Dropbox - Transparency Report (dropbox.com)
141 points by lispython on Sept 24, 2013 | hide | past | favorite | 61 comments


What a complete bullshit -

> * This report doesn't include national security requests.

What good is this "Transparency Report" if it excludes an unspecified number of arbitrarily wide secret information access requests? The one kind that actually ignited the fire under Dropbox's ass.

How can they seriously think this could calm and reassure anyone who cares about privacy of their data held with Dropbox?


Imagine yourself in Dropbox's shoes. Do you personally want to go to jail for fighting for freedom against NSA, or do you prefer to move from this country to another (where some other agency will fuck you the same way)?

When people focus their disappointment on companies that are forced to comply you get civil war while the real aggressor is just laughing at you. Let's instead focus on how government got so much brutal power, how we can possibly reduce it and prevent it from increasing again in the future. That's the real issue here.


The OP doesn't have a problem understanding _why_ Dropbox has done this, he is highlighting the fact that this transparency report is definitely not a transparency report, and is therefore useless.


You are missing the point.

If a company publishes a "Transparency Report" that is woefully incomplete, they shouldn't call it a "Transparency Report", should they now? They effectively fudge the numbers to make things look better than they are.


Are things either completely transparent or opaque? Can I still call my motorbike's windscreen that, even though it only blocks a very small amount of wind? Should people below median height be allowed to say how "tall" they are?


I agree. However, it's called "Transparency Report" and not "This is the best we can tell you to avoid jail" to avoid jail. Alternative would be not to publish anything. Any freedom-fighting statement (while straight to the point and honorable) is a quick suicide. Point me to a business in US which openly opposes core government institutions and does well.


When the alternative is to not post the report at all, I think I'll take the chance.


So your complaint is that they didn't name it well enough? Not that they didn't make it clear in several places that this doesn't include national security requests, which they are legally obligated not to provide.


"or do you prefer to move from this country to another (where some other agency will fuck you the same way)?"

I'm sorry, but that won't happen to you in a lot of other countries. Even with data retention in the European Union there's still no such thing as an NSL in most European countries.


In another country you are a foreigner, which means you have many more troubles with the government and less freedom than local citizens.


Perhaps their goal is not to "calm and reassure". Perhaps their goal is to be as transparent as legally possible. In the legal brief they include an exhibit showing how their transparency report would have looked if they had included the national security requests -- go read it and tell me if you think it is more "reassuring".


Did you even read the page?

> This report doesn't include national security requests. We want to report the exact number of national security requests we receive, if any. Unfortunately, the government allows services to disclose only the aggregate number of all law enforcement and national security requests received (and even then the disclosure must be in large bands). A report in that form decreases transparency, especially for companies that receive zero or very few national security requests.

They can't report on how many national security requests because they have to lump them in with regular law enforcement requests in bands of 1000. Since there were less than 1000, it would be 1-1000, and that's it. They're working on being able to release the exact number, so they had to file a brief with FISA.


this is explained in the document they link to. quote:

Had Dropbox received just one national-security request [... the report would] look like this:

Jan-Dec 2012 United States 1-1000

Reporting in this way decreases transparency. [...] It would also obfuscate the number of [...] requests [...] which were not sealed and are in the public record.

so they are arguing that you either get the numbers shown or 1-1000 and nothing else (which seems odd to me, as google seem to manage to show both - see my link below).

cut + paste from pdf not working so may be typos above. https://dt8kf6553cww8.cloudfront.net/static/docs/DropboxFISC...


Also, it looks like they're trying their best:

[Update - 9/23/2013] – Today we filed a legal brief asking the court to confirm that we have the right to report the number of national security requests we receive, if any. You can check out our brief here: Dropbox FISC Brief. We'll keep you updated about any developments.


You're falling for the assumption they want you to make.

They've phrased their document to suggest they have 1-1000 requests without actually saying it. For all we know they could have served thousands of requests last year but are using this as an excuse not to show that.


that would exceed google, which seems unlikely to me. https://www.google.com/transparencyreport/userdatarequests/U...


What good is a "Transparency Report" if it included that number? How would that change anything for those who care about the privacy of their data held in Dropbox?


This data was last updated in January, so it's not a reaction. Although it is certainly misleading.


"[Update - 9/23/2013] – Today we filed a legal brief asking the court to confirm that we have the right to report the number of national security requests we receive, if any."


So you expect them to answer every single conceivable question you could ever come up with. They made an attempt to produce information.


I believe huhtenberg's point is that it's the only question many of us are concerned about.

It would be as if a city fighting crime releases statistics on muggings but not homicides.


I don't know. I think it's important to know about:

"Today we filed a legal brief asking the court to confirm that we have the right to report the number of national security requests we receive, if any. You can check out our brief here: Dropbox FISC Brief. We'll keep you updated about any developments."

Maybe you don't find that information important, but I do.

huhtenberg's point is simply that he doesn't agree with the classification of the page. That it contains too much information, and cannot include other information.


Police chiefs don't usually worry about facing prison time if they reveal homicide statistics.


But they do fear politicians kicking their ass and ruining their lives if that information cost them elections. Also, strained metaphor is strained.

Fact is, that's not a Transparency Report, it's a PR Report, to make you feel better and not run away screaming. I've decided that Dropbox/Google Sync shouldn't be trusted for anything of any importance.


It's a report that spends most of its length telling you in some detail exactly what they can't legally tell you.

Considering how self-congratulatory HN readers are about this community's intelligence, you'd think more of them would be able to read between the lines.


A report telling me what it can't say is not precisely informative. Because I know that they can't tell me much about NSA.

Not to mention these two claims are contradictory:

"This report doesn't include national security requests."

"Unfortunately, the government allows services to disclose only the aggregate number of all law enforcement and national security requests received "

Does it include the NSA request, or not in the aggregate? First sentence says no, second implies yes.


Because I know that they can't tell me much about NSA.

You are not the world. You are not even most Dropbox users.


To recap, there are a few different types of requests.

There are warrants/court orders, which everyone is familiar with.

Then there are NSLs. Those usually come from the FBI, and with a gag order. These can be included in transparency reports in aggregate, which is what the numbers provided by Google etc (and presumably dropbox) show.

"By law, NSLs can request only non-content information, such as transactional records, phone numbers dialled or sender or recipient email addresses. They also contain a gag order, preventing the recipient of the letter from disclosing that the letter was ever issued."

Worse than the NSL is the FISA order. These are not included in any "transparency reports", and they do not have to target specific users. They allow surveillance without a warrant. They don't even have to be for seeking evidence related to a crime, and can be issued just for "intelligence gathering".

"And it's even worse for FISA subpoenas, which can be used to force anyone to hand over anything in complete secrecy, and which were greatly strengthened by Section 215 of the USA PATRIOT Act. The government doesn't have to show probable cause that the target is a foreign power or agent — only that they are seeking the requested records "for" an intelligence or terrorism investigation. Once the government makes this assertion, the court must issue the subpoena."

In short, none of these transparency reports are worth anything, because they don't acknowledge FISA requests.


> Worse than the NSL is the FISA order.

This right here is the contentious "Section 215", which is colloquially summarized as get everything, sort it later.

Its broad-sweeping and baseless nature is what's ruffling lots of feathers, and NSA's General Alexander praised it frequently in the much-reported congressional hearings from ~3 months ago.

The FISC has recently declassified their court opinion on it (they love it):

http://www.uscourts.gov/uscourts/courts/fisc/br13-09-primary...


Currently it is legal for a company to truthfully state that it has not received any NSLs. Therefore, we can assume any company that won't outright claim such a denial to have received at least one.


They've pretty much outright admitted to receiving them:

"We've urged the government to allow online services to disclose the exact number of national security requests received in a reporting period without revealing details about specific requests."


They usually remember to end these sentences with "...if any". :P


Absence of proof is not proof of absence.


Absence of proof in a place where you would expect to find proof is strong evidence of absence, though. A transparency report which includes sentences like "We want to report the exact number of national security requests we receive, if any" is a pretty blatant statement that the number is greater than zero.


What does "response rate" mean? The percentage of times you gave the asked for information to whomever it was that asked for it?

If so, how do you decide when to decline requests?

How often do you get a request, decline it, then get another request against the same user or account?


> How often do you get a request, decline it, then get another request against the same user or account?

Never thought of it. So it's possible to always give the information asked for and still keep the response rate below 1%!

"... and statistics".


[Update - 9/23/2013] – Today we filed a legal brief asking the court to confirm that we have the right to report the number of national security requests we receive, if any. You can check out our brief here: https://dt8kf6553cww8.cloudfront.net/static/docs/DropboxFISC.... We'll keep you updated about any developments.


"Transparency Report" is such a bullshit term. It doesn't tell us anything. So what if they provide a neat table with rows filled with some random numbers. At the end of the day you are letting somebody else keep your files and do what they want with it.


"This report doesn't include national security requests."

So the numbers are interesting and a good start but the good stuff is left out for the moment.


This is the case with most of these transparency reports. Even if they did report them, they would only be able to give very vague numbers, like "between 1 and 999" or the like. But yeah, more info is always better.


What about black boxes that capture all traffic going through their servers and send it all to the NSA? Would that count as just one request?


If, as a customer, you don't like what Dropbox, Google, Microsoft etc. are doing, then cast your economic vote and don't use the one product that represents the bulk of their revenue. Most companies earn most of their money from one, maybe two, products (focus on not using those). For Google, don't waste time with email, focus on search...and so on.

Google: Search
Microsoft: Office
Dropbox: File sync/sharing
etc.

You don't have to go cold turkey, but it's easy enough to switch one at a time. Help other people (friends/family/etc.) to switch as well. Big changes happen one person at a time.

More importantly, you will see change if a major corporation sees a threat to their revenues.

Cast your economic vote. Repeat. Encourage others to do so as well.


Or, if you're capable of reading between the lines, you as a citizen can recognize that expecting other people to risk prison time for your approval is entitled cowardice, and that you should be giving your government Hell for the laws in question.


Totally, let me just go and tell my lobbyist to petition them... oh wait.

Giving the government hell is all well and good, but it is unlikely to cause much in the way of change. If businesses start to feel the pain on the other hand, then they have the incentive to challenge the government about the massive monetary losses they face because the government fucked up the internet. Both giving the government hell and boycotting compromised services are valid ways of fighting back.


Yes, you and your friends boycotting companies is going to make them desperate enough for their executives to risk prison time in order to win you back.

Good luck with that.


But the issue is that I don't know what exactly they are doing, and don't have the means to find out. For example, I don't know whether they provided a backdoor, how wide that backdoor is, i.e. at how many places my Dropbox files are, for example.


Publishing a transparency report is an excellent step and it doesn't deserve this sort of comment. Government surveillance is a policy issue first and foremost; concentrating on consumer tech companies is but an attention-seeking technique to make the news more palatable to casual readers. If corporate compliance bothers you then telecom companies ought to be at the top of the list, seeing as they never even mounted a single challenge, nor did they seek transparency.

If your reasoning is that they're not lobbying against this, then you're wrong. You can't expect people not to use the Facebooks or Apples, it's a policy issue. Pressure the government, vote for the right people.


From the brief [1]: "There is no statute, nor any other law, supporting the government’s demands."

Does it mean that essentially the companies are intimidated into complying without the rule of law? Under what law, and what sanctions do they face, if full statistics are published?

[1] https://dt8kf6553cww8.cloudfront.net/static/docs/DropboxFISC...


Dropbox must feel like a godsend for the NSA. The files of millions of people from around the planet, conveniently sitting there for the taking (without anyone even knowing).

I truly love this country, but this progress is worrying.


It is a push to allow Dropbox to publish the NSR numbers. It is also a public relations campaign. Uncertainty can hurt your business.


The whole "scrutinize for legality" bit is overwrought and makes me question this whole thing. Are we to expect that every request has been established as perfectly legal? No. Dropbox isn't big enough to fight the government in court, and the legality of FISA requests hasn't been definitively established.


The scrutinization is first and foremost for the protection of Dropbox, and user privacy is secondary. Always gotta look out for #1.


IMHO the 2nd line is the most interesting part here. There's a substantial interest in user data by other nations, a fact overshadowed by the Snowden-NSA affair.

A bit of cold shower if you think hosting abroad is a viable solution to data privacy. You have nowhere to go.


"are committed to giving notice to users when their accounts are identified in a law enforcement request. "

does this mean that the account holder will personally be told by Dropbox, or that we're being told by being shown this data?


> This report doesn't include national security requests ... the government allows services to disclose only the aggregate number of all law enforcement and national security requests received

So does the total number include NSRs or not?


It does not. Further down the page, they link to a document [1] that states that they would be required to report NSRs and law enforcement requests (combined) in ranges of 1,000, if they wanted to include the NSRs.

1 - https://dt8kf6553cww8.cloudfront.net/static/docs/DropboxFISC...


Dropbox isn't particularly secure in the first place, so I doubt the NSA needs to ask for any information. Especially as most of the auth is done over SSL/HTTP


So, they are publishing this without the NSRs today, so we can diff it against future reports, is that the idea?


Doesn't help, because the most plausible number is "0-1000" (which actually means >0 and <1000, since =0 would be handled differently). They're not allowed to report NSL+LE with more precision.


...and that's why I use Spideroak.


... or keep a local copy in a different town.



