(5 years, 1 month ago)
Westminster HallWestminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.
Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
I beg to move,
That this House has considered regulating the internet of things.
It is a pleasure to serve under your chairmanship, Mr Gapes, in a debate on such an important subject. I am a tech evangelist. I believe that technology is an engine of progress. Growing up in the north-east, in Newcastle, the home of the first industrial revolution—although I know that some from the north-west may debate that—gave me a love of science, technology and innovation. The achievements of local greats such as Armstrong, Stephenson and Parsons—that is Rachel Parsons, the world’s first female naval engineer—inspired me to study electrical engineering and embark on a two-decade career as a chartered engineer working in telecoms all over the world.
Newcastle’s experience of the industrial revolution was captured in the excellent BBC series “A House Through Time” with David Olusoga, which showed a mixture of life-changing technological progress and huge social problems, as in many other cities. We are now in the midst of what some consider to be the fourth industrial revolution—although how to count them is not agreed—powered by data and renewable energy, instead of labour, discipline and steam.
Last week the Prime Minister made what I can only call an interesting speech to the United Nations on technology, with this historical analysis:
“When I think of the great scientific”—
I cannot pretend to do his way of speaking, so I will just quote—
“revolutions of the past—print, the steam engine, aviation, the atomic age—I think of new tools that we acquired but over which we—the human race—had the advantage”.
The industrial revolution radically changed society, but it is a mistake—one, if I may say, of privilege—to say that the human race had the advantage. The steam engine rapidly increased productivity but also powered factories and mills with brutal working conditions that produced textiles from slave-milled cotton. Those new tools brought benefits, but the benefits were not equally shared. Of course, that happened before the United Kingdom had universal suffrage or a labour movement and a Labour party, and when many in the world were colonial subjects. Our opportunity, and our duty, in the fourth industrial revolution is to make those technologies work for the many, not the few. In that context, I will today set out what the internet of things is, the benefits it brings, the concerns and the current state of regulation.
What is the internet of things? I was surprised to see that in the Prime Minister’s speech on the gov.uk website, the internet of things was in inverted commas. I am sure that the Minister is aware that IOT is not sci-fi, but a reality of our daily lives. I was the first Member of Parliament to mention the internet of things, in my Westminster Hall debate on machine-to-machine communication in June 2011, just a year after I entered Parliament. One of the Minister’s predecessors, the right hon. Member for Wantage (Mr Vaizey), responded, so I think he was the second MP to mention it.
I called that debate because my experience as a chartered electrical engineer and as Ofcom’s head of telecoms technology had brought home to me, even then, the opportunities and threats that the internet of things represented. At the time, Ericsson estimated that 50 billion things would be connected to the internet of things by 2020. In fact, that was a bit of an exaggeration, because we have about 7 billion. However, global spending on IOT is forecast to reach $745 billion by the end of this year, Ericsson now estimates that by 2023 we will have 31 billion things connected to the internet, and the Government’s own estimate is that there will be 420 million internet-connected devices in the UK within the next two years.
The internet of things is basically things connected to the internet—it does what it says on the tin, for once. That allows everyday objects to talk to each other and to people. In fact, the first internet-connected toaster was revealed in 1989. While there has been speculation for years about how the internet of things will change our lives, it is now that we are really beginning to see its full implications for how we live, work, play and do everything in between.
Smart homes and connected appliances are perhaps the most commonly understood applications. Smart meters mean that we can turn our heating on when we leave work, whatever time that is. A fridge can tell someone when they are out of milk. More poignantly, a child’s teddy bear could record their first words and share them with the whole family.
However, IOT is about much more than household gadgets and cuddly toys. Scaling up IOT will bring us smart cities, where bins can signal when they are full, parking spaces can tell us when they are empty, and traffic lights can tell an autonomous car how fast to drive, so that it never has to hit a red light. Every time I wait at a bus stop—despite the ridiculously high cost of bus travel in Newcastle, that is still quite often—I look forward to an IOT-enabled and truly integrated public transport system, which will mean buses stopping when and where people want them to, and not stopping if there is no one at a bus stop. That means a saving in fuel efficiency, and a saving in all our time.
IOT is also transforming industry. The fourth industrial revolution has at its heart smart factories, and intelligent and flexible automation, making manufacturing cheaper, quicker, more efficient, more personalised and more reliable. Indeed, the smart factory might be in someone’s home—3D printing plus IOT could equal home manufacturing.
I am an internet of things believer. I have studied it, lived it and effectively built bits of it all over the world. It has huge economic and social benefits, as well as environmental benefits, ranging from energy management to tracking endangered species. We cannot address climate change without the internet of things. It allows the monitoring of energy usage but also enables a smart grid. IOT can literally save the planet, which is just as well now that it accounts for 8% to 10% of European electricity consumption.
However, I hope that the Minister will agree that people, and not technology or things, must be at the heart of the internet of things revolution. An IOT that works for everyone requires action—action that this Government seem unwilling to take. IOT will be as pervasive as electricity, and found in every home and handbag. And, like electricity, IOT is an enabling technology, only the enabler is not electric current but data—people’s data—and right now we have no idea who owns that data.
Take personal health tech. A company called OrCam has developed discreet camera glasses for the visually impaired, which can read text and recognise people, while the L'Oréal UV sensor, which detects ultraviolet exposure, is small enough to be worn comfortably on someone’s fingernail. However, who owns and controls the data gleaned by these devices? I hope that the Minister can tell us that, and say why it is not the people who generate that data.
As companies bring more IOT devices to market, this is a pressing issue. Although the GDPR represented progress, it is already years out of date: it addresses privacy, not control; it barely takes account of artificial intelligence and algorithmic management; and it ignores completely the internet of things. The Information Commissioner’s responsibilities over IOT are unclear.
The more interconnected things are—which in itself is a good thing—the bigger the potential for cyber-attack, which is already a huge area of concern. In 2018 there was a 500% increase in the average size of a botnet attack. There are more than 7 billion IOT devices in circulation, and that number is only going to grow. Given that each IOT device is always on, it is possible to build and deploy large-scale attacks within minutes.
In 2017 the US Food and Drug Administration recalled almost half a million pacemakers due to fears that they were vulnerable to hacking, while a Chinese IOT firm recalled 4 million cameras for the same reason. November 2018 saw the first scaled botnet attack using smart TVs. Other household appliances can also be used not only to bring down internet platforms such as Spotify, Amazon and Twitter, as happened in 2016, but to take control of our homes or any networked utility. Back in 2010 an Iranian nuclear facility was targeted by a malicious computer worm, which led to the shutdown of multiple gas centrifuges, and in 2015 blackouts in Ukraine were caused by cyber-attacks. Although we call them “cyber-attacks”, they have very physical consequences. In 2017 the Federal Network Agency, the German communications regulator, told parents to destroy a talking doll called Cayla, because its smart technology can reveal personal data. A couple of years ago I wrote about the implications of internet of things security for sex toys, but today I will spare Members’ blushes.
The lack of security on IOT devices is not only a risk to the individual user; it threatens huge economic and social damage. Importantly, security for IOT devices does not just need to be built in at the start, even though that in itself takes time and money; it needs to be upgradeable over time as threats evolve. However, producers of IOT devices are simply not incentivised to consider security concerns, with global supply chains competing mainly on costs for devices that can be sold for only a few cents or even less. Of course, the lowest-cost device is, inevitably, the lowest-security device. This is one problem that the market cannot and will not solve on its own, which means that it is up to Governments to correct.
In his speech, the Prime Minister used quite lurid language on the issue of internet of things surveillance:
“But this technology could also be used to keep every citizen under round-the-clock surveillance. A future Alexa will pretend to take orders. But this Alexa will be watching you, clucking her tongue and stamping her foot”.
The Prime Minister shows both his lack of respect for women and his lack of understanding of technology in caricaturing it as a nagging housewife arguing with an unfaithful husband. That sort of gendered view is, sadly, far from uncommon. Technology is far too often the creation of well-off men and, unsurprisingly, it reproduces their biases and prejudices.
There is an important issue of surveillance to address, both in the private and public domain. The recent book by Shoshana Zuboff, “The Age of Surveillance Capitalism”, addresses the ways in which data is used not just to monitor us but to direct and control what we do. We see it already in the practices of Amazon, Sports Direct, Uber and Deliveroo, to name just a few, where the companies’ control of data can control work life.
Research by Defend Digital Me shows that the internet of things has an increased presence within our classrooms, from direct monitoring through biometrics to facial recognition and tracking technologies as part of a smart campus project, in some cases run by the Office for Students. Many of the applications that are marketed claim noble aims around improved health or scholastic performance, but they are rather less clear when it comes to consent. When we consider how the internet of things can be used to monitor children in compulsory education, how can the child or parent be said to consent if it is a generalised practice?
The Government have repeatedly ignored warnings on cyber, much less done anything to ensure that small businesses and citizens, as opposed to big businesses and national security agencies, are protected. There are no current regulations that require a security standard for internet of things devices. About 30 groups are developing security standards for the internet of things, but if we have 30 standards, we do not have a standard. Our public response needs to be as joined up as our networks, but it is not. Responsibility for cyber-security lies across several disconnected Government silos. The Home Office publishes cyber-security stats; the cyber-security strategy comes from the Cabinet Office, although it was launched with a speech by the then Chancellor; the Department for Digital, Culture, Media and Sport takes care of cyber-skills for young people; and the cyber-essentials scheme sits in the Department for Business, Energy and Industrial Strategy. Responsibility for cyber-security is defused across Government. There is a lack of leadership and, even worse, a lack of concern. The policies seem largely to ignore mobile devices and the internet of things.
At the same time, and for some years now, the Government have been encouraging us to take up smart meters, for example, without a regulatory framework to protect us from attack. Personally, if a device is called smart, I do not buy it, at least not without a one-hour technical interrogation, which few customer service agents can pass.
My hon. Friend is making a very important speech. I, too, have spent time reading the Zuboff book, and the more I read it, the more alarmed I became. Does she agree with me that the real issue is the one she started with: whose data is it? Without that being resolved, there is an inevitable drift towards big tech companies using it for profit. Why wouldn’t they? But it is our data, and on every one of these issues, if we could pin that down, it would completely disrupt their business model. That is why it is a tough thing to do, but it would ultimately resolve the issue.
My hon. Friend, who is a great champion of innovation and technology—coming from the constituency that he represents, it is appropriate—makes a critical point. I could not have put it better. Although this debate is about regulation of the internet of things, it is impossible to talk about protection and security in the internet of things without talking about the data that is its lifeblood: the flows of data that both drive and enable the internet of things. We are in a confused state about who owns and controls the data and how it can be shared. The Government, for example, had at the last count at least 80 different ways of sharing data with themselves. As long as that is the case, we cannot have real security or integrity within the internet of things.
Last year the Government finally took some action with their Secured by Design voluntary code of practice on the security of the internet of things, as well as guidance for consumers, which was later codified as ETSI TS 103 645. In May this year, the Government announced a consultation on the introduction of some mandatory legislation on labelling. For example, retailers would have to label internet-of-things products as complying with varying levels of the Secured by Design code. Labelling is necessary because the Government will not decide what is secure and make it mandatory—if everything were secure, it would not need to be labelled. We await the outcome of the consultation. However, there are at least five major issues, and many others besides.
First, the tone of the consultation is, “Regulation is very, very bad and stops innovation, so let’s just have as little as possible.” Secondly, there is no enforcement or sanction. Thirdly, while some mandatory requirements are proposed, they would simply be a declaration of adhering to standards. That approach puts a major emphasis on the consumer to understand these increasingly complex problems and does not account for the use of the devices in public spaces.
The fourth major concern is that the regulations deal only with consumer things. The clue is in the name: it is an internet of things. We need an architecture of standards and a regulatory framework that enables security and interoperability across the internet and also considers the lifeblood of the internet of things—data. Fifthly and finally, there are billions of insecure old-generation IOT devices already enmeshed in our digital infrastructure. The regulations do nothing to address them.
The Government need to recognise that technology is not something that happens to us; it is something that we actively participate in, or should do. That does not mean stifling innovation. Instead, it means using Government influence to look forward to the impact of technologies and to shape them for the public good. The Government must understand technologies in terms of social purpose, rather than just profit margins. That must be done with the tech sector, but the Government must recognise that it is their job to protect the interests of the people. During the first and second industrial revolutions, it was the trade unions, organised workers, the nascent Labour movement, feminists, abolitionists and former slaves who pushed law makers into putting legislation in place that would direct the use of technology to more egalitarian ends. I fear that it will be for a Labour Government to ensure that that is what happens here.
Technology can be used for good or ill. My hope is that intervening now to set up a framework for data and the IOT will mean that we do not face problems and resistance further down the line.
Last year, I was at CES, which is the largest computer electronics show in the world, in Las Vegas. An American start-up literally begged me to put in place security regulations for IOT devices, so that it could compete on a level playing field with the cheap but totally insecure exports from less reputable manufacturers. It is cheap and, frankly, lazy to set up a sort of binary choice between regulation and innovation. A clear regulatory framework and strong governance allows good companies that are making socially useful products to succeed without markets being flooded with poor quality and potentially dangerous products that threaten security.
I want to say a little on Labour’s plans as I understand them—I know that the shadow Minister, my right hon. Friend the Member for Birmingham, Hodge Hill (Liam Byrne), will set them out in more detail—and I want to put that in context. I am a technology evangelist. Before becoming an MP, I worked all over the world building out the networks that now form the internet. One of my proudest moments was when I rolled out the first global system for mobile communications network in Nigeria and saw how mobile communications could really make a positive difference to people’s lives. Fisherman in the delta could now know the market price in Lagos and could not be cheated out of the right price for their fish; pregnant women could phone for a doctor instead of having to send vital requests on foot, which took hours. The internet of things will bring more and better benefits.
I have also seen the flip side of new technology. When I worked for Ofcom, I was asked to report to the board on internet security in 2005. When I came back with stories of bot attacks, honey traps, distributed denial of service, white hat wizards, Trojans, worms, phishing and pharming, it was as if I was describing a war in a galaxy far, far away. More than 10 years on, however, those threats are very real. They are part of everyone’s daily lived experience. Online fraud is the most common crime in the country, with almost one in 10 people falling victim to computer misuse or one sort of fraud or another. The same may happen with the internet of things—in fact, to an even greater extent—and we must not allow that.
I talk about the internet of things for everyone, because I believe that technology can be democratising and enabling, but just as cyber-crime seemed so foreign only a decade ago, we do not yet fully understand the new risks posed by the internet of things. To fully realise its benefits, we need to be able to deal with the increasingly pervasive security threats it presents. To address them, we need regulation as well as action in other areas. For example, we need to invest properly in skills and adult learning to help people to become digitally literate citizens. Labour’s pledge to create a free truly universal national education service, the NHS for the innovation age, will help everyone to become part of an innovation nation in which everyone is a creator, not simply a user, of technology.
We also need the power of Government to address our creaking infrastructure, and close the productivity gap at the same time, by enabling businesses across the country to invest in the internet of things. Our national transformation fund will do what it says on the tin—transform our infrastructure to bring it up to OECD levels.
We need to address a critical part of the tech sector that I referred to earlier, which is a lack of diversity. Diversity is not an optional add-on; it is an economic imperative. It needs to be at the heart of economic and technological policy, because we cannot build a more prosperous economy without making use of everyone’s talents. We need a more comprehensive sector-wide approach to diversity, particularly in the tech sector. It is key that the creators of new applications for the internet of things come from diverse backgrounds, so we have technologies that work for all and make use of the full array of talent in our society.
Finally, an internet of things requires the right digital rights and responsibilities to exist across our nation. That is why Labour plans to introduce a bill of digital rights that will provide strong and easily understood protections for citizens and will give us all rights and control over our own data.
As I draw to the end of my comments, I want to make sure that the Minister understands the questions that I am asking, so I will list the ones to which I would like him to respond. First, as I have mentioned, who owns and controls the data flowing to and from internet of things devices? Why is it not the people who are generating the data? The Prime Minister said that data is the new oil, but we have seen what the corruption around the oil industry did to many developing economies. Our citizens deserve to be in control of their own data.
Secondly, what steps is the Minister taking to ensure that insecure internet of things devices cannot be sold? Thirdly, will the provisions of the online harms legislation, specifically the duty of care, apply to the internet of things? I asked his predecessor that question, but the answer was not clear. Fourthly, when the internet of things is combined with facial recognition to monitor people, whether in education or on our streets, what requirements are there on consent? Fifthly—this was raised by TechNorthWest—internet of things devices take data for one stated purpose. What prevents its being used for various others? How does consent work in that case? Is the general data protection regulation sufficient?
Sixthly, I believe that all our critical national infrastructure is connected to the internet of things. I have mentioned the blackouts in Ukraine and attacks on an Iranian power station. What regulation is there of the internet of things in critical national infrastructure?
Seventhly, what analysis has been made of how the Government should respond to the misuse of internet of things devices? What scenarios are being considered and what plans are in place?
Eighthly, for the purposes of internet of things regulation, what is the nature of the relationship between the Department for Digital, Culture, Media and Sport, the National Cyber Security Centre, the Cabinet Office and the Information Commissioner’s Office?
I expect the Minister to respond to the five criticisms of the current consultation.
How long do you think we’ve got?
We have an hour and a half, which will be more than adequate. I should perhaps have said that the Minister has a background in technology, as a tech correspondent, so I am sure that he has the answers to all the questions.
Loth as I am to interrupt the exam paper, which I am sure will come to an end soon, a practical application of the questions came up not long ago with the facial recognition monitoring of my constituents at King’s Cross station. I hope that the Minister will be able to explain how they can be protected in future.
That is another excellent intervention from my hon. Friend. I look forward to the Minister’s response about facial recognition technology and consent.
I have asked the Minister nine questions and here is the 10th and final one: can we have a comprehensive forward-looking review of digital rights and responsibilities to deliver a regulatory framework fit for the future, which encompasses data rights and delivers an internet of things security architecture in which citizens can have confidence?
I hope that the Minister noted that when US presidential candidate Elizabeth Warren talks of regulating the tech giants for the benefit of consumers Facebook trembles—so much that Mark Zuckerberg has promised to “go to the mat” and fight her over it. However, when the Prime Minister talks about “pink-eyed terminators” the world laughs. That matters, particularly as the Minister advocates a hard Brexit, after which we would not have the support of our European friends and colleagues in establishing internet of things regulation.
The internet of things could represent a more profound technological change than anything since electricity, as I have said. To make it work we need to understand the problems that it raises, and lay out a clear framework for technology companies to work in. However, to take advantage of the changes, we need a Government who understand the opportunities of the internet of things, and who work with industry to mitigate the threats. That is a question not primarily of technology but of standards, interoperability, protocols, control, industry co-operation, self-regulation, legislation and enforcement. If we get that right we can look forward not just to a future of the internet of things but to a prosperous future of innovation that works for all, and things that have yet to be thought of, the benefits of which will be shared by everyone.
I, too, look forward to hearing the Minister’s response to all those questions in a few minutes’ time. I congratulate my hon. Friend the Member for Newcastle upon Tyne Central (Chi Onwurah) on securing the debate, which covers some of the most challenging issues that society— indeed, humanity—will face over the coming years, many of which are rarely discussed in Parliament. Her speech was quite brilliant.
The internet of things is such a vast subject that it is difficult to know where to start, but I will restrict myself to the ethical questions that underlie the regulation issues that my hon. Friend spoke about, given the epochal technological challenges. In a general sense, many challenges that the country faces appear inversely related to our capacity as politicians to properly discuss them, let alone resolve them. Increasingly, liberal democracies appear unable to navigate the complexities of the modern world. One obvious example is the escalating authoritarianism across Europe and the globe—where is the political diagnosis and response to it, and where is the defence of liberal democracy? To give another example, do we really talk, post referendum, about the issues and feelings that ushered in the referendum, or are we preoccupied instead with the technical aspects of Brexit?
Maybe politics has lost its ethical grip and become too technocratic, and maybe today’s populism is a backlash against that managerialism. Maybe we require a different conversation that addresses moral and ethical questions about the lives that people wish to live. I realise that that point appears unrelated to questions of robotics, the internet of things and artificial intelligence, but I would argue that it is imperative to embed our discussion of those technological changes in a deeper conversation. I welcome this debate because maybe we can start that conversation—arguably the most profound conversation that confronts us as politicians and public policy makers in this country and across the planet.
Whether the forecasts are apocalyptic or utopian, no one doubts the significance of artificial intelligence and the internet of things. They have the potential to affect all aspects of policy, from education to the labour market, and from policing to health and social care. However, much of the current political thinking about artificial intelligence is reactive and geared simply towards ensuring that Britain is at the forefront of technological change—we might describe that as the utilitarian approach. Maybe we should begin instead by discussing what role technology should and should not play in our societies, our workplaces and our personal lives. That departure point would be different from the one that tends to dominate the utilitarian approach: instead of focusing simply on utility or economic benefit to Britain plc, it would focus on justice and how society should be organised.
Shrinking the political debate down to technical rather than ethical terms is especially dangerous in this area of technological change, owing to our lack of expertise in it—notwithstanding some notable exceptions, some of whom have just spoken. For example, being unable to evaluate the claims of developers or independently discern the likely outcomes and risks of their products means that politicians and the public are prone to being swayed by either apocalyptic or utopian technological narratives. Many technologists have bought into what has been termed techno-solutionism: the idea that all problems that humanity faces can be solved using technology—even those that technology has caused.
I thank my hon. Friend for his excellent remarks, which cover the ethical debate about technology that we too rarely have about the internet of things. One example of the approach he describes—the idea that technology can solve all our problems—is the proposals for alternative arrangements on the island of Ireland, which I understand are being driven by blockchain and other technologies that the Government are not fully familiar with. That libertarian idea that technology is the answer to everything has driven our regulatory approach for too long, so he is right to say that we need experts on technology who can stand up for and consider its future applications from the point of view of society and citizens.
That is bang on. For many in silicon valley, that confidence in the potential of technology goes hand in hand with a widespread libertarianism: as the role of technology and profit margin expands, so the role of the state should contract.
My hon. Friend did not mention those who come at the issues from a transhumanist approach. Modern transhumanism asserts that technological change creates the opportunity to transcend the human condition and become transhuman, and that that is to be celebrated, while resistance is deemed nostalgic or parochial. Politicians now and in the future will have to defend a discernible human condition in these debates, which will be a huge challenge.
For example, what happens when transhumanist thinking informs the technologists? Nick Bostrom is the director both of Humanity+, an international transhumanist organisation, and the Future of Humanity Institute at Oxford University, which regularly produces policy recommendations for Government. The point is that politicians and policy makers need to avoid being captivated by the promise of technological progress without an appreciation of the philosophical assumptions that inform the thinking behind the policies being advocated by those with agendas. Consequently, philosophers such as Jürgen Habermas have argued that politicians and policy makers should maintain a “species ethic” when navigating this terrain. These are deep waters, yet such questions are not really addressed in modern political debate.
On a slightly more practical level, the potential risks of mismanaging artificial intelligence are phenomenal. The most obvious example is mass unemployment. It is not possible to pick up a newspaper without reading about the march of the robots and the end of work. Estimates of the proportion of jobs in the UK that could, over the next two decades, be replaced by artificial intelligence and related technologies range from some 22% to between 40% and 45%. There are a wide range of estimates—some of them quite dodgy—of future structural unemployment, and they point to a range of conflicting policy options, such as universal basic income versus full employment. That suggests a wider range of policy remedies, but we are not spending enough time scrutinising the assumptions and empirical data that underscore those policy debates. Maybe we should.
To give a further example, we have already seen data analytics being used malignly in targeted political campaigns, and that practice will become ever more sophisticated, at the expense of our democratic process. As has been mentioned, in the corporate world facial recognition software is now being trialled for the purpose of marketing, to detect the efficacy of an advert on the viewer by judging their facial expressions. Businesses now have the potential to reach into people’s lives in the way Orwell’s “1984” imagined for totalitarian regimes.
Similarly, we have seen the social media filter bubble effect on civic and social life. It feeds us information that aligns with our preconceived notions of the world, closing us off from any contradictory information. Perhaps in the future our children will ask why we as parents allowed them to be so unprotected against such technological power. Left unchallenged, future public debate will suffer from the ease with which fake news could be produced on an industrial scale, given that AI makes the processing and manipulating of all forms of digital data substantially easier and cheaper.
Our very knowledge of the world around us and notions of truth are at stake. That may seem melodramatic, but I do not think it is. The greatest threat to the established political parties, however, could come from the powerlessness and exclusion felt by many as they feel that decisions about them—from hiring, to policing, to insurance—are made by machines. In its evidence to the Lords inquiry into AI, Future Intelligence said that
“the most challenging point relating to AI and democracy is the lack of choice that is offered to the population at large about the adoption of technology. It is, to say the least, undemocratic”.
As wealth becomes increasingly concentrated in the hands of businesses that employ fewer and fewer humans, our society will be riven by inequality on a scale perhaps never before seen. Brexit pales by comparison.
My hon. Friend is making excellent points. Although my remarks on Brexit and technology were limited, I want to emphasise his point. If we agree that part of the Brexit vote was based on people’s sense of disconnect from Brussels and the corridors of power, how much greater will that sense of disconnect be when all decisions are made through technology that monitors but is not under the control of the people?
Exactly. These are essential issues for the democratic character of western market democracies. That takes us back to the question my hon. Friend asked the Minister about the Government’s proposed remedies and policies. As it stands, policy proposals to meet these challenges are phenomenally weak. For instance, they include developers undergoing training in ethics as part of their computer science degrees, companies ensuring that their workplaces are diverse, and individuals who are made redundant by AI, perhaps repeatedly, being able to train for a new career. As I mentioned earlier, universal basic income is one proposal floated to ensure that those who lose their jobs are not made destitute, but that would mean the state taking on a phenomenal welfare burden just at the time when fewer people were able to pay income tax. To make up the deficit, people such as Bill Gates have suggested a robot tax, but would we tax algorithms as well as robots? Trying to define a robot is a legal and regulatory nightmare.
Returning to the question of regulation, before we make good policy, perhaps we need to return to first principles, asking questions about the values we place on work, freedom, privacy, community and justice—in short, what we want our society to look like. From there, we can then discern the role that we wish to allocate to technology, rather than being seduced by the hype of novelty and processing power. We decide the ethical environment and responsibilities of technologists and their platforms, not vice versa. If we do not build policy on a well-defined vision of human flourishing, policy makers run the risk of slipping into techno- solutionism, thereby putting technological and economic progress above people, leaving them to become citizens of those corporations.
Alternatively, we could endorse a somewhat softer technological determinism and use policy only to manage what we euphemistically call “risk”, when what is really at stake is huge social issues: rising inequality, the accumulation of power in the hands of private companies and human dignity itself. Deeper political conversations are required about what constitutes a good life and a good society. That should inform our approach to regulation. We literally need to rethink human rights in a different way, in terms of the preservation of the species. Thanks to my hon. Friend the Member for Newcastle upon Tyne Central, we can start that conversation.
It is a pleasure to serve under your chairmanship, Mr Gapes. I congratulate my friend the hon. Member for Newcastle upon Tyne Central (Chi Onwurah), with whom I serve on the all-party parliamentary group for Africa, on securing this debate and being very fleet of foot in doing so. Of course, we were not supposed to be meeting this week, so goodness knows when she might have had time to secure the debate otherwise. It has been a pretty profound and comprehensive debate, and there is plenty for the Minister to respond to, so I do not want to take desperately long in reflecting as the Scottish National party spokesperson. However, given that we started with some debate about the industrial revolution, I remind Members that if they care to take a stroll through Glasgow Green, they will find the boulder that commemorates the spot where James Watt conceived of the condensing steam engine, and much has flown from there.
I thank the hon. Gentleman for giving way. I recognise that while I did acknowledge a debate between the north-east and the north-west of England as to whether they were the home of the industrial revolution, I failed to acknowledge Scotland’s claim, which is equal. I will only add that obviously Watt’s initial invention was perfected and made commercial as a steam engine in my constituency in Newcastle.
I think there is enough credit for it to be happily shared. It is a timely debate, not least in the context of the Prime Minister’s speech at the UN General Assembly. Both the hon. Lady and the hon. Member for Dagenham and Rainham (Jon Cruddas) have made comprehensive contributions in which there was much to agree with that does not necessarily need repeating.
I am not certain whether the SNP has an established view on transhumanism. We have a vision for the future of Scotland and our population, but whether that extends into the far future of the human race, I am not entirely sure. It is important that we have these opportunities to reflect on this kind of thing, and the idea of starting from first principles is important. A range of significant and exciting opportunities come with the internet of things, but it clearly raises challenges, too. It is already part of some people’s daily lives, perhaps without them even realising or with them already taking it for granted. I know several people who take for granted being able to control central heating from a remote location and switch it on when they are on their way home.
On the roll-out of automated and electric vehicles, I saw a report today on the first tests that will take place in London. The hon. Member for Newcastle upon Tyne Central spoke about her experience of the roll-out of such technology in Africa. I am aware of parts of Africa—Rwanda, for example—where drones are used to deliver medicine and medical devices. That all relies on the technology of the internet of things.
There are undoubted challenges, to which I will return, but I want to reflect briefly on the position in Scotland. Notwithstanding the challenges and the importance of getting regulation right—the United Kingdom Government and devolved Administrations need to co-operate in doing so—the Scottish Government welcome many of the opportunities presented by these technologies. Last year they announced a £6 million project to develop the internet of things across the country. To support businesses to develop new and innovative applications, IoT Scotland provides a wireless sensor network for applications and services to collect and send data from devices without the need for 3G, 4G or wi-fi. Examples include installing smart bins in local high streets that can indicate to local authorities when they require emptying; making the best use of bin lorries through the correct collection cycle, which in turns helps to reduce carbon emissions; and monitoring office environments to lower costs by saving energy. That three-year project includes investment from both the public and private sector, with the Scottish Government investing almost £2.7 million.
Some of that is already coming to fruition in Glasgow, which will become one of the first cities to offer that technology across the board, working in partnership with some private companies to provide the city with over 99% coverage via 22 different gateways installed across the city. Up in the far north in the highlands and islands, progress is being made in using internet of things technology to gather data from the council’s water systems, providing effective ways to monitor and control the risk of waterborne diseases.
Many positive examples of the technology are already being rolled out and working in people’s day-to-day lives. However, it is important that we consider the serious impacts that have been raised. The fact that the Government have consulted is welcome, but whenever the Government publish consultations we want to see the response and we want to know exactly what the next steps will be. I echo the calls for clarity around that.
We already see the challenges arising from data handling in the social media networks and the traditional internet, and these questions will only get bigger. Who controls access to data is a question not only because people can hack and misuse devices or control access and be physically disruptive, but because mass monitoring of data has led to attempts to influence human behaviour as we have seen in the growth of fake news online and fake consumer goods. That kind of manipulation is undoubtedly a real concern and it is important that this is all properly thought through and that we do not rush ahead. This is a global challenge that relies on international co-operation. Every debate in this place seems to touch on Brexit consequences. How will the Government make up for the withdrawal from international co-operation that Brexit represents? How will they re-establish such co-operation on these important issues?
We must also consider our own personal responsibilities. We are forever being reminded in Parliament about the importance of cyber-security and best practice in sharing passwords, devices and so on. That applies equally to any such systems that we and the wider population install for domestic use, whether in households, vehicles or elsewhere. Getting that message out to the public is hugely important. It is right that we have had an opportunity to consider these issues. How does the Minister intend to work with the devolved Administrations on these matters as they become a more and more fundamental part of our daily lives?
What a fantastic debate we have had this afternoon. I congratulate my hon. Friend the Member for Newcastle upon Tyne Central (Chi Onwurah) very warmly on securing it. I am extremely glad that she started with a brief account of the industrial revolution, which started in 1712 when the Newcomen steam engine was demonstrated at Dudley castle, a day that we commemorate every year on Black country day.
The debate that unfolded subsequently illustrated an important point. The steam engine was not perfected until James Watt joined Matthew Boulton at the Soho manufactory. It was 1789 before the first rotary steam engine was sold to a man called Peter Drinkwater, who created the first steam-powered textile factory and lit the spark on a textile revolution in Manchester, which was the beginning of Manchester’s claim. Peter Drinkwater’s factory manager was a man called Robert Owen, who went on to found New Lanark mill in Glasgow. It was 1825 before steam technology was incorporated into Locomotion No.1, which was set to work on the Stockton to Darlington railway. The point is that it was 113 years over which the steam revolution unfolded and began to transform every aspect of this country, including our economy.
The speech made by my hon. Friend the Member for Dagenham and Rainham (Jon Cruddas) was important in setting the wider stage and the bigger story, because the new technology required a revolution in law and regulation. Over the course of the 19th century there was not one factory Act but 22 different factory Acts and Bills, and over this century there will no doubt be just as many different attempts to reform, revise, regulate, legalise and make lawful or unlawful different aspects of the technology that we are debating here today. So my hon. Friend the Member for Dagenham and Rainham was right to say that what is needed from the Government is a plan for a just transition. We now understand what “just transition” means when it comes to climate change, but we need a plan for technology just as much, just as we need a plan for just transition given the new trade conflicts that are now ensuing. The rise of temperature, robots and conflicts will define our economy over the next 20 or 30 years, so we need not only just transition but just transitions, and at the moment we have nothing from the Government to tell us how that journey will be steered over the years to come.
As the Minister knows, because he was at the sharp end of these debates during the proceedings on the Data Protection Bill, which became the Data Protection Act 2018, our approach is rooted in a particular philosophy. Our inspiration is the work of Amartya Sen and the work that he set out first in “Development as Freedom”. Over the course of the revolution in this century, we must ask ourselves what capabilities we want every citizen in this country to have.
Adam Smith talked about how a man might need a linen shirt to go out in public. That was something that people needed in order to participate in civilised society at the time when Adam Smith was writing. These days the capabilities that people need will be different. We therefore have to ask ourselves what those capabilities are and how we turn them into rights. That is why, given the complexity and the regulation and re-regulation that is to come in this century, it would be wise now to set out a document of first principles. We believe that a Bill of digital rights will make the business of regulating far simpler over the next 50, 60, perhaps 113 years. Who knows what the life cycle of this debate might be?
We set out in the debate some of the rights that we think should feature in a charter. We set them out because we wanted to have a debate, and I am pleased to be able to have a bit of that debate this afternoon. I think that some of the issues are uncontested; I think we agree on equality of treatment and on the right to security. I also think we agree on the right of free expression, although we believe that we should incorporate lessons from Germany, which has pioneered the NetzDG legislation to take out hate speech online. I think we agree on equality of access, although, as my hon. Friend the Member for Newcastle upon Tyne Central said, ideas such as the national education service are important here, because of course they will transform rights to digital literacy. We believe in universal digital literacy; we believe that it is a fundamental right for the 21st century. We also believe in a right to privacy; I believe that is uncontested.
However, what is perhaps not agreed on is the kind of rights to algorithmic justice that my hon. Friend the Member for Cambridge (Daniel Zeichner) insisted on during the Committee stage of the Bill that became the Data Protection Act 2018. Crucially, we also believe that there should be some kind of right of ownership and control of data that is created through our use of technology. That was absolutely at the heart of the speech by my hon. Friend the Member for Newcastle upon Tyne Central. At some point, the Government will have to step up and provide some answers as to what they think about this issue. I hope that the Minister will begin that business of stepping up in about five minutes’ time.
These charters—these bills of rights—are meaningless without two further pieces of the puzzle. The first is an effective system of powerful regulation. We are now facing off against some of the biggest, wealthiest and most powerful companies on earth, yet the regulatory infrastructure that we have today would be described by Sidney Webb as a mish-mash: Ofcom; the Information Commissioner’s Office; the Competition and Markets Authority; the Payment Systems Regulator; the Financial Conduct Authority; the Advertising Standards Authority; and the Independent Press Standards Organisation. There is a slew of non-regulatory advisory bodies.
Something like 13 different advisers and regulators have some kind of bite in relation to what happens online. They all do an important job and they are all staffed by excellent people. My hon. Friend used to work for one of them—indeed, she helped to set it up—so she knows very well how long it takes to set up a regulator or to merge regulators. Consequently, we are not calling for some kind of bonfire of the quangos here. What we are asking for is for some proper thought about how those 13 different regulators and advisory bodies might number something closer to one—not one, but not 13, either. We believe that we will have to start bringing these regulators together, if we are to concentrate the firepower that is needed to take on the biggest and most complicated regulatory challenge in human history.
I thank my right hon. Friend for giving way and for the excellent comments that he is making, which have raised some of the key issues we face. In 2002-03, the then Labour Government held a wide-ranging review of the communications sector and the many regulators that existed for television, for radio and for spectrum, etc. Then, in concert with the industry sector, civil society and so on, they developed a plan to bring them all together in Ofcom. That process took time, but it also built consensus and agreement about what the key challenges were. In addition, it enabled the right technical talent to come together. Could that not be a model for developing the right regulatory approach to these challenges?
It absolutely could and it absolutely should, because the truth is that that work will have to happen at some point, so all we are arguing about is when and how. It is inconceivable that we will have 13— now 14—different regulators and advisers; the Data Protection Act 2018 brought in a new organisation, or institution, which is the Centre for Data Ethics and Innovation. We cannot keep multiplying these regulators and allowing them to proliferate.
Equally, however, we cannot take the approach that was taken back in 2010-11, when the Government sought to wipe out many different quangos. They had their bonfire of the quangos and it sounded excellent in the pages of The Daily Mail. Of course, in practical terms, it was a bureaucratic disaster and many of the efforts to abolish organisations that were doing an important job had to be reversed. It was a complete waste of time, energy and money, at a time when civil service bandwidth was under tremendous pressure. So what we are asking for is a road map—a proper one—with a timetable to be debated, in order to bring together the regulatory firepower that is needed to hold to account the biggest companies on Earth.
There is a final piece of the puzzle. We have discussed rights and regulators; the third piece of the puzzle is redress. If we do not have accessible forms of redress, this debate is a waste of time. Yesterday, in the Court of Appeal, the three senior judges handed down a challenge to the Minister by saying that the process that we suggested during the passage of the Data Protection Act 2018 for class action should be implemented. My key question to the Minister is whether he will introduce what is required under that 2018 Act, which is the review that was promised of opt-out class actions, given the advice that was handed down to him in the judgment on Lloyd v. Google in the Court of Appeal yesterday.
For those who have not seen the case, it began in November 2017 and was brought by Mr Richard Lloyd on behalf of millions of iPhone users who, he alleges, had their personal data taken between 2011 and 2012. The Court of Appeal basically ruled that that representative action could now proceed. It found that personal data has economic value—the principle at the heart of the contribution of my hon. Friend the Member for Newcastle upon Tyne Central; that a violation of that right to privacy was a damage; that individuals do not need to demonstrate pecuniary loss and distress; that a loss of control of personal data is the same loss and the same interest, as if there had been economic loss or economic damage; and finally, and perhaps most importantly for the Minister, that representative actions, in which people opt out rather than opt in, are effectively the only way in which such claims could be pursued.
The judges have underlined the argument that we underlined a number of months ago in the Committee that considered the Data Protection Bill and which is at the core of this debate: if we do not have redress, those rights, even the rights that we have enshrined in the Act, are meaningless. We are talking about humble individuals taking on some of the biggest firms on earth. The only way those rights can be made a reality is if we allow effective remedies in court. We have now heard from the judges that those effective remedies are most likely to be class actions. I look forward to the Minister confirming that he will introduce that review forthwith, so that we can at least begin to make some progress on the critical issues that my hon. Friend the Member for Newcastle upon Tyne Central has highlighted to the Chamber.
I begin by saying that I will not intrude on the private grief of where the industrial revolution began; I am certain that it did not begin in Skegness, so I have no dog in the fight. I congratulate the hon. Member for Newcastle upon Tyne Central (Chi Onwurah) on securing the debate. I well remember the work that we did together in the parliamentary internet, communications and technology forum—PICTFOR—and in other forums.
The hon. Lady says that she is a tech evangelist, and so am I. Although I regret the tone of some of her comments about some aspects of the Government’s policy, I think we agree that there is not a huge amount of partisan disagreement on many of the issues. We want to get it right. The right hon. Member for Birmingham, Hodge Hill (Liam Byrne) and I also agree on a huge number of issues, as he said, particularly around discrimination and what we should do to ensure that the well-known principles that exist in the offline world persist online. I hesitate to use the slogan, but we too want technology to work for the many, not the few.
I will begin by seeking to answer some of the questions of the hon. Member for Newcastle upon Tyne Central, which might be a novel approach, although I am sure she will not be satisfied with all the answers. In many ways, as she identified, this is a debate about data, not the internet of things. On the principle of who owns the data, the general data protection regulation applies to data controllers in exactly the same way whether they are processing data that derives from the internet of things or anywhere else, so the principles that we all subscribe to, of the consumer owning their data, should persist. That is a hugely important starting point, and we should acknowledge that there is agreement on it. The hon. Lady frowns as if she disagrees, so I invite her to intervene.
I thank the Minister for the tone of his opening comments. It is certainly true that there are many areas on which we agree. The reason for my frowning is the idea that the GDPR recognises the right of ownership of consumers or citizens. The fact that there is a data controller who is not the citizen or consumer suggests that it does not. As I have said, the GDPR is progress, but issues of ownership and control are still far from clear. My right hon. Friend the Member for Birmingham, Hodge Hill (Liam Byrne) made some excellent points in this area.
The hon. Lady pre-empts my next point: all of this is predicated on consent. The consumer has to understand that they are giving up their data for a particular purpose and a particular benefit. As the hon. Member for Dagenham and Rainham (Jon Cruddas) said in what was a fascinating speech—albeit one where I wondered if I had at times transcended, if not humanity, at least this debate—these are fundamental issues that have effects far beyond what we might think of in an arcane debate about the ownership of data. I commend the approach that says we are dealing with issues that go far beyond a debate about technology, which will have an impact on huge aspects of humanity itself, whether we get them right or wrong. That is why it is important to consider them in that wider way.
The hon. Lady was right to point out that, in some ways, the internet of things represents a whole new chapter of how technology is becoming more common in our homes and making our lives easier and more enjoyable, but potentially also more fraught with decisions that we need to be aware we are making. I will trump the hon. Lady’s numbers: Statista says that by 2025, there will be 75 billion internet-connected devices worldwide—I am sure other analysts are available to provide even higher numbers. In our estimates, that translate to some 15 devices per household by next year. The internet of things is very real; it is already with us.
Before the Minister moves on, I just want to clarify one point. Is it his position to accept that data that is generated as user data does have an economic value, but that it is basically fine for the individual to surrender that economic value through the way in which they consent to use a service?
I feel like the right hon. Gentleman is going to accuse me of wilfully misunderstanding his question, but it is obviously fine for an individual to choose what they do with their own data. If that involves, as he puts it, surrendering the data for a particular purpose, that is their decision to make. I am not sure that that is quite the question he was asking. The point about consent being absolutely in the hands of the user is the most important one to make. That is why the cyber-security of the products that the hon. Member for Newcastle upon Tyne central referred to is so hugely important, in many ways; it is why we have put so much effort into delivering the code of practice for consumer IOT security.
The hon. Lady mentioned the sale of potentially insecure devices, which is one of the key planks that we are seeking to address. People want to have implicit trust in their devices and they need to have confidence in how their data is being used, not just when they first purchase that device but into the future as well.
The Minister is helpfully helping me join some dots. Why does he think that it is right for the Government to intervene to ensure that the consumer has particular cyber-security protections but not to ensure that the consumer enjoys any particular economic protections, for example around the value that is created through third-party use of their data?
It is obviously about a balance between different situations. The Government, in a host of ways, provide a degree of opportunity for the kind of protection that the right hon. Gentleman seeks. In other fields there are already opportunities for redress in extreme circumstances. In some ways he and the hon. Member for Newcastle upon Tyne Central are asking for greater coherence in this space, and others. It is precisely for that reason that my Department is developing the strategies that they both referred to. On the one hand he seems to attack the bonfire of the quangos, but on the other he seemed to want fewer regulators, so I am almost reduced to asking what his favourite number is.
My point is simply that according to the Chancellor of the Exchequer I will soon not be allowed to sell my labour for less than £10.50 an hour. The Government have put a floor on the economic freedom that I enjoy, and that is giving me a degree of economic protection. Why does not the same principle apply to the way in which my data as opposed to my labour is exploited?
That is a philosophically interesting question but it is also obvious that at the moment data is readily given up in exchange for a service. I am not sure whether the right hon. Gentleman would therefore seek to put a value on the service and say, “That service, whether offered by Facebook or whoever, should not be worth less than a certain amount.” That seems to be the logical conclusion of his argument, which is why I say it is perhaps more an interesting philosophical question than a practical one.
I am conscious of the time, but this is all very interesting, so I am happy to give way.
It is more than interesting. It is critical. Is the Minister assured that people are involved in a free exchange, and that there is transparency—that they understand the terms and conditions of all the things that capture data on their devices? I am certainly not. I think most people who look at it are convinced that people do not know, so they are not getting the economic benefit of that behavioural data.
Essentially I agree with the hon. Gentleman that it is obvious that not everyone reads the terms and conditions of every single thing they have signed up to for any website; but it seems to me that Government’s role in this space is not to stop people making those decisions. It is to make sure that people have a better understanding of the decisions they make, and that they trust the companies that are doing whatever it may be with their data. That obviously requires us to put certain constraints on the behaviour of companies, as we do in every other circumstance. However—and I do not think the hon. Gentleman is suggesting this—it should surely not be for us to say that people should not be allowed to make certain decisions. I think that on the Government side of the House we would be keen to free people up to make whatever decisions they reasonably want to make.
The Minister is being incredibly generous and this is the last time I shall intervene. To round out the picture that my hon. Friend the Member for Cambridge (Daniel Zeichner) is presenting, network effects mean, obviously, that in social media land we have monopolies—or, if not monopolies, certainly oligopolies. It has long been an established principle of consumer welfare protection that there should therefore be some kind of price protection. In a debate about how we protect and enhance the economic welfare of the citizen if we do not recognise a defined value for their data—which they are not freely surrendering into a free market, but giving over to a monopoly—surely the quid pro quo is some kind of price regulation on the other side. The Minister cannot have it both ways.
The right hon. Gentleman raises a lot of points in one short paragraph. I understand what he accuses me of seeking, when he speaks of having it both ways. Actually the services that are offered digitally, ostensibly free, are different from services in a physical world where we might talk about the kind of monopoly that he has mentioned. In that sense, all he is doing is underlining why we need to get things right, in a way where the digital challenges are understood, without reinventing the wheel and pretending that all online challenges are necessarily different from those in the physical world. It is an emerging picture, which is why I refer back to the technology innovation strategy that we published in June 2019 and that includes new measures, such as the Spark procurement programme, to enable Government and the wider public sector to benefit from new digital technologies and the service that can be provided by stimulating the UK’s world-leading tech sector. It is also why we set up the Centre for Data Ethics and Innovation, which will allow us to consider how we might best benefit from those opportunities and ensure that we seek not to design in the kind of prejudices that the hon. Member for Newcastle upon Tyne Central mentioned. One of its first papers is on smart speakers and voice assistants and on how industry and Government can work together to ensure that the products do what they are supposed to and that users consent to them.
We should also be mindful that the 75 billion devices, or however many there turn out to be, will have a physical environmental impact. I am therefore pleased that as part of its resources and waste strategy, the Department for Environment, Food and Rural Affairs has committed to updating the existing guidance for local authorities on managing the collection of smart items and similar electricals. That might sound like a minor point, but it is probably less minor than others.
The hon. Lady mentioned the Prime Minister’s speech at the United Nations General Assembly. I am not delivering the rhetorical flourishes that he delivered late at night at the UN, but it is important to say that he made that speech in that location because this country is already a world leader in this area in so many ways. It is right that our Prime Minister is addressing these issues and the legitimate public concern.
It is also right that, as several hon. Members have mentioned, when we seek to regulate in this area and on online harms, we in this country and across the parties should be proud that the UK is a liberal democracy that seeks to lead the way. We have an opportunity to shape a global debate, as my Opposition counterpart, the right hon. Member for Birmingham, Hodge Hill, observed.
In some ways, the greatest thing we can do is use Britain’s status in this area and on the world stage to try to develop global standards. The hon. Member for Newcastle upon Tyne Central mentioned those of the ETSI, which in its way is world-leading: it seeks to produce standards that can be replicated or mirrored globally, addressing some of the coherence that risks arising in the area. She says that we are not providing leadership and quotes the Prime Minister’s speech, but I say that his speech demonstrates the existing status of Britain’s leadership in the area already. If I am being kind to her, although we disagree on several minor issues, I should say that she too would agree that Britain has a huge opportunity to capitalise on its place in the world on this issue.
In June, we published a White Paper, “Regulation for the Fourth Industrial Revolution”—we are sticking to that number, although I understand that there is a dispute over whether it is correct. It confirms that the Government will establish the regulatory horizons council to identify the implications of precisely the sort of technological innovation that the hon. Lady spoke about, and to advise the Government on regulatory reform so that we can take exactly the kind of steps that she highlights.
In that process, security should not be an afterthought; it has to be embedded. Thus far, we have taken the approach of working with industry, and industry is now saying to Government—the hon. Lady will have heard these calls as well—that greater clarity, particularly in regulation, will help consumers and the industry itself. Many of the internet-connected devices that are currently on the market still lack even the most basic cyber-security provisions. Some 90% of 331 manufacturers that supply the UK market and that were reviewed in 2018 did not use a comprehensive vulnerability disclosure programme up to the level that we would expect; I think that hon. Members on all sides would agree that that is unacceptable. Organisations have a duty of care to their customers, to help make sure that they can access and use their internet-connected products safely.
Although Government have previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that stronger cyber-security is built into these products by design. That is why we launched our consultation on secure consumer IOT in May. That consultation built on the extensive work to which I have referred. It allows us to talk about minimum security principles for connected devices, which my Department elaborated on in the document published last year. Our focus will be on ensuring that there is a baseline of cyber-security built into all consumer IOT products by design, to eliminate the most harmful practices.
These are, I freely admit, low-hanging fruit. We wish we did not have to tackle issues such as forbidding the use of universal default passwords, ensuring that manufacturers provide a contact point for security researchers, and making sure that consumers are informed at the point of sale of the minimum length of time for which security updates are provided for their device. Those measures address some of the issues raised by the hon. Member for Newcastle upon Tyne Central, and we would like to go further in due course. We will respond on what that will look like as soon as possible after the consultation.
We are advocating a staged approach to enforcing those principles through regulation. Obviously, there is always a balance to be struck between regulation and legislation, and in this case I think it will be a bit of both. We will publish the formal response to our consultation on the regulatory approach later this year, but we are mindful of the urgency of this work. Our approach must keep pace with the technological change identified by the hon. Lady. We have said that we will review the code of practice every two years. The development of the code of practice may not sound exciting, but as the hon. Lady acknowledged, and as the hon. Member for Dagenham and Rainham said, these things are hugely far reaching, even if they do not sound as exciting as some people might wish, because then they would attract the attention they perhaps deserve.
There is major business support for our approach, including from the signatories to the cyber-security tech accord. I always hesitate to say “major business support”, because businesses will not always necessarily greet with enthusiasm the actions of a sensible regulator. Some would say that this is a sign of success. We will develop the strategy, but ultimately the security of the internet of things is a global challenge and it requires a global effort to get it right and to shape those norms.
In February 2019 we worked closely with international standards bodies and the National Cyber Security Centre to make sure that we publish the ETSI standard to which the hon. Lady referred, though without the complementary tone it deserves. None the less, I understand her point.
We do not think it is right to expect all users of all internet-connected devices to become cyber-security experts, and we recognise the need to take from them the burden of differentiating between good and bad. That is why we have been clear with industry what good practices will look like, and we wish to support manufacturers of all sizes to embed them and to support retailers to make sure that they are obvious.
I thank the Minister for giving way. In the absence of any time to sum up, I want to thank him for his comments and to confirm that I will write to him with my list of questions so that he can answer them in full. Will the regulatory horizons council cover all regulation with regard to technology or only that relating to manufacturing, and does he agree that this is about not only consumer data but citizen data, because it relates to Government as well?
I absolutely agree with the hon. Lady’s second point. The council will, of course, be wide ranging. I look forward to answering her comprehensive list of questions, and I will be grateful to Hansard for providing clarity on them.
Finally, in response to the intervention from the hon. Member for Cambridge, this Government do not think there is a choice between innovation and security. We have to make those two complement each other. That is at the core of our strategy and will continue to be so, and I would hope that we can move forward together with the cross-party consensus to which the hon. Member for Newcastle upon Tyne Central alluded.
Question put and agreed to.
Resolved,
That this House has considered regulating the internet of things.