MEGA Transparency Report

MEGA is committed to maintaining industry-leading levels of security and confidentiality of user information and data.

Six Months ended 30th September 2022

What is transparency?

Transparency reports provide public information on compliance programmes and achievements. They demonstrate accountability and play a critical role in building trust with users, suppliers, regulators, employees, investors and the general public.

In accordance with its Privacy & Data Policy, Mega periodically publishes statistics on takedown requests, subscriber information disclosure and related issues. This is intended to provide transparency to Mega’s operating processes relating to privacy and to statutory compliance. Mega’s report confirms its zero tolerance for illegal activity.

This is the ninth transparency report published by Mega since it commenced operations in January 2013. The reporting cycle was changed from annual to six-monthly in March 2022.

About Mega

Mega currently has over 270 million registered users in more than 215 countries and territories. In total, Mega’s users have uploaded more than 130 billion distinct files.

In 2013, Mega pioneered user-controlled end-to-end encryption through the web browser. Today, it provides the same zero-knowledge privacy and security for its cloud storage and chat applications, whether through a web browser, mobile app, desktop app or command line tool. Mega The Privacy Company provides Privacy by Design based on the uncompromising use of zero-knowledge user-controlled end-to-end encryption, commonly known as E2EE.

All chat messages and files are fully encrypted on the user’s device before being sent to Mega, using random keys that are encrypted with the user’s password before the encrypted keys, chat messages and files get submitted to and stored on Mega. The password remains on the user’s device and is never sent to Mega, so chats and file contents can’t be read or accessed in any manner by Mega. Files can only be decrypted by the original uploader through a logged-in account or by other parties to whom the account holder has consciously provided the required file/folder keys.

Mega’s encryption is described in a Whitepaper[1] and is open to independent scrutiny because all client-side source code is published[2], allowing its correctness and integrity to be verified by researchers.

Mega stores very limited non-encrypted Personal Data, such as the user’s email address and some activity detail relating to account access, file uploads, shares, chats etc. A full description of the information Mega stores about a user and their activities on Mega’s system can be found in clause 8.3 of Mega’s Privacy & Data Policy.

The privacy provided by Mega is a valued service, necessary for personal, professional, business and government use. It is consistent with the Universal Declaration of Human Rights, Article 12:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence […].
Everyone has the right to the protection of the law against such interference […].

However, Mega has zero tolerance for illegal activity. While fiercely guarding the privacy of legitimate users, Mega will not be a haven for illegal activity.

Industry cooperation

Mega is an active member of leading industry bodies which seek to promote best practice for compliance activity and to assist with communications between platforms and with regulatory and enforcement agencies. Mega is a member of:

  • Global Internet Forum to Counter Terrorism (GIFCT)
  • The Tech Coalition
  • WeProtect Global Alliance
  • Asia-Pacific Financial Coalition Against Child Sexual Exploitation (APFC)

Mega is also a strong supporter of the ‘Principles to Counter Online Child Sexual Exploitation and Abuse’ issued in March 2020[3]. The Principles were produced by a working group of officials from New Zealand, Australia, the United Kingdom, the United States and Canada. Mega was one of the technology companies that provided supportive comments on the draft Principles during the consultation process.

Regulatory background

Mega was designed and is operated to ensure that it achieves the highest levels of compliance with regulatory requirements.

Mega’s services are governed by New Zealand law and users submit exclusively to the resolution of any disputes by arbitration under New Zealand law. Mega has sought extensive legal advice on its services from lawyers in New Zealand and various other jurisdictions in order to minimise the risk of non-compliance with regulatory requirements in the primary locations in which it operates.

Mega maintains market-leading processes for dealing with users who upload and share copyright infringing material or breach any other legal requirements. Mega cannot view or determine the contents of files stored on its system as files are encrypted by users before they reach Mega. However, if a user voluntarily shares a link (with its decryption key) to a folder or file that they have stored on Mega, then anyone with that link can decrypt and view the folder/file contents.

Mega policies

Copyright

Mega’s Terms of Service provide that copyright holders who become aware of public links to their copyright material can contact Mega to have access to the offending files disabled.

By complying with the relevant provisions of New Zealand’s Copyright Act, Mega is provided with a safe harbour, shielding it from liability for the material that its users upload and share using Mega’s services. Although not technically bound by US or EU law, Mega also complies with the conditions for safe harbour under the US Digital Millennium Copyright Act (DMCA) process and the European Union Directive 2000/31/EC.

Mega does this by allowing any person to submit a notice that their copyright material is being incorrectly shared through the Mega platform. When Mega receives such notices, it promptly processes them as detailed below, pursuant to Mega’s Terms of Service agreed to by every registered user. The number of files which have been subject to such takedown notices continues to be very small, indicative of a user base which appreciates the speed, flexibility and privacy of Mega’s systems for legitimate business and personal use.

The safe harbours in various jurisdictions require material to be removed or links disabled expeditiously. Some cloud storage providers target takedown within 24 hours. Mega targets takedown within a maximum of 4 hours, with most takedowns being actioned within minutes.

When designing and implementing its takedown policy and processes, Mega consulted with New Zealand law enforcement authorities. Mega has adopted policies and processes which it has been advised are consistent with their requirements[4].

Mega’s Terms of Service have to be acknowledged by every new user before their account activation can be completed. Those Terms make it very clear (e.g., in clauses 15.7 and 17-20) that Mega won’t tolerate infringement or any other illegal activity. However, it is impossible for Mega to review content uploaded by users, as it is encrypted on the user’s device before it is sent to Mega.

It is also logistically impossible for any cloud storage service (or indeed any other service provider in the Internet chain, such as an ISP) to review all uploaded content due to the massive volume of data that flows through these services. For example, Mega’s users upload approximately 65 million distinct files per day: 750 files per second on average. The infeasibility of policing user uploads has been clearly recognised in numerous court cases around the world.

Even if content could be reviewed, in many cases it would not be possible to determine whether it is infringing or not as the owners of many copyright items provide the user with a licence to make a backup copy, so uploading it to a cloud storage service would not be infringing. Also, statutory provisions such as Fair Use mean that a storage provider such as Mega cannot determine whether a stored file is infringing copyright.

Other similar cloud storage services are in the same position and don’t attempt to assess the copyright status of uploaded materials.

Objectionable (illegal) content –
Child Exploitation Material, Violent Extremism, Bestiality, Zoophilia, Gore, Malware, Hacked/Stolen Data, Passwords

Mega does not condone, authorise, support or facilitate the storage or sharing of Child Exploitation Material (CEM), also known as Child Sexual Abuse Material (CSAM), or other objectionable material as defined in section 3 of the New Zealand Films, Videos, and Publications Classification Act 1993, or other Internet-harming material, including as defined by the Harmful Digital Communications Act 2015. Mega has zero tolerance for users sharing such material. Users can submit reports of links to objectionable material by email to abuse@mega.nz.

Any reports of such content result in immediate deactivation of the folder/file links, closure of the user’s account and provision of the details to the New Zealand Government Authorities for investigation and prosecution.

The objectionable content shared by Mega users is generally historic still images and videos but there is a growing incidence of teenage self-generated imagery, often without personal shame. This is still illegal, even if voluntarily produced, but in some cases it has resulted from adult coercion. There can be related extortion and so-called revenge sharing, after a relationship ends.

Mega processes for compliance matters

Requests for removal of copyright content

Mega’s approach to dealing with requests for the takedown of content uploaded by its users (as well as requests for the disclosure of user information and data) is set out in its Takedown Guidance Policy.

Mega accepts takedown notices via a dedicated web page[5] or by email to copyright@mega.nz.
Requests are promptly processed without reviewing their validity[6].

The rights holder is able to specify one of three outcomes for file links:

  1. Removal of just a specified link to the file: – the file will remain in the user’s account;
  2. Removal of all links to the file: – the file will remain in the user’s account;
  3. Removal of all links to and all instances of the file: – there is no user permitted to store this file under any circumstance worldwide.

Folder links often refer to a large number of files, of which only some may be claimed to be infringing files. If the person requesting the takedown doesn’t provide identification of the infringing file or files within the folder, Mega will disable the reported folder link as folder contents can change. This means that the folder and its files will remain active in the user’s account. This would be the same as option (1) above in respect of file takedown requests.

The number of unique takedown requests submitted represents a very small percentage of the total number of files stored on Mega.

Table 1 – Copyright takedowns
  Copyright takedown requestsLinks taken down
/ Total Files
Total files (Billion)
2020Q4504,0810.0006%89.5
2021Q1532,7480.0006%95.7
 Q2554,6600.0005%101.5
 Q3746,3360.0007%107.0
 Q4629,2570.0006%112.3
2022Q11,187,6460.0010%117.6
Q2262,8880.0002%122.7
Q3276,9010.0002%127.9
Figure 1 – Counter Notices to dispute a copyright takedown

Counter notices

Mega receives counter-notices from some users who dispute the validity of a copyright takedown. These counter-notices are processed in accordance with safe harbour requirements, whereby the link will be reinstated unless the complainant gives notice of legal proceedings. Unfortunately, some content owners and agents trawl the Internet using robots which generate incorrect notices on behalf of copyright owners, and some fail to review the specific link content or to determine whether it is actually a live link.

Figure 1 – Counter Notices to dispute a copyright takedown

Repeat infringers

Mega suspends the account of any user with three copyright takedown strikes within six months. In some cases, the account can be reinstated after it is proved to be the subject of invalid takedown notices, but most suspended accounts are terminated. As at 30th September 2022, Mega had suspended 152,410 users for repeated copyright infringement. The data below shows that suspensions are a very small % of the number of registered users.

Table 2 – Copyright suspensions
YearQuarterNumber of users suspended% of registered users
2020Q41,7300.001%
2021Q12,5310.001%
 Q23,0070.001%
 Q32,4480.001%
 Q42,1980.001%
2022Q12,0330.001%
Q21,6900.001%
Q31,6760.001%
Figure 1 – Counter Notices to dispute a copyright takedown

Objectionable activity

During the 9.5 years to 30th September 2022, Mega has closed 972,000 accounts for sharing objectionable content. Details of every illegal link and of every related account that was closed were provided to the New Zealand Government and relevant international authorities for investigation and prosecution.

Figure 1 – Counter Notices to dispute a copyright takedown

Mega has commenced a new process to download the content of public links[7] that are reported to contain illegal content such as CSAM, to a server controlled by the New Zealand Government. Hashes are calculated for each downloaded file and then compared to hash sets provided by Interpol and NCMEC. Details of files that match the hashes of illegal content are then passed to Mega so the files can be removed from any account that has imported the file from the original public link. Those users are given a final warning, and the accounts are closed for any users who have on-shared the illegal content.

This process resulted in the closure of 99,000 accounts during Q3 2022.

Mega records its compliance activity relating to objectionable (illegal) activity in various categories. Details of major categories are shown below.

Figure 1 – Counter Notices to dispute a copyright takedown
Figure 1 – Counter Notices to dispute a copyright takedown
Figure 1 – Counter Notices to dispute a copyright takedown
Figure 1 – Counter Notices to dispute a copyright takedown
Figure 1 – Counter Notices to dispute a copyright takedown

Identification of objectionable content

Mega receives a few reports of CSAM links from international NGOs (such as reporting hotlines) and from law enforcement agencies, but most are submitted by private individuals who have noticed the links, with an associated description, being openly shared on public forums. Anyone with the link, including the decryption key, can download the content so Mega immediately disables the link and closes the user’s account.

Figure 1 – Counter Notices to dispute a copyright takedown
Figure 1 – Counter Notices to dispute a copyright takedown

Appeals

Appeals against account closure for holding alleged objectionable material are referred to the New Zealand Authorities for adjudication of the content. The account can be reinstated if the content is determined to be not illegal. Very few accounts have been reinstated after an appeal.

Figure 1 – Counter Notices to dispute a copyright takedown

Response to International Law Enforcement Agencies

Mega is ‘The Privacy Company’ and values the privacy of its users. We are committed to maintaining industry-leading levels of security for, and confidentiality of, user data and information. In considering any request for access to such data or information, Mega starts from the position that user data and information is private and should always be protected to the greatest extent possible.

However, privacy and protection of user information and data are not absolute rights and are subject to some limitations, such as in cases of illegal activity.

The basis on which Mega may, in extremely limited situations, disclose user information and data is set out in Mega’s Takedown Guidance Policy.

Unless an Emergency Response (as defined below) is required, or disclosure is necessary in relation to an investigation involving CSAM or violent extremism, Mega will generally only provide user data or information when required to do so by New Zealand law, or by a New Zealand court or law enforcement authority with appropriate jurisdiction. Mega may consider requests made by non-New Zealand law enforcement authorities.

Mega defines Emergency Response as a situation where Mega has written assurance from a senior officer of the New Zealand Police or similar law enforcement officer or authority acceptable to Mega that in the expert judgment of such person there are valid reasons to believe that disclosure is necessary to prevent or lessen a serious threat (as defined in section 7(1) of the Privacy Act 2020) to:

  • public health or public safety; or
  • the life or health of an individual or individuals;

and the person giving such assurance confirms in writing that the threat is of such urgency that there is no time to obtain a production order or other court order.

If satisfied as to the above, Mega may, at its discretion, accept the request in good faith.

When Mega accepts a request, Mega will provide advance notice to the affected user unless prohibited by a court order or where Mega decides delayed notice is appropriate, based on criteria described in our Privacy & Data Policy.

Although all files stored on Mega are encrypted prior to being uploaded to our system, and we therefore cannot access that content unless we are provided with the decryption key, Mega does have access to user registration information and the IP addresses used to access our services. A full description of the information Mega can retrieve about a user and their activities on our system can be found in clause 8.3 of our Privacy & Data Policy.

Mega provides Basic Subscriber Information to Law Enforcement agencies in countries with a democratically elected government and demonstrated legal systems, in cases of serious illegality.

The chart below shows the number of requests for Basic Subscriber Information that have been processed for law enforcement agencies.

Figure 1 – Counter Notices to dispute a copyright takedown

Metadata provided by Mega has resulted in a significant number of arrests of perpetrators, and rescue of children at risk of imminent harm.

Interpol and other agencies released publicity in March 2022, noting that an international operation coordinated by Mega and the New Zealand authorities had resulted in 146 children being rescued from imminent harm. There were 43 arrests in New Zealand and a much larger number of arrests in other countries.

Legal orders

During the six months ended 30th September 2022, Mega was subject to 13 legal orders from New Zealand authorities and then disclosed account metadata for the relevant user accounts which are alleged to be involved in serious criminal activity, either in New Zealand or overseas, relating to those orders.

Table 3 – Legal orders
Originating CountryAlleged criminalityNumber of Orders/WarrantsOutcome
New ZealandHacking and Violent Extremism9Metadata Supplied
IrelandCSAM1Metadata Supplied
NetherlandsHacking2Metadata Supplied
FranceHacking1Metadata Supplied
Figure 1 – Counter Notices to dispute a copyright takedown

In addition, many law enforcement agencies supplied subpoenas and search warrants produced by their local courts, apparently generated to provide local authority for the agency to obtain information. Unless processed through the lengthy MLAT process, these warrants have no application to foreign entities, such as Mega Limited, which is a New Zealand-registered company. We advise such agencies that Mega is not subject to their domestic laws or domestic court orders. However, in cases of serious criminality, including child sexual abuse allegations, Mega may supply metadata without a warrant, as specified in its Takedown Guidance Policy.

Other requests for personal information

During the six months to 30th September 2022, there were also 23 private requests for subscriber information. They were all declined by Mega, to preserve user privacy, as they did not meet the necessary requirements set out in Mega’s Takedown Guidance Policy.

Figure 1 – Counter Notices to dispute a copyright takedown

GDPR

The General Data Protection Regulation in Europe came into force in May 2018. Mega didn’t need to make any substantial disclosure or make changes to its operations as privacy has been at the core of Mega’s operations since it commenced in 2013.

In May 2018, we introduced a feature to allow users to download Personal Data relating to their account. The number of requests increased significantly in the second half of 2021, but we are not aware of any specific reason.

Figure 1 – Counter Notices to dispute a copyright takedown

Personal Data is retained indefinitely while the user’s account is open. After account closure, Mega will retain all account information as long as there is any law enforcement request pending, but otherwise for 12 months after account closure, as users sometimes request that an account be re-activated.

After 12 months, identifying information, such as email and IP addresses, is anonymised (except where email address records are retained for reference by the user’s contacts or where the user has participated in chats with other Mega users), but other related database records may be retained. This includes records of financial transactions relating to a user’s account where Mega is legally required to retain such information.

When a user deletes a file, that file becomes inaccessible, is marked for deletion and is then deleted fully from the Mega system when the next appropriate file deletion purging process is run. After account closure, all stored files will be marked for deletion and deleted fully when the next appropriate file deletion purging process is run.

Mega Limited, as controller, is represented in Europe by

Mega Europe sarl
202, Z.A.E. WOLSER F
L-3290 Bettembourg, Luxembourg
gdpr@mega.nz

The Lead Data Protection Supervisory Authority is the Luxembourg National Commission for Data Protection. This is the appropriate authority for accepting GDPR complaints about Mega.

National Commission for Data Protection
15, Boulevard du Jazz
L-4370 Belvaux, Luxembourg
https://cnpd.public.lu

Definition of terms

Mega uses the term Child Sexual Abuse Material (CSAM) to refer to photos, videos and documents relating to sexually explicit images of, or conduct of, a child, consistent with the ECPAT 2016 Luxembourg Guidelines[8]. This is broadly equivalent to terms used by other platforms, such as Child Sexual Exploitation and Abuse (CSEA) and Child Sexual Exploitation and Abuse Imagery (CSEAI).

Law Enforcement Agencies (LEA) include police and other relevant investigation and prosecution agencies.

Suspension means closing a user’s account permanently.

References

[1] https://mega.io/SecurityWhitepaper.pdf

[2] https://mega.io/sourcecode

[3] www.dia.govt.nz/Voluntary-Principles-to-Counter-Online-Child-Sexual-Exploitation-and-Abuse

[4] https://mega.io/terms

https://mega.io/takedown

https://mega.io/copyright

[5] https://mega.io/copyrightnotice

[6] It is impossible to review the validity as the file contents are user–encrypted (unless the user has published or provided the encryption key), and also due to the uncertainties of copyright status, as noted above.

[7] Provided the encryption key is included in the report.

[8] https://ecpat.org/luxembourg-guidelines/

Download current/previous reports (pdf) or data in current report (xlsx)