First of all, I think if the spyware is regulated in the hands of RCMP and federal agencies, that doesn't address the municipal and the provincial law enforcement agencies, so it has to be all encompassing.
I think it's a matter of crafting laws—again, without the direct or indirect influence of industry—that put the liability first on the hardware and software companies and their executives who sell products that are full of vulnerabilities that allow spyware, ransomware and malware attacks. Ban federal procurement or use, directly or indirectly, of spyware by legislation, regulation or order in council, with equivalent bans in each province and territory, and work with foreign governments to ban the sale, export, distribution, use of and investment in commercial spyware.
We already have international free trade agreements that have mandatory cross-border information-sharing provisions and all sorts of other provisions. They need to include provisions where signatories agree to criminalize and prosecute the individuals and the organizations that create, test, market, fund and distribute spyware—and the executives and the investors. There have to be penalties because, otherwise, it's like policy: It's on the books, but if someone in another country can use these products against us, their own governments have to be involved in stopping it because that's in that country, of course. It's out of our reach.