We believe it’s critical for our users to know about when and how governments ask us for their information. That’s why, since 2012, we’ve published information about the government requests we receive for user information and how we respond to them.
We’re constantly iterating on how we can build this report so that it’s the most informative and useful for our users. For the first time, this report now lists the non-U.S. countries from which we received legal process. People all over the world use Dropbox and we’re committed to informing and protecting all of our users, no matter where they live.
This report also includes additional granularity around how we respond to the government data requests we receive. When we apply our Government Data Request Principles to every request we receive, we look at how many accounts are listed in each piece of legal process (whether a subpoena, search warrant, or court order). Some only identify a single account, whereas others identify tens of accounts in a single request. Our report now includes how we respond to government data requests by the accounts requested, rather than simply by the number of pieces of legal process received.
We remain committed to giving notice to users whose data is being sought. In doing so, we reveal what information the government is requesting and when we will provide it, and we offer the user a chance to object to the production of this information if they don’t believe the government has legal justification to seek it. We will always provide notice unless we are legally prohibited by a valid court order or a state law that specifically prohibits notice.
We know that the numbers themselves only tell part of the story, so we also wanted to highlight some additional details to provide a more complete picture.
Subpoenas: Subpoenas include any legal process from law enforcement where there is no legal requirement that a judge or magistrate review the legal process. Local, state and federal government authorities may use subpoenas in both criminal and civil cases and subpoenas are typically issued by government attorneys or grand juries. We do not produce content information in response to subpoenas.
Search warrants: Search warrants require judicial review and a showing of probable cause, and must meet specificity requirements regarding the place to be searched and the items to be seized. Search warrants may be issued by local, state or federal governments, and may only be used in criminal cases. In response to valid search warrants, we produce non-content and content information.
Court orders: Court orders are issued by judges and may take a variety of forms, such as a 2703(d) order under the Electronic Communications Privacy Act, in both civil and criminal cases. In response to court orders, we will not produce content information unless the court order has procedural safeguards equivalent to those of a search warrant.
National security process: National security process includes National Security Letters (“NSLs”) and orders issued under the Foreign Intelligence Surveillance Act (“FISA orders”). Dropbox is not permitted by the US government to report the exact number received.
Non-US requests: Non-US requests include any formal legal process from a non-US government seeking user data. At this time, we require non-US governments to follow the Mutual Legal Assistance Treaty process or letters rogatory process so that a US court will issue the required US legal process to Dropbox.
Non-content: When we provide “non-content” information in response to valid legal process, that means we provided subscriber information such as the name and email address associated with the account, the date of account creation, and other transactional information like IP addresses. “Non-content” information does not include the files that people store in their Dropbox accounts.
Content: When we provide “content” information in response to valid legal process, that means we provided the files stored in a person’s Dropbox account, in addition to non-content information.
“No information provided”: This means that we didn’t provide any information in response to the request for one or more of the following reasons: (1) the request was duplicative of a request that we already responded to; (2) Dropbox objected to the request; (3) law enforcement withdrew the request; or (4) the request failed to specify an account.
“Account did not exist”: This means that law enforcement specified an account in their request, but that account did not exist.