The reason for the “or fewer” caveat is because Dropbox and other services are not permitted by the US government to report the exact number of NSLs received.
“Although the ability to report in bands of 250 is a positive development, these restrictions interfere with both the public’s right to obtain information about the US government’s surveillance activities and our rights to publish such information,” the company said in its 2013 Transparency Report. “We continue to believe that online services should be allowed to report the exact number of national security requests received and remain committed to defending that principle.”
The company reiterated its directive to “be transparent” in its newly debuted Government Data Request Principles. It also added that “governments should never install backdoors into online services or compromise infrastructure to obtain user data. We’ll continue to work to protect our systems and to change laws to make it clear that this type of activity is illegal.”
The language is a nod to the allegations by Edward Snowden that several tech companies have been working with the US government and the NSA to intercept user communications – a charge that Google, Microsoft, Apple and the rest of them have categorically denied.
In terms of the other principles, which describe its guidelines for handling requests of all kinds for customer information as well as how it plans to work to change the laws to make them more protective of online privacy, Dropbox said that it’s committed to fighting blanket requests and providing trusted services.
“Government data requests should be limited to specific people and investigations. We’ll resist requests directed to large groups of people or that seek information unrelated to a specific investigation.”
It also pledged to protect all users and not treat people differently based on their citizenship or where they live.
“We understand that when you entrust us with your digital life, you expect us to keep your stuff safe,” the company said.
Overall, the Transparency Report shows that the rate of government data requests received per user has remained steady – meaning that the number of requests received grew proportionately to Dropbox’s user base. In addition to the NSLs, it fielded 118 search warrants affecting 172 accounts, 159 subpoenas affecting 401 accounts, 90 requests from entities and governments outside of the US (none of which it responded to) and zero court orders.
When it came to notifying users that information about them had been requested, Dropbox noted that the government often asked that it not disclose the existence of legal process, even when the government was not legally entitled to non-disclosure.
“In those situations, Dropbox informed law enforcement of its notice policy and provided notice unless law enforcement provided a valid legal basis for non-disclosure (such as a court order),” it said.
Also, the actual content of the files being housed on Dropbox servers was rarely the target for law enforcement: out of those 159 subpoenas it received, only three sought “content information,” which it did not provide.