One day, it will be possible to unlock a computer with a thumbprint, Emanuel Piore told a group of US senators during hearings on data privacy in 1967. IBM’s chief scientist explained to the Subcommittee on Administrative Practice and Procedure that companies like his were hard at work developing techniques to better secure machines and protect data for the onrush of the information age.
In fact, IBM had been on this quest since the dawn of computer manufacturing in the early 1950s — at a time when “security” usually meant locking the door to the computer room at the end of the day. With the emergence of remote terminals, the industry shifted tactics, intending to gate the machines themselves, just as Piore mused. Nearly 40 years later, IBM was the first computer maker to tie fingerprint authentication into the security chip of a personal laptop.
For as long as it has been managing information, IBM has been a leader in data security. From developing cryptography for automated bank and e-commerce transactions to designing security features for internet communication standards, the company’s contributions to safeguarding information span the tactical to the truly transformative. IBM devised a magnetic stripe credit card for computer terminal access. Its LUCIFER encryption algorithm helped Lloyds Bank safely deploy some of the world’s first automated teller machines. It was later modified and adopted by the US National Bureau of Standards (now known as the National Institute of Standards and Technology) as the first-ever Data Encryption Standard for the US.
In a world of countless internet-connected devices and cloud computing, the company has made a commitment to data privacy and security across information technology environments and architectures. IBM continues to work at the frontiers of many innovative data-security solutions, including confidential computing technology, an enterprise platform for managing data privacy in hybrid multi-cloud environments; fully homomorphic encryption, a novel standard for safeguarding data transmission; and lattice cryptography, a technique to secure information in the quantum computing age. Regardless of the technology or era, the company’s focus on protecting data and managing it responsibly remains steadfast.
The senators had called Emanuel Piore on that March day in 1967 to testify about computer privacy in the wake of a proposal by the US federal government to create a centralized National Data Center. While emphasizing IBM’s efforts to ensure data privacy through security measures on its machines, he highlighted a key distinction between data security and data privacy: “Preservation of privacy rests not with machines, but with men,” he said. “The effectiveness of all protective measures, however sophisticated they may become, will still depend on people.”
Echoing Piore’s sentiment, CEO T. Vincent Learson said in 1972 that “it is the task of public policy to decide who is to have access to what. But the question of how we are to limit access to this information only to those authorized to have it clearly comes home to us.” That year he established a broad program of study on data security, in part to educate the company and industry on steps toward more comprehensive security practices.
Data security and data privacy are often used interchangeably but are in fact distinct. Data security protects information from compromise via malicious intent or operator error. Privacy, on the other hand, governs how data is collected, shared and used. While Thomas Watson Jr. had long embraced IBM’s role in data security, it wasn’t until the late 1960s that he began to articulate the responsibility he felt around privacy, both for the industry at large and for IBM employees. “For the problem of privacy in the end is nothing more and nothing less than the root problem of the relation of each one of us to our fellow men,” he told the California Commonwealth Club in 1968.
In the mid-1960s, an employee’s request to read his own personnel file had triggered Watson Jr.’s awakening on data privacy issues, a scenario that IBM CEO Frank Cary recounted in the Harvard Business Review in 1976. “After he reviewed [the request] thoroughly, his answer to the employee was ‘yes’,” Cary said. From then on, Watson Jr. mandated that every manager should approve such requests.
As computers proliferated and data collection and processing practices grew more sophisticated, public concern arose around technology’s encroachment on privacy. Under Cary, IBM would take an assertive posture on the front lines of this public conversation. The company began advocating for uniformity in privacy-related practices at the national level. IBM executives frequently appeared before Congress to shape the debate. With dozens of legislative bills focused on individual privacy pending across the US, passage of even a fraction would create a morass of disjointed, and sometimes conflicting, requirements.
In 1974, the company published its “Four Principles of Privacy,” announcing them in 15 major US newspapers. The New York Times ran a letter from Cary outlining the approach. US Senator Barry Goldwater, for one, lauded IBM for its “significant contribution to the effort to restore individual privacy to the American people.” In 1973, the company had also instituted a first-of-its-kind corporate policy that codified employees’ right to privacy, reaching well beyond any laws or regulations requiring it. “Privacy,” Cary said, “is not a passing fad.”
As internet platforms and social media companies have grown in utility and ubiquity over the past two decades, concerns over data privacy have only intensified. IBM has responded with transparent policies and leadership on global standards.
The company was an early developer and adopter of the European Union Data Protection Code of Conduct for Cloud Service Providers. It was one of the first companies to appoint a chief privacy officer. In acknowledgment of its work with life sciences companies on the human genome, in 2005 IBM revised its long-standing equal employment opportunity policy to specifically exclude genetics from employment decisions, the first major company to do so.
For more than a century, IBM’s clients, especially in the financial services and healthcare sectors, have challenged the company to meet the toughest security and privacy requirements with sophisticated new approaches. This pressure has positioned the company well in an era where the explosion in information collection and evaluation makes data security and data privacy more critical than ever.
IBM is constantly evolving its approach. In 2018 it shared its “Principles for Trust and Transparency” to advance the global dialogue on responsible data practices in a world of artificial intelligence and cloud computing. Those principles emphasize the complementary nature of AI to human intelligence, creators’ ownership of their data and derived insights, and a commitment to transparency and explainability for AI and other transformative innovations.
Living its values, in 2020 the company shared its decision to shelve its general purpose facial recognition and analysis software, addressing its past use by law enforcement in mass surveillance and racial profiling, and calling for “a national dialogue on whether and how facial recognition technology should be employed by domestic law enforcement agencies.”
Former IBM CEO Ginni Rometty called data “the phenomenon of our time ... the world’s new natural resource.” If this is true, then companies like IBM “are being judged not just by how we use data, but by whether we are trusted stewards of other people’s data,” she said. “Society will decide which companies it trusts.”
IBM is a company built not on products and services, but rather on ideas and values
Early efforts to streamline transactions led to digital finance, online banking and e-commerce
IBM researchers traced the migration of prehistoric populations and revolutionized the field of human genomics