Those are good questions. If I could, I would like to spend just a minute on the question you addressed to Mr. Lawford.
One way of assessing the legislation is by comparing it to international norms. It was represented to this committee back when CASL was being reviewed that this legislation was the same as what was in Australia, the same as what was in New Zealand; that was incorrect. Although the law was somewhat modelled after that, the definition of CEM in those countries was closed, not open-ended, and the consents were not only expressed consents but included inferred consents without narrow, closed categories. If you look at international norms, even the closest norm we were trying to model was not in line with international standards. It was ratcheted up to make it even more of a straitjacket.
To get to your question, I think that is something somebody should really look at. In terms of cybersecurity, this is a problem with third parties inserting computer programs into systems and thereby hijacking systems, turning them into botnets or acquiring information, including—if you look at 142 million individuals' recent information in the Equifax case—2.5 million more. These are the kinds of things that the legislation does target, except that it doesn't permit the installation of programs where needed to combat cybersecurity.
I've always thought that, in addition to that, the legislation should actually permit the installation of counter-cybersecurity programs on the target that is attacking, in order to protect Canadians. I've also thought, as well, that ISPs should have the power to block foreign spamming sites and foreign malicious sites, to protect Canadians. It would be sort of an umbrella, if you will, to protect Canadians at large, as opposed to every ISP doing it or every organization doing it.
There's a lot that this committee could do, both with CASL and otherwise, to protect Canadians on cybersecurity.