Box won't say if it's giving your secrets to the government

The company says it only gives up customer data when "required by applicable law." But if it's keeping quiet on reportable figures, should we assume the worst?
Written by Zack Whittaker, Contributor

(Image: file photo)

Cloud storage giant Box won't say how many times it has turned over customer data to the government.

The company's policy stands out from the cloud storage crowd, including Google, Amazon, Microsoft, and Dropbox, which along with other every internet and phone company in the Fortune 500, provide a biannual transparency report detailing the number of government requests and secret orders they receive.

A spokesperson for Box confirmed that the company doesn't issue a transparency report, adding that government requests for customer data is "strictly limited to the extent mandated and required by applicable law."

"Our priority is always to preserve the privacy of our users to the fullest extent possible," the spokesperson said.

But confidence in the notion of "applicable law" quickly waned after the government was shown to have pushed the limits of its legal powers in the wake of the NSA disclosures.

Nine tech companies were named as being complicit in the PRISM program -- claims that were largely denied by the companies. PRISM was authorized under the law, though the program's existence wasn't known until documents leaked by Edward Snowden were published by journalists. It was the same law that authorized the NSA to hack into major companies around the world, collect records in bulk on every Verizon customer, and directly tap into the fiber cables that connect Google's datacenters around the world.

Without a transparency report, Box customers can't know for sure to what extent "applicable law" applies to them, such as a secret national security order or demands for bulk data.

Box has seen its user base grow to 69,000 businesses as of its fiscal third-quarter earnings in November, and only a fraction of its users are ordinary consumers. Most of Box's users are business accounts and companies, which have the option to store its own encryption keys, cutting Box out of the loop, or will otherwise get notified if it receives a subpoena.

If Box receives a gag order or a national security request, the company may not be able to tell its users at all.

Like all companies, Box isn't under any legal obligation to report how many government requests it receives, despite the fact that such reporting has now become an industry norm.

But, as the company swells in size and draws in more major customers, the issue of transparency becomes more difficult to ignore, and even tougher not to assume the worst.

Editorial standards