Since publishing our first transparency report in May 2012, we have remained committed to sharing information on the number of requests for user information that we receive from governments and how we respond to them. We scrutinize all data requests to make sure they comply with the law and give notice to users when their accounts are identified in a law enforcement request, unless prohibited by law. We do so because we believe that it’s important that our users understand when and under what circumstances their data may be sought by governments. This year, we’re also announcing our Government Data Request Principles, which describe how we deal with the requests we receive and how we’ll work to try to change the laws to make them more protective of your privacy.
In light of the US government’s recent decision to permit online services to disclose national security requests under certain conditions, we are reporting that we received 0—249 national security requests from the US government in 2013. Although the ability to report in bands of 250 is a positive development, these restrictions interfere with both the public’s right to obtain information about the US government’s surveillance activities and our rights to publish such information. We continue to believe that online services should be allowed to report the exact number of national security requests received and remain committed to defending that principle.
Our primary goal in publishing a transparency report is to inform individuals about government activity around requests for user information. We hope these observations about the requests we received in 2013 help you understand how these numbers affect you.
Subpoenas: Subpoenas include any legal process from law enforcement where there is no legal requirement that a judge or magistrate review the legal process. Local, state and federal government authorities may use subpoenas in both criminal and civil cases and subpoenas are typically issued by government attorneys or grand juries. We do not produce content information in response to subpoenas.
Search warrants: Search warrants require judicial review, a showing of probable cause, and must meet specificity requirements regarding the place to be searched and the items to be seized. Search warrants may be issued by local, state or federal governments, and may only be used in criminal cases. In response to valid search warrants, we produce non-content and content information.
Court orders: Court orders are issued by judges and may take a variety of forms, such as a 2703(d) order under the Electronic Communications Privacy Act, in both civil and criminal cases. In response to court orders, we will not produce content information unless the court order has procedural safeguards equivalent to those of a search warrant.
National security process: National security process includes National Security Letters (“NSLs”) and orders issued under the Foreign Intelligence Surveillance Act (“FISA orders”). Dropbox is not permitted by the US government to report the exact number received.
Non-US requests: At this time, we require non-US governments to follow the mutual legal assistance treaty process or letters rogatory process so that a US court will issue the required US legal process to Dropbox.
Non-content: When we provide “non-content” information in response to valid legal process, that means we provided subscriber information such as the name and email address associated with the account; the date of account creation and other transactional information like IP addresses. “Non-content” information does not include the files that people store in their Dropbox accounts.
Content: When we provide “content” information in response to valid legal process, that means we provided the files stored in a person’s Dropbox account, in addition to non-content information.
“No information provided”: This means that we didn’t provide any information in response to the request for one or more of the following reasons: (1) the request was duplicative of a request that we already responded to; (2) Dropbox objected to the request; (3) law enforcement withdrew the request; or (4) the request failed to specify an account.
“Account did not exist”: This means that law enforcement specified an account in their request, but that account did not exist.