Stewardship of your data is a responsibility we embrace. These principles describe our commitment to your privacy and how we'll handle requests from government and law enforcement agencies seeking information about our users.
Online services should be allowed to publish the number and types of government requests they receive, and to notify individuals when information about them has been requested. This type of transparency empowers users by helping them better understand instances and patterns of government overreach. We’ll continue to publish detailed information about these requests and advocate for the right to provide more of this important information.
Be open about the number of requests we receive
We believe in reporting the exact number of government data requests received, the laws used to justify them and the number of accounts affected. That’s why we publish this information (to the extent that law permits) in our Transparency Report. Our Transparency Report lists the number of court orders, search warrants, subpoenas and government removal requests we have received, and our responses. We also provide as much detail about US national security requests as the law allows. Unfortunately, our report cannot currently include the exact number we receive, if any. We’ve urged the courts and the government to allow services such as Dropbox to disclose the precise number of national security requests they receive and the number of accounts affected. We’re committed to and will continue fighting on this front.
Let users know when their information is requested
We believe in providing notice to our users when a government requests their information, and we have fought in court to do so. However, government requests frequently include a court-granted non-disclosure order, which prohibits us from giving notice to the affected user. In cases where we receive a non-disclosure order, we notify the user when it has expired. Dropbox is also committed to following the USA Freedom Act. This ensures that courts have the opportunity to review non-disclosure obligations for any national security letters we may receive. We believe that services such as Dropbox should always be permitted to provide notice to affected users, and we will continue advocating for this important goal.
Government data requests should be limited in the information they seek and narrowly tailored to specific people and legitimate investigations. We’ll resist blanket and overly broad requests.
In the past, governments asked telecommunications companies for the phone records of large groups of people without suspicion that those people had been involved in illegal activity. We don’t think this is legal and will resist requests that seek information related to large groups of people or that don’t relate to specific investigations. We’ll also resist requests stemming from government investigations that are improper, illegitimate or have been brought in bad faith – for example, government attempts to suppress or censor political speech.
Governments should never install backdoors into online services or compromise infrastructure to obtain user data. We’ll continue to work to protect our systems and to change laws to make it clear that this type of activity is illegal.
We’ve seen reports that governments have been tapping into the data centre traffic of certain service providers. We’ve also seen reports that service providers have tools designed to give law enforcement access to user data directly or via third parties. Dropbox opposes these activities and would fight any attempt to make us participate in them. Governments should always request user data by contacting online services directly and presenting legal process. This allows services such as Dropbox to scrutinise the data requests and resist where appropriate.
Laws that give people different protection based on where they live or their citizenship are antiquated and don’t reflect the global nature of online services.
We’re committed to providing the same level of protection to all of our users. That means using these principles to scrutinise all of the requests we receive, regardless of the origin of the request or user. It also means extending fundamental privacy protections to all users: government data requests shouldn’t be in bulk, they should relate to specific individuals and investigations, and a judicial body should evaluate and approve requests for content before they’re issued.
The requests we receive originate from all over the globe. At the current time, we usually require non-US governments to work with US government agencies so that a US court issues the appropriate legal process to Dropbox.