Dropbox’s Government Data Request Principles
We understand that when you entrust us with your digital life, you expect us to keep your stuff safe. Stewardship of your data is a responsibility we embrace. Like other online services, Dropbox sometimes receives requests from government and law enforcement agencies seeking information about our users. Government data requests typically include things like search warrants, subpoenas, and court orders. These principles describe our approach to handling the requests we receive, how and when we resist improper requests, and how we’ll work to improve laws to make them more protective of our users’ privacy.
Be transparent: Online services should be allowed to publish the number and types of government requests they receive, and to notify individuals when information about them has been requested. This type of transparency empowers users by helping them better understand instances and patterns of government overreach. We’ll continue to publish detailed information about these requests and advocate for the right to provide more of this important information.
Be open about the number of requests we receive
We believe in reporting the exact number of government data requests received, the laws used to justify them, and the number of accounts affected. That’s why we publish this information (to the extent the law permits) in our Transparency Report. Our Transparency Report lists the number of court orders, search warrants, subpoenas, and government removal requests we have received, and our responses. We also provide as much detail about US national security requests as the law allows. Unfortunately, our report cannot currently include the exact number we receive — if any. We’ve urged the courts and the government to allow services like Dropbox to disclose the precise number of national security requests they receive and the number of accounts affected. We’re committed to and will continue fighting on this front.
Let users know when their information is requested
We believe in providing notice to our users when a government requests their information and have fought in court to do so. However, government requests frequently include a court-granted non-disclosure order, which prohibits us from giving notice to the affected user. In cases where we receive a non-disclosure order, we notify the user when it has expired. We believe services like Dropbox should always be permitted to provide notice to affected users, and will continue advocating for this important goal.
Fight overly broad requests: Government data requests should be limited in the information they seek and narrowly tailored to specific people and legitimate investigations. We’ll resist blanket and overly broad requests.
In the past, governments sought from telecommunications companies the phone records of large groups of people without suspicion that those people had been involved in illegal activity. We don’t think this is legal, and will resist requests that seek information related to large groups of people or that don’t relate to specific investigations. We’ll also resist requests stemming from government investigations that are improper, illegitimate, or have been brought in bad faith — for example, government attempts to suppress or censor political speech.
Provide trusted services: Governments should never install backdoors into online services or compromise infrastructure to obtain user data. We’ll continue to work to protect our systems and to change laws to make it clear that this type of activity is illegal.
We’ve seen reports that governments have been tapping into data center traffic of certain service providers. We’ve also seen reports that service providers have tools designed to give law enforcement access to user data directly or via third parties. Dropbox opposes these activities and would fight any attempt to require us to participate in them. Governments should always request user data by contacting online services directly and presenting legal process. This allows services like Dropbox to scrutinize the data requests and resist where appropriate.
Protect all users: Laws that give people different protections based on where they live or their citizenship are antiquated and don’t reflect the global nature of online services.
We’re committed to providing the same level of protection to all of our users. That means using these principles to scrutinize all the requests we receive, regardless of the origin of the request or user. It also means extending fundamental privacy protections to all users: government data requests shouldn’t be in bulk, they should relate to specific individuals and investigations, and a judicial body should evaluate and sign off on requests for content before they’re issued.
These principles will guide us in safeguarding fundamental privacy protections for all users and ensuring that governments are held accountable by the public.