National Security Letters and FISA orders: demands Dropbox can barely acknowledge
2013–2014
Dropbox is subject to National Security Letters and FISA orders that arrive with gag provisions barring it from disclosing even that it received them; the most it can publish is a band such as '0–249' national-security requests.
What happened
Beyond ordinary criminal process, US providers can receive National Security Letters (NSLs) and orders issued under the Foreign Intelligence Surveillance Act (FISA). These instruments routinely come with non-disclosure obligations that prevent the recipient from confirming the request — or even its existence — to the affected user or the public. Dropbox's 2013 Transparency Report was its first to address national-security requests, and even then the law permitted it to say only that it had received somewhere in the range of 0–249 such requests, affecting a similar range of accounts.
That banded, vague reporting is itself the product of a 2014 settlement. After Edward Snowden's disclosures, technology companies pressed the secret FISA court for the right to publish national-security request figures, arguing the gag rules violated their First Amendment rights. In January 2014 the Justice Department agreed to a compromise: companies could report national-security demands only in broad bands and with a delay. The companies dropped their suits in exchange.
The result is a permanent transparency gap. For the category of government access that worries privacy advocates most, Dropbox is legally forbidden from telling users the precise truth.
Impact
NSLs and FISA orders are the part of the surveillance picture users can never fully see. Because the gag provisions can be indefinite, a Dropbox user whose data was swept up under a national-security demand may never be notified, and the public can only ever read an order-of-magnitude band. This is not evidence that Dropbox volunteers data — the documented fact is the opposite, that it litigated for more disclosure — but it is a structural limit on accountability for any US cloud provider.