Six Months ended 30th June 2024
Report issued 7th November 2024
What is transparency?
Transparency reports provide public information on compliance programmes and achievements. They demonstrate accountability and play a critical role in building trust with users, suppliers, regulators, employees, investors and the general public.
Mega periodically publishes statistics on takedown requests, subscriber information disclosure and related issues. This is intended to provide transparency to Mega’s operating processes relating to privacy and to statutory compliance. Mega’s report confirms its zero tolerance for illegal activity.
This is the twelfth transparency report published by Mega since it commenced operations in January 2013. This report contains new data for the nine months from October 2023 to June 30, 2024. This is a longer period than the usual six months because we expect to report on a January-June and July-December basis going forward to ensure our compliance with anticipated transparency regulations.
About Mega
As at 30 June 2024, Mega had over 308 million registered user accounts in more than 215 countries and territories. In total, as at 30 June 2024, Mega’s users had uploaded more than 167 billion distinct files.
In 2013, Mega pioneered user-controlled end-to-end encryption through the web browser. Today, it provides the same zero-knowledge privacy and security across its cloud storage and chat applications, whether accessed via a web browser, mobile app, desktop app or command line tool. Mega The Privacy Company provides Privacy by Design based on the uncompromising use of zero-knowledge user-controlled end-to-end encryption, commonly known as E2EE.
All chat messages and files are fully encrypted on the user’s device before being sent to Mega, using random keys that are encrypted with the user’s password before the encrypted keys, chat messages and files get submitted to and stored on Mega. The password remains on the user’s device and is never sent to Mega, so chats and file contents can’t be read or accessed in any manner by Mega. Files can only be decrypted by the original uploader through a logged-in account or by other parties to whom the account holder has consciously provided the required file/folder keys by way of URL or otherwise.
Mega’s encryption is described in a Whitepaper[1] and is open to independent scrutiny because all client-side source code is published,[2] allowing its correctness and integrity to be verified by researchers.
On 19 December 2023, Mega launched MEGA VPN, a VPN service available to our Pro users and more recently to subscribers of MEGA VPN as a standalone product. We do not store content or data that is transmitted using MEGA VPN: it is a means of transmission only.
Mega stores very limited non-encrypted Personal Data, such as the user’s email address and some activity details relating to account access, file uploads, shares, chats, etc. A full description of the information Mega stores about a user and their activities on Mega’s system can be found in clause 8.3 of Mega’s Privacy & Data Policy.
Safety by design is incorporated into Mega’s planning for new features and products. This informs both client and back-end software design and processes.
The privacy provided by Mega is a valued service, necessary for personal, professional, business and government use. It is consistent with the Universal Declaration of Human Rights, Article 12:
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence […].
Everyone has the right to the protection of the law against such interference […].”
However, Mega has zero tolerance for illegal activity. While fiercely guarding the privacy of legitimate users, Mega will not be a haven for illegal activity.
Industry cooperation
Mega is an active member of leading industry bodies which seek to promote best practice for compliance activity and to assist with communications between platforms and with regulatory and law enforcement agencies. Mega is a member of:
- Global Internet Forum to Counter Terrorism (GIFCT)
- The Tech Coalition
- WeProtect Global Alliance
- Asia-Pacific Financial Coalition Against Child Sexual Exploitation (APFC)
Mega actively participates in the Lantern programme, managed by the Tech Coalition. Through this programme, participating companies can securely and responsibly share signals about accounts and behaviours associated with online child sexual exploitation and abuse (OCSEA), including the storage or distribution of Child Exploitation Material (CEM), also known as Child Sexual Abuse Material (CSAM).
Mega is a member of the Christchurch Call, a community of governments, online service providers, and civil society organisations acting together to eliminate terrorist and violent extremist content online, with underlying commitments to human rights and fundamental freedoms, transparency, collaboration, research, and an effective appeals process. See https://www.christchurchcall.org/the-christchurch-call-commitments/
Mega is also a strong supporter of the ‘Principles to Counter Online Child Sexual Exploitation and Abuse’ issued in March 2020.[3] The Principles were produced by a working group of officials from New Zealand, Australia, the United Kingdom, the United States and Canada. Mega was one of the technology companies that provided supportive comment on the draft Principles during the consultation process.
Regulatory background
Mega was designed, and is operated, to ensure that it achieves the highest levels of compliance with regulatory requirements. Mega’s services are governed by New Zealand law but, where applicable, we also ensure compliance with international regulatory regimes.
Mega maintains market-leading processes for dealing with users who upload and share copyright-infringing material or breach any other legal requirements. Mega cannot view or determine the contents of files stored on its system as files are encrypted by users before they reach Mega. However, if a user voluntarily shares a link (with its decryption key) to a folder or file that they have stored on Mega, then anyone with that link can decrypt and view/download the folder/file contents. The same applies to chat links. A member of a group chat with the appropriate access right can create a chat link, allowing anyone with that link to join, view, post and download the materials shared within the group chat.
Mega policies
Copyright
Mega’s Terms of Service expressly prohibit our users from using our services to infringe copyright or any other intellectual property rights. Copyright holders who become aware of public links to their copyright material can contact Mega to have access to the offending files disabled. Similarly, copyright holders with information indicating that MEGA VPN has been used to access infringing content can provide relevant details to us for actioning.
By complying with the relevant provisions of New Zealand’s Copyright Act, Mega is provided with a safe harbour, shielding it from liability for the material that its users upload and share using Mega’s services. Although not technically bound by US or EU law, Mega also complies with the conditions for safe harbour under the US Digital Millennium Copyright Act (DMCA) process and relevant European Union Directives.
Mega does this by allowing any person to submit a notice that their copyright material is being stored and/or shared through the Mega platform or accessed via MEGA VPN without authorisation. When Mega receives such notices, it promptly processes them as detailed below, pursuant to Mega’s Terms of Service agreed to by every registered user. File takedowns continue to target a very small portion of the files stored on Mega, indicating that the vast majority of users appreciate the speed, flexibility and privacy of Mega’s systems for legitimate business and personal use.
The safe harbours in various jurisdictions require material to be removed and links disabled expeditiously. Some cloud storage providers target takedown within 24 hours. Mega targets takedown within 4 hours, with most takedowns being actioned faster.
When designing and implementing its takedown policy and processes, Mega consulted with New Zealand law enforcement authorities. Mega has adopted policies and processes which it has been advised are consistent with their requirements.
Mega’s Terms of Service have to be acknowledged by every new user before their account activation can be completed. Those Terms make it very clear (e.g., in clauses 17.3, 17.8 and 22) that Mega won’t tolerate copyright infringement or any other illegal activity.
It is impossible for Mega to review content uploaded by users, as it is encrypted on the user’s device before it is sent to Mega. It is also logistically impossible for any cloud storage service (or indeed any other service provider in the Internet chain, such as an ISP) to review all uploaded content due to the massive volume of data that flows through these services. For example, Mega’s users upload approximately 65 million distinct files per day: 750 files per second on average. The infeasibility of policing user uploads has been clearly recognised in numerous court cases around the world.
Even if content could be reviewed, in many cases it would not be possible to determine whether it is infringing or not as the owners of many copyright items provide the user with a licence to make a backup copy, so uploading it to a cloud storage service would not be infringing. Copyright laws vary worldwide and different provisions may apply depending on where users are located, which is not always knowable. Also, statutory provisions such as Fair Use mean that a storage provider such as Mega cannot determine whether a stored file is infringing copyright.
Other similar cloud storage services are in the same position and don’t attempt to assess the copyright status of uploaded materials.
When using MEGA VPN, users do not store any content (infringing or otherwise) with Mega that can be taken down in response to notice from copyright holders. However, where we are alerted that a user has infringed copyright via MEGA VPN, they are given a warning and a strike is recorded against their account. In accordance with our repeat infringer policy, a user who receives three strikes within a six-month period (whether in relation to VPN, cloud storage, or both) will have their account terminated.
Objectionable (illegal) content: Child Exploitation Material, Violent Extremism, Bestiality, Zoophilia, Gore, Malware, Hacked/Stolen Data, Passwords
Mega does not condone, authorise, support or facilitate[4] Child Sexual Exploitation[5] or the storage or sharing of CEM/CSAM, other objectionable content as defined in section 3 of the New Zealand Films, Videos, and Publications Classification Act 1993,[6] or other harmful material, including as defined by the New Zealand Harmful Digital Communications Act 2015.[7] Mega has zero tolerance for users sharing such material. Users, law enforcement, or members of the public can report links to objectionable material to [email protected].
Any reports of such content result in immediate deactivation of the folder/file links and closure of the user’s account. We routinely provide details to New Zealand Government Authorities, and other relevant international authorities, for investigation and prosecution.
The objectionable content shared by Mega users is generally historic still images and videos. The content continues to include self-generated imagery which, in some cases, has resulted from adult coercion.
Mega processes for compliance matters
Requests for removal of copyright content
Mega’s approach to dealing with requests for the takedown of content uploaded by its users (as well as requests for the disclosure of user information and data) is set out in its Takedown Guidance Policy.
Mega accepts copyright takedown notices via a dedicated web page[8] or by email to [email protected].
Requests are promptly processed without reviewing their validity.[9] Four companies have executed agreements with Mega whereby they can directly enter takedown notices, without requiring further action by Mega staff. These companies are effectively ‘trusted flaggers’ for copyright reports.
1. Removal of just a specified link to the file: the file will remain in the user’s account;
2. Removal of all links to the file: the file will remain in the user’s account;
3. Removal of all links to and all instances of the file: there is no user permitted to store this file under any circumstance worldwide.
Folder links often refer to a large number of files, of which only some may be claimed to be infringing files. If the person requesting the takedown doesn’t provide identification of the infringing file or files within the folder, Mega will disable the reported folder link only as folder contents can change. This means that the folder and its files will remain accessible in the user’s account. This would be the same as option (1) above in respect of file link takedown requests.
The number of unique takedown requests submitted represents a very small percentage of the total number of files stored on Mega.
Year | Quarter | Copyright takedown requests | Links taken down / Total Files | Total files (Billion) |
---|---|---|---|---|
2020 | Q4 | 504,081 | 0.0006% | 89.5 |
2021 | Q1 | 532,748 | 0.0006% | 95.7 |
2021 | Q2 | 554,660 | 0.0005% | 101.5 |
2021 | Q3 | 746,336 | 0.0007% | 107.0 |
2021 | Q4 | 629,257 | 0.0006% | 112.3 |
2022 | Q1 | 1,187,646 | 0.0010% | 117.6 |
2022 | Q2 | 262,888 | 0.0002% | 122.7 |
2022 | Q3 | 276,901 | 0.0002% | 127.9 |
2022 | Q4 | 377,574 | 0.0003% | 132.9 |
2023 | Q1 | 342,668 | 0.0002% | 138.2 |
2023 | Q2 | 435,086 | 0.0003% | 144.0 |
2023 | Q3 | 430,674 | 0.0003% | 149.9 |
2023 | Q4 | 402,414 | 0.0003% | 155.6 |
2024 | Q1 | 846,463 | 0.0003% | 161.6 |
2024 | Q2 | 561,772 | 0.0003% | 167.5 |
VPN copyright infringement
From release of MEGA VPN on 19 December 2023 to 30 June 2024, we received and actioned 17 copyright infringement notices.
Year | Quarter | VPN copyright infringement notices |
---|---|---|
2023 | Q4 | 0 |
2024 | Q1 | 1 |
2024 | Q2 | 16 |
Counter-notices
Mega receives counter-notices from some users who dispute the validity of a copyright takedown. These counter-notices are processed in accordance with safe harbour requirements, whereby the link will be reinstated unless the complainant gives notice of legal proceedings. Unfortunately, some content owners and agents trawl the Internet using robots which generate incorrect notices on behalf of copyright owners, and some fail to review the specific link content or to determine whether it is actually a live link.
There are also cases where some parties deliberately issue false copyright takedown notices, for commercial competition or other reasons.
Since our last report, we have realised that our historical transparency reports contained incomplete data pertaining to copyright notice disputes due to an error in data extraction of which we were unaware. This issue has been resolved in the current report, which now includes a complete and accurate data set.
As can be seen, following the submission of a counter notice most of the links have been reinstated.
The increase in dispute numbers observed in Q3 and Q4 of 2023 was due to false copyright takedown notices submitted by malicious reporters using temporary email addresses to target some Korean users. We have addressed this issue by implementing an email verification process for the copyright notice submission system.
Repeat infringers
Mega suspends the account of any user with three copyright takedown strikes within six months (whether those strikes relate to file storage/sharing or VPN use). In some cases, the account can be reinstated after it is proved to be the subject of invalid takedown notices, but most suspended accounts are terminated. As at 30 June 2024, Mega had suspended 163,817 users for repeated copyright infringement. The data below shows that suspensions are a very small percentage of the number of registered accounts.
Year | Quarter | Number of users suspended | % of registered users |
---|---|---|---|
2020 | Q4 | 1,730 | 0.0008% |
2021 | Q1 | 2,531 | 0.0012% |
2021 | Q2 | 3,007 | 0.0013% |
2021 | Q3 | 2,448 | 0.0010% |
2021 | Q4 | 2,198 | 0.0009% |
2022 | Q1 | 2,033 | 0.0008% |
2022 | Q2 | 1,690 | 0.0007% |
2022 | Q3 | 1,676 | 0.0006% |
2022 | Q4 | 1,567 | 0.0006% |
2023 | Q1 | 1,584 | 0.0006% |
2023 | Q2 | 1,479 | 0.0005% |
2023 | Q3 | 1,791 | 0.0006% |
2023 | Q4 | 1,346 | 0.0005% |
2024 | Q1 | 2,312 | 0.0008% |
2024 | Q2 | 1,328 | 0.0004% |
Objectionable content
During the 11 years to 30 June 2024, Mega has closed 2.16 million accounts for sharing objectionable content. Details of every link to objectionable content and of every related account that was closed were provided to the New Zealand Government and relevant international authorities for investigation and prosecution.
In 2022, Mega commenced a process to download the content of public links[10] that are reported to contain objectionable content such as CSAM, to a server controlled by the New Zealand Government. Hashes are calculated for each downloaded file and then compared to hash sets provided by Interpol and NCMEC. Details of files that match the hashes of objectionable content are then passed to Mega so the files can be removed from any account that has imported the file from the original public link. Those users are given a final warning, and the accounts are closed immediately for any users who have on-shared the objectionable content.
This process was paused for technical reasons during the nine months to 30 June 2024. It has since been resumed and the number of accounts closed as a result will be included in our next Transparency Report.
Mega records its compliance activity relating to objectionable (illegal) content in various categories. Details of major categories are shown below.
Identification of objectionable content
Mega receives a few reports of CSAM links from international NGOs (such as reporting hotlines) and from law enforcement agencies, but most are submitted by private individuals who have noticed the links, with an associated description, being openly shared on public forums. Anyone with the link, including the decryption key, can download the content.
Upon receipt of reports of objectionable content, Mega immediately disables the link and closes the user’s account. Details are shared with New Zealand authorities. Mega does not have any ‘trusted flaggers’.
Signal sharing via Lantern
Mega proudly participates in the Lantern programme, which is managed by the Tech Coalition.
Sharing information across platforms (which is conducted in compliance with applicable data protection laws and is limited to information necessary to combat OCSEA) helps us to be more effective in our processes to remove illegal content and to take action on accounts storing or sharing such content. Lantern offers us a further means of identifying, addressing, and in some cases, preventing harmful or illegal conduct. We also want to do our part by helping other services to reduce this conduct on their platforms.
Our Terms of Service permit us to suspend or terminate access to our services if we receive credible information indicating that a user has shared or possessed CSAM through another online platform. Signals we receive via Lantern are considered credible information of this nature and are carefully triaged by our compliance team.
In the nine months to 30 June 2024, we:
- Disabled 16 URLs reported to us via Lantern; and
- Closed 5,121 user accounts relying on signals received via Lantern.
The signals we share with other companies through Lantern primarily consist of user email addresses, which we have verified as belonging to Mega users who have created links to CSAM. These links are being distributed publicly, sometimes advertised for sale or reported as circulating on other platforms.
In the nine months to 30 June 2024, we uploaded 23,895 signals to Lantern.
Accounts closed for other reasons
In addition to closing accounts for storing or sharing objectionable content, or for repeated copyright infringement, we close accounts for other harmful conduct and/or breaches of our Terms of Service.
In the nine months ending 30 June 2024, we closed 36,088 accounts in this ‘other’ category.
Appeals
We process reports of objectionable content in good faith based on information provided to us. From time to time, those reports may be inaccurate and result in wrongful suspension or termination of user accounts.
While users have always been entitled to contact us to challenge the suspension or termination of their account, in early 2024 we implemented a formal appeal process, allowing users to submit a form at mega.io/appeal. As can be seen, this has resulted in us receiving an increased number of appeals against account termination or suspension.
Appeals against account closure for holding alleged objectionable material may be referred to the New Zealand Authorities for adjudication of the content. The account can be reinstated if the content is determined to be not illegal.
Overall, very few accounts are reinstated after appeal. In Q4 2023, there were 6 appeals, with 4 terminated accounts reinstated. In Q1 2024, there were 61 appeals, of which 52 were successful and resulted in accounts being reinstated, representing 0.05% of terminated accounts that quarter. In Q2 2024, there were 151 appeals, of which 38 were successful and resulted in accounts being reinstated, representing 0.06% of terminated accounts.
A larger than usual number of accounts were reinstated in Q1 and Q2 of 2024. We attribute this to offering a formal process for appeal, and to a particular case where a number of accounts were incorrectly flagged as being associated with accounts identified as relating to LockBit ransomware. Due to that association, those accounts were suspended in the context of the LockBit takedown in February 2024, but wrongly identified accounts were restored in full when legitimate users appealed.
Response to International Law Enforcement Agencies
Mega is ‘The Privacy Company’ and values the privacy of its users. We are committed to maintaining industry-leading levels of security for, and confidentiality of, user data and information. In considering any request for access to such data or information, Mega starts from the position that user data and information is private and should always be protected to the greatest extent possible.
However, privacy and protection of user information and data are not absolute rights and are subject to some limitations, such as in cases of illegal activity.
The basis on which Mega may, in extremely limited situations, disclose user information and data is set out in Mega’s Takedown Guidance Policy.
Unless an Emergency Response (as defined below) is required, or disclosure is necessary in relation to an investigation involving CSAM or violent extremism, Mega will generally only provide user data or information when required to do so by New Zealand law, or by a New Zealand court or law enforcement authority with appropriate jurisdiction. Mega may consider requests made by non-New Zealand law enforcement authorities.
Mega defines Emergency Response as a situation where Mega has written assurance from a senior officer of the New Zealand Police or similar law enforcement officer or authority acceptable to Mega that in the expert judgment of such person there are valid reasons to believe that disclosure is necessary to prevent or lessen a serious threat (as defined in section 7(1) of the Privacy Act 2020) to:
- public health or public safety; or
- the life or health of an individual or individuals;
and the person giving such assurance confirms in writing that the threat is of such urgency that there is not time to obtain a production order or other court order.
If satisfied as to the above, Mega may, at its discretion, accept the request in good faith.
When Mega accepts a request, Mega may provide advance notice to the affected user unless prohibited by a court order or where Mega decides delayed notice is appropriate.
Although all files stored on Mega are encrypted prior to being uploaded to our system, and we therefore cannot access that content unless we are provided with the decryption key, Mega does have access to user registration information and the IP addresses used to access our services. A full description of the information Mega can retrieve about a user and their activities on our system can be found in clause 8.3 of our Privacy & Data Policy.
Mega provides Basic Subscriber Information (BSI) to law enforcement agencies in countries with a democratically elected government and demonstrated legal systems, in cases of serious illegality.
The chart below shows the number of requests for Basic Subscriber Information that have been processed for law enforcement agencies:[11]
Metadata provided by Mega has resulted in a significant number of arrests of Child Sexual Exploitation and Abuse perpetrators, and rescue of children at risk of imminent harm.
Interpol and other agencies released publicity in March 2022, noting that an international operation coordinated by Mega and the New Zealand authorities had resulted in 146 children being rescued from imminent harm. There were 43 arrests in New Zealand and a much larger number of arrests in other countries.
Mega responds to law enforcement requests for subscriber account information as a priority. That is reflected in our response times. Reports from the public of objectionable content being shared are actioned at a similar speed.
Year | Quarter | Average Response Time (Hours) | Median Response Time (Hours) |
---|---|---|---|
2023 | Q1 | 0.63 | 0.32 |
2023 | Q2 | 0.66 | 0.34 |
2023 | Q3 | 0.64 | 0.33 |
2023 | Q4 | 0.61 | 0.33 |
2024 | Q1 | 0.72 | 0.32 |
2024 | Q2 | 0.63 | 0.30 |
Some requests from law enforcement agencies are more complex than usual, resulting in the average being higher than the median.
Legal orders
During the nine months ended 30 June 2024, Mega was subject to 12 legal orders from New Zealand authorities and, in response to those orders, disclosed account metadata for the relevant user accounts, which are alleged to be involved in serious criminal activity either in New Zealand or overseas.
There were also three Orders from overseas agencies, processed by New Zealand Police under the Mutual Assistance in Criminal Matters Act 1992, to disclose information relating to hacking cases.
Originating Country | Alleged criminality | Number of Orders/Warrants | Outcome |
---|---|---|---|
New Zealand | Organised crime | 12 | Metadata Supplied |
Germany | Hacking | 1 | Metadata Supplied |
Switzerland | Hacking | 1 | Metadata Supplied |
Cyprus | Hacking | 1 | Metadata Supplied |
In addition, many law enforcement agencies supplied subpoenas and search warrants produced by their local courts, apparently generated to provide local authority for the agency to obtain information. Unless processed through the lengthy Mutual Legal Assistance Treaty (MLAT) process, these warrants have no application to foreign entities, such as Mega Limited, which is a New Zealand-registered company. We advise such agencies that Mega is not subject to their domestic laws or domestic court orders. However, in cases of serious criminality, including child sexual exploitation and abuse allegations, Mega may supply metadata without a warrant, as specified in its Takedown Guidance Policy.
Other requests for personal information
During the nine months to 30 June 2024, there were also 50 private requests for subscriber information. All were declined by Mega, to preserve user privacy, as they did not meet the necessary requirements set out in Mega’s Takedown Guidance Policy.
GDPR
The General Data Protection Regulation in Europe came into force in May 2018. Mega didn’t need to make any substantial disclosure or make changes to its operations as privacy has been at the core of Mega’s operations since it commenced in 2013.
In May 2018, we introduced a feature to allow users to download Personal Data relating to their account. The number of requests increased significantly in the second half of 2021, but we are not aware of any specific reason. Numbers have remained relatively consistent ever since.
Personal Data is retained indefinitely while the user’s account is open. After account closure, Mega will retain all account information as long as there is any law enforcement request pending, but otherwise for 12 months after account closure, as users sometimes request that an account be re-activated.
After 12 months, identifying information, such as email and IP addresses, is anonymised (except where email address records are retained for reference by the user’s contacts or where the user has participated in chats with other Mega users), but other related database records may be retained. This includes records of financial transactions relating to a user’s account where Mega is legally required to retain such information.
When a user deletes a file from the Rubbish bin, that file becomes inaccessible, is marked for deletion and is then deleted fully from the Mega system when the next appropriate file deletion purging process is run. After account closure, all stored files will be marked for deletion and deleted fully when the next appropriate file deletion purging process is run.
Mega Limited, as controller, is represented in Europe by
Mega Europe sarl
202, Z.A.E. WOLSER F
L-3290 Bettembourg, Luxembourg
[email protected]
The Lead Data Protection Supervisory Authority is the Luxembourg National Commission for Data Protection. This is the appropriate authority for accepting GDPR complaints about Mega.
National Commission for Data Protection
15, Boulevard du Jazz
L-4370 Belvaux, Luxembourg
https://cnpd.public.lu
Definition of terms
Mega uses the term Child Sexual Abuse Material (CSAM) to refer to photos, videos and documents relating to sexually explicit images of, or conduct of or with a child, consistent with the ECPAT 2016 Luxembourg Guidelines.[12] This is broadly equivalent to terms used by other platforms, such as Child Sexual Exploitation and Abuse (CSEA) and Child Sexual Exploitation and Abuse Imagery (CSEAI).
Law Enforcement Agencies (LEA) include police and other relevant investigation and prosecution agencies.
Suspension means closing a user’s account permanently, unless reinstated by a successful appeal.
References
[1] https://mega.io/SecurityWhitepaper.pdf
[2] https://mega.io/sourcecode
[3] www.dia.govt.nz/Voluntary-Principles-to-Counter-Online-Child-Sexual-Exploitation-and-Abuse
[4] MEGA Terms of Service https://mega.io/terms and https://mega.io/takedown
[5] See https://ecpat.org/luxembourg-guidelines/
[6] https://www.legislation.govt.nz/act/public/1993/0094/latest/DLM312895.html
[7] https://www.legislation.govt.nz/act/public/2015/0063/latest/DLM5711810.html
[8] https://mega.io/copyrightnotice
[9] It is impossible to review the validity as the file contents are user-encrypted (unless the user has published or provided the encryption key), and also due to the uncertainties of copyright status, as noted above.
[10] Provided the encryption key is included in the report.
[11] We note that the sums of BSI requests relating to Organised Crime for the nine months to 30 June 2024 are approximate only, due to technical issues that have prevented us from extracting exact figures.