[Congressional Record Volume 162, Number 171 (Wednesday, November 30, 2016)]
[Senate]
[Pages S6585-S6587]

UNANIMOUS CONSENT REQUEST--S. 2952

Mr. WYDEN. Mr. President, absent Senate action, at midnight tonight, this Senate will make one of the biggest mistakes in surveillance policy in years and years. Without a single congressional hearing, without a shred of meaningful public input, without any opportunity for Senators to ask their questions in a public forum, one judge with one warrant would be able to authorize the hacking of thousands--possibly millions--of devices, cell phones, and tablets. This would come about through the adoption of an obscure rule of criminal procedure called rule 41. Rule 41 isn't something folks are talking about in coffee shops in Alaska, in Oregon, and in other parts of the country, but I am convinced Americans are sure going to come to Members of Congress if one of their hospitals--one of their crucial medical programs--is hacked by the government. It is a fact that one of the highest profile victims of cyber attacks are medical facilities, our hospitals. The Justice Department has said this is no big deal. You basically ought to trust us. We are just going to take care of this. I will tell you, generally, changes to the Federal rules of procedure are designed for modest, almost housekeeping kinds of procedural changes, not major shifts in policies. When you are talking about these kinds of rules, they talk about who might receive a copy of a document in a bankruptcy proceeding. That is what the Rules Enabling Act was for. It wasn't for something that was sweeping, that was unprecedented, that could have calamitous ramifications for Americans the way government hacking would. As I have indicated, this would go forward without a chance for any Member of the Senate to formally weigh in.
The government says it can go forward with this rule 41 and conduct these massive hacks--large-scale hacks--without causing any collateral damage whatsoever and ensuring that Americans' rights are protected. Oddly enough--again, breaking with the way these matters are usually handled--the government will not tell the Congress or the American people how it would protect those rights or how it would prevent collateral damage or even how it would carry out these hacks. In effect, the policy is ``trust us.'' I think that right at the heart of our obligations is to do vigorous oversight. I always thought Ronald Reagan had a valid point when he said: You can trust but you ought to verify. That is especially important under this policy, where innocent Americans could be victimized twice--once by their hackers and a second time by their government. We are going to have the opportunity to do something about it before this goes into effect in just over 12 hours. I want to emphasize that those of us who would like the chance for Members of Congress to weigh in and be heard--our concern has been bipartisan. Senator Coons. Senator Daines. We have worked in a bipartisan fashion on this for months. This morning we are going to offer three unanimous consent requests to block or delay this particular change in order to make sure our colleagues have an opportunity to do what I think is Senate 101: to have a hearing and have a review that is bipartisan, where Senators get to ask questions, to be able to get public input in a meaningful kind of fashion. I urge every Senator to think, and think carefully, before they prevent this body from performing the vigorous oversight Americans demand of Congress. That is right at the heart of what Senator Coons, Senator Daines, and I will be talking about. This rule change will give the government unprecedented authority to hack into Americans' personal phones, computers, and other devices. 
Frankly, I was concerned about this before the election, but we now know that the administration--it is a new administration--will be led by the individual who said he wanted the power to hack his political opponents the same way Russia does. These mass hacks could affect cell phones, desktop computers, traffic lights, not to mention a whole host of different areas. During these hacks and searches, there is a considerable chance that the hacked devices will be damaged or broken, and that would obviously be a significant matter. Don't take my word for it. Mr. President, I ask unanimous consent to have an article that I wrote with renowned security experts Matt Blaze and Susan Landau printed in the Record. There being no objection, the material was ordered to be printed in the Record, as follows: [From Wired.com, Sept. 14, 2016] The Feds Will Soon Be Able To Legally Hack Almost Anyone (By Senator Ron Wyden, Matt Blaze and Susan Landau) Digital devices and software programs are complicated. Behind the pointing and clicking on screen are thousands of processes and routines that make everything work. So when malicious software--malware--invades a system, even seemingly small changes to the system can have unpredictable impacts. That's why it's so concerning that the Justice Department is planning a vast expansion of government hacking. Under a new set of rules, the FBI would have the authority to secretly use malware to hack into thousands or hundreds of thousands of computers that belong to innocent third parties and even crime victims. The unintended consequences could be staggering. The new plan to drastically expand the government's hacking and surveillance authorities is known formally as amendments to Rule 41 of the Federal Rules of Criminal Procedure, and the proposal would allow the government to hack a million computers or more with a single warrant. If Congress doesn't pass legislation blocking this proposal, the new rules go into effect on December 1. 
With just six work weeks remaining on the Senate schedule and a long Congressional to-do list, time is running out. The government says it needs this power to investigate a network of devices infected with malware and controlled by a criminal--what's known as a ``botnet.'' But the Justice Department has given the public far too little information about its hacking tools and how it plans to use them. And the amendments to Rule 41 are woefully short on protections for the security of hospitals, life-saving computer systems, or the phones and electronic devices of innocent Americans. Without rigorous and periodic evaluation of hacking software by independent experts, it would be nothing short of reckless to allow this massive expansion of government hacking. If malware crashes your personal computer or phone, it can mean a loss of photos, documents and records--a major inconvenience. But if a hospital's computer system or other critical infrastructure crashes, it puts lives at risk. Surgical directives are lost. Medical histories are inaccessible. Patients can wait hours for care. If critical information isn't available to doctors, people could die. Without new safeguards on the government's hacking authority, the FBI could very well be responsible for this kind of tragedy in the future. No one believes the government is setting out to damage victims' computers. But history shows just how hard it is to get hacking tools right. Indeed, recent experience shows that tools developed by law enforcement have actually been co-opted and used by criminals and miscreants. For example, the FBI digital wiretapping tool Carnivore, later renamed DCS 3000, had weaknesses (which were eventually publicly identified) that made it vulnerable to spoofing by unauthorized parties, allowing criminals to hijack legitimate government searches.
Cisco's Law Enforcement access standards, the guidelines for allowing government wiretaps through Cisco's routers, had similar weaknesses that security researchers discovered. The government will likely argue that its tools for going after large botnets have yet to cause the kind of unintended damage we describe. But it is impossible to verify that claim without more transparency from the agencies about their operations. Even if the claim is true, today's botnets are simple, and their commands can easily be found online. So even if the FBI's investigative techniques are effective today, in the future that might not be the case. Damage to devices or files can happen when a software program searches and finds pieces of the botnet hidden on a victim's computer. Indeed, damage happens even when changes are straightforward: recently an anti-virus scan shut down a device in the middle of heart surgery. Compounding the problem is that the FBI keeps its hacking techniques shrouded in secrecy. The FBI's statements to date do not inspire confidence that it will take the necessary precautions to test malware before deploying them in the field. One FBI special agent recently testified that a tool was safe because he tested it on his home computer, and it ``did not make any changes to the security settings on my computer.'' This obviously falls far short of the testing needed to vet a complicated hacking tool that could be unleashed on millions of devices. Why would Congress approve such a short-sighted proposal? It didn't. Congress had no role in writing or approving these changes, which were developed by the US court system through an obscure procedural process. This process was intended for updating minor procedural rules, not for making major policy decisions. This kind of vast expansion of government mass hacking and surveillance is clearly a policy decision. This is a job for Congress, not a little-known court process. 
If Congress had to pass a bill to enact these changes, it almost surely would not pass as written. The Justice Department may need new authorities to identify and search anonymous computers linked to digital crimes. But this package of changes is far too broad, with far too little oversight or protections against collateral damage. Congress should block these rule changes from going into effect by passing the bipartisan, bicameral Stopping Mass Hacking Act. Americans deserve a real debate about the best way to update our laws to address online threats.

Mr. WYDEN. In the op-ed, we point out that legislators and the public know next to nothing about how the government conducts the searches and that the government itself is planning to use software that has not been properly vetted by outside security experts. A bungled government hack could damage systems at hospitals, the power grid, transportation, or other critical infrastructure, and Congress has not had a single hearing on this issue--not one. In addition, the Rules Enabling Act gives Congress the opportunity to weigh in, which is exactly what my colleagues hope to be doing now on this important issue. Because of these serious damages, I introduced a bill called the Stop Mass Hacking Act with a number of my colleagues, including Senators Daines and Paul. This bill would stop these changes from taking effect, and I am here this morning to ask unanimous consent that the bill be taken up and passed. Mr. President, I ask unanimous consent that the Judiciary Committee be discharged from further consideration of S. 2952 and the Senate proceed to its immediate consideration, that the bill be read a third time and passed, and the motion to reconsider be considered made and laid upon the table with no intervening action or debate.

The PRESIDING OFFICER. Is there objection? The majority whip.

Mr. CORNYN. Mr.
President, reserving the right to object, I respect our colleague's right to come to the floor and ask unanimous consent. I understand that there are three unanimous consent requests, and I will be objecting to all three of them. I will reserve my statement as to why I am objecting after the third request. At this point, I object to the unanimous consent request. The PRESIDING OFFICER. Objection is heard. Mr. WYDEN. Mr. President, I wish to recognize my colleague from Montana, and after my colleague from Montana speaks, my friend from Delaware will address the Senate. The PRESIDING OFFICER. The Senator from Montana. Mr. DAINES. Mr. President, I thank my colleague from Oregon, Senator Wyden, for talking about this important issue on the floor today. We shop online with our credit cards, order medicine with our electronic health care records, talk to friends, share personal information, Skype, post beliefs and photos on social media, or Snapchat fun moments, all the while believing everything is safe and secure. It is more important now than ever to ensure that the information we store on our devices is kept safe and that our right to privacy is protected, and that is what we are really talking about here today. How can we ensure that our information is both safe and secure from hacking and government surveillance? Certainly technology has made our lives easier, but it has also made it easier for criminals to commit crimes and evade law enforcement. In short, our laws aren't keeping up with 21st-century technology advances. But the government's solution to this problem we are talking about today, the change to rule 41 of the Federal Rules of Criminal Procedure, represents a major policy shift in the way the government investigates cyber crime. This proposed solution essentially gives the government a blank check to infringe upon our civil liberties. 
The change greatly expands the hacking power of the Federal Government, allowing the search of potentially millions of Americans' devices with a single warrant. What this means is that the victims of hacks could be hacked again by their very own government. You would think such a drastic policy change that directly impacts our Fourth Amendment right would need to come before Congress. It would need to have a hearing and be heard before the American people with full transparency. But, in fact, we have had no hearings. There has been no real debate on this issue. My colleagues and I have introduced bipartisan, bicameral legislation to stop the rule change and ensure that the American people have a voice. The American people deserve transparency, and Congress needs time to review this policy to ensure that the privacy rights of Americans are protected. The fact that the Department of Justice is insisting this rule change take effect on December 1--that is tonight at midnight--frankly, should send a shiver down the spines of all Americans. My colleagues and I are here today to not only wake up Americans to this great expansion of powers by our government but also to urge our colleagues to join this bipartisan effort to stop rule 41 changes without duly considering the impact to our civil liberties. Our civil liberties and our Fourth Amendment can be chipped away little by little until we barely recognize them anymore. We simply can't give unlimited power for unlimited hacking which puts Americans' civil liberties at risk. Again, I thank my colleagues from Delaware and Oregon for joining me here today, and I yield to my friend and colleague from Delaware, Senator Coons.

The PRESIDING OFFICER. The Senator from Delaware.

____________________

[Congressional Record Volume 162, Number 171 (Wednesday, November 30, 2016)]
[Senate]
[Pages S6588-S6591]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

UNANIMOUS CONSENT REQUEST--S. 3485

Mr. WYDEN. Senator Cornyn has now objected to passage of the two bills relating to rule 41, and he is certainly within his right to do so. I wish to offer the theory--not exactly a radical one, in my view--that if we can't pass bills with respect to mass surveillance or have hearings, we at least ought to have a vote so that the American people can actually determine if their Senators support authorizing unprecedented, sweeping government hacking without a single hearing. There is a lot more debate in this body over the tax treatment of race horses than massive expansion of surveillance authority. In a moment, I will ask unanimous consent that the body move to an immediate rollcall vote on the Stalling Mass Damaging Hacking Act which would delay rule 41 changes until March 31. I don't condone Congress kicking cans down the road. This is one example of where, with a short delay, it would be possible to have at least one hearing in both bodies so that Congress would have a chance to debate a very significant change in our hacking policy. Congress has not weighed, considered, amended, or acted like anything resembling an elected legislature on this issue. There have been some who have looked into the issue, but--I call it Senate 101--we should at least have a hearing on a topic with enormous potential consequences for millions of Americans. That had not been done, despite a bipartisan bill being introduced in the House and the Senate, days after the changes were approved. Lawmakers and the public ought to know more about a novel, complicated, and controversial topic, and they would be in a position to have that information if there was a hearing and Members of both sides of the aisle could ask important questions. Since the Senate has not had a hearing on this issue, lawmakers have still been trying to get answers to important questions.
Twenty-three elected representatives from the House and Senate, Democrats and Republicans spanning the philosophical spectrum, have asked substantive questions that the Department of Justice has failed to answer, and they barely went through the motions. They spectacularly failed to respond to both concerns of Democrats and Republicans in both the Senate and in the House. I ask unanimous consent that the letter that was sent to the DOJ, signed by myself and 22 bipartisan colleagues from the House and Senate, be printed in the Record. There being no objection, the material was ordered to be printed in the Record, as follows: Congress of the United States, Washington, DC, October 27, 2016. Hon. Loretta Lynch, U.S. Attorney General, Department of Justice, Washington, DC. Dear Attorney General Lynch: We write to request information regarding the Department of Justice's proposed amendments to Rule 41 of the Federal Rules of Criminal Procedure. These amendments were approved by the Supreme Court and transmitted to Congress pursuant to the Rules Enabling Act on April 30, 2016. Absent congressional action the amendments will take effect on December 1, 2016. The proposed amendments to Rule 41 have the potential to significantly expand the Department's ability to obtain a warrant to engage in ``remote access,'' or hacking of computers and other electronic devices. We are concerned about the full scope of the new authority that would be provided to the Department of Justice. We believe that Congress--and the American public--must better understand the Department's need for the proposed amendments, how the Department intends to use its proposed new powers, and the potential consequences to our digital security before these rules go into effect. In light of the limited time for congressional consideration of the proposed amendments, we request that you provide us with the following information two weeks after your receipt of this letter. 1. 
How would the government prevent ``forum shopping'' under the proposed amendments? The proposed amendments would allow prosecutors to seek a warrant in any district ``where activities related to a crime may have occurred.'' Will the Department issue guidance to prosecutors on how this should be interpreted?

2. We are concerned that the deployment of software to search for and possibly disable a botnet may have unintended consequences on internet-connected devices, from smartphones to medical devices. Please describe the testing that is conducted on the viability of `network investigative techniques' (``NITs'') to safely search devices such as phones, tablets, hospital information systems, and internet-connected video monitoring systems.

3. Will law enforcement use authority under the proposed amendments to disable or otherwise render inoperable software that is damaging or has damaged a protected device? In other words, will network investigative techniques be used to ``clean'' infected devices, including devices that belong to innocent Americans? Has the Department ever attempted to ``clean'' infected computers in the past? If so, under what legal authority?

4. What methods will the Department use to notify users and owners of devices that have been searched, particularly in potential cases where tens of thousands of devices are searched?

5. How will the Department maintain proper chain of custody when analyzing or removing evidence from a suspect's device? Please describe how the Department intends to address technical issues such as fluctuations of internet speed and limitations on the ability to securely transfer data.

6. Please describe any differences in legal requirements between obtaining a warrant for a physical search versus obtaining a warrant for a remote electronic search. In particular, and if applicable, please describe how the principle of probable cause may be used to justify the remote search of tens of thousands of devices.
Is it sufficient probable cause for a search that a device merely be ``damaged'' and connected to a crime?

7. If the Department were to search devices belonging to innocent Americans to combat a complicated computer crime, please describe what procedures the Department would use to protect the private information of victims and prevent further damage to accessed devices.

Sincerely, Ron Wyden; Patrick Leahy; Tammy Baldwin; Christopher A. Coons; Ted Poe; John Conyers, Jr.; Justin Amash; Jason Chaffetz; Steve Daines; Al Franken; Mazie K. Hirono; Mike Lee; Jon Tester; Elizabeth Warren; Martin Heinrich; Judy Chu; Steve Cohen; Suzan DelBene; Louie Gohmert; Henry C. ``Hank'' Johnson; Ted W. Lieu; Zoe Lofgren; Jerrold Nadler.

Mr. WYDEN. I also ask unanimous consent that the response from the Department of Justice, which I have characterized as extraordinarily unresponsive to what legislators have said, be printed in the Record as well.

There being no objection, the material was ordered to be printed in the Record, as follows:

U.S. Department of Justice, Office of Legislative Affairs, Washington, DC, November 18, 2016.

Hon. Ron Wyden, U.S. Senate, Washington, DC.

Dear Senator Wyden: This responds to your letter to the Attorney General, dated October 27, 2016, regarding proposed amendments to Rule 41 of the Federal Rules of Criminal Procedure, recently approved by the Supreme Court. We are sending identical responses to the Senators and Members who joined in your letter. The amendments to Rule 41, which are scheduled to take effect on December 1, 2016, mark the end of a three-year deliberation process, which included extensive written comments and public testimony.
After hearing the public's views, the federal judiciary's Advisory Committee on the Federal Rules of Criminal Procedure, which includes federal and state judges, law professors, attorneys in private practice, and others in the legal community, approved the amendments and rejected criticisms of the proposal. The amendments were then considered and unanimously approved by the Standing Committee on Rules and the Judicial Conference, and adopted by the United States Supreme Court. It is important to note that the amendments do not change any of the traditional protections and procedures under the Fourth Amendment, such as the requirement that the government establish probable cause. Rather, the amendments would merely ensure that venue exists so that at least one court is available to consider whether a particular warrant application comports with the Fourth Amendment. Further, the amendments would not authorize the government to undertake any search or seizure or use any remote search technique, whether inside or outside the United States, that is not already permitted under current law. The use of remote searches is not new, and warrants for remote searches are currently issued under Rule 41. In addition, courts already permit the search of multiple computers pursuant to a single warrant, so long as the necessary legal requirements are met with respect to each computer. Nothing in the amendments changes the existing legal requirements. The amendments apply in two narrow circumstances. First, where a criminal suspect has hidden the location of his computer using technological means, the changes to Rule 41 would ensure that federal agents know which magistrate judge to go to in order to apply for a warrant. 
For example, if agents are investigating criminals who are sexually exploiting children and uploading videos of that exploitation for others to see--but concealing their locations through anonymizing technology--agents will be able to apply for a search warrant to discover where they are located. An investigation of the Playpen website--a Tor site used by more than 100,000 pedophiles to encourage sexual abuse and exploitation of children and to trade sexually explicit images of the abuse--illustrates the importance of this change. During the investigation, authorities were able to wrest control of the site from its administrators, and then obtained approval from a federal court to use a remote search tool to undo the anonymity promised by Tor. The search would occur only if a Playpen user accessed child pornography on the site (a federal crime), in which case the tool would cause the user's computer to transmit to investigators a limited amount of information, including the user's true IP address, to help locate and identify the user and his computer. Based on that information, investigators could then conduct a traditional, real-world investigation, such as by running a criminal records check, interviewing neighbors, or applying for an additional warrant to search a suspect's house for incriminating evidence. Those court-authorized remote searches in the Playpen case have led to more than 200 active prosecutions--including the prosecution of at least 48 alleged abusers--and the identification or rescue of at least 49 American children who were subject to sexual abuse. Nonetheless, despite the success of the Playpen investigation, Federal courts have ordered the suppression of evidence in some of the resulting prosecutions because of the lack of clear venue in the current version of Rule 41. In other cases, courts have declined to suppress evidence because the law was not clear, but have suggested that they would do so in future cases. 
Second, where the crime involves criminals hacking computers located in five or more different judicial districts, the changes to Rule 41 would ensure that federal agents may identify one judge to review an application for a search warrant rather than be required to submit separate warrant applications in each district--up to 94--where a computer is affected. For example, agents may seek a search warrant to assist in the investigation of a ransomware scheme facilitated by a botnet that enables criminals abroad to extort thousands of Americans. Such botnets, which range in size from hundreds to millions of infected computers and may be used for a variety of criminal purposes, represent one of the fastest-growing species of computer crime and are among the key cybersecurity threats facing American citizens and businesses. Absent the amendments to Rule 41, however, the requirement to obtain up to 94 simultaneous search warrants may prevent cyber investigators from taking needed action to liberate computers infected with such malware. This change would not permit indiscriminate surveillance of thousands of victim computers--that is not permissible now and will continue to be prohibited when the amendment goes into effect. This is because other than identifying a court to consider the warrant application, the amendment makes no change to the substantive law governing when a warrant application should be granted or denied. The amended rule limits forum shopping by restricting the venue in which a magistrate judge may issue a warrant for a remote search to ``any district where activities related to a crime may have occurred.'' Often, this language will leave only a single district in which investigators can seek a warrant. 
For example, where a victim has received death threats, extortion demands, or ransomware demands from a criminal hiding behind Internet anonymizing technologies, the victim's district would likely be the only district in which a warrant could be issued for a remote search to identify the perpetrator. In cases involving widespread criminal conduct, activities related to the crime may have occurred in multiple districts, and thus there may be multiple districts in which investigators may seek a warrant under the new amendment. For many years, however, existing laws have recognized the need for warrants to be issued in a district connected to criminal activity even when the information sought may not be present in the district. The language of the new Rule 41(b)(6) amendment limiting warrant venue to ``any district where activities related to a crime may have occurred'' was copied verbatim from the existing warrant venue provisions in Rule 41(b)(3) and (b)(5), which authorize judges to issue out-of-district warrants in cases involving terrorism and searches of U.S. territories and overseas diplomatic premises. Thus, the new venue provision of Rule 41(b)(6) for remote searches is consistent with existing practices in these other contexts. Similarly, warrants for email and other stored electronic communications are sought tens of thousands of times a year in a wide range of investigations. Such warrants may be issued in any district by a court that ``has jurisdiction over the offense being investigated.'' 18 U.S.C. Sec. Sec. 2703 & 2711(3). As with law enforcement activities in the physical world, law enforcement actions to prevent or redress online crime can never be completely free of risk. Before we conduct online investigations, the Department of Justice (the Department) carefully considers both the need to prevent harm to the public caused by criminals and the potential risks of taking action.
In particular, when conducting complex online operations, we typically work closely with sophisticated computer security researchers both inside and outside the government. As part of operational planning, investigators conduct pre-deployment verification and validation of computer tools. Such testing is designed to ensure that tools work as intended and do not create unintended consequences. That kind of careful consideration of any future technical measures will continue, and we welcome continued collaboration with the private sector and cybersecurity experts in the development and use of botnet mitigation techniques. The Department's antibotnet successes have demonstrated that the Department can disrupt and dismantle botnets while avoiding collateral damage to victims. And of course, choosing to do nothing has its own cost: leaving victims' computers under the control of criminals who will continue to invade their privacy, extort money from them through ransomware, or steal their financial information. Law enforcement could obtain identifying information (such as an IP address) from infected computers comprising a botnet in order to make sure owners are warned of the infection (typically, by their Internet service provider). Or law enforcement might engage in an online operation that is designed to disrupt the botnet and restore full control over computers to their legal owners. Both of these techniques, however, could involve conduct that some courts might hold constitutes a search or seizure under the Fourth Amendment. In general, we anticipate that the items to be searched or seized from victim computers pursuant to a botnet warrant will be quite limited. For example, we believe that it may be reasonable in a botnet investigation to take steps to measure the size of the botnet by having each victim computer report a unique identifier; but it would not be lawful in such circumstances to search the victims' unrelated private files. 
Whether or not a warrant authorizing a remote search is proper is a question of Fourth Amendment law, which is not changed by the amendments to Rule 41. Simply put, the amendments do not authorize the government to undertake any search or seizure or use any remote search technique that is not already permitted under the Fourth Amendment. They merely ensure that searches that are appropriate under the Fourth Amendment and necessary to help free victim computers from criminal control are not, as a practical matter, blocked by outmoded venue rules. The amendment's notice requirement mandates that when executing a warrant for a remote search, ``the officer must make reasonable efforts to serve a copy of the warrant on the person whose property was searched or whose information was seized or copied,'' and that ``[s]ervice may be accomplished by any means, including electronic means, reasonably calculated to reach that person.'' What means are reasonably available to notify an individual who has concealed his location and identity will of course vary from case to case. If the remote search is successful in identifying the suspect, then notice can be provided in the traditional manner (following existing rules for delaying notice where appropriate in ongoing investigations). If the search is unsuccessful, then investigators would have to consider other means that may be available, for example through a known email address. In an investigation involving botnet victims, the Department would make reasonable efforts to notify victims of any search conducted pursuant to warrant. For example, if investigators obtained victims' IP addresses at a particular date and time in order to measure the size of the botnet, investigators could ask the victims' Internet service providers to notify the individuals whose computers were identified as being under the control of criminal bot herders. 
Under such an approach, it would not even be necessary for investigators to learn the identities of specific victims. The Department will, of course, also consider other appropriate mechanisms to provide notice consistent with the amended Rule 41. Under the Federal Rules of Evidence, the government must establish the authenticity of any item of electronic evidence it moves to admit in evidence. To do so, it must offer evidence ``sufficient to support a finding that the item is'' what the government claims it to be, and a criminal defendant may object to the admission of evidence on the basis that the government has not established its authenticity. The amendments to Rule 41 do not make any change to the law governing the admissibility of lawfully obtained evidence at trial, whether on the basis of authenticity or any other basis, and to our knowledge authenticity objections have not played a substantial role in prior federal criminal trials at which evidence obtained as a result of remote searches was introduced. Protecting victims' privacy is one of the Department's top priorities. To the extent that investigators collect any information concerning botnet victims, the Department will take all appropriate steps to safeguard any such information from improper use or disclosure. The Department presently and vigorously protects the private information collected pursuant to search warrants for computers and documents seized from a home or business and the Department will follow the same exacting standards for any warrant executed under the amendments to Rule 41. We hope that this information is helpful. Please do not hesitate to contact this office if we may provide additional assistance regarding this or any other matter.
Sincerely, Peter J. Kadzik, Assistant Attorney General.
Mr. WYDEN. Colleagues are going to see that substantive, clear questions, posed by Democrats and Republicans in writing, were not responded to. 
Because of the lack of genuine answers from the Justice Department to this letter, signed by 23 Members of Congress, and the substantial nature of these unprecedented changes in surveillance policy, I ask now for unanimous consent for a vote on the SMDH Act to give Congress time to debate these sweeping changes to government's hacking authority. I ask unanimous consent that the Senate proceed to the immediate consideration of S. 3485, introduced earlier today; that at a time to be determined by the majority leader, in consultation with the Democratic leader, but no later than 4 p.m. today, the Senate proceed to vote in relation to this bill.
The PRESIDING OFFICER. Is there objection? The majority whip.
Mr. CORNYN. Mr. President, I object.
The PRESIDING OFFICER. Objection is heard.
Mr. CORNYN. Mr. President, I know sometimes that when people hear us engage in these debates, they think we don't like each other and we can't work together; that we are so polarized, we are dysfunctional. Actually, these Senators are my friends in addition to being colleagues. Let me just explain how I think their concerns are misplaced. First of all, we all care about, on the spectrum of privacy to security, how that is dialed in. As the Presiding Officer knows, as the former attorney general of Alaska, we always try to strike the right balance between individual privacy and safety and security and law enforcement, and sometimes we have differences of opinion as to where exactly on that spectrum that ought to be struck, but the fundamental problem with the requests that have been made today is, Federal Rule of Criminal Procedure 41 has already been the subject of a lengthy 3-year process with a lot of thoughtful input, public hearings, and deliberation. As the Presiding Officer knows, the courts have the inherent power to write their own rules of procedure, and that is what this is, part of the Federal Rules of Criminal Procedure. 
What happens is a pretty challenging process when we want to change a Federal rule of criminal procedure. We have to get it approved by the Rules Advisory Committee. It is made up of judges, law professors, and practicing lawyers. Then it has to be approved by the Judicial Conference. Then, as in this case, they have to be endorsed by the U.S. Supreme Court, which is Federal Rule of Criminal Procedure 41, which happened on May 1, 2016. If there was any basis for the claim that this is somehow a hacking of personal information without due process of law or without adequate consideration, I just--I think the process by which the Supreme Court has set up, through the Rules Advisory Committee and through the Judicial Conference, dispels any concerns that the objections that were raised were not adequately considered. I am also told, Senator Graham from South Carolina chaired a subcommittee hearing of the Senate Judiciary Committee--I believe it was last spring--on this very issue. So there has been some effort in the Congress to do oversight and to look into this, although perhaps it didn't get the sort of attention that it has gotten now. The biggest, most important point to me is that for everybody who cares about civil liberties and for everybody who cares about the personal right of privacy we all have in our homes and the expectation of privacy we have against intrusion by the government without due process, this still requires the government to come forward and do what it always has to do when it seeks a search warrant under the Fourth Amendment. You still have to go before a judge--an impartial magistrate--you still have to show probable cause that a crime has been committed, and the defendant can still challenge the lawfulness of the search. The defendant always reserves that right to challenge the lawfulness of the search. 
I believe all of these constitutional protections, all of these procedural protections, all the concerns about lack of adequate deliberation can be dispelled by the simple facts. There is a challenge when cyber criminals use the Internet and social media to prey on innocent children, to traffic in human beings, to buy and sell drugs, and there has to be a way for law enforcement--for the Federal Government--to get a search warrant approved by a judge based on the showing of probable cause to be able to get that evidence so the law can be enforced and these cyber criminals can be prosecuted. That is what we are talking about. All this rule 41 does is creates a circumstance where if the criminal is using an anonymizer, or some way to scramble the IP address--the Internet Protocol address of the computer they are operating from--then this rule of procedure allows the U.S. attorney, the Justice Department, to go to any court that will then require probable cause, that will then allow the defendant to challenge that search warrant--but to provide a means by which you can go to court and get a search warrant and investigate the facts and, if a crime has been committed, to make sure that person is prosecuted under the letter of the law. I appreciate the concerns my colleagues have expressed, that somehow we have gotten the balance between security and privacy wrong, but I believe that as a result of the process by which the Rules Advisory Committee, the Judicial Conference, and the Supreme Court have approved this rule after 3 years of deliberation, including public hearings, scholarly input by academicians, practicing lawyers, law professors and the like, I think that ought to allay their concerns that somehow this is an unthought-through or hasty rule that is going to have unintended consequences. 
I think the fundamental protection we all have under the Fourth Amendment of the Constitution against unreasonable searches and seizures and the requirement that the government come to court in front of a judge and show probable cause that a crime has been committed, and that even once the search warrant is issued, that the defendant can challenge the lawfulness of the search--all of that ought to allay the concerns of my colleagues that somehow we have gotten that balance between privacy and security right because I think this does strike an appropriate balance. Those are the reasons I felt compelled to object to the unanimous consent requests, and I appreciate the courtesy of each of my colleagues.
The PRESIDING OFFICER. The Senator from Oregon.
Mr. WYDEN. Mr. President, before he leaves the floor, I wish to engage my friend for a moment with respect to his remarks. He is absolutely right that we have been friends since we arrived here, and we are working together on a whole host of projects right now. So this is debate about differences of opinion with respect to some of the key issues. I wish to make a couple of quick points in response to my colleague. My colleague said there had been an inclusive process for discussing this. As far as I can tell, the vast amount of discussion basically took place between the judges and the government. My guess is, if you and I walked into a coffee shop in Houston or Dallas, or in my home State, in Coos Bay or Eugene, people wouldn't have any idea what was going to happen tonight at midnight. Tonight at midnight is going to be a significant moment in this discussion. My colleague made the point with respect to security and privacy. I definitely feel those two are not mutually exclusive; we can have both, but it is going to take smart policies. My colleague has done a lot of important work on the Freedom of Information Act issues. 
These are complicated, important issues, and nobody up here has had a chance to weigh in. There has been a process with some judges, and I guess some folks got a chance to submit a brief. Maybe there was a notice in the Federal Register; that is the way it usually works, but nobody at home knows anything about that. My guess is, none of our hospitals know anything about something like this, and it has real implications for them because our medical facilities--something we all agree on that have been major sources of cyber hackings--they have been major kinds of targets. Again, this is not the kind of thing where somebody is saying something derogatory about somebody personally; we just have a difference of opinion with respect to the process. To me, at home, when people hear about a government process, they say: Hey, I guess that means I get a chance to weigh in. That is why I have townhall meetings in every county every year because that is what the people think the process is, not judges talking among themselves. The second point my friend touched on was essentially the warrant policies and that he supports the Fourth Amendment and this is about the Fourth Amendment. I think that is worth debating. To me, at a minimum, this is an awful novel approach to the Fourth Amendment. One judge, one warrant for thousands and potentially millions of computers which could result in more damage to the citizen after the citizen has already been hit once with the hack. So my colleague said this is what the Fourth Amendment is about. I think that is a fair point for debate. I would argue this is an awful novel approach to the Fourth Amendment. This is not what I think most people think the Fourth Amendment is. Hey, this is about me and somebody is going to have to get a warrant about me. It is about individuals. 
To me, the Senate has now--and we still have officially 12 hours to do something about it--but as of now, the Senate has given consent to an expansion of government hacking and surveillance. In effect, the Senate, by not acting, has put a stamp of approval on a major policy change that has not had a single hearing, no oversight, no discussion. In effect, the Senate--this is not even Senate 101. That is what everybody thinks Senators are supposed to be about. When we are talking about search and seizure, that is an issue for Congress to debate, and the Justice Department shouldn't have the ability to, at a minimum, as I indicated in my conversation with my colleague from Texas, come up with a very novel approach to the Fourth Amendment without elected officials being able to weigh in. Now I will close by way of saying that when Americans find out that the Congress is allowing the Justice Department to just wave its arms in the air and grant itself new powers under the Fourth Amendment without the Senate even being a part of a single hearing, I think law-abiding Americans are going to ask: So what were you people in the Senate thinking about? What are you thinking about when the FBI starts hacking the victims of a botnet attack or when a mass attack breaks their device or an entire hospital system, in effect, has great damage done, faces great damage, and possibly puts lives at risk? My hope is that Congress would add protections for Americans surrounding the whole issue of government hacking. I have said again and again and again that the smart technology policy, the smart surveillance policy from the get-go is built around the idea that security and liberty are not mutually exclusive, that a smart policy will do both, but increasingly, policies coming out of here aren't doing a whole lot of either. In this case, I think the Senate is abdicating its obligations. 
Certainly, in the digital era, Americans do not throw their Fourth Amendment rights out the window because they use a device that connects to the Internet. So I am going to close by way of saying that I think this debate about government hacking is far from over. My guess is that Senators are going to hear from their constituents about this policy sooner rather than later, and we will be back on the floor then, looking to do what should have been done prior to midnight tonight, which is to have hearings, to involve the public--not just Justices and maybe a few people who can figure out how to find that section of the Federal Register so they can weigh in. Americans are going to continue to demand from all of us in the Senate policies that protect their security and their liberty. They are right to do so. That cause will be harmed if the Senate doesn't take steps between now and midnight. With that, Mr. President, I yield the floor. I suggest the absence of a quorum.
The PRESIDING OFFICER. The clerk will call the roll.
The legislative clerk proceeded to call the roll.
Ms. WARREN. Mr. President, I ask unanimous consent that the order for the quorum call be rescinded.
The PRESIDING OFFICER. Without objection, it is so ordered.