Fair enough, but if we look at proposed subsection 23(1), we see that it specifically mentions that the activities done by the centre “must not be directed at a Canadian or any person in Canada”, while proposed section 24 says, “Despite subsections 23(1) and (2), the Establishment may carry out”, and it goes on to what was already read. Essentially, we're saying that normally it wouldn't be against Canadians or any person in Canada, but now that's no longer the case, because it's specifically saying that it's “despite” proposed section 23.
Certainly, I understand the hypotheticals that are being offered, but does that section not allow for the retention and use of technology that can create these large webs that will inevitably catch people in Canada? We think of StingRay technology and things like that which can be used. Is that not going to be a potential...? The way this section is drafted, certainly it could, when we're looking at this:
acquiring, using, analysing, retaining or disclosing infrastructure information for the purpose of research and development, for the purpose of testing systems or conducting cybersecurity and information assurance activities on the infrastructure from which the information was acquired
To me, that seems to create a situation whereby you could be collecting information from infrastructure here in Canada, which obviously Canadians are using, without necessarily the same accountability that's created by omitting Canadians in proposed section 23.