IBM (IBM) is the latest IT heavyweight to deny any linkage to the U.S. National Security Agency’s (NSA) spying program, going so far as to say it has never provided any customer information to federal agencies, placed any back entries into its products or offered up software source code or encryption keys for access to customer data as others have been accused.

Robert C. Weber, IBM's Legal and Regulatory Affairs senior vice president, wrote in a blog post that “clients have asked us questions about their data—how best to secure it, where to locate it, and how we would respond should governments request access.” (Editor's note: Weber uses "clients" to refer to customers, not technology.)

Owing to the nature of IBM’s enterprise business model, any government agency showing interest in IBM’s customer data would be referred to the customer, Weber wrote.

“Our client relationships are governed by contract, with clear roles and responsibilities assigned and clearly understood by all parties,” he wrote. “To the extent our clients provide us access within their infrastructure to the type of individual communications that reportedly have been the target of the disclosed intelligence programs, such information belongs to our clients.”

Weber then proceeded to lay out IBM’s four-point customer data privacy and security policy:

  • In general, if a government wants access to data held by IBM on behalf of an enterprise client, we would expect that government to deal directly with that client.
  • If the U.S. government were to serve a national security order on IBM to obtain data from an enterprise client and impose a gag order that prohibits IBM from notifying that client, IBM will take appropriate steps to challenge the gag order through judicial action or other means.
  • For enterprise clients’ data stored outside of the United States, IBM believes that any U.S. government effort to obtain such data should go through internationally recognized legal channels, such as requests for assistance under international treaties.
  • If the U.S. government instead were to serve a national security order on IBM to obtain data stored outside the United States from an enterprise client, IBM will take appropriate steps to challenge the order through judicial action or other means.

Weber also offered up three IBM recommendations “to restore trust.”

  • Governments should reject short-sighted policies, such as data localization requirements, that do little to improve security but distort markets and lend themselves to protectionist tendencies.
  • Governments should not subvert commercial technologies, such as encryption, that are intended to protect business data.
  • The U.S. government should have a robust debate on surveillance reforms, including new transparency provisions that would allow the public to better understand the scope of intelligence programs and the data collected.

“Data is the next great natural resource, with the potential to improve lives and transform institutions for the better,” wrote Weber. “However, establishing and maintaining the public’s trust in new technologies is essential. IBM is committed to being a responsible participant in this discussion and a strong advocate for our clients.”