Dropbox Law Enforcement Handbook
Table of Contents
- Law Enforcement Handbook
2. Government Data Request Principles
3. Sending Process to Dropbox
4. Emergency Requests
5. User Notice Policy
6. Requests for User Information
- User Identification
- Subscriber Information
- Account Content
- Data Retention Policy
- Preservation Requests
7. Non-United States Requests
Law Enforcement Handbook
Dropbox is a file syncing and collaboration service that allows users to access and share their files on computers, phones, tablets, and the Dropbox website.
Government Data Request Principles
Dropbox's policy is to provide notice to users about law enforcement requests for their information prior to complying with the request, unless prohibited by law.
Fight blanket requests:
Dropbox cannot process requests that are overbroad, vague, or nonspecific. All requests should be limited to specific people and investigations. To identify an account, requests must list: a) A user ID, b) an email address associated with the account, or c) a Dropbox link.
Protect all users:
Dropbox provides user information in response to law enforcement requests only when we believe that we are legally required to do so. Dropbox requires all government requests to be in accordance with the federal Stored Communications Act (“SCA”), 18 U.S.C. § 2701-2712.
Provide trusted services:
Governments should never install backdoors into online services or compromise infrastructure to obtain user data. All requests are scrutinized to ensure they comply with privacy laws that protect user information.
Sending Process to Dropbox
We accept service of legal process from law enforcement in one of the following three ways:
Please send all documents as PDF files.
Mail: Please send process here but address as below:
CSC - Lawyers Incorporating Service
2710 Gateway Oaks Dr., Ste. 150N
Sacramento, CA 95833
For all forms of service, please address the process to:
333 Brannan Street
San Francisco, CA 94107
While we agree to accept service of law enforcement requests by these methods, neither Dropbox nor our users waive any legal rights based on this accommodation. Requests seeking testimony must be served on our registered agent for service of process. We do not accept those requests by email, mail or fax.
If you are seeking information in emergency circumstances, please contact us at firstname.lastname@example.org and provide the basis upon which you are making the request. We process these requests on an expedited basis.
User Notice Policy
Dropbox's policy is to provide notice to users about law enforcement requests for their information prior to complying with the request, unless prohibited by law. We might delay notice in cases involving the threat of death or bodily injury, or the exploitation of children. It is our policy to provide notice to users about grand jury subpoenas seeking user information. If you object to the user receiving notice in a particular case, please provide legal justification when serving the subpoena or obtain a sealing order prior to service. Once the basis for the non-disclosure has expired, we will give notice to the user.
Requests for User Information
To identify an account, Dropbox requires either the User ID or the an email address associated with the account. In some situations, Dropbox is able to identify a user by a sharing link created by that user.
The following information may be available in response to an enforceable government subpoena or court order:
1. The name provided by the user
2. The email address provided by the user
3. The time and date of account registration
4. The type of account (Free/Paid/Business, and if paid, payment information)
5. The IP addresses recorded for account logins and
6. The last-seen IP address of computers linked to an account.
Dropbox will only provide user content, whether in files or otherwise, in response to a search warrant (or an equivalent legal obligation supported by probable cause with judicial review).
Data Retention Policy
Subscriber information is available while an account is active. Deleted files in an active account will still be available for 30 days after deletion, or if the account has been preserved, until the preservation expires. Once an account is deleted, subscriber information and the content in the account will be unrecoverable after 30 days, unless the account is preserved.
We accept requests to preserve records for 90 days pursuant to 18 U.S.C. § 2703(f). Extensions may be requested. Unless an account is subject to a preservation request, subscriber information and user content for deleted accounts may be restorable by Dropbox for up to 60 days in the normal course of our operations.
Non-United States Requests
Dropbox is headquartered in, and offers it services from, the United States of America. Our customer data is stored exclusively in the United States.
If you would like to obtain information from Dropbox, please follow the applicable mutual legal assistance treaty process or letters rogatory process so that a U.S. court may issue the required U.S. legal process to Dropbox. Should you have questions regarding these procedures, you may wish to contact the Office of International Affairs at the United States Department of Justice.
While we understand that some companies provide registration information without requiring a U.S. court order, Dropbox is not able to do so at this time. For the foreseeable future, we will require such an order.