
Dropbox - Transparency Report - lispython
https://www.dropbox.com/transparency
======
huhtenberg
What a complete bullshit -

> * _This report doesn't include national security requests._

What good is this "Transparency Report" if it excludes an unspecified number
of arbitrarily wide secret information access requests? The one kind that
actually ignited the fire under Dropbox's ass.

How can they seriously think this could calm and reassure anyone who cares
about privacy of their data held with Dropbox?

~~~
oleganza
Imagine yourself in Dropbox's shoes. Do you _personally_ want to go to jail
for fighting for freedom against NSA, or do you prefer to move from this
country to another (where some other agency will fuck you the same way)?

When people focus their disappointment on companies that are _forced_ to
comply you get civil war while the real aggressor is just laughing at you.
Let's instead focus on how government got so much brutal power, how can we
possibly reduce it and prevent from increasing again in the future. That's the
real issue here.

~~~
huhtenberg
You are missing the point.

If a company publishes a "Transparency Report" that is woefully incomplete,
they shouldn't call it a "Transparency Report", should they now? They
effectively fudge the numbers to make things look better than they are.

~~~
lotsofcows
Are things either completely transparent or opaque? Can I still call my
motorbike's windscreen so, even though it only blocks a very small amount of
wind? Should people below median height be allowed to say how "tall" they are?

------
lawnchair_larry
To recap, there are a few different types of requests.

There are warrants/court orders, which everyone is familiar with.

Then there are NSLs. Those usually come from the FBI, and with a gag order.
These can be included in transparency reports in aggregate, which is what the
numbers provided by Google etc (and presumably dropbox) show.

_"By law, NSLs can request only non-content information, such as
transactional records, phone numbers dialled or sender or recipient email
addresses. They also contain a gag order, preventing the recipient of the
letter from disclosing that the letter was ever issued."_

Worse than the NSL is the FISA order. These are _not_ included in _any_
"transparency reports", and they do not have to target specific users. They
allow surveillance without a warrant. They don't even have to be for seeking
evidence related to a crime, and can be issued just for "intelligence
gathering".

_"And it's even worse for FISA subpoenas, which can be used to force anyone
to hand over anything in complete secrecy, and which were greatly strengthened
by Section 215 of the USA PATRIOT Act. The government doesn't have to show
probable cause that the target is a foreign power or agent — only that they
are seeking the requested records "for" an intelligence or terrorism
investigation. Once the government makes this assertion, the court must issue
the subpoena."_

In short, none of these transparency reports are worth anything, because they
don't acknowledge FISA requests.

~~~
ihsw
> Worse than the NSL is the FISA order.

This right here is the contentious "Section 215", which is colloquially
summarized as _get everything, sort it later_.

Its broad-sweeping and baseless nature is what's ruffling lots of feathers,
and NSA's General Alexander praised it frequently in the much-reported
congressional hearings from ~3 months ago.

The FISC has recently declassified their court opinion on it (they love it):

[http://www.uscourts.gov/uscourts/courts/fisc/br13-09-primary...](http://www.uscourts.gov/uscourts/courts/fisc/br13-09-primary-order.pdf)

------
pixelcort
Currently it is legal for a company to truthfully state that it has not
received any NSLs. Therefore, we can assume any company that won't outright
claim such a denial to have received at least one.

~~~
kintamanimatt
They've pretty much outright admitted to receiving them:

"We've urged the government to allow online services to disclose the exact
number of national security requests received in a reporting period without
revealing details about specific requests."

~~~
andrelaszlo
They usually remember to end these sentences with "...if any". :P

------
Sukotto
What does "response rate" mean? The percentage of times you gave the asked for
information to whomever it was that asked for it?

If so, how do you decide when to decline requests?

How often do you get a request, decline it, then get another request against
the same user or account?

~~~
z92
> How often do you get a request, decline it, then get another request against
> the same user or account?

Never thought of it. So it's possible to always give the information asked for
and still keep the response rate below 1%!

"... and statistics".

------
001sky
_[Update - 9/23/2013] – Today we filed a legal brief asking the court to
confirm that we have the right to report the number of national security
requests we receive, if any. You can check out our brief here:
[https://dt8kf6553cww8.cloudfront.net/static/docs/DropboxFISC...](https://dt8kf6553cww8.cloudfront.net/static/docs/DropboxFISCBrief-vflkjalRT.pdf).
We'll keep you updated about any developments._

------
throwawayyyz
"Transparency Report" is such a bullshit term. It doesn't tell us anything. So
what if they provide a neat table with rows filled with some random numbers.
At the end of the day you are letting somebody else keep your files and do
what they want with it.

------
rurounijones
"This report doesn't include national security requests."

So the numbers are interesting and a good start but the good stuff is left out
for the moment.

~~~
devindotcom
This is the case with most of these transparency reports. Even if they did
report them, they would only be able to give very vague numbers, like "between
1 and 999" or the like. But yeah, more info is always better.

~~~
devcpp
What about black boxes that capture all traffic going through their servers
and send it all to the NSA? Would that count as just one request?

------
akbar501
If, as a customer, you don't like what Dropbox, Google, Microsoft etc. are
doing, then cast your economic vote and don't use the one product that
represents the bulk of their revenue. Most companies earn most of their money
from one, maybe two, products (focus on not using those). For Google, don't
waste time with email, focus on search...and so on.

Google: Search
Microsoft: Office
Dropbox: File sync/sharing
etc.

You don't have to go cold turkey, but it's easy enough to switch one at a
time. Help other people (friends/family/etc.) to switch as well. Big changes
happen one person at a time.

More importantly, you will see change if a major corporation sees a threat to
their revenues.

Cast your economic vote. Repeat. Encourage others to do so as well.

~~~
Semiapies
Or, if you're capable of reading between the lines, you as a citizen can
recognize that expecting other people to risk prison time for your approval is
entitled cowardice, and that you should be giving your government Hell for the
laws in question.

~~~
da_n
Totally, let me just go and tell my lobbyist to petition them... oh wait.

Giving the government hell is all well and good, but it is unlikely to cause
much in the way of change. If businesses start to feel the pain on the other
hand, then they have the incentive to challenge the government about the
massive monetary losses they face because the government fucked up the
internet. Both giving the government hell and boycotting compromised services
are valid ways of fighting back.

~~~
Semiapies
Yes, you and your friends boycotting companies is going to make them desperate
enough for their executives to risk prison time in order to win you back.

Good luck with that.

------
znowi
From the brief [1]: "There is no statute, nor any other law, supporting the
government’s demands."

Does it mean that essentially the companies are _intimidated_ into complying
without the rule of law? Under what law, and what sanctions do they face if
full statistics are published?

[1]
[https://dt8kf6553cww8.cloudfront.net/static/docs/DropboxFISC...](https://dt8kf6553cww8.cloudfront.net/static/docs/DropboxFISCBrief-vflkjalRT.pdf)

------
sandstrom
Dropbox must feel like a godsend for the NSA. The files of millions of people
from around the planet, conveniently sitting there for the taking (without
anyone even knowing).

I truly love this country, but this progress is worrying.

------
sengstrom
It is a push to allow Dropbox to publish the NSR numbers. It is also a public
relations campaign. Uncertainty can hurt your business.

------
droopyEyelids
The whole "scrutinize for legality" bit is overwrought and makes me question
this whole thing. Are we to expect that every request has been established as
perfectly legal? No. Dropbox isn't big enough to fight the government in
court, and the legality of FISA requests hasn't been definitively established.

~~~
ihsw
The scrutinization is first and foremost for the protection of Dropbox, and
user privacy is secondary. Always gotta look out for #1.

------
varjag
IMHO the 2nd line is the most interesting part here. There's a substantial
interest in user data by other nations, a fact overshadowed by the Snowden-NSA
affair.

A bit of cold shower if you think hosting abroad is a viable solution to data
privacy. You have nowhere to go.

------
serf
"are committed to giving notice to users when their accounts are identified in
a law enforcement request."

Does this mean that the account holder will personally be told by Dropbox, or
that we're being told by being shown this data?

------
nadaviv
> This report doesn't include national security requests ... the government
> allows services to disclose only the aggregate number of all law enforcement
> and national security requests received

So does the total number include NSRs or not?

~~~
chris24
It does not. Further down the page, they link to a document [1] that states
that they would be required to report NSRs and law enforcement requests
(combined) in ranges of 1,000, if they wanted to include the NSRs.

1 -
[https://dt8kf6553cww8.cloudfront.net/static/docs/DropboxFISC...](https://dt8kf6553cww8.cloudfront.net/static/docs/DropboxFISCBrief-vflkjalRT.pdf)

------
KaiserPro
Dropbox isn't particularly secure in the first place, so I doubt the NSA needs
to ask for any information. Especially as most of the auth is done over
SSL/HTTP.

------
chancancode
So, they are publishing this without the NSRs today, so we can diff it against
future reports, is that the idea?

~~~
rdl
Doesn't help, because the most plausible number is "0-1000" (which actually
means >0 and <1000, since =0 would be handled differently). They're not
allowed to report NSL+LE with more precision.

------
simplexion
...and that's why I use Spideroak.

~~~
Ygg2
... or keep a local copy in a different town.

