[Congressional Record Volume 162, Number 171 (Wednesday, November 30, 2016)]
[Senate]
[Pages S6585-S6587]


                   UNANIMOUS CONSENT REQUEST--S. 2952

  Mr. WYDEN. Mr. President, absent Senate action, at midnight tonight, 
this Senate will make one of the biggest mistakes in surveillance 
policy in years and years. Without a single congressional hearing, 
without a shred of meaningful public input, without any opportunity for 
Senators to ask their

[[Page S6586]]

questions in a public forum, one judge with one warrant would be able 
to authorize the hacking of thousands--possibly millions--of devices, 
cell phones, and tablets. This would come about through the adoption of 
an obscure rule of criminal procedure called rule 41. Rule 41 isn't 
something folks are talking about in coffee shops in Alaska, in Oregon, 
and in other parts of the country, but I am convinced Americans are 
sure going to come to Members of Congress if one of their hospitals--
one of their crucial medical programs--is hacked by the government. It 
is a fact that one of the highest profile victims of cyber attacks are 
medical facilities, our hospitals.
  The Justice Department has said this is no big deal. You basically 
ought to trust us. We are just going to take care of this. I will tell 
you, generally, changes to the Federal rules of procedure are designed 
for modest, almost housekeeping kinds of procedural changes, not major 
shifts in policies. When you are talking about these kinds of rules, 
they talk about who might receive a copy of a document in a bankruptcy 
proceeding. That is what the Rules Enabling Act was for. It wasn't for 
something that was sweeping, that was unprecedented, that could have 
calamitous ramifications for Americans the way government hacking 
would. As I have indicated, this would go forward without a chance for 
any Member of the Senate to formally weigh in.
  The government says it can go forward with this rule 41 and conduct 
these massive hacks--large-scale hacks--without causing any collateral 
damage whatsoever and ensuring that Americans' rights are protected. 
Oddly enough--again, breaking with the way these matters are usually 
handled--the government will not tell the Congress or the American 
people how it would protect those rights or how it would prevent 
collateral damage or even how it would carry out these hacks. In 
effect, the policy is ``trust us.''
  I think that right at the heart of our obligations is to do vigorous 
oversight. I always thought Ronald Reagan had a valid point when he 
said: You can trust but you ought to verify. That is especially 
important under this policy, where innocent Americans could be 
victimized twice--once by their hackers and a second time by their 
government.
  We are going to have the opportunity to do something about it before 
this goes into effect in just over 12 hours. I want to emphasize that 
those of us who would like the chance for Members of Congress to weigh 
in and be heard--our concern has been bipartisan. Senator Coons. 
Senator Daines. We have worked in a bipartisan fashion on this for 
months.
  This morning we are going to offer three unanimous consent requests 
to block or delay this particular change in order to make sure our 
colleagues have an opportunity to do what I think is Senate 101: to 
have a hearing and have a review that is bipartisan, where Senators get 
to ask questions, to be able to get public input in a meaningful kind 
of fashion.
  I urge every Senator to think, and think carefully, before they 
prevent this body from performing the vigorous oversight Americans 
demand of Congress. That is right at the heart of what Senator Coons, 
Senator Daines, and I will be talking about. This rule change will give 
the government unprecedented authority to hack into Americans' personal 
phones, computers, and other devices. Frankly, I was concerned about 
this before the election, but we now know that the administration--it 
is a new administration--will be led by the individual who said he 
wanted the power to hack his political opponents the same way Russia 
does. These mass hacks could affect cell phones, desktop computers, 
traffic lights, not to mention a whole host of different areas. During 
these hacks and searches, there is a considerable chance that the 
hacked devices will be damaged or broken, and that would obviously be a 
significant matter. Don't take my word for it.
  Mr. President, I ask unanimous consent to have an article that I 
wrote with renowned security experts Matt Blaze and Susan Landau 
printed in the Record.
  There being no objection, the material was ordered to be printed in 
the Record, as follows:

                    [From Wired.com, Sept. 14, 2016]

        The Feds Will Soon Be Able To Legally Hack Almost Anyone

          (By Senator Ron Wyden, Matt Blaze and Susan Landau)

       Digital devices and software programs are complicated. 
     Behind the pointing and clicking on screen are thousands of 
     processes and routines that make everything work. So when 
     malicious software--malware--invades a system, even seemingly 
     small changes to the system can have unpredictable impacts.
       That's why it's so concerning that the Justice Department 
     is planning a vast expansion of government hacking. Under a 
     new set of rules, the FBI would have the authority to 
     secretly use malware to hack into thousands or hundreds of 
     thousands of computers that belong to innocent third parties 
     and even crime victims. The unintended consequences could be 
     staggering.
       The new plan to drastically expand the government's hacking 
     and surveillance authorities is known formally as amendments 
     to Rule 41 of the Federal Rules of Criminal Procedure, and 
     the proposal would allow the government to hack a million 
     computers or more with a single warrant. If Congress doesn't 
     pass legislation blocking this proposal, the new rules go 
     into effect on December 1. With just six work weeks remaining 
     on the Senate schedule and a long Congressional to-do list, 
     time is running out.
       The government says it needs this power to investigate a 
     network of devices infected with malware and controlled by a 
     criminal--what's known as a ``botnet.'' But the Justice 
     Department has given the public far too little information 
     about its hacking tools and how it plans to use them. And the 
     amendments to Rule 41 are woefully short on protections for 
     the security of hospitals, life-saving computer systems, or 
     the phones and electronic devices of innocent Americans.
       Without rigorous and periodic evaluation of hacking 
     software by independent experts, it would be nothing short of 
     reckless to allow this massive expansion of government 
     hacking.
       If malware crashes your personal computer or phone, it can 
     mean a loss of photos, documents and records--a major 
     inconvenience. But if a hospital's computer system or other 
     critical infrastructure crashes, it puts lives at risk. 
     Surgical directives are lost. Medical histories are 
     inaccessible. Patients can wait hours for care. If critical 
     information isn't available to doctors, people could die. 
     Without new safeguards on the government's hacking authority, 
     the FBI could very well be responsible for this kind of 
     tragedy in the future.
       No one believes the government is setting out to damage 
     victims' computers. But history shows just how hard it is to 
     get hacking tools right. Indeed, recent experience shows that 
     tools developed by law enforcement have actually been co-
     opted and used by criminals and miscreants. For example, the 
     FBI digital wiretapping tool Carnivore, later renamed DCS 
     3000, had weaknesses (which were eventually publicly 
     identified) that made it vulnerable to spoofing by 
     unauthorized parties, allowing criminals to hijack legitimate 
     government searches. Cisco's Law Enforcement access 
     standards, the guidelines for allowing government wiretaps 
     through Cisco's routers, had similar weaknesses that security 
     researchers discovered.
       The government will likely argue that its tools for going 
     after large botnets have yet to cause the kind of unintended 
     damage we describe. But it is impossible to verify that claim 
     without more transparency from the agencies about their 
     operations. Even if the claim is true, today's botnets are 
     simple, and their commands can easily be found online. So 
     even if the FBI's investigative techniques are effective 
     today, in the future that might not be the case. Damage to 
     devices or files can happen when a software program searches 
     and finds pieces of the botnet hidden on a victim's computer. 
     Indeed, damage happens even when changes are straightforward: 
     recently an anti-virus scan shut down a device in the middle 
     of heart surgery.
       Compounding the problem is that the FBI keeps its hacking 
     techniques shrouded in secrecy. The FBI's statements to date 
     do not inspire confidence that it will take the necessary 
     precautions to test malware before deploying them in the 
     field. One FBI special agent recently testified that a tool 
     was safe because he tested it on his home computer, and it 
     ``did not make any changes to the security settings on my 
     computer.'' This obviously falls far short of the testing 
     needed to vet a complicated hacking tool that could be 
     unleashed on millions of devices.
       Why would Congress approve such a short-sighted proposal? 
     It didn't. Congress had no role in writing or approving these 
     changes, which were developed by the US court system through 
     an obscure procedural process. This process was intended for 
     updating minor procedural rules, not for making major policy 
     decisions.
       This kind of vast expansion of government mass hacking and 
     surveillance is clearly a policy decision. This is a job for 
     Congress, not a little-known court process.
       If Congress had to pass a bill to enact these changes, it 
     almost surely would not pass as written. The Justice 
     Department may need new authorities to identify and search 
     anonymous computers linked to digital crimes. But this 
     package of changes is far too broad, with far too little 
     oversight or protections against collateral damage.
       Congress should block these rule changes from going into 
     effect by passing the bipartisan, bicameral Stopping Mass 
     Hacking Act.

[[Page S6587]]

     Americans deserve a real debate about the best way to update 
     our laws to address online threats.
  Mr. WYDEN. In the op-ed, we point out that legislators and the public 
know next to nothing about how the government conducts the searches and 
that the government itself is planning to use software that has not 
been properly vetted by outside security experts. A bungled government 
hack could damage systems at hospitals, the power grid, transportation, 
or other critical infrastructure, and Congress has not had a single 
hearing on this issue--not one.
  In addition, the Rules Enabling Act gives Congress the opportunity to 
weigh in, which is exactly what my colleagues hope to be doing now on 
this important issue.
  Because of these serious damages, I introduced a bill called the Stop 
Mass Hacking Act with a number of my colleagues, including Senators 
Daines and Paul. This bill would stop these changes from taking effect, 
and I am here this morning to ask unanimous consent that the bill be 
taken up and passed.
  Mr. President, I ask unanimous consent that the Judiciary Committee 
be discharged from further consideration of S. 2952 and the Senate 
proceed to its immediate consideration, that the bill be read a third 
time and passed, and the motion to reconsider be considered made and 
laid upon the table with no intervening action or debate.
  The PRESIDING OFFICER. Is there objection?
  The majority whip.
  Mr. CORNYN. Mr. President, reserving the right to object, I respect 
our colleague's right to come to the floor and ask unanimous consent. I 
understand that there are three unanimous consent requests, and I will 
be objecting to all three of them. I will reserve my statement as to 
why I am objecting after the third request.
  At this point, I object to the unanimous consent request.
  The PRESIDING OFFICER. Objection is heard.
  Mr. WYDEN. Mr. President, I wish to recognize my colleague from 
Montana, and after my colleague from Montana speaks, my friend from 
Delaware will address the Senate.
  The PRESIDING OFFICER. The Senator from Montana.
  Mr. DAINES. Mr. President, I thank my colleague from Oregon, Senator 
Wyden, for talking about this important issue on the floor today.
  We shop online with our credit cards, order medicine with our 
electronic health care records, talk to friends, share personal 
information, Skype, post beliefs and photos on social media, or 
Snapchat fun moments, all the while believing everything is safe and 
secure. It is more important now than ever to ensure that the 
information we store on our devices is kept safe and that our right to 
privacy is protected, and that is what we are really talking about here 
today. How can we ensure that our information is both safe and secure 
from hacking and government surveillance?
  Certainly technology has made our lives easier, but it has also made 
it easier for criminals to commit crimes and evade law enforcement. In 
short, our laws aren't keeping up with 21st-century technology 
advances. But the government's solution to this problem we are talking 
about today, the change to rule 41 of the Federal Rules of Criminal 
Procedure, represents a major policy shift in the way the government 
investigates cyber crime. This proposed solution essentially gives the 
government a blank check to infringe upon our civil liberties. The 
change greatly expands the hacking power of the Federal Government, 
allowing the search of potentially millions of Americans' devices with 
a single warrant. What this means is that the victims of hacks could be 
hacked again by their very own government.
  You would think such a drastic policy change that directly impacts 
our Fourth Amendment right would need to come before Congress. It would 
need to have a hearing and be heard before the American people with 
full transparency. But, in fact, we have had no hearings. There has 
been no real debate on this issue.
  My colleagues and I have introduced bipartisan, bicameral legislation 
to stop the rule change and ensure that the American people have a 
voice. The American people deserve transparency, and Congress needs 
time to review this policy to ensure that the privacy rights of 
Americans are protected.
  The fact that the Department of Justice is insisting this rule change 
take effect on December 1--that is tonight at midnight--frankly, should 
send a shiver down the spines of all Americans.
  My colleagues and I are here today to not only wake up Americans to 
this great expansion of powers by our government but also to urge our 
colleagues to join this bipartisan effort to stop rule 41 changes 
without duly considering the impact to our civil liberties. Our civil 
liberties and our Fourth Amendment can be chipped away little by little 
until we barely recognize them anymore. We simply can't give unlimited 
power for unlimited hacking which puts Americans' civil liberties at 
risk.
  Again, I thank my colleagues from Delaware and Oregon for joining me 
here today, and I yield to my friend and colleague from Delaware, 
Senator Coons.
  The PRESIDING OFFICER. The Senator from Delaware.

                          ____________________

[Congressional Record Volume 162, Number 171 (Wednesday, November 30, 2016)]
[Senate]
[Pages S6588-S6591]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                   UNANIMOUS CONSENT REQUEST--S. 3485

  Mr. WYDEN. Senator Cornyn has now objected to passage of the two 
bills relating to rule 41, and he is certainly within his right to do 
so. I wish to offer the theory--not exactly a radical one, in my view--
that if we can't pass bills with respect to mass surveillance or have 
hearings, we at least ought to have a vote so that the American people 
can actually determine if their Senators support authorizing 
unprecedented, sweeping government hacking without a single hearing. 
There is a lot more debate in this body over the tax treatment of race 
horses than massive expansion of surveillance authority.
  In a moment, I will ask unanimous consent that the body move to an 
immediate rollcall vote on the Stalling Mass Damaging Hacking Act which 
would delay rule 41 changes until March 31. I don't condone Congress 
kicking cans down the road. This is one example of where, with a short 
delay, it would be possible to have at least one hearing in both bodies 
so that Congress would have a chance to debate a very significant 
change in our hacking policy.
  Congress has not weighed, considered, amended, or acted like anything 
resembling an elected legislature on this issue. There have been some 
who have looked into the issue, but--I call it Senate 101--we should at 
least have a hearing on a topic with enormous potential consequences 
for millions of Americans. That had not been done, despite a bipartisan 
bill being introduced in the House and the Senate, days after the 
changes were approved. Lawmakers and the public ought to know more 
about a novel, complicated, and controversial topic, and they would be 
in a position to have that information if there was a hearing and 
Members of both sides of the aisle could ask important questions.

  Since the Senate has not had a hearing on this issue, lawmakers have 
still been trying to get answers to important questions. Twenty-three 
elected representatives from the House and Senate, Democrats and 
Republicans spanning the philosophical spectrum, have asked substantive 
questions that the Department of Justice has failed to answer, and they 
barely went through the motions. They spectacularly failed to respond 
to both concerns of Democrats and Republicans in both the Senate and in 
the House.
  I ask unanimous consent that the letter that was sent to the DOJ, 
signed by myself and 22 bipartisan colleagues from the House and 
Senate, be printed in the Record.
  There being no objection, the material was ordered to be printed in 
the Record, as follows:

                                Congress of the United States,

                                 Washington, DC, October 27, 2016.
     Hon. Loretta Lynch,
     U.S. Attorney General,
     Department of Justice, Washington, DC.
       Dear Attorney General Lynch: We write to request 
     information regarding the Department of Justice's proposed 
     amendments to Rule 41 of the Federal Rules of Criminal 
     Procedure. These amendments were approved by the Supreme 
     Court and transmitted to Congress pursuant to the Rules 
     Enabling Act on April 30, 2016. Absent congressional action 
     the amendments will take effect on December 1, 2016.
       The proposed amendments to Rule 41 have the potential to 
     significantly expand the Department's ability to obtain a 
     warrant to engage in ``remote access,'' or hacking of 
     computers and other electronic devices. We are concerned 
     about the full scope of the new authority that would be 
     provided to the Department of Justice. We believe that 
     Congress--and the American public--must better understand the 
     Department's need for the proposed amendments, how the 
     Department intends to use its proposed new powers, and the 
     potential consequences to our digital security before these 
     rules go into effect. In light of the limited time for 
     congressional consideration of the proposed amendments, we 
     request that you provide us with the following information 
     two weeks after your receipt of this letter.
       1. How would the government prevent ``forum shopping'' 
     under the proposed amendments? The proposed amendments would 
     allow prosecutors to seek a warrant in any district ``where 
     activities related to a crime may have occurred.'' Will the 
     Department issue guidance to prosecutors on how this should 
     be interpreted?
       2. We are concerned that the deployment of software to 
     search for and possibly disable a botnet may have unintended 
     consequences on internet-connected devices, from smartphones 
     to medical devices. Please describe the testing that is 
     conducted on the viability of `network investigative 
     techniques' (``NITs'') to safely search devices such as 
     phones, tablets, hospital information systems, and internet-
     connected video monitoring systems.
       3. Will law enforcement use authority under the proposed 
     amendments to disable or otherwise render inoperable software 
     that is damaging or has damaged a protected device? In other 
     words, will network investigative techniques be used to 
     ``clean'' infected devices, including devices that belong to 
     innocent Americans? Has the Department ever attempted to 
     ``clean'' infected computers in the past? If so, under what 
     legal authority?
       4. What methods will the Department use to notify users and 
     owners of devices that have been searched, particularly in 
     potential cases where tens of thousands of devices are 
     searched?
       5. How will the Department maintain proper chain of custody 
     when analyzing or removing evidence from a suspect's device? 
     Please describe how the Department intends to address 
     technical issues such as fluctuations of internet speed and 
     limitations on the ability to securely transfer data.
       6. Please describe any differences in legal requirements 
     between obtaining a warrant for a physical search versus 
     obtaining a warrant for a remote electronic search. In 
     particular, and if applicable, please describe how the 
     principle of probable cause may be used to justify the remote 
     search of tens of thousands of devices. Is it sufficient 
     probable cause for a search that a device merely be 
     ``damaged'' and connected to a crime?
       7. If the Department were to search devices belonging to 
     innocent Americans to combat a complicated computer crime, 
     please describe what procedures the Department would use to 
     protect the private information of victims and prevent 
     further damage to accessed devices.
           Sincerely,
         Ron Wyden; Patrick Leahy; Tammy Baldwin; Christopher A. 
           Coons; Ted Poe; John Conyers, Jr.; Justin Amash; Jason 
           Chaffetz; Steve Daines; Al Franken; Mazie K. Hirono; 
           Mike Lee; Jon Tester; Elizabeth Warren; Martin 
           Heinrich; Judy Chu; Steve Cohen; Suzan DelBene; Louie 
           Gohmert; Henry C. ``Hank'' Johnson; Ted W. Lieu; Zoe 
           Lofgren; Jerrold Nadler.

  Mr. WYDEN. I also ask unanimous consent that the response from the 
Department of Justice, which I have characterized as extraordinarily 
unresponsive to what legislators have said, be printed in the Record as 
well.
  There being no objection, the material was ordered to be printed in 
the Record, as follows:

                                       U.S. Department of Justice,


                                Office of Legislative Affairs,

                                Washington, DC, November 18, 2016.
     Hon. Ron Wyden,
     U.S. Senate,
     Washington, DC.
       Dear Senator Wyden: This responds to your letter to the 
     Attorney General, dated October 27, 2016, regarding proposed 
     amendments to Rule 41 of the Federal Rules of Criminal 
     Procedure, recently approved by the Supreme Court. We are 
     sending identical responses to the Senators and Members who 
     joined in your letter.
       The amendments to Rule 41, which are scheduled to take 
     effect on December 1, 2016,

[[Page S6589]]

     mark the end of a three-year deliberation process, which 
     included extensive written comments and public testimony. 
     After hearing the public's views, the federal judiciary's 
     Advisory Committee on the Federal Rules of Criminal 
     Procedure, which includes federal and state judges, law 
     professors, attorneys in private practice, and others in the 
     legal community, approved the amendments and rejected 
     criticisms of the proposal. The amendments were then 
     considered and unanimously approved by the Standing Committee 
     on Rules and the Judicial Conference, and adopted by the 
     United States Supreme Court.
       It is important to note that the amendments do not change 
     any of the traditional protections and procedures under the 
     Fourth Amendment, such as the requirement that the government 
     establish probable cause. Rather, the amendments would merely 
     ensure that venue exists so that at least one court is 
     available to consider whether a particular warrant 
     application comports with the Fourth Amendment.
       Further, the amendments would not authorize the government 
     to undertake any search or seizure or use any remote search 
     technique, whether inside or outside the United States, that 
     is not already permitted under current law. The use of remote 
     searches is not new, and warrants for remote searches are 
     currently issued under Rule 41. In addition, courts already 
     permit the search of multiple computers pursuant to a single 
     warrant, so long as the necessary legal requirements are met 
     with respect to each computer. Nothing in the amendments 
     changes the existing legal requirements.
       The amendments apply in two narrow circumstances. First, 
     where a criminal suspect has hidden the location of his 
     computer using technological means, the changes to Rule 41 
     would ensure that federal agents know which magistrate judge 
     to go to in order to apply for a warrant. For example, if 
     agents are investigating criminals who are sexually 
     exploiting children and uploading videos of that exploitation 
     for others to see--but concealing their locations through 
     anonymizing technology--agents will be able to apply for a 
     search warrant to discover where they are located.
       An investigation of the Playpen website--a Tor site used by 
     more than 100,000 pedophiles to encourage sexual abuse and 
     exploitation of children and to trade sexually explicit 
     images of the abuse--illustrates the importance of this 
     change. During the investigation, authorities were able to 
     wrest control of the site from its administrators, and then 
     obtained approval from a federal court to use a remote search 
     tool to undo the anonymity promised by Tor. The search would 
     occur only if a Playpen user accessed child pornography on 
     the site (a federal crime), in which case the tool would 
     cause the user's computer to transmit to investigators a 
     limited amount of information, including the user's true IP 
     address, to help locate and identify the user and his 
     computer. Based on that information, investigators could then 
     conduct a traditional, real-world investigation, such as by 
     running a criminal records check, interviewing neighbors, or 
     applying for an additional warrant to search a suspect's 
     house for incriminating evidence. Those court-authorized 
     remote searches in the Playpen case have led to more than 200 
     active prosecutions--including the prosecution of at least 48 
     alleged abusers--and the identification or rescue of at least 
     49 American children who were subject to sexual abuse. 
     Nonetheless, despite the success of the Playpen 
     investigation, Federal courts have ordered the suppression of 
     evidence in some of the resulting prosecutions because of the 
     lack of clear venue in the current version of Rule 41. In 
     other cases, courts have declined to suppress evidence 
     because the law was not clear, but have suggested that they 
     would do so in future cases.
       Second, where the crime involves criminals hacking 
     computers located in five or more different judicial 
     districts, the changes to Rule 41 would ensure that federal 
     agents may identify one judge to review an application for a 
     search warrant rather than be required to submit separate 
     warrant applications in each district--up to 94--where a 
     computer is affected. For example, agents may seek a search 
     warrant to assist in the investigation of a ransomware scheme 
     facilitated by a botnet that enables criminals abroad to 
     extort thousands of Americans. Such botnets, which range in 
     size from hundreds to millions of infected computers and may 
     be used for a variety of criminal purposes, represent one of 
     the fastest-growing species of computer crime and are among 
     the key cybersecurity threats facing American citizens and 
     businesses. Absent the amendments to Rule 41, however, the 
     requirement to obtain up to 94 simultaneous search warrants 
     may prevent cyber investigators from taking needed action to 
     liberate computers infected with such malware. This change 
     would not permit indiscriminate surveillance of thousands of 
     victim computers--that is not permissible now and will 
     continue to be prohibited when the amendment goes into 
     effect. This is because other than identifying a court to 
     consider the warrant application, the amendment makes no 
     change to the substantive law governing when a warrant 
     application should be granted or denied.
       The amended rule limits forum shopping by restricting the 
     venue in which a magistrate judge may issue a warrant for a 
     remote search to ``any district where activities related to a 
     crime may have occurred.'' Often, this language will leave 
     only a single district in which investigators can seek a 
     warrant. For example, where a victim has received death 
     threats, extortion demands, or ransomware demands from a 
     criminal hiding behind Internet anonymizing technologies, the 
     victim's district would likely be the only district in which 
     a warrant could be issued for a remote search to identify the 
     perpetrator.
       In cases involving widespread criminal conduct, activities 
     related to the crime may have occurred in multiple districts, 
     and thus there may be multiple districts in which 
     investigators may seek a warrant under the new amendment. For 
     many years, however, existing laws have recognized the need 
     for warrants to be issued in a district connected to 
     criminal activity even when the information sought may not 
     be present in the district. The language of the new Rule 
     41(6)(6) amendment limiting warrant venue to ``any 
     district where activities related to a crime may have 
     occurred'' was copied verbatim from the existing warrant 
     venue provisions in Rule 41(6)(3) and (b)(5), which 
     authorize judges to issue out-of-district warrants in 
     cases involving terrorism and searches of U.S. territories 
     and overseas diplomatic premises. Thus, the new venue 
     provision of Rule 41(b)(6) for remote searches is 
     consistent with existing practices in these other 
     contexts. Similarly, warrants for email and other stored 
     electronic communications are sought tens of thousands of 
     times a year in a wide range of investigations. Such 
     warrants may be issued in any district by a court that 
     ``has jurisdiction over the offense being investigated.'' 
     18 U.S.C. Sec. Sec. 2703 & 2711(3).
       As with law enforcement activities in the physical world, 
     law enforcement actions to prevent or redress online crime 
     can never be completely free of risk. Before we conduct 
     online investigations, the Department of Justice (the 
     Department) carefully considers both the need to prevent harm 
     to the public caused by criminals and the potential risks of 
     taking action. In particular, when conducting complex online 
     operations, we typically work closely with sophisticated 
     computer security researchers both inside and outside the 
     government. As part of operational planning, investigators 
     conduct pre-deployment verification and validation of 
     computer tools. Such testing is designed to ensure that tools 
     work as intended and do not create unintended consequences. 
     That kind of careful consideration of any future technical 
     measures will continue, and we welcome continued 
     collaboration with the private sector and cybersecurity 
     experts in the development and use of botnet mitigation 
     techniques. The Department's antibotnet successes have 
     demonstrated that the Department can disrupt and dismantle 
     botnets while avoiding collateral damage to victims. And of 
     course, choosing to do nothing has its own cost: leaving 
     victims' computers under the control of criminals who will 
     continue to invade their privacy, extort money from them 
     through ransomware, or steal their financial information.
       Law enforcement could obtain identifying information (such 
     as an IP address) from infected computers comprising a botnet 
     in order to make sure owners are warned of the infection 
     (typically, by their Internet service provider). Or law 
     enforcement might engage in an online operation that is 
     designed to disrupt the botnet and restore full control over 
     computers to their legal owners. Both of these techniques, 
     however, could involve conduct that some courts might hold 
     constitutes a search or seizure under the Fourth Amendment. 
     In general, we anticipate that the items to be searched or 
     seized from victim computers pursuant to a botnet warrant 
     will be quite limited. For example, we believe that it may be 
     reasonable in a botnet investigation to take steps to measure 
     the size of the botnet by having each victim computer report 
     a unique identifier; but it would not be lawful in such 
     circumstances to search the victims' unrelated private files. 
     Whether or not a warrant authorizing a remote search is 
     proper is a question of Fourth Amendment law, which is not 
     changed by the amendments to Rule 41. Simply put, the 
     amendments do not authorize the government to undertake any 
     search or seizure or use any remote search technique that is 
     not already permitted under the Fourth Amendment. They merely 
     ensure that searches that are appropriate under the Fourth 
     Amendment and necessary to help free victim computers from 
     criminal control are not, as a practical matter, blocked by 
     outmoded venue rules.
       The amendment's notice requirement mandates that when 
     executing a warrant for a remote search, ``the officer must 
     make reasonable efforts to serve a copy of the warrant on the 
     person whose property was searched or whose information was 
     seized or copied,'' and that ``[s]ervice may be accomplished 
     by any means, including electronic means, reasonably 
     calculated to reach that person.'' What means are reasonably 
     available to notify an individual who has concealed his 
     location and identity will of course vary from case to case. 
     If the remote search is successful in identifying the 
     suspect, then notice can be provided in the traditional 
     manner (following existing rules for delaying notice where 
     appropriate in ongoing investigations). If the search is 
     unsuccessful, then investigators would have to consider other 
     means that may be available, for example through a known 
     email address. In an investigation involving botnet victims, 
     the Department would make reasonable efforts to

[[Page S6590]]

     notify victims of any search conducted pursuant to warrant. 
     For example, if investigators obtained victims' IP addresses 
     at a particular date and time in order to measure the size of 
     the botnet, investigators could ask the victims' Internet 
     service providers to notify the individuals whose computers 
     were identified as being under the control of criminal bot 
     herders. Under such an approach, it would not even be 
     necessary for investigators to learn the identities of 
     specific victims. The Department will, of course, also 
     consider other appropriate mechanisms to provide notice 
     consistent with the amended Rule 41.
       Under the Federal Rules of Evidence, the government must 
     establish the authenticity of any item of electronic evidence 
     it moves to admit in evidence. To do so, it must offer 
     evidence ``sufficient to support a finding that the item is'' 
     what the government claims it to be, and a criminal defendant 
     may object to the admission of evidence on the basis that the 
     government has not established its authenticity. The 
     amendments to Rule 41 do not make any change to the law 
     governing the admissibility of lawfully obtained evidence at 
     trial, whether on the basis of authenticity or any other 
     basis, and to our knowledge authenticity objections have not 
     played a substantial role in prior federal criminal trials at 
     which evidence obtained as a result of remote searches was 
     introduced.
       Protecting victims' privacy is one of the Department's top 
     priorities. To the extent that investigators collect any 
     information concerning botnet victims, the Department will 
     take all appropriate steps to safeguard any such information 
     from improper use or disclosure. The Department presently and 
     vigorously protects the private information collected 
     pursuant to search warrants for computers and documents 
     seized from a home or business and the Department will follow 
     the same exacting standards for any warrant executed under 
     the amendments to Rule 41.
       We hope that this information is helpful. Please do not 
     hesitate to contact this office if we may provide additional 
     assistance regarding this or any other matter.
           Sincerely,
                                                  Peter J. Kadzik,
                                       Assistant Attorney General.

  Mr. WYDEN. Colleagues are going to see that substantive, clear 
questions, posed by Democrats and Republicans in writing, were not 
responded to.
  Because of the lack of genuine answers from the Justice Department to 
this letter, signed by 23 Members of Congress, and the substantial 
nature of these unprecedented changes in surveillance policy, I ask now 
for unanimous consent for a vote on the SMDH Act to give Congress time 
to debate these sweeping changes to government's hacking authority.
  I ask unanimous consent that the Senate proceed to the immediate 
consideration of S. 3485, introduced earlier today; that at a time to 
be determined by the majority leader, in consultation with the 
Democratic leader, but no later than 4 p.m. today, the Senate proceed 
to vote in relation to this bill.
  The PRESIDING OFFICER. Is there objection?
  The majority whip.
  Mr. CORNYN. Mr. President, I object.
  The PRESIDING OFFICER. Objection is heard.
  Mr. CORNYN. Mr. President, I know sometimes that when people hear us 
engage in these debates, they think we don't like each other and we 
can't work together; that we are so polarized, we are dysfunctional. 
Actually, these Senators are my friends in addition to being 
colleagues. Let me just explain how I think their concerns are 
misplaced.
  First of all, we all care about, on the spectrum of privacy to 
security, how that is dialed in. As the Presiding Officer knows, as the 
former attorney general of Alaska, we always try to strike the right 
balance between individual privacy and safety and security and law 
enforcement, and sometimes we have differences of opinion as to where 
exactly on that spectrum that ought to be struck, but the fundamental 
problem with the requests that have been made today is, Federal Rule Of 
Criminal Procedure 41 has already been the subject of a lengthy 3-year 
process with a lot of thoughtful input, public hearings, and 
deliberation.
  As the Presiding Officer knows, the courts have the inherent power to 
write their own rules of procedure, and that is what this is, part of 
the Federal Rules of Criminal Procedure. What happens is a pretty 
challenging process when we want to change a Federal rule of criminal 
procedure. We have to get it approved by the Rules Advisory Committee. 
It is made up of judges, law professors, and practicing lawyers. Then 
it has to be approved by the Judicial Conference. Then, as in this 
case, they have to be endorsed by the U.S. Supreme Court, which is 
Federal Rule of Criminal Procedure 41, which happened on May 1, 2016.
  If there was any basis for the claim that this is somehow a hacking 
of personal information without due process of law or without adequate 
consideration, I just--I think the process by which the Supreme Court 
has set up, through the Rules Advisory Committee and through the 
Judicial Conference, dispels any concerns that the objections that were 
raised were not adequately considered.
  I am also told, Senator Graham from South Carolina chaired a 
subcommittee hearing of the Senate Judiciary Committee--I believe it 
was last spring--on this very issue. So there has been some effort in 
the Congress to do oversight and to look into this, although perhaps it 
didn't get the sort of attention that it has gotten now.
  The biggest, most important point to me is that for everybody who 
cares about civil liberties and for everybody who cares about the 
personal right of privacy we all have in our homes and the expectation 
of privacy we have against intrusion by the government without due 
process, this still requires the government to come forward and do what 
it always has to do when it seeks a search warrant under the Fourth 
Amendment. You still have to go before a judge--an impartial 
magistrate--you still have to show probable cause that a crime has been 
committed, and the defendant can still challenge the lawfulness of the 
search. The defendant always reserves that right to challenge the 
lawfulness of the search. I believe all of these constitutional 
protections, all of these procedural protections, all the concerns 
about lack of adequate deliberation can be dispelled by the simple 
facts.
  There is a challenge when cyber criminals use the Internet and social 
media to prey on innocent children, to traffic in human beings, to buy 
and sell drugs, and there has to be a way for law enforcement--for the 
Federal Government--to get a search warrant approved by a judge based 
on the showing of probable cause to be able to get that evidence so the 
law can be enforced and these cyber criminals can be prosecuted. That 
is what we are talking about. All this rule 41 does is creates a 
circumstance where if the criminal is using an anonymizer, or some way 
to scramble the IP address--the Internet Protocol address of the 
computer they are operating from--then this rule of procedure allows 
the U.S. attorney, the Justice Department, to go to any court that will 
then require probable cause, that will then allow the defendant to 
challenge that search warrant--but to provide a means by which you can 
go to court and get a search warrant and investigate the facts and, if 
a crime has been committed, to make sure that person is prosecuted 
under the letter of the law.
  I appreciate the concerns my colleagues have expressed, that somehow 
we have gotten the balance between security and privacy wrong, but I 
believe that as a result of the process by which the Rules Advisory 
Committee, the Judicial Conference, and the Supreme Court have approved 
this rule after 3 years of deliberation, including public hearings, 
scholarly input by academicians, practicing lawyers, law professors and 
the like, I think that ought to allay their concerns that somehow this 
is an unthought-through or hasty rule that is going to have unintended 
consequences. I think the fundamental protection we all have under the 
Fourth Amendment of the Constitution against unreasonable searches and 
seizures and the requirement that the government come to court in front 
of a judge and show probable cause that a crime has been committed, and 
that even once the search warrant is issued, that the defendant can 
challenge the lawfulness of the search--all of that ought to allay the 
concerns of my colleagues that somehow we have gotten that balance 
between privacy and security right because I think this does strike an 
appropriate balance.

  Those are the reasons I felt compelled to object to the unanimous 
consent requests, and I appreciate the courtesy of each of my 
colleagues.
  The PRESIDING OFFICER. The Senator from Oregon.
  Mr. WYDEN. Mr. President, before he leaves the floor, I wish to 
engage my friend for a moment with respect to his remarks. He is 
absolutely right that we

[[Page S6591]]

have been friends since we arrived here, and we are working together on 
a whole host of projects right now. So this is debate about differences 
of opinion with respect to some of the key issues. I wish to make a 
couple of quick points in response to my colleague.
  My colleague said there had been an inclusive process for discussing 
this. As far as I can tell, the vast amount of discussion basically 
took place between the judges and the government. My guess is, if you 
and I walked into a coffee shop in Houston or Dallas, or in my home 
State, in Coos Bay or Eugene, people wouldn't have any idea what was 
going to happen tonight at midnight. Tonight at midnight is going to be 
a significant moment in this discussion.
  My colleague made the point with respect to security and privacy. I 
definitely feel those two are not mutually exclusive; we can have both, 
but it is going to take smart policies. My colleague has done a lot of 
important work on the Freedom of Information Act issues. These are 
complicated, important issues, and nobody up here has had a chance to 
weigh in. There has been a process with some judges, and I guess some 
folks got a chance to submit a brief. Maybe there was a notice in the 
Federal Register; that is the way it usually works, but nobody at home 
knows anything about that. My guess is, none of our hospitals know 
anything about something like this, and it has real implications for 
them because our medical facilities--something we all agree on that 
have been major sources of cyber hackings--they have been major kinds 
of targets.
  Again, this is not the kind of thing where somebody is saying 
something derogatory about somebody personally; we just have a 
difference of opinion with respect to the process. To me, at home, when 
people hear about a government process, they say: Hey, I guess that 
means I get a chance to weigh in. That is why I have townhall meetings 
in every county every year because that is what the people think the 
process is, not judges talking among themselves.
  The second point my friend touched on was essentially the warrant 
policies and that he supports the Fourth Amendment and this is about 
the Fourth Amendment. I think that is worth debating. To me, at a 
minimum, this is an awful novel approach to the Fourth Amendment. One 
judge, one warrant for thousands and potentially millions of computers 
which could result in more damage to the citizen after the citizen has 
already been hit once with the hack. So my colleague said this is what 
the fourth Amendment is about. I think that is a fair point for debate. 
I would argue this is an awful novel approach to the Fourth Amendment. 
This is not what I think most people think the Fourth Amendment is. 
Hey, this is about me and somebody is going to have to get a warrant 
about me. It is about individuals. To me, the Senate has now--and we 
still have officially 12 hours to do something about it--but as of now, 
the Senate has given consent to an expansion of government hacking and 
surveillance. In effect, the Senate, by not acting, has put a stamp of 
approval on a major policy change that has not had a single hearing, no 
oversight, no discussion. In effect, the Senate--this is not even 
Senate 101. That is what everybody thinks Senators are supposed to be 
about. When we are talking about search and seizure, that is an issue 
for Congress to debate, and the Justice Department shouldn't have the 
ability to, at a minimum, as I indicated in my conversation with my 
colleague from Texas, come up with a very novel approach to the Fourth 
Amendment without elected officials being able to weigh in.
  Now I will close by way of saying that when Americans find out that 
the Congress is allowing the Justice Department to just wave its arms 
in the air and grant itself new powers under the Fourth Amendment 
without the Senate even being a part of a single hearing, I think law 
abiding Americans are going to ask: So what were you people in the 
Senate thinking about? What are you thinking about when the FBI starts 
hacking the victims of a botnet attack or when a mass attack breaks 
their device or an entire hospital system, in effect, has great damage 
done, faces great damage, and possibly puts lives at risk?
  My hope is that Congress would add protections for Americans 
surrounding the whole issue of government hacking. I have said again 
and again and again that the smart technology policy, the smart 
surveillance policy from the get-go is built around the idea that 
security and liberty are not mutually exclusive, that a smart policy 
will do both, but increasingly, policies coming out of here aren't 
doing a whole lot of either. In this case, I think the Senate is 
abdicating its obligations. Certainly, in the digital era, Americans do 
not throw their Fourth Amendment rights out the window because they use 
a device that connects to the Internet.
  So I am going to close by way of saying that I think this debate 
about government hacking is far from over. My guess is that Senators 
are going to hear from their constituents about this policy sooner 
rather than later, and we will be back on the floor then, looking to do 
what should have been done prior to midnight tonight, which is to have 
hearings, to involve the public--not just Justices and maybe a few 
people who can figure out how to find that section of the Federal 
Register so they can weigh in.
  Americans are going to continue to demand from all of us in the 
Senate policies that protect their security and their liberty. They are 
right to do so. That cause will be harmed if the Senate doesn't take 
steps between now and midnight.
  With that, Mr. President, I yield the floor.
  I suggest the absence of a quorum.
  The PRESIDING OFFICER. The clerk will call the roll.
  The legislative clerk proceeded to call the roll.
  Ms. WARREN. Mr. President, I ask unanimous consent that the order for 
the quorum call be rescinded.
  The PRESIDING OFFICER. Without objection, it is so ordered.

                          ____________________