To Our Clients:

For decades, clients around the world have trusted IBM with their data. We believe we have earned that trust.

In view of the wide range of proposed government regulations around the world related to the handling and treatment of data, clients have asked us questions about their data – how best to secure it, where to locate it, and how we would respond should governments request access.

This is also a matter of interest to our employees, our partners, and our shareholders. Given the global discussion about data security and privacy, we wanted to communicate our view on these issues.

At the outset, we think it is important for IBM to clearly state some simple facts:

• IBM has not provided client data to the National Security Agency (NSA) or any other government agency under the program known as PRISM.
• IBM has not provided client data to the NSA or any other government agency under any surveillance program involving the bulk collection of content or metadata.
• IBM has not provided client data stored outside the United States to the U.S. government under a national security order, such as a FISA order or a National Security Letter.
• IBM does not put “backdoors” in its products for the NSA or any other government agency, nor does IBM provide software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data.
• IBM has and will continue to comply with the local laws, including data privacy laws, in all countries in which it operates.

IBM is fundamentally an enterprise company, meaning our customers are typically other companies and organizations rather than individual consumers. We serve some of the world’s most successful global corporations, helping them achieve their business goals.

Our business model sets us apart from many of the companies that have been associated with the surveillance programs that have been disclosed. Unlike those companies, IBM’s primary business does not involve providing telephone or Internet-based communication services to the general public. Rather, because the vast majority of our customers are other companies and organizations, we deal mainly with business data. Our client relationships are governed by contract, with clear roles and responsibilities assigned and clearly understood by all parties. To the extent our clients provide us access within their infrastructure to the type of individual communications that reportedly have been the target of the disclosed intelligence programs, such information belongs to our clients.

For these reasons, it has long been our (and our clients’) expectation that if a government did have an interest in our clients’ data, the government would approach that client, not IBM.

Our Commitment to Clients and Recommendations to Governments

We understand that clients are concerned about the security and privacy of their data. Therefore, we want to offer the following assurances:

• In general, if a government wants access to data held by IBM on behalf of an enterprise client, we would expect that government to deal directly with that client.
• If the U.S. government were to serve a national security order on IBM to obtain data from an enterprise client and impose a gag order that prohibits IBM from notifying that client, IBM will take appropriate steps to challenge the gag order through judicial action or other means.
• For enterprise clients’ data stored outside of the United States, IBM believes that any U.S. government effort to obtain such data should go through internationally recognized legal channels, such as requests for assistance under international treaties.
• If the U.S. government instead were to serve a national security order on IBM to obtain data stored outside the United States from an enterprise client, IBM will take appropriate steps to challenge the order through judicial action or other means.
• IBM will continue to invest in world-class security technologies and services, and we will engage governments around the world on behalf of sensible, market-led policies that enable the free flow of data while promoting strong security. IBM will also continue its decades-long tradition of privacy leadership.

Governments must act to restore trust. IBM believes governments should take the following actions:

• Governments should reject short-sighted policies, such as data localization requirements, that do little to improve security but distort markets and lend themselves to protectionist tendencies.
• Governments should not subvert commercial technologies, such as encryption, that are intended to protect business data.
• The U.S. government should have a robust debate on surveillance reforms, including new transparency provisions that would allow the public to better understand the scope of intelligence programs and the data collected.

Conclusion

Technology often challenges us as a society. This is one instance in which both business and government must respond. Data is the next great natural resource, with the potential to improve lives and transform institutions for the better. However, establishing and maintaining the public’s trust in new technologies is essential.

IBM is committed to being a responsible participant in this discussion and a strong advocate for our clients.