It goes on in proposed paragraphs 24(1)(a) and (b), with (a) “acquiring” the information and (b) talking about “infrastructure information for the purpose of research and development...testing”, and so on. Then, in 24(1)(c), it has “testing or evaluating products, software and systems, including testing or evaluating them for vulnerabilities.”
Is there not a concern that we can get a web of inference here and that, despite the publicly available nature of this, we can start going through someone's social media information that might be public, creating profiles of people who might not necessarily be national security threats, and having this data stored? That's my first question.
Second, what is meant by “disclosing”? Who exactly is that information being disclosed to?