Because our users trust us with their most important stuff, we’re committed to being transparent about when and how governments ask us for our users’ information. Published since 2012, our biannual report publishes the number of requests we received and how we responded. We always apply our Government Data Request Principles to every request we receive, and remain committed to giving notice to users whose data is being sought, unless prohibited by a valid court order or a state law that specifically prohibits notice.
Each time we publish our report, we reevaluate the types of information we’re providing to see how we can be more transparent. This time, we’ve broken out the US requests we’ve received on a state-by-state basis to shed some light on where the requests are coming from.
| Country | Number of requests | Number of accounts affected | Content blocked in response to request | Content blocked pursuant to Acceptable use Policy | Notice provided to user |
|---|---|---|---|---|---|
| Russia | 31 | 31 | 0 | 0 | 0 |
We know that the numbers themselves only tell part of the story, so we also wanted to highlight some additional details to provide a more complete picture.
Subpoenas: Subpoenas include any legal process from law enforcement where there is no legal requirement that a judge or magistrate review the legal process. Local, state and federal government authorities may use subpoenas in both criminal and civil cases and subpoenas are typically issued by government attorneys or grand juries. We do not produce content information in response to subpoenas.
Search warrants: Search warrants require judicial review, a showing of probable cause, and must meet specificity requirements regarding the place to be searched and the items to be seized. Search warrants may be issued by local, state or federal governments, and may only be used in criminal cases. In response to valid search warrants, we produce non-content and content information.
Court orders: Court orders are issued by judges and may take a variety of forms, such as a 2703(d) order under the Electronic Communications Privacy Act, in both civil and criminal cases. In response to court orders, we will not produce content information unless the court order has procedural safeguards equivalent to those of a search warrant.
National security process: National security process includes National Security Letters (“NSLs”) and orders issued under the Foreign Intelligence Surveillance Act (“FISA orders”). We’d like to be more specific, but Dropbox is not permitted by the US government to report the exact number received.
All Writs Act Orders: All Writs Act Orders are issued by United States judges with authority from the All Writs Act of 1789. The statute gives courts the power to “issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”
Non-US requests: Non-US requests include any formal legal process from a non-US government seeking user data. At this time, we require non-US governments to follow the Mutual Legal Assistance Treaty process or letters rogatory process so that a US court will issue the required US legal process to Dropbox.
Government removal requests: Government removal requests include court orders, and written requests from law enforcement and government agencies seeking the removal of content based on the local laws of their respective jurisdictions.
User Notice: Anytime we receive a request from law enforcement for a user’s information, we notify the user unless we are legally prohibited from doing so. We send an email to the user, with the type of request, when we received it, what information it requests, and when we plan to comply. This gives the user an opportunity to object if appropriate. In limited cases we delay notice to the user until after we have complied, and in those cases we note the date we produced user records.
Non-content: When we provide “non-content” information in response to valid legal process, that means we provided subscriber information such as the name and email address associated with the account; the date of account creation and other transactional information like IP addresses. “Non-content” information does not include the files that people store in their Dropbox accounts.
Content: When we provide “content” information in response to valid legal process, that means we provided the files stored in a person’s Dropbox account, in addition to non-content information.
“No information provided”: This means that we didn’t provide any information in response to the request for one or more of the following reasons: (1) the request was duplicative of a request that we already responded to; (2) Dropbox objected to the request; (3) law enforcement withdrew the request; or (4) the request failed to specify an account.
“Account did not exist”: This means that law enforcement specified an account in their request, but that account did not exist.
| Country | Number of requests | Number of accounts affected | Content blocked in response to request | Content blocked pursuant to Acceptable use Policy | Notice provided to user |
|---|---|---|---|---|---|
| Russia | 3 | 3 | 1 | 2 | 3 |
