Dropbox Law Enforcement Handbook

Table of Contents

 1. About
   - Law Enforcement Handbook
   - Dropbox
 2. Government Data Request Principles
 3. Sending Process to Dropbox
 4. Emergency Requests
 5. User Notice Policy
 6. Requests for User Information
   - User Identification
   - Subscriber Information
   - Account Content
   - Data Retention Policy
   - Preservation Requests
 7. Non-United States Requests




About

Law Enforcement Handbook

This handbook is for law enforcement seeking information from Dropbox in a criminal investigation. For more information on Dropbox’s philosophy on user data, please refer to our Privacy Policy and Government Data Request Principles. This handbook does not create any obligations concerning how Dropbox will respond in any particular case. Dropbox reserves the right to charge reasonable reimbursement fees for responding to law enforcement information requests.

Dropbox

Dropbox is a file syncing and collaboration service that allows users to access and share their files on computers, phones, tablets, and the Dropbox website.




Government Data Request Principles

Be transparent:

Dropbox's policy is to provide notice to users about law enforcement requests for their information prior to complying with the request, unless prohibited by law.

Fight blanket requests:

Dropbox cannot process requests that are overbroad, vague, or nonspecific. All requests should be limited to specific people and investigations. To identify an account, requests must list: a) A user ID, b) an email address associated with the account, or c) a Dropbox link.

Protect all users:

Dropbox provides user information in response to law enforcement requests only when we believe that we are legally required to do so. Dropbox requires all government requests to be in accordance with the federal Stored Communications Act (“SCA”), 18 U.S.C. § 2701-2712.

Provide trusted services:

Governments should never install backdoors into online services or compromise infrastructure to obtain user data. All requests are scrutinized to ensure they comply with privacy laws that protect user information.




Sending Process to Dropbox

We accept service of legal process from law enforcement in one of the following three ways:

Email: legalcompliance@dropbox.com
   Please send all documents as PDF files.

Fax:  415-789-4485

Mail:  Please send process here but address as below:
   CSC - Lawyers Incorporating Service
   2710 Gateway Oaks Dr., Ste. 150N
   Sacramento, CA 95833

For all forms of service, please address the process to:
 Dropbox, Inc.
 333 Brannan Street
 San Francisco, CA 94107

While we agree to accept service of law enforcement requests by these methods, neither Dropbox nor our users waive any legal rights based on this accommodation. Requests seeking testimony must be served on our registered agent for service of process. We do not accept those requests by email, mail or fax.




Emergency Requests

If you are seeking information in emergency circumstances, please contact us at legalcompliance@dropbox.com and provide the basis upon which you are making the request. We process these requests on an expedited basis.




User Notice Policy

Dropbox's policy is to provide notice to users about law enforcement requests for their information prior to complying with the request, unless prohibited by law. We might delay notice in cases involving the threat of death or bodily injury, or the exploitation of children. It is our policy to provide notice to users about grand jury subpoenas seeking user information. If you object to the user receiving notice in a particular case, please provide legal justification when serving the subpoena or obtain a sealing order prior to service. Once the basis for the non-disclosure has expired, we will give notice to the user.




Requests for User Information

User Identification

To identify an account, Dropbox requires either the User ID or the an email address associated with the account. In some situations, Dropbox is able to identify a user by a sharing link created by that user.

Subscriber Information

The following information may be available in response to an enforceable government subpoena or court order:

  1. The name provided by the user
  2. The email address provided by the user
  3. The time and date of account registration
  4. The type of account (Free/Paid/Business, and if paid, payment information)
  5. The IP addresses recorded for account logins and
  6. The last-seen IP address of computers linked to an account.

Content

Dropbox will only provide user content, whether in files or otherwise, in response to a search warrant (or an equivalent legal obligation supported by probable cause with judicial review).

Data Retention Policy

Subscriber information is available while an account is active. Deleted files in an active account will still be available for 30 days after deletion, or if the account has been preserved, until the preservation expires. Once an account is deleted, subscriber information and the content in the account will be unrecoverable after 30 days, unless the account is preserved.

Preservation Requests

We accept requests to preserve records for 90 days pursuant to 18 U.S.C. § 2703(f). Extensions may be requested. Unless an account is subject to a preservation request, subscriber information and user content for deleted accounts may be restorable by Dropbox for up to 60 days in the normal course of our operations.




Non-United States Requests

Dropbox is headquartered in, and offers it services from, the United States of America. Our customer data is stored exclusively in the United States.

If you would like to obtain information from Dropbox, please follow the applicable mutual legal assistance treaty process or letters rogatory process so that a U.S. court may issue the required U.S. legal process to Dropbox. Should you have questions regarding these procedures, you may wish to contact the Office of International Affairs at the United States Department of Justice.

While we understand that some companies provide registration information without requiring a U.S. court order, Dropbox is not able to do so at this time. For the foreseeable future, we will require such an order.