Dropbox yesterday released its 2014 Transparency Report. It shows that Dropbox this year received 268 requests from law enforcement organisations (the vast majority of which originate from within the US), and ‘0-249’ national security requests (companies are not permitted to disclose the exact number of such requests they receive).
Dropbox has a policy of notifying users when it receives data requests, so it is interesting to see that a staggering 80 percent of law enforcement enquiries included ‘gag’ requests (not demands), such as those published by The Verge.
Dropbox has signalled its determination to push back against such requests, unless a valid court order is received:
‘Government agencies keep asking us not to notify users of requests for their data, even when they are not legally entitled to do so. If we receive a request that comes with a gag order, we’ll inform the requesting agency of our policy and let users know about the request unless the agency provides a valid court order (or an equivalent).’
Interestingly, and perhaps because they know such requests are likely to be rejected on constitutional grounds,
‘Government agencies rarely asked for content information without a warrant, which is the legal standard that Dropbox requires. Of the 109 subpoenas we received between January and June 2014, only one sought content information, which we did not provide.’
Dropbox also asserts that privacy is its ‘top priority’:
‘Protecting our users’ privacy is a top priority at Dropbox, so we continue to apply our Government Data Request Principles to every request we receive. We also strongly support ongoing surveillance reform efforts. For example, a recently-introduced bill in the US Senate would end bulk metadata collection by the US government and significantly increase transparency around national security requests. We urge you to voice support for this bill so that it becomes law, including calling or emailing your congressional representative if you live in the United States. Of course, people all over the world use Dropbox and we look forward to supporting similar reforms around the globe.’
This is an admirable attitude, but users should be aware that although files stored on Dropbox are encrypted, they are encrypted on Dropbox’s servers, and Dropbox holds the encryption keys.
Therefore, if served a valid court order, or if coerced by the government over one of those ‘0-249’ national security requests using powers granted to it by the Patriot Act, the Foreign Intelligence Surveillance Act (FISA), or other national security legislation, Dropbox can and will hand over the required data.
In our article ‘5 most secure backup services’ we look at alternatives to Dropbox that offer much higher levels of security and privacy, so if this sort of thing worries you (as we feel it should), go check it out!