Dropbox discloses 'less than 249' national security data requests, but hints it may have been far lower

Dropbox discloses 'less than 249' national security data requests, but hints it may have been far lower

Summary: The cloud storage service said the move to allow companies to disclose national security data requests as a "step in the right direction," but noted it's a flawed system for very few requests or even none.

TOPICS: Security
(Image: CNET)

Dropbox this week announced, not long after it was given the go-ahead from the U.S. Justice Department, how many national security requests for data it has been handed.

Sort of. Because there's always a caveat or two.

In late January, the Justice Dept. loosened the restrictions on Silicon Valley companies disclosing government surveillance requests that are at least six-months old under the guise of "national security."

That's caveat number one. It's a broad term that could frankly include anything under current U.S. law.

The second is that the numerical range in which these can be reported are so broad that in some cases any such disclosure may not in fact offer any clues on how many requests were made. 

That's Dropbox's big concern. In a blog post by Dropbox chief lawyer Bart Volkmer on Tuesday, he said the move to allow companies to disclose these requests was a "step in the right direction," but strongly hinted that companies such as the cloud storage firm was at a disadvantage because of its size and scale.

"...It doesn't go far enough, especially for services that receive only a handful of requests or none at all. We believe the public has a right to know the actual number of requests received and accounts affected, and we’ll continue to push to be able to provide this information."

Indeed, Dropbox received "zero to 249 requests" for data during the six-months prior to the blog post. That could be one, or two, as many as 249, or in fact none. Zero, zilch, nada.

And there's no way to know until the Justice Dept. eases up further.

Dropbox continues to fight the secretive Washington D.C.-based Foreign Intelligence Surveillance Court, set up under its namesake 1978 law, on how it discloses figures — with the company specifically wanting to disclose exactly how many requests it receives. 

In a legal brief submitted to the court [PDF] in September 2013, the company said because it received fewer than 100 regular law-enforcement requests for 2012, "reporting in the government’s format would decrease Dropbox’s ongoing transparency efforts."

"That's all we can report right now," Volkmer said. 

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • If it were none - they could probably say so.

    Considering that you'd have to actually get a request in order to get the gag order, I think we can safely rule out "none."

    However, it could theoretically be the case that it only happened once, or maybe less than a dozen times. That's certainly possible.

    But it does sound like it's happened, because without that gag order, anybody is free to say "nope, hasn't happened to us."