US Government Requests Access to Non-Existent Dropbox Accounts

US government requests for access to Dropbox user content and account details rose in line with subscriber numbers over the first half of 2014, but several of the accounts requested didn’t actually exist, according to the firm.

The cloud storage company’s latest Transparency Report revealed that the authorities filed 120 search warrants, two court orders, and 109 subpoenas related to non-business accounts over the period.

Dropbox identified 454 accounts related to the search warrant and subpoena requests, yet bizarrely 14 accounts did not exist for the former and 16 for the latter.

No requests were made for Dropbox for Business accounts, and 37 came from outside of the US. The firm isn’t allowed to specify how many 'national security requests' it received, although the number was in the range 0-249.

Dropbox also revealed that, while the “rate of government data requests received per user remains steady,” the authorities are trying to keep such requests a secret.

It explained:

“Government agencies keep asking us not to notify users of requests for their data, even when they are not legally entitled to do so. If we receive a request that comes with a gag order, we’ll inform the requesting agency of our policy and let users know about the request unless the agency provides a valid court order (or an equivalent).”

Information that Dropbox has been legally required to hand over includes 'non-content' – the subscriber info associated with an account, like name and email address – and 'content', which is the actual user files.

The firm said Washington rarely asks for content without a search warrant: only one of the 109 subpoenas in H1 2014 sought such information, and Dropbox didn’t supply it.

Of the 174 accounts identified as part of 120 search warrants, content was produced for 103 of them.

“We’ll push for greater openness, better laws, and more protections for your information. A bill currently in Congress would do just that by reining in bulk data collection by the US government and allowing online services to be more transparent about the government data requests they receive,” said Dropbox lawyer Bart Volkmer in a blog post.

“Another would make it clear that government agencies must get a warrant supported by probable cause before they may demand the contents of user communications. We’ll continue to lend our support for these bills and for real surveillance reform around the world.”

Interestingly, security experts believe enterprise file sync and share systems similar to Dropbox for Business could be a better, more secure option for sharing sensitive corporate data than email.

“SMTP is not designed to protect data, SMTP is designed to leak data,” warned Gartner research vice president Jay Heiser at the Security & Risk Management Summit this week.

“I’d like to make the case we should stop using so much email. If you get an enterprise file sync and share service and manage the user accounts, you can do some activity logging and you can wrap some controls around it and I’d maintain that’s a more controlled way to share data than email is.”
