IBM has committed to challenging every government request it receives for its customers’ data, claiming it has never provided US law enforcement with any data under the country’s Cloud Act.
The act, which came into effect in March 2018, effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud, but IBM said it has only ever received one request for European client content from US law enforcement under the Cloud Act.
In that request, IBM said it declined to provide the information on the basis it was “inconsistent” with the company’s principles.
“IBM European entities operate subject to EU law and the national laws of the country where they operate, which includes all protections, including privacy, that are mandated by those laws. This is no different from other European companies,” said IBM’s chairman of Europe, the Middle East and Africa (EMEA), Martin Jetter, in a blog post published on 2 June.
“The US government has no jurisdiction over IBM European entities to demand data entrusted to us by our enterprise and public sector clients merely because these entities have a parent company based in the US. Neither the US Cloud Act nor any other similar law changes that,” he wrote. “IBM European entities will contest any demands they receive beyond the lawful jurisdiction of the requesting government.”
Martin Jetter, IBM
Jetter added that, in the one instance where a request was made by US authorities under the Cloud Act, “IBM insisted the US government either contact the client directly or work through the internationally recognised mutual legal assistance treaty [MLAT] process. Faced with the IBM position, the US government pursued the MLAT process.”
According to the company’s 2020 Law enforcement requests transparency report, IBM received 42 law enforcement requests from the US federal government last year, and 17 from US state governments, which it said have nothing to do with the Cloud Act.
While client data was not provided in any of these instances, account information – which includes “basic subscriber contact information such as name, email, business address, and IP address” – was provided in 40 and 16 cases respectively.
Another 22 requests for its customer data were made by “other countries”, 20 of which led to the disclosure of account information, and one of which led to the disclosure of IBM client data to the UK government, although IBM declined to comment on the specifics of the case.
Speaking to Computer Weekly, IBM’s vice-president of government and regulatory affairs in Europe, Liam Benham, clarified that “the one request that is mentioned in our latest transparency report is not the same request we’re talking about under the Cloud Act… We’ve had one Cloud Act request in the three-plus years life of the act, and over the past 12 months… we reported one additional request from a government that wasn’t the US government.”
He added: “I think that also speaks to our point here that we are not a magnet for these government data requests, and I think that’s because of the nature of our business – we’re not in that consumer space where many of these requests target.”
Aside from the Cloud Act, under section 702 of the Foreign Intelligence Surveillance Act (FISA), the US attorney general and director of intelligence services are able to jointly authorise the targeted surveillance of people outside the US, as long as they are not a US citizen.
Any court order issued under FISA laws also comes with a gag order, a legal instrument that prevents the recipients from letting anybody else know they have received the order.
Asked about FISA, Benham said: “We’ve never provided client data stored outside of the US to the US government under any national security order, including FISA warrants. We’ve also said that we would legally challenge any attempt to access our clients’ data, and we would also legally challenge any attempt at a gagging order.
“We do not own this data, we’re mapping this data on behalf of our client, so you’ve got to go talk to the client if you have concerns… because protecting our clients’ data is obviously sacrosanct to our business.”
He added that despite IBM’s focus on managing business customers’ data, it would approach the disclosure of industrial data just as it would with personal data. “We apply these principles equally,” he said, adding that other cloud providers must be more open and transparent about government requests for their customers’ data.
Agnieszka Bruyère, vice-president of IBM Cloud in EMEA, said these were “legitimate concerns because the data is really the source of innovation”, reiterating that the data is owned by IBM’s clients, not IBM itself.
“Back in 2017, we put in place the specific service which is called EU-only services, where the operations are done by EU personnel. We have a specific approval process under control, with very strict controls, to give temporary access, if the necessity is raised, to a non-EU person.
“But all of this is completely strict to the approvals and with the controls we put in place, with a very short timeframe when the people can actually connect, so I think that’s a very important differentiator for us.”