Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016)
(In re a Warrant to Search a Certain E–Mail Account Controlled & Maintained by Microsoft Corp.)
SUSAN L. CARNEY, Circuit Judge:
Microsoft Corporation appeals from orders of the United States District Court for the Southern District of New York denying its motion to quash a warrant ("Warrant") issued under § 2703 of the Stored Communications Act ("SCA" or the "Act"), 18 U.S.C. §§ 2701 et seq., and holding Microsoft in contempt of court for refusing to execute the Warrant on the government's behalf. The Warrant directed Microsoft to seize and produce the contents of an e-mail account that it maintains for a customer who uses the company's electronic communications services. A United States magistrate judge (Francis, M.J.) issued the Warrant on the government's application, having found probable cause to believe that the account was being used in furtherance of narcotics trafficking. The Warrant was then served on Microsoft at its headquarters in Redmond, Washington.
Microsoft produced its customer's non-content information to the government, as directed. That data was stored in the United States. But Microsoft ascertained that, to comply fully with the Warrant, it would need to access customer content that it stores and maintains in Ireland and to import that data into the United States for delivery to federal authorities. It declined to do so. Instead, it moved to quash the Warrant. The magistrate judge, affirmed by the District Court (Preska, C.J.), denied the motion to quash and, in due course, the District Court held Microsoft in civil contempt for its failure.
Microsoft and the government dispute the nature and reach of the Warrant that the Act authorized and the extent of Microsoft's obligations under the instrument. For its part, Microsoft emphasizes Congress's use in the Act of the term "warrant" to identify the authorized instrument. Warrants traditionally carry territorial limitations: United States law enforcement officers may be directed by a court-issued warrant to seize items at locations in the United States and in United States-controlled areas, see Fed. R. Crim. P. 41(b), but their authority generally does not extend further.
The government, on the other hand, characterizes the dispute as merely about "compelled disclosure," regardless of the label appearing on the instrument. It maintains that "similar to a subpoena, [an SCA warrant] requir[es] the recipient to deliver records, physical objects, and other materials to the government" no matter where those documents are located, so long as they are subject to the recipient's custody or control. It relies on a collection of court rulings construing properly-served subpoenas as imposing that broad obligation to produce without regard to a document's location. E.g., Marc Rich & Co., A.G. v. United States, 707 F.2d 663 (2d Cir. 1983).
For the reasons that follow, we think that Microsoft has the better of the argument. When, in 1986, Congress passed the Stored Communications Act as part of the broader Electronic Communications Privacy Act, its aim was to protect user privacy in the context of new technology that required a user's interaction with a service provider. Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas. Three decades ago, international boundaries were not so routinely crossed as they are today, when service providers rely on worldwide networks of hardware to satisfy users' 21st-century demands for access and speed and their related, evolving expectations of privacy.
Rather, in keeping with the pressing needs of the day, Congress focused on providing basic safeguards for the privacy of domestic users. Accordingly, we think it employed the term "warrant" in the Act to require pre-disclosure scrutiny of the requested search and seizure by a neutral third party, and thereby to afford heightened privacy protection in the United States. It did not abandon the instrument's territorial limitations and other constitutional requirements. The application of the Act that the government proposes — interpreting "warrant" to require a service provider to retrieve material from beyond the borders of the United States — would require us to disregard the presumption against extraterritoriality that the Supreme Court re-stated and emphasized in Morrison v. National Australia Bank Ltd., 561 U.S. 247, 130 S.Ct. 2869, 177 L.Ed.2d 535 (2010) and, just recently, in RJR Nabisco, Inc. v. European Cmty., 579 U.S. ___, ___, 136 S.Ct. 2090, 195 L.Ed.2d 476 (2016). We are not at liberty to do so.
We therefore decide that the District Court lacked authority to enforce the Warrant against Microsoft. Because Microsoft has complied with the Warrant's domestic directives and resisted only its extraterritorial aspects, we REVERSE the District Court's denial of Microsoft's motion to quash, VACATE its finding of civil contempt, and REMAND the cause with instructions to the District Court to quash the Warrant insofar as it directs Microsoft to collect, import, and produce to the government customer content stored outside the United States.
I. Microsoft's Web-Based E-mail Service
Microsoft Corporation is a United States business incorporated and headquartered in Washington State. Since 1997, Microsoft has operated a "web-based e-mail" service available for public use without charge. It calls the most recent iteration of this service Outlook.com. The service allows Microsoft customers to send and receive correspondence using e-mail accounts hosted by the company. In a protocol now broadly familiar to the ordinary citizen, a customer uses a computer to navigate to the Outlook.com web address, and there, after logging in with username and password, conducts correspondence electronically.
Microsoft explains that, when it provides customers with web-based access to e-mail accounts, it stores the contents of each user's e-mails, along with a variety of non-content information related to the account and to the account's e-mail traffic, on a network of servers. The company's servers are housed in datacenters operated by it and its subsidiaries.
Microsoft currently makes "enterprise cloud service offerings" available to customers in over 100 countries through Microsoft's "public cloud." The service offerings are "segmented into regions, and most customer data (e.g. email, calendar entries, and documents) is generally contained entirely within one or more data centers in the region in which the customer is located." Microsoft generally stores a customer's e-mail information and content at datacenters located near the physical location identified by the user as its own when subscribing to the service. Microsoft does so, it explains, "in part to reduce `network latency'" — i.e., delay — inherent in web-based computing services and thereby to improve the user's experience of its service. As of 2014, Microsoft "manage[d] over one million server computers in [its] datacenters worldwide, in over 100 discrete leased and owned datacenter facilities, spread over 40 countries." These facilities, it avers, "host more than 200 online services, used by over 1 billion customers and over 20 million businesses worldwide."
One of Microsoft's datacenters is located in Dublin, Ireland, where it is operated by a wholly owned Microsoft subsidiary. According to Microsoft, when its system automatically determines, "based on [the user's] country code," that storage for an e-mail account "should be migrated to the Dublin datacenter," it transfers the data associated with the account to that location. Before making the transfer, it does not verify user identity or location; it simply takes the user-provided information at face value, and its systems migrate the data according to company protocol.
Under practices in place at the time of these proceedings, once the transfer is complete, Microsoft deletes from its U.S.-based servers "all content and non-content information associated with the account in the United States," retaining only three data sets in its U.S. facilities. First, Microsoft stores some non-content e-mail information in a U.S.-located "data warehouse" that it operates "for testing and quality control purposes." Second, it may store some information about the user's online address book in a central "address book clearing house" that it maintains in the United States. Third, it may store some basic account information, including the user's name and country, in a U.S.-sited database. ***
II. Procedural History
On December 4, 2013, Magistrate Judge James C. Francis IV of the United States District Court for the Southern District of New York issued the "Search and Seizure Warrant" that became the subject of Microsoft's motion to quash.
Although the Warrant was served on Microsoft, its printed boilerplate language advises that it is addressed to "[a]ny authorized law enforcement officer." It commands the recipient to search "[t]he PREMISES known and described as the email account [redacted]@MSN.COM, which is controlled by Microsoft Corporation." It requires the "officer executing [the] warrant, or an officer present during the execution of the warrant" to "prepare an inventory ... and promptly return [the] warrant and inventory to the Clerk of the Court." ***
After being served with the Warrant, Microsoft determined that the e-mail contents stored in the account were located in its Dublin datacenter. Microsoft disclosed all other responsive information, which was kept within the United States, and moved the magistrate judge to quash the Warrant with respect to the user content stored in Dublin.
As we have recounted, the magistrate judge denied Microsoft's motion to quash. In a Memorandum and Order, he concluded that the SCA authorized the District Court to issue a warrant for "information that is stored on servers abroad." In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, 15 F.Supp.3d 466, 477 (S.D.N.Y. 2014) ("In re Warrant"). He observed that he had found probable cause for the requested search, and that the Warrant was properly served on Microsoft in the United States. He noted that, inasmuch as an SCA warrant is served on a service provider rather than on a law enforcement officer, it "is executed like a subpoena in that it ... does not involve government agents entering the premises of the ISP [Internet service provider] to search its servers and seize the e-mail account in question." Accordingly, he determined that Congress intended in the Act's warrant provisions to import obligations similar to those associated with a subpoena to "produce information in its possession, custody, or control regardless of the location of that information." (citing Marc Rich, 707 F.2d at 667). While acknowledging that
Microsoft's analysis in favor of quashing the Warrant with respect to foreign-stored customer content was "not inconsistent with the statutory language," he saw Microsoft's position as "undermined by the structure of the SCA, its legislative history," and "by the practical consequences that would flow from adopting it." He therefore concluded that Microsoft was obligated to produce the customer's content, wherever it might be stored. He also treated the place where the government would review the cntent (the United States), not the place of storage (Ireland), as the relevant place of seizure.
Microsoft appealed the magistrate judge's decision to Chief Judge Loretta A. Preska, who, on de novo review and after a hearing, adopted the magistrate judge's reasoning and affirmed his ruling from the bench. In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, 1:13-mj-02814 (S.D.N.Y. filed Dec. 4, 2013), ECF No. 80 (order reflecting ruling made at oral argument).
Microsoft timely noticed its appeal of the District Court's decision denying the motion to quash. Not long after, the District Court acted on a stipulation submitted jointly by the parties and held Microsoft in civil contempt for refusing to comply fully with the Warrant. Microsoft timely amended its notice of appeal to reflect its additional challenge to the District Court's contempt ruling.
We now reverse the District Court's denial of Microsoft's motion to quash; vacate the finding of contempt; and remand the case to the District Court with instructions to quash the Warrant insofar as it calls for production of customer content stored out-side the United States.
III. Statutory Background
The Warrant was issued under the provisions of the Stored Communications Act, legislation enacted as Title II of the Electronic Communications Privacy Act of 1986. Before we begin our analysis, some background will be useful.
A. The Electronic Communications Privacy Act of 1986
The Electronic Communications Privacy Act ("ECPA") became law in 1986. As it is summarized by the Department of Justice, ECPA "updated the Federal Wiretap Act of 1968, which addressed interception of conversations using `hard' telephone lines, but did not apply to interception of computer and other digital and electronic communications." ECPA's Title II is also called the Stored Communications Act ("SCA"). The Act "protects the privacy of the contents of files stored by service providers and of records held about the subscriber by service providers," according to the Justice Department. We discuss its provisions further below.
B. The Technological Setting in 1986
When it passed the Stored Communications Act almost thirty years ago, Congress had as reference a technological context very different from today's Internet-saturated reality. This context affects our construction of the statute now.
One historian of the Internet has observed that "before 1988, the New York Times mentioned the Internet only once — in a brief aside." Roy Rosenzweig, Wizards, Bureaucrats, Warriors, and Hackers: Writing the History of the Internet, 103 Am. Hist. Rev. 1530, 1530 (1998). The TCP/IP data transfer protocol — today, the standard for online communication — began to be used by the Department of Defense in about 1980. See Leonard Kleinrock, An Early History of the Internet, IEEE Commc'ns Mag. 26, 35 (Aug. 2010). The World Wide Web was not created until 1990, and we did not even begin calling it that until 1993. Daniel B. Garrie & Francis M. Allegra, Plugged In: Guidebook to Software and the Law § 3.2 (2015 ed.). Thus, a globally-connected Internet available to the general public for routine e-mail and other uses was still years in the future when Congress first took action to protect user privacy. See Craig Partridge, The Technical Development of Internet Email, IEEE Annals of the Hist. of Computing 3, 4 (Apr.-June 2008).
C. The Stored Communications Act
As the government has acknowledged in this litigation, "[t]he SCA was enacted to extend to electronic records privacy protections analogous to those provided by the Fourth Amendment." Gov't Br. at 29 (citing S. Comm. on Judiciary, Electronic Communications Privacy Act of 1986, S. Rep. No. 99-541, at 5 (1986)). The SCA provides privacy protection for users of two types of electronic services — electronic communication services ("ECS") and remote computing services ("RCS") — then probably more distinguishable than now. See Orin S. Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It, 72 Geo. Wash. L. Rev. 1208, 1213-14 (2004). An ECS generally operated by providing the user access to a central computer system through which to send electronic messages over telephone lines. S. Rep. No. 99-541, at 8. If the intended recipient also subscribed to the service, the provider temporarily stored the message in the recipient's electronic "mail box" until the recipient "call[ed] the company to retrieve its mail." Id. If the intended recipient was not a subscriber, the service provider could print the communication on paper and complete delivery by postal service or courier. Id.; U.S. Congress, Office of Technology Assessment, OTA-CIT-293, Federal Government Information Technology: Electronic Surveillance and Civil Liberties 47-48 (1985). An RCS generally operated either by providing customers with access to computer processing facilities in a "time-sharing arrangement," or by directly processing data that a customer transmitted electronically to the provider by means of electronic communications, and transmitting back the requested results of particular operations. S. Rep. No. 99-541, at 10-11. We will refer to Microsoft and other providers of ECS and RCS jointly as "service providers," except where the distinction makes a difference.
As to both services, the Act imposes general obligations of non-disclosure on service providers and creates several exceptions to those obligations. Thus, its initial provision, § 2701, prohibits unauthorized third parties from, among other things, obtaining or altering electronic communications stored by an ECS, and imposes criminal penalties for its violation. Section 2702 restricts the circumstances in which service providers may disclose information associated with and contents of stored communications to listed exceptions, such as with the consent of the originator or upon notice to the intended recipient, or pursuant to § 2703. Section 2703 then establishes conditions under which the government may require a service provider to disclose the contents of stored communications and related obligations to notify a customer whose material has been accessed. Section 2707 authorizes civil actions by entities aggrieved by violations of the Act, and makes "good faith reliance" on a court warrant or order "a complete defense." 18 U.S.C. § 2707(e).
Regarding governmental access in particular, § 2703 sets up a pyramidal structure governing conditions under which service providers must disclose stored communications to the government. Basic subscriber and transactional information can be obtained simply with an administrative subpoena. 18 U.S.C. § 2703(c)(2). Other non-content records can be obtained by a court order (a "§ 2703(d) order"), which may be issued only upon a statement of "specific and articulable facts showing ... reasonable grounds to believe that the contents or records ... are relevant and material to an ongoing criminal investigation." § 2703(c)(2), (d). The government may also obtain some user content with an administrative subpoena or a § 2703(d) order, but only if notice is provided to the service provider's subscriber or customer. § 2703(b)(1)(B). To obtain "priority stored communications" (our phrase), as described below, the Act generally requires that the government first secure a warrant that has been issued "using the procedures described in the Federal Rules of Criminal Procedure," or using State warrant procedures, both of which require a showing of probable cause. Priority stored communications fall into two categories: For electronic communications stored recently (that is, for less than 180 days) by an ECS, the government must obtain a warrant. § 2703(a). For older electronic communications and those held by an RCS, a warrant is also required, unless the Government is willing to provide notice to the subscriber or customer. § 2703(b)(1)(A).
As noted, § 2703 calls for those warrants issued under its purview by federal courts to be "issued using the procedures described in the Federal Rules of Criminal Procedure." Rule 41 of the Federal Rules of Criminal Procedure, entitled "Search and Seizure," addresses federal warrants. It directs "the magistrate judge or a judge of a state court of record" to issue the warrant to "an officer authorized to execute it." Rule 41(e)(1). And insofar as territorial reach is concerned, Rule 41(b) describes the extent of the power of various authorities (primarily United States magistrate judges) to issue warrants with respect to persons or property located within a particular federal judicial district. It also allows magistrate judges to issue warrants that may be executed outside of the issuing district, but within another district of the United States. Fed. R. Crim. P. 41(b)(2), (b)(3). Rule 41(b)(5) generally restricts the geographical reach of a warrant's execution, if not in another federal district, to "a United States territory, possession, or commonwealth," and various diplomatic or consular missions of the United States or diplomatic residences of the United States located in a foreign state.
II. Whether the SCA Authorizes Enforcement of the Warrant as to Customer Content Stored in Ireland *** Prof. Lamdan has omitted an in-depth discussion about warrants versus subpoenas, applicability of warrants beyond the U.S., and other procedural issues. The full opinion is here if you are interested.
1. The SCA's Warrant Provisions
The reader will recall the SCA's provisions regarding the production of electronic communication content: In sum, for priority stored communications, "a governmental entity may require the disclosure... of the contents of a wire or electronic communication ... only pursuant to a warrant issued using the rules described in the Federal Rules of Criminal Procedure," except (in certain cases) if notice is given to the user. 18 U.S.C. § 2703(a), (b).
In our view, the most natural reading of this language in the context of the Act suggests a legislative focus on the privacy of stored communications. Warrants under § 2703 must issue under the Federal Rules of Criminal Procedure, whose Rule 41 is undergirded by the Constitution's protections of citizens' privacy against unlawful searches and seizures. And more generally, § 2703's warrant language appears in a statute entitled the Electronic Communications Privacy Act, suggesting privacy as a key concern.
The overall effect is the embodiment of an expectation of privacy in those communications, notwithstanding the role of service providers in their transmission and storage, and the imposition of procedural restrictions on the government's (and other third party) access to priority stored communications. The circumstances in which the communications have been stored serve as a proxy for the intensity of the user's privacy interests, dictating the stringency of the procedural protection they receive — in particular whether the Act's warrant provisions, subpoena provisions, or its § 2703(d) court order provisions govern a disclosure desired by the government. Accordingly, we think it fair to conclude based on the plain meaning of the text that the privacy of the stored communications is the "object of the statute's solicitude," and the focus of its provisions. Morrison, 561 U.S. at 267, 130 S.Ct. 2869.
2. Other Aspects of the Statute
In addition to the text's plain meaning, other aspects of the statute confirm its focus on privacy.
As we have noted, the first three sections of the SCA contain its major substantive provisions. These sections recognize that users of electronic communications and remote computing services hold a privacy interest in their stored electronic communications. In particular, § 2701(a) makes it unlawful to "intentionally access without authorization," or "intentionally exceed an authorization to access," a "facility through which an electronic communication service is provided" and "thereby obtain, alter, or prevent authorized access to a wire or electronic communication while it is in electronic storage." Contrary to the government's contention, this section does more than merely protect against the disclosure of information by third parties. By prohibiting the alteration or blocking of access to stored communications, this section also shelters the communications' integrity. Section 2701 thus protects the privacy interests of users in many aspects of their stored communications from intrusion by unauthorized third parties.
Section 2702 generally prohibits providers from "knowingly divulg[ing]" the "contents" of a communication that is in electronic storage subject to certain enumerated exceptions. 18 U.S.C. § 2702(a). Sections 2701 and 2702 are linked by their parallel protections for communications that are in electronic storage. Section 2703 governs the circumstances in which information associated with stored communications may be disclosed to the government, creating the elaborate hierarchy of privacy protections that we have described.
From this statutory framework we find further reason to conclude that the SCA's focus lies primarily on the need to protect users' privacy interests. The primary obligations created by the SCA protect the electronic communications. Disclosure is permitted only as an exception to those primary obligations and is subject to conditions imposed in § 2703. Had the Act instead created, for example, a rebuttable presumption of law enforcement access to content premised on a minimal showing of legitimate interest, the government's argument that the Act's focus is on aiding law enforcement and disclosure would be stronger. Cf. Morrison, 561 U.S. at 267, 130 S.Ct. 2869. But this is not what the Act does.
The SCA's procedural provisions further support our conclusion that the Act focuses on user privacy. As noted above, the SCA expressly adopts the procedures set forth in the Federal Rules of Criminal Procedure. 18 U.S.C. § 2703(a), (b)(1)(A). Rule 41, which governs the issuance of warrants, reflects the historical understanding of a warrant as an instrument protective of the citizenry's privacy. See Fed. R. Crim. P. 41. Further, the Act provides criminal penalties for breaches of those privacy interests and creates civil remedies for individuals aggrieved by a breach of their privacy that violates the Act. See 18 U.S.C. §§ 2701, 2707. These all buttress our sense of the Act's focus.
*** In light of the plain meaning of the statutory language and the characteristics of other aspects of the statute, we conclude that its privacy focus is unmistakable.
3. Legislative History
We consult the Act's legislative history to test our conclusion.
In enacting the SCA, Congress expressed a concern that developments in technology could erode the privacy interest that Americans traditionally enjoyed in their records and communications. See S. Rep. No. 99-541, at 3 ("With the advent of computerized recordkeeping systems, Americans have lost the ability to lock away a great deal of personal and business information."); H.R. Rep. No. 99-647, at 19 (1986) ("[M]ost important, if Congress does not act to protect the privacy of our citizens, we may see the gradual erosion of a precious right."). In particular, Congress noted that the actions of private parties were largely unregulated when it came to maintaining the privacy of stored electronic communications. See S. Rep. No. 99-541, at 3; H.R. Rep. No. 99-647, at 18. And Congress observed further that recent Supreme Court precedent called into question the breadth of the protection to which electronic records and communications might be entitled under the Fourth Amendment. See S. Rep. No. 99-541, at 3 (citing United States v. Miller, 425 U.S. 435, 96 S.Ct. 1619, 48 L.Ed.2d 71 (1976), for proposition that because records and private correspondence in computing context are "subject to control by a third party computer operator, the information may be subject to no constitutional privacy protection"); H.R. Rep. No. 99-647, at 23 (citing Miller for proposition that "under current law a subscriber or customer probably has very limited rights to assert in connection with the disclosure of records held or maintained by remote computing services").
Accordingly, Congress set out to erect a set of statutory protections for stored electronic communications. See S. Rep. No. 99-541, at 3; H.R. Rep. No. 99-647, at 19. In regard to governmental access, Congress sought to ensure that the protections traditionally afforded by the Fourth Amendment extended to the electronic forum. See H.R. Rep. No. 99-647, at 19 ("Additional legal protection is necessary to ensure the continued vitality of the Fourth Amendment."). It therefore modeled § 2703 after its understanding of the scope of the Fourth Amendment. As the House Judiciary Committee explained in its report, it appeared likely to the Committee that "the courts would find that the parties to an e-mail transmission have a `reasonable expectation of privacy' and that a warrant of some kind is required." Id. at 22.
We believe this legislative history tends to confirm our view that the Act's privacy provisions were its impetus and focus. Although Congress did not overlook law enforcement needs in formulating the statute, neither were those needs the primary motivator for the enactment. See S. Rep. No. 99-541, at 3 (in drafting SCA, Senate Judiciary Committee sought "to protect privacy interests in personal and proprietary information, while protecting the Government's legitimate law enforcement needs").
Taken as a whole, the legislative history tends to confirm our view that the focus of the SCA's warrant provisions is on protecting users' privacy interests in stored communications.
E. Extraterritoriality of the Warrant
Having thus determined that the Act focuses on user privacy, we have little trouble concluding that execution of the Warrant would constitute an unlawful extraterritorial application of the Act. See Morrison, 561 U.S. at 266-67, 130 S.Ct. 2869; RJR Nabisco, 579 U.S. at ___, 136 S.Ct. 2090.
The information sought in this case is the content of the electronic communications of a Microsoft customer. The content to be seized is stored in Dublin. The record is silent regarding the citizenship and location of the customer. Although the Act's focus on the customer's privacy might suggest that the customer's actual location or citizenship would be important to the extraterritoriality analysis, it is our view that the invasion of the customer's privacy takes place under the SCA where the customer's protected content is accessed — here, where it is seized by Microsoft, acting as an agent of the government. Because the content subject to the Warrant is located in, and would be seized from, the Dublin datacenter, the conduct that falls within the focus of the SCA would occur outside the United States, regardless of the customer's location and regardless of Microsoft's home in the United States. Cf. Riley v. California, ___ U.S. ___, 134 S.Ct. 2473, 2491, 189 L.Ed.2d 430 (2014) (noting privacy concern triggered by possibility that search of arrestee's cell phone may inadvertently access data stored on the "cloud," thus extending "well beyond papers and effects in the physical proximity" of the arrestee). ***
***Thus, to enforce the Warrant, insofar as it directs Microsoft to seize the contents of its customer's communications stored in Ireland, constitutes an unlawful extraterritorial application of the Act.
We conclude that Congress did not intend the SCA's warrant provisions to apply extraterritorially. The focus of those provisions is protection of a user's privacy interests. Accordingly, the SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a United States-based service provider for the contents of a customer's electronic communications stored on servers located outside the United States. The SCA warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of a customer's e-mail account stored exclusively in Ireland.
Because Microsoft has otherwise complied with the Warrant, it has no remaining lawful obligation to produce materials to the government.
We therefore REVERSE the District Court's denial of Microsoft's motion to quash; we VACATE its order holding Microsoft in civil contempt of court; and we REMAND this cause to the District Court with instructions to quash the warrant insofar as it demands user content stored outside of the United States.