Tumblr's Transparency Report

At Tumblr, we believe it’s important to provide everyone – from occasional visitors to our most active community members – with an open, safe, and transparent platform for self-expression.

Consistent with our core principles, we’d like to shine some light on an issue that is deeply important to both our community and the greater public: government requests for user information.

Like many Internet platforms, Tumblr received requests for user information in 2013 from U.S. and non-U.S. government agencies. To help make sure that such requests are precise and lawful, last year we published Law Enforcement Guidelines, which provide government agencies with strict guidance on how to submit requests. Even so, sometimes we receive government requests that are unclear, overbroad, or defective. In those cases, and in accordance with recognized laws and our policies, we push back on behalf of our users.

For the sake of transparency, and to ensure that our users are well informed, we’re publishing a series of posts on this blog explaining how, when, and why governments requested information about Tumblr users in 2013, and how we responded to those requests. These posts, which together comprise our 2013 Law Enforcement Transparency Report, cover the following topics:

• Tumblr’s Process and Policies
• Transparency Report Data
• Providing User Notice
• National Security Issues

Going forward, we plan to publish a transparency report here every six months.

As always, we welcome your feedback: ask us your questions via the Ask feature on this page, or share comments/suggestions by emailing us at policy@tumblr.com.

When we say that Tumblr receives requests for user information from U.S. and non-U.S. government agencies, what do we mean? Here are a few examples of what governments may ask us to provide, along with relevant context:

• A local sheriff’s office may request copies of messages posted by a cyber-harasser, as evidence in a criminal prosecution.

• The FBI may request the IP address of a user suspected of computer hacking, in order to locate the user’s server.

• A foreign government official may request the IP address of a user involved in a medical emergency, in order to get that user appropriate help.

Because Tumblr’s headquarters is located in the United States, in New York City, New York, and we have no foreign offices, the vast majority of requests we receive originate in the U.S. Law enforcement officials in the U.S. may be authorized by law to obtain user information (e.g., a private message or IP address) from service providers like Tumblr after sending us lawful subpoenas, court orders, and search warrants. Each request is subject to different legal requirements, and authorizes the release of different types of information.

We require non-U.S. governments to issue their requests to us through something called a “Mutual Legal Assistance Treaty” (MLAT) or a “letter rogatory.” A U.S. court must review foreign requests submitted through these channels, to ensure that they are consistent with U.S. laws and standards.

Finally, in the interest of public safety and, in particular, the safety of our users, we may voluntarily disclose user information to appropriate government officials if we believe it’s necessary to prevent an emergency involving death or serious physical injury. In 2013, the vast majority of these voluntary emergency disclosures originated from members of the Tumblr community who notified government officials that another user might be attempting to commit suicide. In such cases, we may disclose limited information, such as an IP address, so that officials can locate the user and provide him or her with immediate assistance.

So, how do we evaluate these government requests? As explained in our Law Enforcement Guidelines, our legal department makes sure that all government requests for user information are issued for lawful purposes, through lawful means, and respect basic principles of free expression. In light of our standards, here are a few examples of requests with which we do not comply:

• Requests that are unlawful, like requests for user content that are sent as simple emails or faxes, without supporting legal paperwork such as a search warrant.

• Requests that are vague or inaccurate, like requests for user information that include only a user’s real name (which we don’t know anyway) rather than referring to a specific Tumblr URL.

• Requests that we believe are too broad or do not respect our users’ Fourth Amendment rights, like requests for user content via a subpoena, rather than a search warrant based on probable cause.

We also strongly believe in providing our users with (1) notice that we’ve received requests for their information, and (2) an opportunity to challenge those requests. Our notice policy is discussed in greater detail in our post on providing user notice.

In 2013, we received 462 requests from government agencies for information corresponding to 529 Tumblr URLs. In the next few posts, we will explain how we evaluated and responded to these requests.[1]

When reviewing this information, please keep in mind a few important points:

• Account data includes registration email address, how long a Tumblr account has been registered, login IP address, and IP address used to make a post.

• Blog content includes the posts made to a blog, both public or private. Posts can be one of Tumblr’s seven post types, including text, audio, images, or videos.

• In cases in which we produced blog content, we also produced account data. So the “Blog Content Produced” category is a small subset of the “Account Data Produced” category.

Consistent with our commitment to transparency with our users, we believe it’s important for them to know when their accounts have been targeted by a law enforcement request. As explained in our Law Enforcement Guidelines, our policy is to notify users of any request for their account information by providing them with a notice letter and a copy of the legal process we received, as well as a reasonable period of time to challenge the request in court.

Note, though, that if a request is coupled with a non-disclosure order, we are legally prohibited from notifying the targeted user. A judge may issue a non-disclosure order if the judge concludes that providing the user with notice could lead to the destruction of evidence, an attempt by the user to escape law enforcement, or could cause some other major impediment to the investigation.

Additionally, under our policies, we may not provide notice in emergency situations where we, in conjunction with government officials, conclude that the additional time required to provide notice prior to the production of information might lead to imminent death or serious bodily injury. This has been primarily in cases when a user posted a credible suicide note, and we were asked to disclose limited account data to help officials locate the user and provide him or her with immediate medical help.

Finally, exceptional cases arise that present a serious threat to public safety, such as cases involving impending violent crimes or harm to minors. In such cases, we generally do not provide notice to users, because we believe the interest in protecting the public outweighs the interest in providing notice.