Dropbox yesterday released a new set of principles that explain how it deals with government requests for customer data. The principles were a companion to its 2013 Transparency Report, which for the first time included National Security Letter requests made to the file hosting service.
“We believe everyone has a right to know how much information the government is seeking from online services,” Dropbox legal counsel Bart Volkmer said. “This lets users fight back against improper requests, helps prevent abuses of power, and allows for a more informed public debate.”
Large Internet services companies such as Dropbox recently won a reprieve from the government, which eased a gag order on reporting of National Security Letters and orders from the secret Foreign Intelligence Surveillance Court under the Foreign Intelligence Surveillance Act (FISA). For months last year, Dropbox, Facebook, Google, Yahoo, Microsoft, LinkedIn and others argued that their inability to report on FISA orders and National Security Letters not only hurt their transparency efforts with users, but infringed on the respective companies’ First Amendment rights to free speech.
After negotiations and lawsuits filed on behalf of the tech companies, the Justice Department wrote a letter in late January conceding that the companies would now have two reporting options for FISA requests related to national security. In return, the companies dropped their suits.
Dropbox, like Twitter before it, gave the ruling a half-hearted clap.
“This is a step in the right direction. But it doesn’t go far enough, especially for services that receive only a handful of requests or none at all,” Dropbox’s Volkmer said. “We believe the public has a right to know the actual number of requests received and accounts affected, and we’ll continue to push to be able to provide this information.”
The first of the two reporting options available to companies going forward lets them report the number of FISA orders for content and for non-content, as well as the number of customer accounts affected for each, in bands of 1,000 requests. The reporting restrictions around National Security Letters were eased last summer, and companies are allowed to similarly bundle their reporting. Reports may be published every six months; however, reporting on national security orders issued against data collected by new company products and services must be delayed two years.
The second option allows companies to report all national security requests, NSLs or FISA orders, and the number of customer accounts affected with exact numbers up to 250 requests, and thereafter in bands of 250.
Dropbox reported that it received between 0 and 249 National Security Letters affecting a similar range of accounts.
As for law enforcement requests, Dropbox received 118 search warrants on 172 accounts; it produced content or subscriber information on 104 accounts, provided notice to the user in 42 cases, and five times it did not provide information. It also reported receiving 159 subpoenas on 401 accounts; Dropbox did not turn over any content, but in 155 cases either provided subscriber information or gave notice to the user. In 28 cases, no information was provided.