Because our users trust us with their most important stuff, we’re committed to being transparent about when and how governments ask us for our users’ information. Published since 2012, our biannual report publishes the number of requests we received and how we responded. We always apply our Government Data Request Principles to every request we receive, and remain committed to giving notice to users whose data is being sought, unless prohibited by a valid court order or a state law that specifically prohibits notice.
Each time we publish our report we reevaluate the types of information we’re providing and whether it can be improved to better inform our users. This year, for the first time, our report includes requests we’ve received from governments to remove or block content from Dropbox in the past six-month period. When we receive these requests, we carefully determine whether the content should be removed because it violates a law or our Acceptable Use Policy. As is the case with government requests for user data, we notify users of requests to remove their content unless legally prohibited.
|Country||Number of requests||Number of accounts affected||Content blocked in response to request||Content blocked pursuant to Acceptable use Policy||Notice provided to user|
We know that the numbers themselves only tell part of the story, so we also wanted to highlight some additional details to provide a more complete picture.
Subpoenas: Subpoenas include any legal process from law enforcement where there is no legal requirement that a judge or magistrate review the legal process. Local, state and federal government authorities may use subpoenas in both criminal and civil cases and subpoenas are typically issued by government attorneys or grand juries. We do not produce content information in response to subpoenas.
Search warrants: Search warrants require judicial review, a showing of probable cause, and must meet specificity requirements regarding the place to be searched and the items to be seized. Search warrants may be issued by local, state or federal governments, and may only be used in criminal cases. In response to valid search warrants, we produce non-content and content information.
Court orders: Court orders are issued by judges and may take a variety of forms, such as a 2703(d) order under the Electronic Communications Privacy Act, in both civil and criminal cases. In response to court orders, we will not produce content information unless the court order has procedural safeguards equivalent to those of a search warrant.
National security process: National security process includes National Security Letters (“NSLs”) and orders issued under the Foreign Intelligence Surveillance Act (“FISA orders”). We’d like to be more specific, but Dropbox is not permitted by the US government to report the exact number received.
Non-US requests: Non-US requests include any formal legal process from a non-US government seeking user data. At this time, we require non-US governments to follow the Mutual Legal Assistance Treaty process or letters rogatory process so that a US court will issue the required US legal process to Dropbox.
Government removal requests: Government removal requests include court orders, and written requests from law enforcement and government agencies seeking the removal of content based on the local laws of their respective jurisdictions.
Non-content: When we provide “non-content” information in response to valid legal process, that means we provided subscriber information such as the name and email address associated with the account; the date of account creation and other transactional information like IP addresses. “Non-content” information does not include the files that people store in their Dropbox accounts.
Content: When we provide “content” information in response to valid legal process, that means we provided the files stored in a person’s Dropbox account, in addition to non-content information.
“No information provided”: This means that we didn’t provide any information in response to the request for one or more of the following reasons: (1) the request was duplicative of a request that we already responded to; (2) Dropbox objected to the request; (3) law enforcement withdrew the request; or (4) the request failed to specify an account.
“Account did not exist”: This means that law enforcement specified an account in their request, but that account did not exist.