Six Months ended 30th September 2023
Report issued 7th November 2023
What is transparency?
Transparency reports provide public information on compliance programmes and achievements. They demonstrate accountability and play a critical role in building trust with users, suppliers, regulators, employees, investors and the general public.
In accordance with its Privacy & Data Policy, Mega periodically publishes statistics on takedown requests, subscriber information disclosure and related issues. This is intended to provide transparency to Mega’s operating processes relating to privacy and to statutory compliance. Mega’s report confirms its zero tolerance for illegal activity.
This is the eleventh transparency report published by Mega since it commenced operations in January 2013. The reporting cycle was changed from annual to six-monthly in March 2022.
About Mega
Mega currently has over 290 million registered user accounts in more than 215 countries and territories. In total, Mega’s users have uploaded more than 150 billion distinct files.
In 2013, Mega pioneered user-controlled end-to-end encryption through the web browser. Today, it provides the same zero-knowledge privacy and security for its cloud storage and chat applications, whether through a web browser, mobile app, desktop app or command line tool. Mega The Privacy Company provides Privacy by Design based on the uncompromising use of zero-knowledge user-controlled end-to-end encryption, commonly known as E2EE.
All chat messages and files are fully encrypted on the user’s device before being sent to Mega, using random keys that are encrypted with the user’s password before the encrypted keys, chat messages and files get submitted to and stored on Mega. The password remains on the user’s device and is never sent to Mega, so chats and file contents can’t be read or accessed in any manner by Mega. Files can only be decrypted by the original uploader through a logged-in account or by other parties to whom the account holder has consciously provided the required file/folder keys.
Mega’s encryption is described in a Whitepaper[1] and is open to independent scrutiny because all client-side source code is published[2], allowing its correctness and integrity to be verified by researchers.
Mega stores very limited non-encrypted Personal Data, such as the user’s email address and some activity detail relating to account access, file uploads, shares, chats etc. A full description of the information Mega stores about a user and their activities on Mega’s system can be found in clause 8.3 of Mega’s Privacy & Data Policy.
Safety by design is incorporated into Mega’s planning for new features and products. This informs both client and back-end software design and processes.
The privacy provided by Mega is a valued service, necessary for personal, professional, business and government use. It is consistent with the Universal Declaration of Human Rights, Article 12:
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence […].
Everyone has the right to the protection of the law against such interference […].”
However, Mega has zero tolerance for illegal activity. While fiercely guarding the privacy of legitimate users, Mega will not be a haven for illegal activity.
Industry cooperation
Mega is an active member of leading industry bodies which seek to promote best practice for compliance activity and to assist with communications between platforms and with regulatory and enforcement agencies. Mega is a member of:
- Global Internet Forum to Counter Terrorism (GIFCT)
- The Tech Coalition
- WeProtect Global Alliance
- Asia-Pacific Financial Coalition Against Child Sexual Exploitation (APFC)
Mega is a member of the Christchurch Call, a community of over 120 governments, online service providers, and civil society organisations acting together to eliminate terrorist and violent extremist content online, with underlying commitments to human rights and fundamental freedoms, transparency, collaboration, research, and an effective appeals process. See https://www.christchurchcall.com/about/christchurch-call-text/
Mega is also a strong supporter of the ‘Principles to Counter Online Child Sexual Exploitation and Abuse’ issued in March 2020[3]. The Principles were produced by a working group of officials from New Zealand, Australia, the United Kingdom, the United States and Canada. Mega was one of the technology companies that provided supportive comments on the draft Principles during the consultation process.
Regulatory background
Mega was designed, and is operated, to ensure that it achieves the highest levels of compliance with regulatory requirements.
Mega’s services are governed by New Zealand law and users submit exclusively to the resolution of any disputes by arbitration under New Zealand law. Mega has sought extensive legal advice on its services from lawyers in New Zealand and various other jurisdictions in order to minimise the risk of non-compliance with regulatory requirements in the primary locations in which it operates.
Mega maintains market-leading processes for dealing with users who upload and share copyright infringing material or breach any other legal requirements. Mega cannot view or determine the contents of files stored on its system as files are encrypted by users before they reach Mega. However, if a user voluntarily shares a link (with its decryption key) to a folder or file that they have stored on Mega, then anyone with that link can decrypt and view/download the folder/file contents.
Mega policies
Copyright
Mega’s Terms of Service provide that copyright holders who become aware of public links to their copyright material can contact Mega to have access to the offending files disabled.
By complying with the relevant provisions of New Zealand’s Copyright Act, Mega is provided with a safe harbour, shielding it from liability for the material that its users upload and share using Mega’s services. Although not technically bound by US or EU law, Mega also complies with the conditions for safe harbour under the US Digital Millennium Copyright Act (DMCA) process and the European Union Directive 2000/31/EC.
Mega does this by allowing any person to submit a notice that their copyright material is being incorrectly shared through the Mega platform. When Mega receives such notices, it promptly processes them as detailed below, pursuant to Mega’s Terms of Service agreed to by every registered user. The number of files which have been subject to such takedown notices continues to be very small, indicating that the vast majority of users appreciate the speed, flexibility and privacy of Mega’s systems for legitimate business and personal use.
The safe harbours in various jurisdictions require material to be removed or links disabled expeditiously. Some cloud storage providers target takedown within 24 hours. Mega targets takedown within a maximum of 4 hours, with most takedowns being actioned within minutes.
When designing and implementing its takedown policy and processes, Mega consulted with New Zealand law enforcement authorities. Mega has adopted policies and processes which it has been advised are consistent with their requirements[4].
Mega’s Terms of Service have to be acknowledged by every new user before their account activation can be completed. Those Terms make it very clear (e.g., in clauses 15.7 and 17-20[5]) that Mega won’t tolerate infringement or any other illegal activity. However, it is impossible for Mega to review content uploaded by users, as it is encrypted on the user’s device before it is sent to Mega.
It is also logistically impossible for any cloud storage service (or indeed any other service provider in the Internet chain, such as an ISP) to review all uploaded content due to the massive volume of data that flows through these services. For example, Mega’s users upload approximately 65 million distinct files per day: 750 files per second on average. The infeasibility of policing user uploads has been clearly recognised in numerous court cases around the world.
Even if the content could be reviewed, in many cases, it would not be possible to determine whether it is infringing or not, as the owners of many copyright items provide the user with a licence to make a backup copy, so uploading it to a cloud storage service would not be infringing. Also, statutory provisions such as Fair Use mean that a storage provider such as Mega cannot determine whether a stored file is infringing copyright.
Other similar cloud storage services are in the same position and don’t attempt to assess the copyright status of uploaded materials.
Objectionable (illegal) content —
Child Exploitation Material, Violent Extremism, Bestiality, Zoophilia, Gore, Malware, Hacked/Stolen Data, Passwords
Mega does not condone, authorise, support or facilitate[6] Child Sexual Exploitation[7] or the storage or sharing of Child Exploitation Material (CEM)[8], also referred to as Child Sexual Abuse Material[8] (CSAM), or other objectionable material as defined in section 3 of the New Zealand Films, Videos, and Publications Classification Act 1993[9], or other Internet-harming material, including as defined by the Harmful Digital Communications Act 2015[10]. Mega has zero tolerance for users sharing such material. Users can submit reports of links to objectionable material by email to abuse@mega.nz.
Any reports of such content result in the immediate deactivation of the folder/file links, closure of the user’s account and provision of the details to the New Zealand Government Authorities, and other relevant international authorities, for investigation and prosecution.
The objectionable content shared by Mega users is generally historic still images and videos but there is a growing incidence of teenage self-generated imagery, often without personal shame. This is still illegal, even if voluntarily produced, but in some cases it has resulted from adult coercion. There can also be related extortion and so-called revenge sharing, after a relationship ends.
Mega processes for compliance matters
Requests for removal of copyright content
Mega’s approach to dealing with requests for the takedown of content uploaded by its users (as well as requests for the disclosure of user information and data) is set out in its Takedown Guidance Policy.
Mega accepts takedown notices via a dedicated web page[11] or by email to copyright@mega.nz.
Requests are promptly processed without reviewing their validity[12]. Two companies have executed agreements with Mega whereby they can directly enter takedown notices, without requiring further action by Mega staff. These companies are effectively ‘trusted flaggers’ for copyright reports.
The rights holder is able to specify one of three outcomes for file links:
- Removal of just a specified link to the file: — the file will remain in the user’s account;
- Removal of all links to the file: — the file will remain in the user’s account;
- Removal of all links to and all instances of the file: — there is no user permitted to store this file under any circumstance worldwide.
Folder links often refer to a large number of files, of which only some may be claimed to be infringing files. If the person requesting the takedown doesn’t provide identification of the infringing file or files within the folder, Mega will disable the reported folder link as folder contents can change. This means that the folder and its files will remain active in the user’s account. This would be the same as option (1) above in respect of file takedown requests. The number of unique takedown requests submitted represents a very small percentage of the total number of files stored on Mega.
Copyright takedown requests | Links taken down / Total Files | Total files (Billion) | ||
2020 | Q4 | 504,081 | 0.0006% | 89.5 |
2021 | Q1 | 532,748 | 0.0006% | 95.7 |
Q2 | 554,660 | 0.0005% | 101.5 | |
Q3 | 746,336 | 0.0007% | 107.0 | |
Q4 | 629,257 | 0.0006% | 112.3 | |
2022 | Q1 | 1,187,646 | 0.0010% | 117.6 |
Q2 | 262,888 | 0.0002% | 122.7 | |
Q3 | 276,901 | 0.0002% | 127.9 | |
Q4 | 377,574 | 0.0003% | 132.9 | |
2023 | Q1 | 342,668 | 0.0002% | 138.2 |
Q2 | 435,086 | 0.0003% | 144.0 | |
Q3 | 430,674 | 0.0003% | 149.9 |
Counter notices
Mega receives counter-notices from some users who dispute the validity of a copyright takedown. These counter-notices are processed in accordance with safe harbour requirements, whereby the link will be reinstated unless the complainant gives notice of legal proceedings. Unfortunately, some content owners and agents trawl the Internet using robots which generate incorrect notices on behalf of copyright owners, and some fail to review the specific link content or to determine whether it is actually a live link.
There are also cases where some parties deliberately issue false copyright takedown notices, for commercial competition or other reasons.
Repeat infringers
Mega suspends the account of any user with three copyright takedown strikes within six months. In some cases, the account can be reinstated after it is proved to be the subject of invalid takedown notices, but most suspended accounts are terminated. As at 30th September 2023, Mega had suspended 158,831 users for repeated copyright infringement. The data below shows that suspensions are a very small % of the number of registered users.
Year | Quarter | Number of users suspended | % of registered users |
2020 | Q4 | 1,730 | 0.0008% |
2021 | Q1 | 2,531 | 0.0012% |
Q2 | 3,007 | 0.0013% | |
Q3 | 2,448 | 0.0010% | |
Q4 | 2,198 | 0.0009% | |
2022 | Q1 | 2,033 | 0.0008% |
Q2 | 1,690 | 0.0007% | |
Q3 | 1,676 | 0.0006% | |
Q4 | 1,567 | 0.0006% | |
2023 | Q1 | 1,584 | 0.0006% |
Q2 | 1,479 | 0.0005% | |
Q3 | 1,791 | 0.0006% |
Objectionable activity
During the 11 years to 30th September 2023, Mega has closed 1.9 million accounts for sharing objectionable content. Details of every illegal link and of every related account that was closed were provided to the New Zealand Government and relevant international authorities for investigation and prosecution.
In 2022 Mega commenced a new process to download the content of public links[13] that are reported to contain illegal content such as CSAM, to a server controlled by the New Zealand Government. Hashes are calculated for each downloaded file and then compared to hash sets provided by Interpol and NCMEC. Details of files that match the hashes of illegal content are then passed to Mega so the files can be removed from any account that has imported the file from the original public link. Those users are given a final warning, and the accounts are closed for any users who have on-shared the illegal content.
This process resulted in the closure of 642,000 accounts during the six months to 30th September 2023.
Mega records its compliance activity relating to objectionable (illegal) activity in various categories. Details of major categories are shown below.
Identification of objectionable content
Mega receives a few reports of CSAM links from international NGOs (such as reporting hotlines) and from law enforcement agencies, but most are submitted by private individuals who have noticed the links, with an associated description, being openly shared on public forums. Anyone with the link, including the decryption key, can download the content so Mega immediately disables the link and closes the user’s account. Mega does not have any ‘trusted flaggers’.
Appeals
Appeals against account closure for holding alleged objectionable material are referred to the New Zealand Authorities for adjudication of the content. The account can be reinstated if the content is determined to be not illegal. Very few accounts have been reinstated after appeal.
Response to International Law Enforcement Agencies
Mega is ‘The Privacy Company’ and values the privacy of its users. We are committed to maintaining industry-leading levels of security for, and confidentiality of, user data and information. In considering any request for access to such data or information, Mega starts from the position that user data and information is private and should always be protected to the greatest extent possible.
However, privacy and protection of user information and data are not absolute rights and are subject to some limitations, such as in cases of illegal activity.
The basis on which Mega may, in extremely limited situations, disclose user information and data is set out in Mega’s Takedown Guidance Policy.
Unless an Emergency Response (as defined below) is required, or disclosure is necessary in relation to an investigation involving CSAM or violent extremism, Mega will generally only provide user data or information when required to do so by New Zealand law, or by a New Zealand court or law enforcement authority with appropriate jurisdiction. Mega may consider requests made by non-New Zealand law enforcement authorities.
Mega defines Emergency Response as a situation where Mega has written assurance from a senior officer of the New Zealand Police or similar law enforcement officer or authority acceptable to Mega that in the expert judgment of such person there are valid reasons to believe that disclosure is necessary to prevent or lessen a serious threat (as defined in section 7(1) of the Privacy Act 2020) to:
- public health or public safety; or
- the life or health of an individual or individuals;
and the person giving such assurance confirms in writing that the threat is of such urgency that there is not time to obtain a production order or other court order.
If satisfied as to the above, Mega may, at its discretion, accept the request in good faith.
When Mega accepts a request, Mega will provide advance notice to the affected user unless prohibited by a court order or where Mega decides delayed notice is appropriate, based on criteria described in our Privacy & Data Policy.
Although all files stored on Mega are encrypted prior to being uploaded to our system, and we therefore cannot access that content unless we are provided with the decryption key, Mega does have access to user registration information and the IP addresses used to access our services. A full description of the information Mega can retrieve about a user and their activities on our system can be found in clause 8.3 of our Privacy & Data Policy.
Mega provides Basic Subscriber Information to Law Enforcement agencies in countries with a democratically elected government and demonstrated legal systems, in cases of serious illegality.
The chart below shows the number of requests for Basic Subscriber Information that have been processed for law enforcement agencies.
Metadata provided by Mega has resulted in a significant number of arrests of perpetrators, and the rescue of children at risk of imminent harm.
Interpol and other agencies released publicity in March 2022, noting that an international operation coordinated by Mega and the New Zealand authorities had resulted in 146 children being rescued from imminent harm. There were 43 arrests in New Zealand and a much larger number of arrests in other countries.
Mega responds to Law Enforcement requests for subscriber account information as a priority. That is reflected in our response times. Reports from the pubic of objectionable content being shared are actioned at a similar speed.
Average Response Time (Hours) | Median Response Time (Hours) | ||
---|---|---|---|
2023 | 1st quarter | 0.63 | 0.32 |
2nd quarter | 0.66 | 0.34 | |
3rd quarter | 0.64 | 0.33 |
Some requests from law enforcement agencies are more complex than usual, resulting in the average being higher than the median.
Legal orders
During the six months ended 30th September 2023, Mega was subject to 8 legal orders from New Zealand authorities and then disclosed account metadata for the relevant user accounts which are alleged to be involved in serious criminal activity, either in New Zealand or overseas, relating to those orders.
There were also two Orders from overseas agencies, processed by New Zealand Police under the Mutual Assistance in Criminal Matters Act 1992, to disclose information relating to hacking cases.
Originating Country | Alleged criminality | Number of Orders/Warrants | Outcome |
New Zealand | Organised crime | 8 | Metadata Supplied |
Germany | Hacking | 1 | Metadata Supplied |
Poland | Hacking | 1 | Metadata Supplied |
In addition, many law enforcement agencies supplied subpoenas and search warrants produced by their local courts, apparently generated to provide local authority for the agency to obtain information. Unless processed through the lengthy Mutual Legal Assistance Treaty (MLAT) process, these warrants have no application to foreign entities, such as Mega Limited, which is a New Zealand-registered company. We advise such agencies that Mega is not subject to their domestic laws or domestic court orders. However, in cases of serious criminality, including child sexual exploitation and abuse allegations, Mega may supply metadata without a warrant, as specified in its Takedown Guidance Policy.
Other requests for personal information
During the six months to 30th September, there were also 56 private requests for subscriber information. One was provided after the applicant obtained a relevant court order. All the others were declined by Mega, to preserve user privacy, as they did not meet the necessary requirements set out in Mega’s Takedown Guidance Policy.
GDPR
The General Data Protection Regulation in Europe came into force in May 2018. Mega didn’t need to make any substantial disclosure or make changes to its operations as privacy has been at the core of Mega’s operations since it commenced in 2013.
In May 2018, we introduced a feature to allow users to download Personal Data relating to their account. The number of requests increased significantly in the second half of 2021, but we are not aware of any specific reason.
Personal Data is retained indefinitely while the user’s account is open. After account closure, Mega will retain all account information as long as there is any law enforcement request pending, but otherwise for 12 months after account closure, as users sometimes request that an account be re-activated.
After 12 months, identifying information, such as email and IP addresses, is anonymised (except where email address records are retained for reference by the user’s contacts or where the user has participated in chats with other Mega users), but other related database records may be retained. This includes records of financial transactions relating to a user’s account where Mega is legally required to retain such information.
When a user deletes a file, that file becomes inaccessible, is marked for deletion and is then deleted fully from the Mega system when the next appropriate file deletion purging process is run. After account closure, all stored files will be marked for deletion and deleted fully when the next appropriate file deletion purging process is run.
Mega Limited, as controller, is represented in Europe by
Mega Europe sarl
202, Z.A.E. WOLSER F
L-3290 Bettembourg, Luxembourg
gdpr@mega.nz
The Lead Data Protection Supervisory Authority is the Luxembourg National Commission for Data Protection. This is the appropriate authority for accepting GDPR complaints about Mega.
National Commission for Data Protection
15, Boulevard du Jazz
L-4370 Belvaux, Luxembourg
https://cnpd.public.lu
Definition of terms
Mega uses the term Child Sexual Abuse Material (CSAM) to refer to photos, videos and documents relating to sexually explicit images of, or conduct of or with a child, consistent with the ECPAT 2016 Luxembourg Guidelines[14]. This is broadly equivalent to terms used by other platforms, such as Child Sexual Exploitation and Abuse (CSEA) and Child Sexual Exploitation and Abuse Imagery (CSEAI).
Law Enforcement Agencies (LEA) include police and other relevant investigation and prosecution agencies.
Suspension means closing a user’s account permanently, unless reinstated by a successful appeal.
References
[1] https://mega.io/SecurityWhitepaper.pdf
[2] https://mega.io/developers
[3] www.dia.govt.nz/Voluntary-Principles-to-Counter-Online-Child-Sexual-Exploitation-and-Abuse
[5] Clauses 17.8 and 19-22 in the revised Terms effective from 25 November 2023.
[6] MEGA Terms of Service https://mega.io/terms and https://mega.io/takedown
[7] See https://ecpat.org/luxembourg-guidelines/
[8] See the Definition of terms section at the end of this report.
[9] https://www.legislation.govt.nz/act/public/1993/0094/latest/DLM312895.html
[10] https://www.legislation.govt.nz/act/public/2015/0063/latest/DLM5711810.html
[11] https://mega.io/copyrightnotice
[12] It is impossible to review the validity as the file contents are user–encrypted (unless the user has published or provided the encryption key), and also due to the uncertainties of copyright status, as noted above.
[13] Provided the encryption key is included in the report.