Yes, precisely. I think that's correct. I think Ms. Bhandari is right that the database list would not capture these types of tools. Perhaps it could be a model to build on.
I would also suggest that, in the European regime, some types of more intrusive techniques require a privacy impact assessment be filed with the data protection regulator early on in the process. Something along those lines might help. It wouldn't necessarily capture small and early-onset tools or all the tools, but it might be another way of getting a window into what's developing earlier on.