hardware sales in the third quarter partly to delayed procurement by Chinese government agencies while the local government framed a new economic policy.