2013 Transparency Report

January to December 2013

Since publishing our first transparency report in May 2012, we have remained committed to sharing information on the number of requests for user information that we receive from governments and how we respond to them. We scrutinize all data requests to make sure they comply with the law and give notice to users when their accounts are identified in a law enforcement request, unless prohibited by law. We do so because we believe that it’s important that our users understand when and under what circumstances their data may be sought by governments. This year, we’re also announcing our Government Data Request Principles, which describe how we deal with the requests we receive and how we’ll work to try to change the laws to make them more protective of your privacy.

In light of the US government’s recent decision to permit online services to disclose national security requests under certain conditions, we are reporting that we received 0—249 national security requests from the US government in 2013. Although the ability to report in bands of 250 is a positive development, these restrictions interfere with both the public’s right to obtain information about the US government’s surveillance activities and our rights to publish such information. We continue to believe that online services should be allowed to report the exact number of national security requests received and remain committed to defending that principle.

Search warrants

What Dropbox received
Search warrants
118
Accounts identified
172
How Dropbox responded
Account(s) did not exist
9
Content and non-content produced
104
Notice provided
42
No information provided
5

Court orders

What Dropbox received
Court orders
0
Accounts identified
0
How Dropbox responded
Account(s) did not exist
0
Content and non-content produced
0
Notice provided
0
No information provided
0

Subpoenas

What Dropbox received
Subpoenas
159
Accounts identified
401
How Dropbox responded
Account(s) did not exist
37
Content produced
0
Non-content produced
94
Notice provided
61
No information provided
28

National security requests

National Security Process received
0-249
Accounts affected
0-249

Non-United States requests

Non-United States requests
90
Accounts affected
0

Beyond the numbers

Our primary goal in publishing a transparency report is to inform individuals about government activity around requests for user information. We hope these observations about the requests we received in 2013 help you understand how these numbers affect you.

  • The rate of government data requests received per user remained steady — this means that the number of requests received grew proportionately to Dropbox’s user base.
  • When it comes to user notice, the government often asked that Dropbox not disclose the existence of legal process, even when the government was not legally entitled to non-disclosure. In those situations, Dropbox informed law enforcement of its notice policy and provided notice unless law enforcement provided a valid legal basis for non-disclosure (such as a court order).
  • When it comes to seeking content information, the government rarely asked for content information when it was not legally entitled to receive such information. For example, of the 159 subpoenas we received, only 3 sought content information, which we did not provide.

Glossary

Types of legal process that Dropbox receives

Subpoenas:  Subpoenas include any legal process from law enforcement where there is no legal requirement that a judge or magistrate review the legal process. Local, state and federal government authorities may use subpoenas in both criminal and civil cases and subpoenas are typically issued by government attorneys or grand juries. We do not produce content information in response to subpoenas.

Search warrants:  Search warrants require judicial review, a showing of probable cause, and must meet specificity requirements regarding the place to be searched and the items to be seized. Search warrants may be issued by local, state or federal governments, and may only be used in criminal cases. In response to valid search warrants, we produce non-content and content information.

Court orders:  Court orders are issued by judges and may take a variety of forms, such as a 2703(d) order under the Electronic Communications Privacy Act, in both civil and criminal cases. In response to court orders, we will not produce content information unless the court order has procedural safeguards equivalent to those of a search warrant.

National security process:  National security process includes National Security Letters (“NSLs”) and orders issued under the Foreign Intelligence Surveillance Act (“FISA orders”). Dropbox is not permitted by the US government to report the exact number received.

Non-US requests:  At this time, we require non-US governments to follow the mutual legal assistance treaty process or letters rogatory process so that a US court will issue the required US legal process to Dropbox.

Information Dropbox provides in response

Non-content:  When we provide “non-content” information in response to valid legal process, that means we provided subscriber information such as the name and email address associated with the account; the date of account creation and other transactional information like IP addresses. “Non-content” information does not include the files that people store in their Dropbox accounts.

Content:  When we provide “content” information in response to valid legal process, that means we provided the files stored in a person’s Dropbox account, in addition to non-content information.

“No information provided”:  This means that we didn’t provide any information in response to the request for one or more of the following reasons: (1) the request was duplicative of a request that we already responded to; (2) Dropbox objected to the request; (3) law enforcement withdrew the request; or (4) the request failed to specify an account.

“Account did not exist”:  This means that law enforcement specified an account in their request, but that account did not exist.

2012 Transparency Report

January to December 2012

United States requests

Requests for user information
87
Accounts specified
164
Response rate
82%

Non-United States Requests

Requests for user information
<20
Accounts specified
<20
Response rate
0%*
*In 2012, Dropbox required data requests to go through the United States judicial system.