The Stored Communications Act: subscriber data on a subpoena, files on a warrant
1986 (governs Dropbox today)
Under the 1986 Stored Communications Act, US law enforcement can obtain a Dropbox user's basic subscriber records with a subpoena, account usage records with a court order, and the actual contents of their files with a search warrant — a tiered framework Dropbox publishes in its own guidelines.
What happened
The Stored Communications Act (SCA), part of the 1986 Electronic Communications Privacy Act, is the statute that governs when a provider like Dropbox must turn over user data. Dropbox's own law-enforcement guidelines lay out the tiers: a subpoena compels basic subscriber records (such as the email on the account, length of service, payment information and IP addresses); a court order under 18 U.S.C. 2703(d) compels non-content account usage records; and a search warrant is required to compel disclosure of content, meaning the user's files and filenames.
The same framework lets law enforcement send a preservation request that obliges Dropbox to retain a user's information for 90 days pending legal process, and an emergency-disclosure path lets data be released without a warrant when there is an imminent risk of serious harm or death. The SCA also supplies the gag-order mechanism (18 U.S.C. 2705(b)) that lets a court bar Dropbox from telling a user their account was targeted.
The practical takeaway is that the legal threshold to read a user's files is a warrant, not a mere request — but because Dropbox can decrypt those files, a warrant is sufficient to expose them. Nothing in the architecture prevents lawful disclosure of file content.
Impact
The SCA framework is what makes Dropbox's server-side encryption a privacy ceiling rather than a privacy guarantee: the company is legally able and obliged to produce decrypted file content on a valid warrant. For users, it clarifies that 'is my data private?' has a statutory answer — private from the public, reachable by the government with the right paper. The 90-day preservation and emergency-disclosure routes further widen the circumstances in which data moves to the government.