Public Bill Committees
We are now sitting in public and the proceedings are being broadcast. I have a few preliminary announcements. If hon. Members with speaking notes could email them to hansardnotes@parliament.uk, that would be very helpful to Hansard. Similarly, officials in the Gallery should communicate with Ministers electronically. All electronic devices should be switched to silent mode. Unlike in Select Committees—although these proceedings are similar—tea and coffee are not allowed during sittings.
We will first consider the programme motion on the amendment paper, and then a motion to enable the reporting of written evidence for publication, and a motion to allow us to deliberate in private about our questions before the oral evidence session. In view of the time available, I hope that we can deal with these matters formally. We discussed the programme motion last week at the Programming Sub-Committee.
Ordered,
That—
1. the Committee shall (in addition to its first meeting at 9.25 am on Tuesday 15 March) meet—
(a) at 2.00 pm on Tuesday 15 March;
(b) at 11.30 am and 2.00 pm on Thursday 17 March;
(c) at 9.25 am and 2.00 pm on Tuesday 22 March;
(d) at 11.30 am and 2.00 pm on Thursday 24 March;
(e) at 9.25 am and 2.00 pm on Tuesday 29 March;
2. the Committee shall hear oral evidence in accordance with the following Table;
Date | Time | Witness
Tuesday 15 March | Until no later than 10.25 am | Protect & Connect; The Country, Land and Business Association; The National Farmers’ Union
Tuesday 15 March | Until no later than 11.25 am | The IoT Security Foundation; The Internet of Secure Things Alliance; techUK
Tuesday 15 March | Until no later than 2.40 pm | Professor Madeline Carr, University College London; Copper Horse Limited
Tuesday 15 March | Until no later than 3.40 pm | Openreach; CityFibre; Speed Up Britain
Tuesday 15 March | Until no later than 4.20 pm | BUUK Infrastructure; The Internet Service Providers’ Association
Tuesday 15 March | Until no later than 5.00 pm | Which?; Refuge
3. proceedings on consideration of the Bill in Committee shall be taken in the following order: Clauses 1 to 66, the Schedule, Clauses 67 to 78, new Clauses, new Schedules, remaining proceedings on the Bill;
4. the proceedings shall (so far as not previously concluded) be brought to a conclusion at 5.00 pm on Tuesday 29 March.—(Julia Lopez.)
Resolved,
That, subject to the discretion of the Chair, any written evidence received by the Committee shall be reported to the House for publication.—(Julia Lopez.)
Copies of written evidence that the Committee receives will be made available in the Committee Room and circulated to members by email. I would usually call on the Minister at this stage to move the motion for the Committee to sit in private, but I do not think that the Front Benchers on either side want to move into a private session, so we will continue sitting in public and the proceedings are still being broadcast. Before we start hearing from the witnesses, do any hon. Members wish to make declarations of interest in connection with the Bill?
I am a former worker in the cyber-security industry, and have worked for a couple of the witnesses giving evidence today. One is techUK; I have also worked for BT, which of course owns Openreach. I also draw the Committee’s attention to my entry in the Register of Members’ Financial Interests: I undertook some work in cyber-security for MHR between May and December last year.
Thank you. The Clerks will note that declaration from Ruth Edwards; and Ruth, if you wish to refer to it later in the proceedings, do so.
This is slightly tangential, but better declared than risked. The Grundy family farm has a mobile phone mast, for which my father receives yearly payment.
Thank you. The same applies.
Examination of Witnesses
Anna Turley, Dr Charles Trotman and Eleanor Griggs gave evidence.
I welcome the witnesses to the meeting, and thank you for your time. Before calling the first Member to ask a question, I remind all Members that questions should be limited to matters within the scope of the Bill and that we must stick to the timings in the programme motion to which the Committee has agreed, so this session will end at 10.25 am sharp, or earlier if we run out of questions. I ask the witnesses to introduce themselves briefly.
Anna Turley: My name is Anna Turley and I am chair of the Protect and Connect Campaign.
Eleanor Griggs: I am Eleanor Griggs, land management adviser for the National Farmers Union, representing about 47,000 farming members.
Dr Trotman: I am Charles Trotman, chief economist at the Country Land and Business Association. We represent 28,000 members across England and Wales. I am also chair of the rural connectivity forum, which represents rural organisations to industry and Government.
Thank you. Let us move first to the Minister to ask any questions that she may have.
Q
Anna Turley: Thank you for meeting us to discuss our campaign. I should have mentioned at the outset that we represent all the site owners around the country who host telecoms communication infrastructure on their land.
I am afraid that we are not seeing the same tailing off of difficult cases; a number of cases are continuing to come to us where leases are up for renewal, yet telecoms companies are behaving in quite an appalling way. We have cases of rent reductions, often starting at 90% to 95%, and that is par for the course—it is not a small handful of extreme cases. In a large number of cases across the country telecoms companies are coming in often with very aggressive legal notices, which are quite intimidating and making people feel that they are being steamrollered by those large companies. People feel that they have no ability to participate in the legal process, and are obliged to take those cuts of 90% to 95%. If you are a small community group, a church or a sports club, the difference between £4,000 and a couple of hundred is huge and has a great impact, especially when you believed that you had that income for the next 10 years. The impact on people has been huge and it has been pretty devastating since 2017.
Our frustration with the Bill is that it fails to address the root causes of that problem. The valuation issue is affecting people deeply, and the Bill will not deal with that. Those cases will continue to arise, and in fact the Bill will expand the number of people who will be affected by the 2017 code through the Landlord and Tenant Act 1954 and the Business Tenancies (Northern Ireland) Order 1996. Between another 3,000 and 4,000 people in Ireland will be affected by the 2017 code changes, as well as thousands of others across the UK. Those cases will not diminish, nor will the huge drops in rent, and that is having a devastating effect on a lot of small landowners and property owners around the country.
Q
Anna Turley: I would say that we are dealing with in the region of a few thousand. I have a number of case studies from Members’ constituencies around the country. I am afraid that I do not have a total overall figure, but there are 33,000 site owners around the country who are affected by this. Thousands of affected people have come forward to us via social media and lobbied their MPs. I would be happy to write to the Committee with a full number, but as I said, it is in the thousands. This is not a small number of unique people; this is par for the course. Colleagues here will represent their members in such cases, too. They are not a small minority that we have cherry-picked; this is happening across the board.
The campaign was set up because there was no way for, say, a church in Scotland, a rugby club in Wales and a farmer in Surrey to come together to stand up for their rights as landlords, to talk about how this was affecting them, and to have their voice heard by Government. Legislation was continuing to be developed, through pressure from mobile operators, which have long-standing and strong connections with Government through their large lobbying organisations. The views of ordinary people about the impact of the legislation on them were not being heard.
Q
Anna Turley: Absolutely. Someone in Cambridgeshire wrote to us who has two masts on their farm:
“I have recently gained Planning Approval for 5 Houses on my land Immediately next to the mast positions. Not only do I appear unable to refuse to renew the Lease…their current offer is derisory at £750 per annum which is less than 10% of the current rent.”
Another, in Peterborough, said:
“It’s been two and a half years out of lease, they had agreed all the new terms of the lease, just about to sign off. Then all change and they pulled out, and offered £500 per year and not heard anything since. These tower operators make dodgy used car salesman seem like Saints.”
We have hundreds and hundreds of those. Churches, for example, are saying that they can no longer keep to their plans for the upkeep of their buildings. Sports clubs say that they will have to ask parents for more, so that their kids can play on the team. The impact of a rent cut from £4,000 to just £350 is devastating for small community groups and small businesses. They feel that nobody is standing up for them or listening. The impact of the new legislation will make that even worse.
Q
Anna Turley: The first recommendation would be to go back to the Law Commission proposals of 2013. The Law Commission suggested a market-based valuation approach that was closer to the previous approach but still delivered savings to the operators. That was widely accepted as a very positive way forward. If that were taken as the approach to valuation, it would deal with the root causes of the issues and the imbalance brought by the 2017 changes, which essentially gave all the power to the operators.
As for the Bill, a number of further changes will damage and affect smaller landlords. For example, the Bill brings in backdated payments. Again, that could have a devastating impact on a small community group that is being asked not only to accept huge cuts in their rent, but to backdate their bills. There are issues on the definition of “occupier”, which others will talk about. That could give operators the opportunity to change or modify agreements that were entered into in good faith and still have time to run. We would like more protections for landlords, to protect them against poor behaviour by operators. For example, alternative dispute resolution should be mandatory. There should be the power to impose fines on operators for bad behaviour. We would like a statutory code of practice for them as well.
We are also very concerned about changes to the Landlord and Tenant Act 1985. We do not believe the reforms to valuation should be extended to the new legislation. That could set a huge precedent for all kinds of things such as wind turbines, and could bring the 2017 changes into effect for thousands of people who previously were not covered.
We would also like to see an evidence base; that is one of the most important things. Five years after the changes were brought in, there has been no full impact assessment of the 2017 changes. There is no evidence base, but it was promised, during the passage of the Bill in 2017, that there would be a full assessment by 2022. We have not got a clear enough sense of the impact of those changes. Here we are again, bringing forward new legislation without having a proper evidence base for those 2017 changes.
Finally, we would also like more reporting requirements on the operators. We have no evidence that the money they have saved since 2017 has gone back into building new infrastructure. Everybody wants connectivity. All our members want better connectivity and wi-fi, but the reality is that money is not being invested back into the infrastructure. It is disappearing into the profits, and there is no onus on operators to show where that money is being saved and how it is being used. We would like there to be more reporting requirements on them.
Before Chris Elmore asks another question, let me say to the other two witnesses, who are appearing virtually, that if at any stage they wish to add anything to what has been said, please indicate that to me, and I will call you.
Q
Dr Trotman: No, it does not. The Minister hit the nail on the head: you need balance in the market. What the 2017 changes did and what the part 2 changes will do in this Bill is further skew the marketplace. As Anna said, if the Government had taken forward the Law Commission’s recommendations back in 2013, we would not be in this situation. We would be moving far faster towards universal coverage, which we all want, and which, as the covid-19 pandemic proved beyond all reasonable doubt, we all need. The problem we have is that this element of distrust between site providers and operators has shifted clearly in favour of the operators. The market is not working as it needs to.
As far as the CLA and I are concerned, it is incumbent on the industry, rural organisations, telecom companies and trade associations to come together and work out the differences. It is the role of the Government to assist in that process. If we cannot get the balance right, effective deployments will be delayed. That delay will severely limit the ability of rural communities to increase social inclusion, and reduce the ability of rural businesses to pick up and recover from the pandemic, and from the cost of living crisis that we are likely to face in the next six to 12 months. We need to get the balance right, and we still have not got it right.
Q
Dr Trotman: No, it makes it worse. That is our concern. We have an opportunity here to bring the industry together. Unfortunately, what part 2 of the Bill does is pull the industry further apart. The sector and the market were beginning to settle down after the 2017 changes. The Government then decided that the changes were necessary. We do not know why—as Anna said, there has been no real assessment of the impact of the changes on the marketplace.
On the case numbers that the Minister was talking about, you have to bear in mind that a lot of these agreements are placed under non-disclosure agreements, so we do not have the information we need to assess how wide the problem is. Given all the cases we have, it is clearly a very serious problem. The key is for the industry to get the balance right and for the Government to assist.
Q
Dr Trotman: If the Government could give us the assurances and safeguards that we need that a voluntary system would work, I think that would be satisfactory. However, we have not seen that so far in our discussions with Government officials. If it is going to work as effectively as we want it to, it will have to be a mandatory mechanism.
If the ADR system works, it will reduce tensions in the market, because it means that site providers, for example, who are in dispute with the operators, would not be threatened with going before the courts. There would be an opportunity to negotiate under the premise of an arbitration process. However, we must ensure that that is available. That is where we need the safeguards. If we have those safeguards, and they are clear and consistent, then a voluntary system may be appropriate. However, from what we have seen so far, that will not be the case. We are not certain that the Government’s guarantees will work—that is the key point—so it has to be a mandatory system.
Q
Eleanor Griggs: My opinion is very similar to Charles’s, really. As it stands, I cannot see any option other than to make it mandatory to protect our members, who do not necessarily have that negotiating power, given the statutory powers that operators have, which could potentially be increased should the Bill, as introduced, go through.
Q
Eleanor Griggs: Yes, a lot of members have contacted us over the past few years, including quite a few recent cases. Obviously, those are under the 2017 changes. Many do focus on the rent, because that seems to be the trigger point, but then, when you look at the 90% decrease in rent, and then at the further terms that operators are trying to claim on renewals, those too are very unfavourable. They are not included within the code—they are not code powers—and have the impact of limiting what members can do across not just a small area contained within the deeds, but sometimes much larger areas, and sometimes an entire farm.
On the valuation itself—the reduction in rents—at a time when agriculture is seeing the loss of its EU subsidy payments under the common agricultural policy, it needs to be looking at alternative income streams. That, in itself, means that they will not be looking at mobile phone masts, as they did pre-2017, to get those income streams, but—this is leading on to the second part of the question—farmers will be looking to try to get income streams from every little piece of their land now. That will mean that there will not be any scope for something that does not pay very much money, but also does, or potentially could, include quite a lot of hassle through behaviours of operators and contractors when they are on land. It is not a very attractive prospect to have an operator on land now.
Thank you. Will any Members wishing to ask questions please indicate that? Ruth Edwards.
Q
Anna Turley: That is in total.
Q
Anna Turley: Well, we know that a third of them have had reductions of around 90% or 95%; that is from our own survey approaches. Going back to the Minister’s first question, I could write to the Committee afterwards with the exact number. Thousands of people have written to us through social media and email, and have responded to our website. I do not have a total number for all those who have contacted us, but there are thousands of case studies across the country.
You must have a rough idea. Is it something like 10% or 50%?
Anna Turley: I would say that probably about 4,000 people have reached out to us, but again, people have to be aware of our campaign. They have to have found us—come across us on social media. They have to have been engaged with us. It does not mean that there are not an awful lot of people sitting and suffering in silence. Part of the reason for setting up this campaign was that there were people who were just in despair and really struggling. Our campaign was set up to give them a voice and to give them access. I think this is really important. When the legislation was made previously, you were hearing only from mobile operators—those on the other side. There is no roll-out and no connectivity without people hosting a site on their lands. These people are fundamental to us hitting our targets, and we need to make sure their voices are heard in this campaign.
Q
Anna Turley: I am not sure about that, but I know that internationally we compare very well. Our rents pre-2017 were not significantly higher than those in other countries, like Germany, Spain, Italy and others that are substantially ahead of us in the roll-out. I do not believe, and evidence does not suggest, that cutting these rents has actually increased our roll-out and our connectivity.
If you want to make the comparison with other utilities companies, the issue for all of those is that they are very tightly regulated industries, whereas there is very little regulation, and very little accountability and transparency, on the telecoms industries. If they are to become an essential utility—that may be the way we go, down the line—it is fundamental that the same kind of transparency, accountability and regulation is placed on them as is placed on utilities at the moment. That is not the case. We have no idea whether the savings that have been made through this have been reinvested in new infrastructure. There is no onus on these companies to do that. The Government are continuing to subsidise them with things like the shared rural network. It seems to be money after money towards these companies, without any indication of whether that money is actually being invested in helping us to achieve our connectivity outcomes.
Q
Anna Turley: We are funded by an organisation called APW, which is a company that is a telecoms—sorry, a company that owns a land infrastructure itself. But as I say, we are supported by colleagues like the NFU, the CLA and others who back our campaign, and we represent all the site owners that have contacted us over this time to get their voices heard.
There are huge organisations, like Speed Up Britain and Mobile UK, that have very good connections with Government and are able to lobby and present their side of the argument. Until Protect and Connect was set up, there was no collective voice—no unified way in which site owners could speak to Government and tell their story. I think it is really important that we hear about this. I have examples here of constituents of your own who are saying, “We have telecoms masts. In view of the impact on our rent, I would certainly not have allowed the siting of masts on my property.” A number of people and organisations around the country would not have had this voice if we were not providing this campaign.
So that’s the phone mast lease investment firm?
Anna Turley: Yes.
What’s their interest in this?
Anna Turley: Obviously they are a site provider—
So they would stand to gain substantially financially if we increased rent valuations.
Anna Turley: They have been losing substantially since 2017, so, yes, of course there is a financial interest. The point of the campaign is that they, by themselves, do not have a voice, and without their funding this campaign neither would all the other affected organisations—charities, community groups and others. If a representative of Speed Up Britain were here, you would recognise that there is a financial interest for mobile operators as well.
We have been very clear about the issue. Of course, the valuation is important and the money is important. I am a member of the campaign because bad policy has been developed over the past few years that has basically put all the power in the hands of a large number of mobile operators. Ordinary people around the country have been absolutely hammered by that and have not had the opportunity to express the impact on their lives and livelihoods. The campaign is a really important one to address that balance.
Just to be clear, I do not think that there is anything wrong with APWireless lobbying for their interest; like you say, big telcos would as well. For clarity and transparency, however, I think it is important for people to note that Protect and Connect does not just represent small landowners and community groups; it also represents APWireless, which describes itself as one of the world’s leading mast lease investment firms, with thousands of leases in 21 countries across the world. I think it important that we have that on the record.
Anna Turley: Absolutely; no problem with that.
I remind Members that we should confine ourselves to questions, not to straightforward dialogue.
Q
Anna Turley: Yes, I think that is the case. The fact that we are back here again shows that roll-out has not improved, nor has connectivity. We have had further subsidies through the shared rural network. More than 300 cases going through court have been bogged down, whereas prior to the 2017 legislation barely a handful of cases went to court. That has resulted in a huge amount of litigation and conflict between site owners and operators, which simply did not arise before. That is holding back our roll-out and affecting GDP. We are falling behind our international competitors. The changes in the 2017 code mean that there is now so little incentive for people to host sites on their land that we are at risk of further jeopardising our connectivity goals and achieving the outcomes that we all want.
Q
Anna Turley: Going back to your point about the Bill, that was not what was envisaged at the time. The impact assessment predicted a reduction of around 40%. Even Speed Up Britain has said that the average reduction is around 67%. We would dispute that, but without the evidence it has been incredibly difficult to show that. We have a huge number of cases where the operators have come in at a 90% to 95% reduction. That is par for the course.
There is an incentive for the operators to take cases to court to try to push for the biggest cuts that they can, because they can apply that across the board. The frustration is that we see them come in with large rent reductions, often bullying small landowners, families, small charities and community groups. Those people are having to accept cuts of between 90% and 95% because they simply do not have the wherewithal to go through lengthy legal processes to combat the huge strong legal arms of those organisations. They are simply having to submit to that.
To go back to your point about outliers, we have also tried to get information about the impact on local authorities, because a huge number of local authorities host these sites, as well as a number of hospitals and other public buildings. Again, we are seeing 80% to 85% cuts to local authorities. Leeds City Council, for example, has taken a reduction of 85%. That is thousands of pounds lost to local authorities. At the same time as we have heard that dairy and other farmers are being encouraged to expand and diversify their income, or local community and charity groups are being told to be entrepreneurial and to diversify their income, local authorities have had huge cuts over the past decade, as we know, and they are trying to get their income wherever they can. It seems crazy for them, essentially, to be subsidising private companies that might be making £10 billion in profit last year. That is money taken away from our local authorities, small charities and community groups, and it is not a small handful of them; this is happening across the board.
Q
Dr Trotman: First, we have to understand what the Government’s levelling-up agenda is to begin with. If we look at the levelling-up White Paper, out of 332 pages, there are only 39 references to “rural”, so maybe the Government’s objectives do not relate to rural areas. There needs to be a levelling up not just of north and south, but of rural areas compared with urban.
We have always said—I said this earlier—that, as far as we are concerned, our overall objective is universal coverage, because we can see the benefits. The very fact that I am Zooming into this meeting at the moment illustrates the benefits of effective and affordable broadband connections. We understand what the benefits are and we want to see faster deployment, but we also want to see both parties playing fair. This is where I said that the ADR mechanism is a workable solution, if we can get it right.
We have to look at the positives of this as well. There is one big positive in terms of rural wayleaves on fixed-line infrastructure. With the NFU, we secured from Openreach and Gigaclear—the two big infrastructure providers for fixed-line connectivity—a wayleave agreement. We have had that since 1 October 2018, and it works. If we can get it right for fixed-line rural wayleaves, what I do not quite understand is why we cannot get it right for fixed-line urban wayleaves—Anna’s point about local authorities is a good one—and in the mobile sector.
The major criticism that we have of the 2017 changes and of this Bill is the fact that we are talking about mobile infrastructure. We are also talking about the tactics being employed by mobile operators, which at the beginning of 2018 were not that conducive to effective negotiation. Basically, it was, “We’ll offer you a little carrot, but if you don’t agree, we will hit you over the head with a big stick.” Hopefully, we are getting away from that, but again, it underlines the point that we have a major market imbalance, which we have to get right if we want to get to the point of universal coverage.
Before I bring in Rebecca Long Bailey, Eleanor Griggs, did you wish to say something?
Eleanor Griggs: I have just a couple of points. If statutory powers are given, there needs to be some sort of accountability on the part of operators, with, essentially, sanctions if those powers are abused or not used responsibly. That sort of thing needs to be considered, because at the moment there does not seem to be any comeuppance for the poor behaviour that my members have had to endure. Are we looking at consensual agreements that are reached by negotiation, or are we looking at consensual agreements that are reached because somebody cannot afford to defend their position or get slightly more favourable terms at tribunal? It is quite cost-prohibitive, certainly for the smaller individual landowners. I do not know about the monopoly landlords that the Bill’s impact assessment talks about quite a lot, but it is quite prohibitive for our smaller members.
I would also like to make the point that the NFU has an annual digital technology survey. The most recent figures—we have not quite had the 2021 figures in yet—are the 2020 figures. Going back to 2015, 29% of our members reported that their outdoor mobile signal was reliable. By 2017, that had risen to 42%. Obviously, that is a really big increase from 29% in 2015 to 42% in 2017. By 2020, it was still at 42%, so no advances have been made from the introduction of the code, essentially; that is quite important. Various other figures mirror that—smartphones with access to 4G and things like that. It just shows a stagnation from 2017 onwards. We just need to be careful that that does not continue or, in the worst case scenario, get any worse.
Q
Anna Turley: That imbalance of power is absolutely something that we see throughout our case studies. If I may, Ms Long Bailey, there is someone in your constituency who has had a mast and a hub on their property for 25 years, and EE is now trying to force a rent reduction of around 86%. They said:
“On this basis we will not renew any lease”
and that they will do everything in their power
“to have the site removed, all land owners near us are aware of the situation and will not entertain the idea of situating on their property.”
That goes exactly to the heart of it; people just feel powerless. Many often cannot have the site removed even when they want to, because of the legislation. It is having the knock-on effect that people do not feel incentivised, or do not want to have the site on their land, not only because of the lack of income, but because of the disparity in power and the threatening legal pressure from those companies. It is a David and Goliath issue. People are having to take on huge companies with huge legal arms, and they just do not feel that they can compete with them. That is a real issue.
We have suggested a few ways in which the Bill could at least make the negotiations fairer by making the ADR mandatory so that operators are obliged to undertake that. There ought to be fines for poor behaviour. There ought to be more scrutiny and a code of practice to put an onus on better behaviour from the operators in the way they deal with site owners. We think that would go a long way to addressing that balance, as well as putting some reporting requirements on them.
Eleanor Griggs: Yes, I would say pretty much what Anna has said. For us, it is about looking at the Landlord and Tenant Act and how it will affect a lot of our members who are currently on landlord and tenant leases that are due to expire or perhaps already have. According to the figures from Mobile UK that were used in the impact assessment, there are just over 7,000 expired leases, with another 2,000 due to expire within one year. Bringing the Landlord and Tenant Act valuation for renewals in line with the code removes the transitional provisions that were intended to ease landlords into the new 2017 code. It means that the holders of the leases that are going to expire will have no time to prepare financially for the sudden income loss that they will face. We would look at removing that proposed amendment to the Landlord and Tenant Act.
We would also look at the interim rents side of things. As Anna has alluded to, there are potential issues that could mean that a small landowner would end up having to pay back rent to a large operator. We have a member in Mr Double’s constituency who had a lease that was due to expire that was achieving a rent of £3,500 a year. The renewal figure that he received was £17.50 a year. If the operator were to apply for an interim order and that order took a long time to come through, or the court took a long time to make that order, our member would still receive the £3,500 in the meantime. Then, if that took a year, he would have to pay back almost £3,500. Operators could use the proposed interim arrangements for indefinite periods of time, rather than looking to eventually get to either a court or tribunal-imposed agreement, or a consensual agreement. There are implications for landlords.
Thank you. Dr Trotman?
Dr Trotman: There are two things here. First, we understand that there is a lack of awareness as to what the code is, what it is meant to do, how it actually operates and the various tactics that are used, whether they be operators or site providers. Secondly, leading on from the lack of awareness, there is a lack of education. We are not just talking about on a wider scale—the general public, or site providers who may be in your constituency or anywhere across the UK; there is a lack of understanding and a lack of awareness within the industry itself. That is an important point.
One of the key fundamentals in resolving that issue is to have a code of practice that actually works, which we have from the 2017 revision of the code. At the moment, the code is doing absolutely nothing. Eleanor and I were part of a working group that drafted the initial form of the code of practice. What we have now—how it actually works in practice—is not worth the paper it is written on.
If we are going to have a code of practice and that is going to be a requirement of the revised code, let us make sure that that code of practice has some legal teeth. The only way it can have legal teeth, at the moment, is if it is appended as an annex to a code agreement. Very few site providers would understand that, and from what we have seen it is likely that very few agents and solicitors who deal with the code agreements understand that either.
Again, it is a case of getting the information out there, getting people educated as to what the code is and how it works and increasing the level of awareness. By doing that—again, going back to the point I made right at the beginning—you are creating a balance in the marketplace; you are having a more equitable system as we move forward. That then leads to faster deployment, and our ultimate objective of universal coverage. With what we are doing, if we have a deadline of 2025 or 2030, it is highly unlikely that those will be met, because there are too many problems and complexities within the system as it operates at the moment.
Q
Anna Turley: That is a really interesting question. We have not seen particular companies standing out any more than others. I think that they all have strong legal arms and come in with a very strong approach. However, what we have seen change, even since the 2017 code changes, is the development of tower companies, which I think is an interesting thing that has not really been taken into account when looking at the new changes.
These middlemen have been created, where tower companies will now rent the site from the landlord and use the code to cut the rent that they are paying, but will continue to charge high amounts of money to the telecoms companies—Vodafone, EE, Three, and others. The savings are not actually going back to those original companies, but somebody is making money in the middle. I think that is an important change in the market, partly, I think, because of the 2017 changes, which has not been properly explored.
Again, I think that we should be looking at that before we change this legislation, because the development of tower companies has distorted the market even further. It has not resulted in reinvestment in infrastructure, and is essentially creating middlemen who are profiting off the changes brought in to essentially accelerate 5G roll-out, and that money is not going back into the development of infrastructure.
Q
Anna Turley: Yes, that is when we started to see them emerge. They are a recent phenomenon.
Q
Anna Turley: I think that they are certainly playing a role in it. We have seen examples where, as I said, they have continued to charge, say Vodafone, £17,000 a year for a site, but then slashed the rent to the actual site owner to a few hundred pounds. That is absolutely a huge driving force, coming from profiteering, from those guys in the middle.
If there are no more questions, I thank our three witnesses for a very informative session, and for giving us their time. Thank you very much.
Examination of Witnesses
John Moor, Dave Kleidermacher and Dan Patefield gave evidence.
Q
Dan Patefield: Good morning, everyone. I am Dan Patefield. I lead the cyber-security programme at techUK, which is the national trade association for the digital and technology sectors.
John Moor: Just before I introduce myself, let me say that it is an honour to be here. This represents a milestone moment for me, seven years in the making. Seven years ago, I set out on this journey to understand what IoT cyber-security was about and its challenges, so I am honoured to represent our membership and the executive steering board. I am John Moor, managing director of the IoT Security Foundation.
Dave Kleidermacher: Hi, everyone. My name is Dave Kleidermacher; hopefully you can hear me okay. I am the Google vice-president of engineering responsible for the security and privacy of the Android operating system, the Google Play app store, and “Made by Google” products including Pixel phones, Nest smart home products and Fitbit wearables. I am responsible for security and privacy, including the certification strategy for the company—how we assess and demonstrate compliance with security standards and privacy standards.
Q
John, you rather touched on the challenge: this is an area that is very dynamic. All of us are learning what the security risks are, and in Government—which often moves very slowly—it is a particular challenge to manage such a dynamic, changing picture. That is why in this legislation, we have set out some broad principles and basic requirements, but a lot of this has to be secondary legislation so we can keep up to speed with all the changes that are going to be happening to connected devices, and some of the risks that will come with that. I think it would be very helpful if you could set out for the benefit of the Committee how this picture has changed over the past few years, where you think things will be moving, the extent to which connected devices will be in our homes in future, and some of the security risks that will present.
John Moor: When I started out seven years ago, I was invited to take a look by the chairman of the organisation I was working for at the time, the National Microelectronics Institute. He was the CEO of an IoT company. I confess, I had not seen what the challenge was, so when he invited me—“John, go and take a look at IoT cyber-security”—I thought, “Why me? What’s the challenge? Isn’t this thing just a tiny part of a well-established body of knowledge about cyber-security, and why me?” My background is in electronic engineering—semiconductors.
As it turned out, when I went and had a look, it did not take me very long to realise, “My goodness, there is a real problem here.” I remember that at the time, a word I was using often was “egregious”. As effectively a student coming into it, trying to understand the space, I looked at the evolution of computing, broadly speaking. In one era, we had computers—desktops, laptops—and we connected them up, and the security around those was pretty dire at one point, but we started to get on top of that. It is not perfect now, but it is a lot better than it used to be, and we are all very familiar now with doing security updates. The next phase was mobile. Mobile was not quite as bad as the era of PCs. It was better—still a few problems, but much, much better. Then we got to this thing called IoT, and it took a complete reset. It was totally egregious.
I come from the world of embedded systems engineering, and one of the first events we did was a summit we ran at Bletchley Park in 2015, just to do a landscape piece—just to try to understand it from chips to systems, bringing in the regulator. We had a representative of what was then the Communications-Electronics Security Group, but is now the National Cyber Security Centre, to try to understand where the issues are. Part of the problem, I think, is what I learned there as an embedded systems guy. We had a pen tester there, and he said, “If a researcher comes knocking on your door, don’t turn him away.” I thought, “That is a really interesting thing. What is he talking about?” We were talking about vulnerability disclosure. For someone who comes from embedding air gap systems, security was not a thing. It does not take you long to realise that when you start connecting things up, suddenly you expand this thing called an attack surface. Attackers can come from many sources, not in proximity to the thing that you are working on. Suddenly, you have this massive attack surface.
The whole idea about IoT—internet of things—is about connecting things up, so by its very nature, you are vulnerable. These things can come at you from many angles. What does that mean? It means different things to different people. I tried to understand what this thing called security was about. I immersed myself in the security community and straight away I realised there were different groups. If people start talking to me about data, they are usually coming from a data security or information assurance-type background. If they talk to me about availability of systems—keeping systems up—they usually come from an operational technology. What I mean by that is the sort of things we find in industry—process and manufacturing.
Then we have this thing called IoT. One of our board members expressed it very well. He called it the “invasion of IoT”. What I took from that is that this technology is coming at us, ready or not. We established in those early days that we needed to have a response. The need is now. We could not wait for new standards and regulation, which is why we set up the IoT Security Foundation. Our centre of gravity is in best practice. It is saying, “Can we help manufacturers who do not yet see that the very fact that they are starting to connect things up poses a risk?” They did not, but now we are in a much better state. The body is developing.
I am delighted to be here to talk about this regulation. More needs to be done, without a doubt. A seminal moment for me was at the very first summit that I talked about. We had the chief technology officer of ARM, a chap called Mike Muller, give a talk in which he said, “The ugly truth is this: you will get hacked.” That was quite an epiphany for me, because coming from an engineering background, we engineer our systems to be virtually perfect, but what we are witnessing now is that security is a movable feast that evolves. Out in the wild, things change. New vulnerabilities are discovered. Yes, you can do all you can to engineer it up front, but guess what? Once it is in the wild, this thing called resilience is so important. What that means, especially in terms of this regulation, is the software updating part and especially the vulnerability disclosure. They are absolutely essential parts. That is part of what I have learned on the way.
I come to refer to IoT security as a “wicked challenge”. By that I mean that I do not think we will ever perfectly fix it, because it is always moving, but we can address it. We can mitigate the risks to a level that we are comfortable with and can accept. Again, another phrase I learned is, “Don’t let perfect be the enemy of the good.” This is all good. This is progressive. This is what the world needs. Being part of the regulatory process to get here today, it became apparent that getting regulation right is so difficult. It is so easy to get it wrong, but going through the process, this is a regulation that we can wholeheartedly back. We think it is absolutely the right thing. It takes a step; it gets us on that security journey. We often talk about an on-ramp of security. It is about maturity. In terms of regulation, this is a fantastic first step, but more will come. The way it has been set up is exemplary. We can evolve it over time as we have to ratchet up the security for the benefit of consumers and society. I hope that little ramble gives you some idea about my journey and where I think we are at.
Q
Dave Kleidermacher: Let me start by saying I am so appreciative of the leadership role that the UK Government have taken to help us get to a better place for IoT security. I have been working closely with the Department for Digital, Culture, Media & Sport and NCSC for the past couple of years leading up to this. I have worked on how to measure security in digital technology for almost 20 years, and I believe that the lack of transparency in what the security ingredients are for digital technology has been one of the headwinds facing the entire digital world, even before the IoT was called the IoT. Of course, the IoT has made it much more urgent that we address this.
I agree that the minimum requirements we are talking about here are a really good starting point, but as we move forward and look at the secondary legislation, the really big challenge is how we scale this. The question about smaller developers is something that I am quite concerned about. At Google, we build our own first-party products but we also develop global-scale platforms. On Android, we have many manufacturers of devices across all different price points. We have millions of app developers across the world with whom we connect and work in all sorts of different environments.
One of the biggest challenges is how to monitor and measure these requirements, and how to make that work for small businesses in particular. That is the area I have personally been putting a lot of time into over the past couple of years. How do we build and establish an actual practical mechanism or scheme for measuring security at scale? There are a lot of details that go into that, but at the end of the day, we need a hub and spoke model. I can give you an example of a failure mode. The UK is, again, taking a leadership role, but many countries are looking at similar kinds of ideas and legislative concepts. The problem is that if every single country decides to create its own testing scheme for how to measure this, imagine how difficult it would be to have, say, a webcam or smart display, and then go to each country and provide documentation, provide the test results, explain how it works and go through a testing mechanism for every country.
As an example, for our Nest Wifi products, Google has had public commitments and transparency about our desire to have third-party independent security labs to test the products and assess compliance to these common-sense requirements. We have been doing that for a while now. We certify all of our products that way, but then a couple of countries at the leading edge of this started to ask us to certify against their schemes, and we did. That was a lot of work, to test to one scheme and certify and then do the same for another country with a different set of rules. The product did not change at all; it did not get any better because we were already certifying it. However, the work and the cost of doing that were significant. If we scale that to the full IoT, to all the countries which are interested in this—they all should be—then you can imagine how quickly it breaks down.
The hub and spoke model is looking at how we can work together to build a public-private partnership where there are non-government organisations, typically well-regarded international standards bodies, which take the great standards that we are developing, such as the ETSI EN 303 645 international specification on security requirements, which the UK has led in developing, and translate that into a practical conformance regime. An NGO can take that specification and the test specification—a sister specification, ETSI TS 103 701—and test a product once to have it certified for use in all of the different nations which adopt the same standard. That is the trick to this—the hard part that has to be solved as we move forward.
Dan Patefield: I think John and Dave have already mapped out the ever-growing risk landscape, so I will not reiterate that. From an industry perspective, there is clearly strong support for the ambitions of the Bill we have been discussing today, in implementing a minimum baseline that everyone should work to. Certainly, large swathes of industry are going beyond that, as Dave has outlined. I think I would join the other panellists in commending DCMS on the leadership that it has shown in developing the framework, not just with this legislation, but with the code of practice in 2018. I also commend it for playing a key role in developing the globally recognised standard in this space, EN 303 645—I always get that number wrong. The challenge that we have, and I am sure that we will come on to this, is that the code of practice—we supported its development and engaged industry in it—created an outline for best practice. However, it was never prescriptive; it was broadly focused. The practical challenge now is translating that into regulation that is workable for industry and consumers. I am sure we will move on to that, so I will leave it there.
Q
Dan Patefield: Going back to the code of practice, I am confident that across all 13 of those areas many companies have made good progress, and will continue to develop best practice that goes far beyond those requirements. I think it is a good approach to start with the three requirements that are included in the Bill; it is not the case that industry will be surprised by what comes out in secondary legislation. The practical challenge is translating the non-prescriptive code of practice into something that will be more prescriptive by definition.
There are a number of areas where I think there is more work to be done to smooth the path to compliance, if you like. We have got various elements. We have got the standard—that is not going to be a surprise. We know the security requirements—they are not a surprise. What we have not got is the boring bit—the technical specification that people in compliance teams within manufacturers are worried about. Quite often they have to then communicate that to their HQs—which are often in different parts of the world—and say, “We have got legal certainty that this is how it is going to work and this is how we achieve compliance”. That is the bit that we have not yet got.
Q
Dave Kleidermacher: It is a really important distinction, as we look at the so-called security ingredients in digital products. The analogy to food is a good one—but it also has its limits. What is good about it is that consumers deserve to have information at their disposal to be able to make better decisions about their health; in the case of food, that is their physical health, but in the case of digital technology it is their digital health. The concept that a consumer should easily be able to get a sense of the security status of a product is a very good idea. However, the main challenge is that food contents do not typically change—there can be a printed label that works okay. However, in the digital world, it could happen that you ship a product today and then there is a severe critical vulnerability, perhaps a hardware problem, that cannot effectively be mitigated or even patched. If that happens in the future, even a day after you have shipped it—this is a worst-case scenario—then if you try to put an attestation on the static label that the product is “secure” or meets these requirements, that attestation could be immediately incorrect. In fact, it could be dangerously misleading, and give consumers a false sense of security, so I believe that, while the ingredients label is essential, the user needs to have transparency. The consumer needs to have visibility here.
That label needs to be a live label. A simple example would be a QR code on packaging, although I am not sure how much consumers really go back to their packaging. We should also stress in-product experience wherever that is practical. It will not be practical in the case of every electronic product, but there is typically an app to manage many of our consumer IoT products. The app can provide an experience where the consumer can get the real-time, current status. That status can be as simple as a link that takes you to the certification page. As I mentioned earlier, we can have NGOs that establish the conformance programmes that we need to help to measure the security. It could just take you to the certification page to see the real-time status. If a product is deemed unsafe for use, it will become decertified, and the user will then know it.
Q
Dan Patefield: There are two points on the timescales. There is the point at which the grace period will begin. For industry, we strongly think that that should be when the regulatory framework is confirmed and we know who the regulator is. That is the point at which that countdown should start. There are different views in industry on how long an appropriate grace period would be. Obviously, DCMS has confirmed that it will be no less than 12 months. Once we see that technical specification, a lot of parts of industry will have interpreted the code of practice in such a way that complies, so that will not be a problem for them, but some might have an interpretation that the compliance framework rules out—for example, around passwords. They might have to go back, certainly for security requirement 1, and make a hardware change. For a lot of these products, the supply chains are enormously long. Take a projector coming over from Malaysia. That will be 15 weeks in transit, and eight weeks getting through the broader supply chain in the UK through distributors and re-sellers. That already reduces the 12 months to seven months for manufacture and design. That is the difficulty that some manufacturers might face.
To the obsolescence point, there are two points again. In terms of when this comes in, we have to communicate it to consumers in such a way that it does not cause them to think that any devices that they currently have are obsolete in any way. That is a communication piece. It is about DCMS and the Government broadening that out, and helping consumers to understand what the legislation is for. More broadly, I am sure that we will come to the timescales for security updates but we do not want that to turn into some kind of perceived sell-by date. That is the minimum we will give you security requirements for, but the device is not useless after two or three years. Both those elements might lead to an increase in electronic waste and the kind of things that we want to avoid in a practical framework.
Do either of the other two witnesses wish to comment?
Dave Kleidermacher: I would like to make a quick comment. Especially as we look forward in time, beyond the minimum requirements to the larger set that are codified into the ETSI EN 303 645, and extended requirements even beyond that, in different vertical markets there will be a desire to have additional requirements. For example, on the Android side, a Google-certified Android device already meets baseline requirements, so we are working with NGOs on how to define higher levels. For example, the strength of a biometric is really important on a smartphone, and that is not currently covered by the baseline requirements.
As we go forward, there will be an increasing set of requirements, and there is a way to balance that challenge. You will always hear of some manufacturers, including smaller ones, that have more difficulty meeting a certain requirement in a certain timeframe, and one way to help balance that is by focusing more on transparency about whether the requirement is met, versus requiring that all those requirements be met. I like to say that transparency is the tide that raises all boats. That is the key.
To go back to our analogy with food, it is not that on a label it says that you cannot have more than 50 grams of something; it is that you can compare the number of grams of carbohydrates and other ingredients between products. If you look at EN 303 645 and all its provisions—there are many—you could ask manufacturers simply to attest as to whether those are met. Yes, I still believe that there are minimum requirements that are critical, but in as much as we run into some difficulties on timeframes, you could just ask them to state whether they meet those requirements. That transparency will still be really valuable for consumers. Again, the NGOs that are setting up those conformance schemes can take the attestations of yes or no across the requirements and translate that into a health score, if you will, to help consumers make better decisions.
Thank you. John, did you wish to add anything?
John Moor: Yes, I have a few points to make. First and foremost, most of my comments are about the here and now: what we are looking at, what is in front of us and the three requirements that are coming. Our assumption and that of our members is that, as we add to that, there will be an equally robust and rigorous process to determine what might follow. That is essential.
The labelling question is really interesting, along with certifications and attestations. All we can say about certification is, under these conditions, on this day, in these tests, those conditions were satisfied. I have heard the discussion about food labelling schemes come up time and time again as a “We ought to do something like that”, but in our view that is not really practical.
One of the things that I had to get my head round when I came into this space was some people talking to me, saying, “Safety and security are the same, aren’t they, John?” I had never had to get my head around that in the past, but I thought about it for about an hour, and I concluded, “Actually, they are not the same.” They are not the same because safety is much more determinable. You can define the situation, the operating environment, the characteristics, the materials, etc., and you can figure out, “This is safe under these conditions.” The difference in security is that it is dynamic—there is a changing environment, there is a human adversary at the other end. We might consider something to be safe today, as David said, but that changes over time.
Where do we place our trust? Do we place it in the product? I do not know that we do. Do we want to be looking up thousands of products to see what the certificates are? Where we really place our trust is in the companies that provide those products. It is interesting that, of the three provisions that we are talking about, only one is really related specifically to the product, and that is passwords. The other two are really about the processes that are involved in the providers of the technology—vulnerability disclosure and keeping the software updated.
I do think that certification is useful, but it is not a panacea; it only goes so far. What we are really looking for is something that we would term “continuous assurance”. How do you do continuous assurance? That is the question for the industry to answer going forward, but some of the mechanisms that we have done in the past do not map well into a future world that is changing rapidly.
That is on the labelling front. It should be as simple as possible for consumers and for the producers of the technology. There is a discussion about whether we need another label. Certainly, many of our members favour integrating this into something that is already known. For example, could it become part of a CE labelling scheme, so that we add the security elements too? Those processes are well known.
Some of the discussions among our members about keeping software updated come down to considering what is a reasonable time to keep software updated. If you make it too short, that process is almost meaningless, and means that consumers probably will not buy a product if the update is, let’s say, after only six months. If that update is too long, the company is carrying a financial legacy burden. What is the right point? I think we will find that out. Is it three years, five years, one year? We do not quite know yet. My own view is that it should be a length of time that is beyond the life cycle of the product. In that regard, it is variable and I do not know how that would quite be implemented, but that is what we have in front of us. For the here and now, this is what we are talking about; as for the future, we are assuming the rigorous.
In my view, security is an awful lot like quality. As we go into the digital world, we will see profound changes not only in the way that we use products, but how they are produced. We already know that: among our membership whole engineering teams have been reconstructed. The selling of physical products must be reviewed too, because are we buying a physical product? Often we are not, often we are buying a service. Do we actually own it? No, we don’t.
Those are things that we will be working out as we go forward. We must understand those limitations as we do that, because we do not want to be taking the past into the future when the future looks quite a lot different from the past.
Q
Dan Patefield: I will lead on that question. techUK would be happy to give more thoughts on that in a written submission, but it is not an area I focus on. Internally, we split the Bill; I lead on the cyber-security element and another colleague leads on telecoms infrastructure. I am happy to get that question answered in a written submission.
If there are no other questions from Committee members, I thank our witnesses for their time and contributions. I am sure that when Committee members come to consider the Bill in detail they will find those comments very helpful. Thank you.
Ordered, That further consideration be now adjourned. —(Steve Double.)
Public Bill Committees
We are now sitting in public and the proceedings are being broadcast. We will start this afternoon’s session with oral evidence from Professor Madeline Carr, professor of global politics and cyber-security, and David Rogers MBE, the chief executive officer of Copper Horse and an Internet of Things Security Foundation board member. We have until 2.40 pm for this session. May I ask the witnesses to introduce themselves for the record, please?
Professor Carr: Good afternoon. Thank you for having me. I am a professor of global politics and cyber-security at University College London in the computer science department, though I am actually an international relations academic, so I blend those two. I am also the director of the Research Institute in Sociotechnical Cyber Security, and I am the deputy director of REPHRAIN, the National Research Centre on Privacy, Harm Reduction and Adversarial Influence Online, which looks specifically at protecting citizens online. It is a big consortium.
David Rogers: I was the original author of the code of practice and the lead editor during the process that is the basis for the legislation. I also chair the fraud and security group at the global mobile industry association, the GSMA. As you mentioned, I am also on the board of the IoT Security Foundation.
Thank you very much. Members of the Committee will ask you questions in turn, but we will start with the Minister.
Q
Professor Carr: That is a very good question. In terms of international alignment, aligning these kinds of laws across jurisdictions is a challenge. I want to say from the outset that regulating emerging technology is understood to be a deeply problematic and challenging area. It is something that the UK in many ways has led on. A lot of thought leadership has come out of the UK on this. As David said, the work that has led into the Bill has been going on for many years in the UK, and has been funded by the UK Government through universities and industry. A tremendous amount of background work has gone on. There is the PETRAS—privacy, ethics, trust, reliability, accessibility and security—consortium, which was originally the cyber-security of the IoT consortium. We have worked on that for many years with David and others. The UK really has led on this. When we look at what is happening here and now, you would have to say that this is a country that is able to confront those kinds of difficult challenges and think about ways through them. No one is saying that it is easy; it will not be, but this is a very good start.
When it comes to looking at international alignment and the impact on industry, and particularly the manufacturers of these devices, there is already a lot of alignment. I have been doing some work through the World Economic Forum, where I am chair of the Council on the Connected World. On 15 February, we launched a global statement that spoke to the three initiatives that are being considered here, and an additional two in terms of IoT consumer devices. That statement has been endorsed by more than 110 organisations around the world, including Microsoft, Google, Qualcomm, DCMS, RISCS—my institute—and indeed David’s organisation. There is a tremendous amount of international support for these initiatives and more. A lot of them are big industries, so I do not think there is necessarily a disconnect between governance of emerging technology and what is helpful for industry actors; I think there is actually a lot of alignment.
David Rogers: I will just point to some specifics. There is work ongoing in India, Australia, Singapore, Turkey, and the US, and many of those countries—and many I have not listed—base their work on what was originally the UK code of practice. The UK’s code of practice was taken to ETSI, the European telecoms standards body, and was made into a European norm. That really, I think, has given the confidence for other countries to be able to adopt that as a scrutinised and good piece of work.
That is obviously not in isolation. ETSI is an industry-led organisation, and a lot of the work that has gone into that in advance, including through DCMS and NCSC, has been about looking at industry-based best practice. Organisations such as the GSMA worked on this in 2014, and, prior to that, in the smartphone world, have been building in hardware security and other measures, which have hardened connected consumer devices, so that work is certainly not in isolation. We are really standing on the shoulders of giants here, because a lot of the work is done; it is in endorsing good practice, and I think that is what the other countries are seeing, and they really have seen leadership from the UK in this space.
Q
David Rogers: I will address that. The beauty of the IoT is that there are all these fantastic things being developed. When we started to look at what we could do, and a code of practice, we wanted to ensure that we did not constrain innovation by mandating specific technical measures that might prevent some fantastic product being created. That is why we took quite a high-level outcome-based approach.
That also meant that it was measurable, even by consumers. If you look at the top three guidelines of the code of practice that have made it into the draft legislation, a consumer can look at those things, which I would call “insecurity canaries”. If you see that a manufacturer does not have a vulnerability disclosure policy—so hackers and security researchers, for example, cannot report things to them—that is a big red flag, and I would not be buying that product. It is the same if the product does not have software update support, and so on.
We took a proportionate approach to the code of practice, and I think that that also led to the industry endorsement of it. This morning, I heard the techUK gentleman saying it is not specific enough; well, actually, the ETSI EN 303 645 is quite specific, and the compliance specification that goes with it is even more specific. For some bad practices, I do not think that we could be more specific than saying “Don’t have default universal passwords”. We want to get rid of “admin” and “admin”. That is a ridiculous situation, in some parts of the market, that is unacceptable, and we must eliminate it from the market.
Q
Professor Carr: Just to say that we cannot anticipate all of the new devices that will come on to the market, of course. I think what David is saying is that it is necessary to have that kind of flexibility to adapt and accommodate those, as they come on to the market. However, it is really long overdue that we do something about this.
There are two types of security in these devices that we understand at this point, which need to be taken into account. The first is the security of the data that flows through them. Although they are very different devices, that is, in many ways, a common problem in securing data—particularly, of course, personally identifiable data. The second issue arising from IoT devices is that many of them have an impact in the physical world. That then begins to blur cyber-security with safety, and we have very different ways of approaching cyber-security and safety. What we tend to do with safety is test things, over and over again, until they break; then we know how they need to be built or constructed. That kind of homogeneity in an approach to design is very bad for cyber-security, because that is what gives us vulnerabilities across the whole landscape. Those are the kinds of issues that we need to grapple with. The devices themselves will continue to emerge and evolve, but the problems that we are grappling with now are common across devices, in a way. Legislation such as this will go some way towards addressing those problems.
Q
David Rogers: Yes, originally there was a “secure by design” committee set up with various companies—Madeline and I were on that committee. There were various discussions about the best way forward. I remember one suggestion being that all we needed to do was to educate consumers. After I banged my head on the table quite a lot, I think that in the end we realised that it should not be on consumers. They are not the ones who are creating the insecurity in the product and they are not in a position to do anything about it either—they are mainly victims. It was recognised that a lot of those issues have been in products for many years; I go back to the default password issue, but there are many issues around things such as lack of support for software updates.
I drew up the original code of practice and worked closely with the National Cyber Security Centre and the Department for Digital, Culture, Media and Sport. I also worked with academia and the security research community, who are hackers from around the world who have been campaigning for those issues to be dealt with for years, because they are seeing it directly in their work. We spent a lot of time getting it right; we worked at the Information Commissioner’s Office on some of the elements related to GDPR.
A voluntary code was published in 2018. However, manufacturers were put on notice at that point. By 2018, it was made public that this was the expectation; we expected the industry to improve. Some quarters were probably already compliant; you heard from Dave Kleidermacher this morning, who led the way in security improvements on mobile devices—from their perspective a lot of the stuff in the 13 requirements was already done. However, many parts of the industry have done nothing. It seems to me that they are quite happy to sit back and do nothing. That is why I think this work is necessary; there is a need for the big stick of enforcement, to be honest with you. They have been given plenty of chances, and not just since 2018—it is since the 1990s. It seems acceptable to them to carry on doing the same things that they have always done, such as buying in the really cheap software that is completely open and has old protocols and legacy issues that should have gone years ago. I am entirely supportive of taking action now—they have been given enough time. They should not wait for the 12 months—or whatever it is—for certain things to become mandatory. They should be doing this because it is the right thing to do for their customers.
My company carried out some research for the IoT Security Foundation on vulnerability disclosure. Again, that is something that is very visible; you can go to the website and see whether that company is open to security researchers and hackers reporting security issues to them. There is then a process that has been ISO-defined since 2014; it is dealt with and then the issue is made public once it is fixed so that consumers are secure. We discovered that about one in five of the companies that we surveyed—there were about 330 companies from around the world, representing thousands of products—was actually providing that to security researchers. That means that four in five IoT manufacturers did not have any way for security researchers to contact them. That is totally unacceptable, so we do need to take action. The companies have been given enough chances.
Q
Professor Carr: I think the element that will impact consumer decision making the most will be the length of time for which the product will be supported. I remember having the conversation in a room in DCMS all those years ago about how we could possibly be expected to spend £1,000 on a phone that will not work in 18 months, that the company knows will not work in 18 months—it will not be supported—and to not have access to that knowledge. This is not just about putting labels on things; it is about the fact that we could not find out even as an informed consumer. I think the length of time for which the device is supported will have a major impact on consumer decision making and probably more than the other two things, because a lot of people do not care about passwords and a lot of people do not know what a vulnerability disclosure agreement is or what that means. Knowing for how long the device will be secure is like having an expiry date put on it.
That is an example of where a kind of market driver can impact consumer decision making, but one of the things that we know about cyber-security more generally is that, very often, market drivers do not work in this space. There is not really, to be honest, all that much of a market for cyber-security, as people do not really care about that. That is why we need to think about moving beyond the dominant narrative over the last 50 years that Governments stifle innovation. Even if we go right back to the beginning of digital technologies and the ARPANET and DARPANET, those things were wholly supported by the US Government. They were funded by the US Government; they were invested in by the US Government for decades before the private sector came on board. So there are these points where it is absolutely necessary for Governments to be involved and for governance to happen, because we cannot see the future. If people begin to lose confidence in these devices and they begin to fear—“I don’t want my child to have something like that. I don’t want Alexa in my house. I don’t want people listening to my conversations etc.”—all the incredible benefits that we can extract from those technologies will go by the wayside.
I will give just one very clear example of this. If you think about the huge effort that the banking sector put into making sure that people felt confident about banking online, spending money online and tapping their card—“When something goes wrong, the bank will take care of you”—the reason, the logic, behind that was that if people began to think, “It’s not safe to bank online; it’s not safe to use my card in these little shops,” they would stop doing it. It was that investment in regulating it, locking it down and making sure it was safe that has allowed us to get to this extraordinary situation where you can walk around with no wallet and just a phone. It is that thinking that is important now.
David Rogers: I think the transparency point is fantastic. This work is not done in isolation. There is lots of work going on about lengthening software updates for lots of types of products, and there are different regulations happening in Europe and so on. Consumers should not have to know about the details. Madeline has said this. They have an expectation, a very reasonable expectation, that they will not be arbitrarily hacked into. We have all read the stories about things like baby cams being hacked into. That is totally unacceptable, because at the end of the day the company that created and sold that product that was insecure at the time it was created is responsible for it. Of course, they did not hack into it, but they left all the doors open, and they sold that product and made money and profit from it.
Yes, I believe that consumers should know that they are being looked after, and the length of time that that is provided for helps them to make an informed decision—it is a free market. Also, security should not be a luxury for the rich. You should not be required to replace your iPhone, for example, just because the support ends. At the end of the day, we are all impacted by security issues. The Mirai attack, for example, was an extremely large distributed denial of service attack, which basically took down large parts of the internet. It was all those small IoT devices, routers and things that had been taken over. The attack did not discriminate between who had those devices, those older devices or whatever, but the impact and scale of that attack was the problem.
That is why we need to ensure on an ongoing basis that, as the technology develops, we can put new requirements through the standards bodies and endorse them. This is the start of that lifecycle, to ensure that those products do not enter markets like the UK.
Q
In that vein, is there something in the idea of a reporting mechanism—either by the Department or some sort of regulator, annually or however long is appropriate—for whether these organisations and manufacturers are working to the standards that you so strongly set out? They have had years to deal with the standards, but many are still not doing it. I am suggesting naming and shaming, if you will, to give consumers better informed decisions.
A lot of people borrow money to buy these devices. On Second Reading, I expressed a concern that many people will look in a retailer or online, and go, “If that doesn’t exist for this much time—if it only has two years on it and the loan is three years—why am I bothering to purchase it if it is obsolete in that time?” That is a concern that many people have. Consumers potentially do not know what this or that means, but they know what “security” means, and if they think something is not secure, then, as Professor Carr mentioned, they think, “Well, I won’t bother having that product, because it isn’t safe”, because that is how they view the word “security”, which is logical, but not necessarily the best option given what they are looking for. There are several questions in there, forgive me, but they are interconnected with what the Minister was saying.
Professor Carr: I will try to answer as many as I can, as well as I can. I am sure that David has comments as well.
On educating consumers, that question of “Will the loan outlast my device?” is a very astute one, because consumers do not need to understand—they never will—all the ins and outs of phone or device security, but that is a very pragmatic response: “What actually am I buying? I am spending for three years to buy two years of a phone.” That type of consumer education will snowball when people are presented with information on how long the device will last and asked, “Is that what you want?”
I guess online markets are already regulated. There are things that we cannot buy in the UK and that cannot be shipped here. It would certainly have to be a consideration that, ideally, devices that did not meet UK standards were not able to be shipped to the UK, but I guess that is the case with many consumer goods that we cannot buy online. There is a tendency to blame business in this scenario and to see manufacturers as careless or irresponsible, which surely some of them are. However, it is also the reality that businesses have to make a careful calculation on how they invest. If it costs more to produce a product and they are answerable to shareholders, they have to have a conversation about why they are spending more on a device that is already selling well and returning a profit. I am not saying that that is the way it should be, but that is the way the free market works.
Look at what happened with GDPR. In my work, we work a lot with senior business leaders and talk to them about how they respond to cyber-security regulations. They did not push back against GDPR or see it as terribly negative; they saw that it unlocked budget for them to use, because they could quantify what percentage of their global turnover a data breach would cost or what the fine could amount to. They can take that calculation to the board, and say, “Right—we mustn’t have a breach or it would cost this much. How secure do we feel we are?” That is where such regulations can have a very positive effect on industries that would like to comply but cannot just invest in all the different aspects of a device without some justification. This gives that justification. It unlocks that funding in those board conversations about where investment in products should go.
David Rogers: Just to address the Amazon/eBay question, I have seen all this stuff. I have bought some of it to have a look at. A lot of counterfeit and substandard—the Chinese call them Shanzhai—products are available. I have conversations in which people say, “This is about buyer beware. You’d never buy a £9.99 smart watch. You should know that that’s going to be dodgy,” but as you said, people cannot necessarily afford it. There is a peer pressure element to it, and there is a sort of endorsement by the brand. If you go to Amazon, you expect it to be a quality product, so people are lulled into that sense of security that what they are getting is quality. In some cases, that is not the case. I fully agree that the companies that are retailing this stuff cannot just lay the blame at the door of the companies that are stocking and selling it. If it is on Amazon Prime, surely Amazon has a responsibility over that.
Earlier, Dave mentioned different regulatory regimes and that there may be some fragmentation around the world. I actually think that there is probably a lot of alignment and harmony. There has been a lot of work between DCMS and the National Institute of Standards and Technology in the US, so there is a broad understanding of what good looks like. If, either through some self-declaratory measure or by some endorsed mechanism of compliance, those companies are told to come up with a compliance statement, that helps the likes of Amazon and eBay to select their suppliers appropriately and then to remove them from their stores more easily. At the moment, it is kind of a wild west. They do not have any questions or answers.
Q
Professor Carr: I think the Bill would be a hugely positive step. There is a lot more to be done in terms of regulating emerging technologies. As I said earlier, the UK is a country at the forefront of thinking about these issues and taking action. It is new territory, because we are not used to legislating about these things; it seems somehow interventionist, or that it stifles innovation. Actually, digital technologies have become so integrated into every aspect of our lives, from the most personal level to infrastructure, and we have not caught up with that in what we see as the acceptable responsibility of the Government, of individuals and of industry.
There has very much been a narrative that Governments need to stay out of this area. I think that is very dangerous and wrong, because that is how we have ended up in the situation we have been in. It is certainly a balance between those parties—Government, civil society and industry—but we are a long way from having that balance right. Governments are beginning to see that there is a mandate and that they have a responsibility. We see that not just in the UK, but certainly in the US, Australia, the EU. But there is a long way to go.
Q
Professor Carr: I would like to see the range of devices extended—in particular, where it talks about toys and safety devices. There is a whole category of other devices that should be included, particularly when we think about children. There is a market emerging now for tracking devices for children, or these phones, which are not really phones but communication devices. I think the scope of the devices should be expanded.
If I had a magic wand and it was up to me, I would say that devices had to be supported for a minimum time. Otherwise, you end up with the very distasteful scenario that we were just talking about, where people who are less resourced are buying less secure devices and living less secure lives. I would like to see a minimum time that devices had to be supported.
I would say those two; I would go much further, but it is a good start.
Q
“Current proposals risk unintended consequences for manufacturers and consumers”.
It points particularly to security requirement 2, which is to implement a means to manage reports of vulnerabilities, and notes:
“On vulnerability reporting, not all reports/vulnerabilities will require intervention. The Enforcement Body needs to carefully consider when to alert the public about security risks to ensure associated devices are not viewed as obsolete or that vulnerabilities yet to be mitigated are advertised to threat actors.”
What is your response?
David Rogers: I will be frank: I think they have misunderstood what vulnerability disclosure is. As I mentioned, there is an ISO specification for this. The security research community and the hacking community have been campaigning for this for years and years. It is well established. A lot of the bigger tech companies have recognised that this is the right way to deal with things. I am sure that you understand vulnerability disclosure, but the process is that if a security researcher or hacker discovers a vulnerability, they have an easy way to report that to the company confidentially. That process typically takes anything from 30 days to 90 days. At the end of that process, a fix is issued, if that is possible. It may even extend for a longer time if it involves other companies. Then the security researcher is able to go public with their work, but that is only after a fix is issued. This has been fought out over a long period, and is the right way of doing things. It is agreed between the hacking and the tech communities.
There may be some education work to be done for those manufacturers who do not understand that this is the right thing to do. They should be implementing vulnerability management schemes internally anyway. I think John Moor mentioned this morning that it is about quality. It is about good software quality measures and good software design. We have seen some really catastrophic problems caused by vulnerabilities that have been sitting there for years. That is the old world. We need to move on from that. The new world is about continuous software updates and a continuous product security lifecycle. People cannot just ship and dump products on to the market and leave them there.
Can I bring in Kevin Brennan, as we only have four minutes before this panel comes to an end?
Q
Professor Carr: Yes, I would.
Q
Professor Carr: No.
Why not?
Professor Carr: Because I do not trust them. There we go. I will not have one, because I do not trust it.
Q
Professor Carr: No, to be honest.
Q
Professor Carr: It is impossible to answer that. That is what makes this type of legislation difficult. We do not know how the threats will emerge or change. A couple of years ago we could not have imagined that ransomware would be the threat that it has become, but the fact that we cannot anticipate the future with certainty does not mean that we cannot act now. Nothing will be sufficient to fix the insecurity of the digital world that we live in. No Bill will change that, but small bits of legislation beginning to address these vulnerabilities is the right way to go. I do not think that anyone should be afraid of doing this. This is the beginning of the future. Governments will not stand by forever and watch the damage and destruction that can be done by digital devices. We have to start somewhere, and I think that this is it.
David Rogers: I am coming from a slightly different position, but obviously I would like to see all 13 requirements implemented. I think that it does provide future proofing, because this provides the foundation of future trust for everything. Everything that we have written in there provides future underpinnings. If we are allowing industry-based organisations such as the European Telecommunications Standards Institute to maintain the specification for the future, that allows organisations to improve and add things. I think Dave mentioned biometrics, for example. They can go to ETSI and add to it, and let’s allow industry to develop that. Organisations such as NCSC and DCMS are also there to input into those standards bodies. I think it is a really strong start.
Thank you. That brings us to a slightly premature end of this evidence session. I thank the witnesses, on behalf of the Committee, for their evidence.
Examination of Witnesses
Catherine Colloms, Simon Holden, Mark Bartlett and Juliette Wallace gave evidence.
Good afternoon. We will now hear oral evidence from Catherine Colloms, MD for corporate affairs at Openreach; Simon Holden, the group chief operating officer at CityFibre; Mark Bartlett, director of operations at Cellnex UK, appearing on behalf of Speed Up Britain; and Juliette Wallace, also of Speed Up Britain.
We have until 3.40 pm for this session. Will the witnesses introduce themselves briefly for the record, please, before I turn to the Minister? We will go left to right.
Simon Holden: I am Simon Holden. I am the group chief operating officer of CityFibre.
Catherine Colloms: I am Catherine Colloms. I am the corporate affairs director at Openreach.
Mark Bartlett: My name is Mark Bartlett. I am the operations director at Cellnex UK, representing Speed Up Britain.
Juliette Wallace: I am Juliette Wallace. I am the property director at MBNL, which is a joint venture between EE and Three. I also represent Speed Up Britain.
Q
Mark Bartlett: On behalf of Speed Up Britain, we very much believe that the changes proposed in the Bill are needed to speed up the roll-out of digital connectivity across the country. Therefore, we believe that changes are required.
In that sense, though, we need to look back to before 2017 to understand the policy behind the changes originally made, and to understand that those were made in order to achieve the outcomes that the Government were already trying to establish. Without the changes in the policy of 2017, this ambition will not be met. Speed Up Britain continues to support the policy ambitions as laid out in 2017, but the fact is that the law as put down at the time is not working and created loopholes, which have been exploited, and that has meant that we have been unable to proceed at the pace we wanted.
Catherine Colloms: To give you a bit of context, Openreach is the national broadband network. We are in the process of upgrading the existing network, which is a hybrid copper-fibre network, to a new full-fibre network. The ambition is to build 25 million full-fibre homes and businesses by the end of 2026. That is a hugely ambitious target. It underpins the Government’s 85% manifesto commitment, but we have to get to a ramp of building 4 million premises a year.
We are currently building at 50,000 premises a week, so we are heading up towards the 3 million a year kind of ramp, but from pretty much a standing start in about 2017, as there was very limited full fibre in the UK at that stage. We had finished building the old network and had not transitioned through. It is a really serious challenge. If you think about the pace of build and what we are trying to achieve, being able to do things really rapidly and operationally simply becomes incredibly important.
For us, the two big pieces that the Bill can potentially help us with enormously and help supercharge that fibre build is around access, that is access to multi-dwelling units—the approximately 6.1 million blocks of flats in the UK—and access to rural parts of the UK. There are some urban as well, but if you think about how we build, we have a duct infrastructure but we also have a very extensive pole infrastructure. For most of our rural build—we have committed to building 6.2 million commercial rural, which goes beyond the Project Gigabit programme that the Government are talking about to the hardest-to-reach areas—we are going to have to do most of that over our existing pole network. At the moment, the Bill makes some changes that are helpful and which progress us forward by allowing us access to upgrade our current infrastructure on underground ducts. What it does not do is allow us to upgrade the infrastructure we have in place, either over the pole network or in those blocks of flats.
If you think about what we have in place today, we have our existing network, so we have the ubiquitous either copper or hybrid copper network that is there today in pretty much all of these premises, all across our poles. We are trying to upgrade that network to full fibre as rapidly as possible and to do so, it would be incredibly helpful if we were able to upgrade our existing infrastructure. The Bill at the moment allows us, as I said, to do that through underground ducts. It is not going to allow us to get into either MDUs to upgrade more rapidly—we estimate that something like 1.5 million MDUs could be at risk based on our experience of unresponsive landlords and our inability to get in—and it also does not allow us to automatically upgrade our property and the infrastructure that we have over the pole network.
To give you a bit of context, we have 1 billion metres of cable over poling at the moment. The vast majority of the rural network is served over poles, so for us it is really important to be able to deliver those 6.2 million commercial rural, but also potentially the Project Gigabit programme. We have been working in Scotland on the R100 programme—the “Reaching 100%” Scottish Government programme. We need one wayleave for every 16 premises, to give you the sense of scale. We are finding the ramp very challenging and because of the scale and pace that we are trying to build at, what we really need is ease of access, ease of upgrade and that is the opportunity we think with the Bill.
Simon Holden: I think we are talking about two different sets of infrastructure here, which is worth explaining. We are talking about mobile and then we are talking about fixed-line fibre access. CityFibre is rolling out a fibre access network, mostly to consumers in the home. We are doing that across a footprint of 8 million households in the UK. The reason I wanted Catherine to go first is because we are utilising Openreach’s duct and pole infrastructure for three reasons. First, because it will allow us to go faster because we do not have to dig up the streets and lay ducts ourselves or put many more telegraph poles down. Secondly, because we are reusing and so can lower our cost, which means ultimately lower prices for the consumer. Thirdly, because it is just much more environmentally friendly if we can reuse those assets.
We are in favour of that, but at the moment we have this split between pre and post-2017 access. Our view at the time was that that made a lot of sense. Five years on from that now, it is a somewhat arbitrary split. So we think dealing with that is the right thing to do. In particular, the draft Bill’s proposals on ducts look fine to us. We would echo the point about poles. For us, poles are really important in rural, but also in Scotland. It turns out that in Scotland there are a lot of poles sitting in people’s backyards and just being able to access those to put our infrastructure on means that we can accelerate getting fibre access to all those homes. In our footprint, there are probably up to about 200,000 homes that we can access quickly if we can get that right, so we think that there is a real advantage to doing that.
For us rolling out fibre, there is a balance that you have to have here between access all the way through into the home, back to the public domain where, as a code operator, we can build in the public domain. I think we would say that our experience of getting landlords to come to the table is mixed and that the alternative dispute resolution mechanism proposed here is a good one to push that timetable down, so we can get to an answer.
I would also say, however, that when we get into the home, into a block of flats, the tenants really want the service. We have found that, once we have got the landlord and the landlord has given us the wayleave so we can connect into the front door of the block of flats, then wiring up inside is not particularly an issue. We are concerned a little with somehow grandfathering old wayleaves inside buildings, first because it does not seem balanced, but also because it will entrench the people who have those, which I would say is mostly Openreach.
In trying to promote competition and accelerate growth—to your question earlier, Minister, about whether growth has accelerated—the answer is that growth has clearly accelerated in rolling out fibre. That is absolutely happening. We have vibrant competition now, with billions of pounds being invested in this sector. Here is an opportunity to make it go faster, for us all to benefit with a frankly lower-cost solution.
We feel that what is on the table with that landlord dispute resolution mechanism is good. We do not feel that we need to go inside the building, frankly because once tenants have access to it, landlords are more than willing to give that connectivity, because they have happier tenants as a result. We have not found that that is a real impediment to us.
Juliette, did you want to add anything? You do not have to.
Juliette Wallace: I was not going to add any more to what Mark said on behalf of mobile.
Q
Mark Bartlett: Speed Up Britain represents the MNOs: Cornerstone, MBNL, Cellnex, which is a towerco, and DMSL, WIG and the industry as a whole. I will put some facts, some numbers, on the table to help us understand what we are doing.
Since 2017, we have completed about 1,000 agreements, of which 85% have been consensual and reached without any recourse to any of the processes associated with the legislation. Over and above that, 14.5% approximately required some form of exchange of letters of notice, but then moved quickly to agreement, and only 0.5% of any of those discussions ended up in the tribunal. In my experience, those that ended up in the tribunal have been the industry—us—versus the industry, or land aggregators, to be blunt.
The facts speak for themselves. In the main, as an industry, we run over 30,000 towers, which are visited frequently in order to upgrade, to maintain and to support the connectivity of the country. We do not see a landowner community, a landlord community, our partners as such, in a wall of non-co-operation, but almost the opposite. We speak to our landlords very frequently, we interact with our landlords very frequently, and therefore I do not recognise the characterisation as stated this morning.
Catherine Colloms: I am happy to talk from a fixed perspective. Generally, we have pretty good relationships with a large number of our landowners. Fibre and the copper and duct infrastructure we have is not a revenue generator for most landlords. You will have heard Charles Trotman this morning, from the CLA. We have agreements and rate cards, which were negotiated with the CLA and the NFU. We work closely in particular with those kinds of rural players to ensure that we have those in place. They are very effective and seem to work very well.
Just to give some kind of context for fixed, we do not tend to have these kinds of disputes, to the extent that you are not going to make a ton of money, frankly, by having a few poles on your land. A pole rental is between £10 and £20 a year, so even if you had a couple hundred poles, which would be unusual, that would mean only a couple of grand. If you think about ducting and cabling going through, that is anything from 19p to 49p a metre, so it is not a revenue generator per se. For us, the conversation with landowners is predominantly about access.
To Simon’s point, we find that we do have quite a lot of issues when it comes to MDU access, especially given the scale at which we are trying to build. We obviously have a machine of people who sit behind to try to negotiate, wherever possible, consensual agreements or wayleaves, but we would genuinely need an army of people to try to get stuff done.
For example, some of you will know that a couple of years ago we fully fibred Salisbury, which became one of the first full-fibre cities in the UK. We tried experimenting to test the limits of access and find out what would or would not be a problem with the roll-out. After two or three years of really concerted effort, including with John Glen, the local MP, being super-supportive and with loads of local PR, we could still get into only about 79% of MDUs, because of non-responsive and non-communicative landlords. If we were to scale the MDU team that we had for dealing with the amount of time it would have taken to tackle those unresponsive landlords, we would effectively be scaling from a team of about 17 to over 300.
As Simon says, the ADR processes are helpful predominantly when there are larger landowners, such as housing associations or local authorities. They are less helpful when it comes to the hundreds of thousands of wayleaves that we need in order to get into all the individual MDUs. That is why we think that the ability to upgrade the existing infrastructure, and therefore to give tenants the connectivity they deserve, is still the right mechanism to try to ensure that we can get the upgrade as quickly as possible.
Juliette Wallace: We do recognise, as the operator side of the industry, that in the very early days of the code—early 2018, for instance—the interpretation that we were trying to explore may have been a little too over-enthusiastic, shall we say. A lot of time has passed and we have learnt from that. I think that a lot of the examples that are provided to try to support the allegation of a David and Goliath approach are from very early in 2018, and they do not exist today. I think that we have moved on a lot, but we cannot be stuck with all the allegations of the past as well.
I do not agree that the David and Goliath approach is correct. As Mark said, to the extent that it is, what we are finding with the tribunal element of the approach is that it is actually industry arguing with industry; it is not small farmers, necessarily, who are behind that negativity. It is not David and Goliath; it is Goliath and Goliath.
Q
Catherine Colloms: The current target of 25 million full-fibre premises by 2026 did bake in some assumptions about access, particularly in relation to the upgrade rights in clauses 59 and 60, through MDU and through poles. On the impact of not having it, I think there is a kind of overarching impact. If you think of the challenges of the build and the scale of what we are trying to do, the harder it is to build and the slower it is, the less we can do. We are having to re-phase and re-look at the build that we are currently targeting, as a result of potentially not getting some of the elements in the legislation.
If I take the MDU point in particular, we have re-phased some of our MDU work to the back end of the 2026 target, the reason being that at the moment we just feel we are not going to get the access. As I said, our experience is that up to 1.5 million of those total 6.1 million MDU premises will be at risk. We are seeing that in a day-to-day aspect as we build, so we have re-phased 300,000. That will go to the end of the build, which means it does not count towards the 2025 manifesto target. It will still be planned within our build, but I think what will happen is we will just have to build different bits.
When we are building this rapidly, we cannot afford to sit and wait—wait to negotiate a wayleave, wait for an unresponsive landlord to come back, wait for an ADR process. Even though we have some of these mechanisms in place, we frankly do not use them, because there is not the time and we do not have the scalability to be able to wait for all these landlords, so while we are trying to build at such pace and scale, we effectively move on. What will happen in the short term is that we will still aim for our big 25 million target, but you will get a different mix, and we are already seeing that you will have less MDU in the mix. Obviously, the concern with that is that MDU is often urban and is often local housing or in more deprived areas, so there is a risk of creating a new digital divide—in particular, if you happen to live in a block of flats versus not—because of the access issues.
On rural land, we have this ambition to get to 6.2 million. Effectively, the way that we plan and build the network is we will pick an exchange, and we will survey that area and have a plan to build, but if we cannot get the wayleave, we will not build to the village that is beyond the wayleave. We will still get to our target, but you will get more pockets left behind in different places as we build, because instead of being able to build to 80% or 85% of an exchange area, one landlord might potentially be blocking the access that gets you to the village that is over there. If you cannot cross the land, the expense of having to circumvent it and go all the way around it means that that village build is prohibitive.
Can I ask witnesses to please keep their answers shorter? I have had a number of Back-Bench Members already indicate that they want to come in.
Catherine Colloms: Sorry. I think it just changes the mix, effectively.
Simon Holden: I might just add that if Openreach is the Goliath and CityFibre is the David—certainly in rural—we would like to go into rural. This would be really helpful for us in order to make sure we can move at speed and at a sensible cost, and take advantage of the opportunities the Government are providing to accelerate growth there, so we would be in favour of that.
Juliette Wallace: On the mobile side, you asked about rural connectivity. Predominantly, that is going to come from new sites, and the code is actually working quite well with new sites—new land build-out. Our biggest challenges come from renewing the agreements that have expired on existing sites. That is where we need the changes in the code that this Bill addresses, and also the amendments to how the Bill is drafted so that it actually addresses the Government’s ambitions that came out as a response to the consultation.
Q
This is for Mr Bartlett. Forgive me if I am misquoting you, but I think you said 1,000 contracts have been negotiated since 2017. I am assuming those are all new sites, or are some of them renewals as well?
Mark Bartlett indicated assent.
Q
Simon Holden: We, CityFibre, are in cities. Probably 10% to 15% of our build is in multi-dwelling units. We are typically in underserved areas around the UK, and I would say that we have a disproportionate share of things like social housing that sit under our built portfolio. No. 1, we think that it is really important to be able to access those properties. I would say that big social housing landlords are embracing that, but it is patchy and we would value having the ability to accelerate negotiations as we are having them and have a really clear process where we can make sure that we get everyone to the table, with a fair resolution at the end of it.
Once you get access to the building, I think it is up to the building landlord and the tenants, obviously, as to how you are going to do the in-building wiring. As I said before, we found that once you have got hold of the landlord and you have agreed it, that does not tend to be a particular problem. What we are concerned about is that if you extend this back to historic wayleaves, all you are doing is effectively entrenching the people who have already got those, which most of the time is Openreach. We would think that that is not helpful for competition. That would be our observation, but in terms of accessing those properties, it is super key to us for our business model to be successful and, of course, for society to benefit from getting the best digital infrastructure to as many households as possible.
Catherine Colloms: As Simon says, most multi-dwelling units tend to be in towns and cities, so looking at the constituencies represented around this table, I can tell you, Chris, that you only have 3%. Hornchurch, in the Minister’s constituency, has 13%, and I think Hastings has 24%. They are very concentrated, classically, in urban areas, as Simon says, and often in potential areas of deprivation or areas which are less socially inclusive.
In terms of the access point, you are right. The idea of automatic upgrade would give us the right to do that. You still have to have a relationship with the landlord. That is still always the intent, but it comes down to the obligation. At the moment, there is no obligation for the landlord to do anything. New build legislation obligates them to put in a full-fibre connection, and there is a slightly different conversation you can then have that allows you to proceed with the wayleaves.
Mark Bartlett: To answer your question, first of all the current legislation is not working. At least over a half of all sites are stuck, so the landlord says that they are not renewing or getting new ones. Of those that are under renewal, there are absolute rights in the current legislation for landlords, if they wish to do so, to redevelop at the end of the lease and we have to leave. My estate would be measured in tens a year where it is their right and we move on.
In the current legislation there are also absolute rights for the operators to maintain that equipment if there is no redevelopment need. That is, obviously, very positive, because when we lose a site or a rooftop, whatever the infrastructure might be, that is serving hundreds of people in the community. Therefore, quite naturally, both the investment that we have made and the utility to the public need to be maintained, unless, as I said, the landowner has a genuine need to make that redevelopment, and that is enshrined in legislation, both today and in that passed pre-2017.
Q
Mark Bartlett: I think that would be human. I have never met anybody who wants to take a reduction in the amount of money that they are paid by anyone—that is not something that people work on. However, the policy was put in place to reduce the costs to the industry to allow investment in 5G, which is happening right now for the good of the country.
On the valuation point, it is a fact and a process that if we do not behave properly and that ends up in a tribunal, we would be penalised by the tribunal for the amount of money we have paid, and the judgment would fundamentally go against us, so there is a protection for the landlord there. Secondly, normally—in almost 100% of cases, in fact—we always offer more than the valuation criteria say we should. That results, normally, in a payment of several thousands of pounds, not several tens or several hundreds of pounds.
It is my experience that the majority of people understand that the law has changed and that, like when things change in how you pay your bills, things have fundamentally moved on. So long as we, as an industry, are fair and do not attempt to be over-enthusiastic, as Juliette put it, 85% of people do sign up and say, “Okay, I get it. I am still happy with those several thousands of pounds, and I am willing to make an agreement of that sort.” That is not everyone; 15% of people do not feel that, and we have a further conversation with them, and we come to an agreement with the vast majority of them as well.
I would also point out that this is often characterised as an individual change of an agreement—x to y. We often pay incentive payments to achieve an agreement as well. I would like to put that on the record. It is not just about a reduction in rents. I would also point out that, on average, it is a 63% reduction in rent, not the high 90%-type reduction, that has perhaps been characterised, by the industry.
Sixty-three per cent. is still a significant sum for a small farmer who is counting every penny in his budget. The Committee can understand your reasoning in terms of policy and so on, but as far as the individual is concerned, I maintain—we will have to agree to disagree—that the 85% figure is somewhat misleading if taken in its individual context. I have made my point. Thank you.
Q
Catherine Colloms: That is the current target.
The manifesto target was for full gigabit by 2025, but that was dropped to 85% in November 2020, wasn’t it?
Catherine Colloms: I think you are right.
Q
Juliette Wallace: When the new code came into effect, it set out how sites should be valued for the use of mobile infrastructure. Previously, there was no mention of how sites should be valued. Pre-2017, we had an industry that had been built up over the previous 20 years or so and that had got somewhat out of hand. Rather than paying a fair price to install infrastructure on land, a fair price being one that recognises what else the landowner could rent the land for—
Q
Juliette Wallace: We have learned from the past. My comment about being over-enthusiastic related to the suggestion of David and Goliath with respect to the valuations. The valuations that were proposed very early, in 2018, were much lower than we are going out with now. As this Bill does not intend, currently, to adapt the valuation methodology, there should be no reason to think that the valuations that are currently being offered will change.
Q
Mark Bartlett: It was 63%.
That is the average. Could you tell us some of the figures for those who were worst affected? If 63% is the average, what were some of the biggest drops in income for people affected?
Mark Bartlett: At this point I obviously do not know—
Would anybody have suffered a 90% reduction?
Mark Bartlett: I was about to say that at this point I can only talk about Cellnex UK, because obviously I am not aware of the commercial agreements of any other members of Speed Up Britain. I can be clear that there have, in a handful of cases, been—we have been open about this—90%-plus reductions in rent. But in the main, that normally means the rent itself was over-rented at the point of agreement—that is, we were paying drastically too much. On average, 63% is in line with the Cellnex UK achievement. We have to understand that we have an ongoing relationship with our landlords above and beyond a renewal. There is no interest in the industry for us to behave in a way that alienates our landlords.
Q
Juliette Wallace: I was going to pretty much echo the Cellnex example. We have a handful that are towards 90%—in that sort of area. We also have some sites where the rent has gone up as a result of the new code.
But the average has been a reduction.
Juliette Wallace: The average is a reduction, but it is creating a fair environment that says, “We will reimburse you for the land that we’re utilising.” As I say, we have a lot of sites where there has been no reduction and we have a small number where the rent actually increased.
Thanks. I think everyone understood there was going to be a reduction, but I cannot remember those sorts of figures ever being mentioned at the time of the 2017 Bill.
Q
Catherine Colloms: Effectively—let me take a multi-dwelling unit and then I will take a pole—we need to put a new fibre cable over some of these pieces of infrastructure. I actually have my kit behind me, which I can show you in a second. With an MDU, there is often fibre outside a premises; we will build to the curtilage. What we have inside an MDU is the existing cable—the existing hybrid fibre—that is going up inside the risers. You basically cannot see it. It then kind of pops on to a room. We would reinstall the new part of the full-fibre kit in the classic plant room downstairs, so that it is all with the maintenance bits. We then need a new small cable—this one is basically it; it is called InvisiLight—which we would run up through the risers. This is what you would see, or not see, running through corridors or along the wall. When you put this on a wall, you cannot find it because it is absolutely tiny. This cable has all the fibres running through it.
The visual impact is going to be minimal.
Catherine Colloms: It is minimal. You often need a very small box that just sits on the top of someone’s door and you effectively put this cable inside someone’s flat to a new box. That is for an MDU.
For a pole network, it is similar in the sense that you need slightly more than this amount, because we will probably have some more cables in it. Over the existing pole infrastructure, you will have a new cable that basically has fibres in it. As you can see, this cable is absolutely tiny compared with copper, and it will serve hundreds of premises, as opposed to the copper, which needs to be a different size. You would effectively need a cable that is slightly larger than the one that I have here—because it would be protected—that runs across the existing infrastructure. You sometimes need some termination points, so there might be a few pieces of black plastic, which is effectively where you put various bits of the access network.
On the telegraph pole.
Catherine Colloms: On the telegraph pole, but not every pole. It will be only on a few of the access poles, but we try to minimise the impact and keep it as small as we can.
Simon Holden: We are using exactly the same process and procedures, and the ducts and poles that are available, so my answer is the same.
Q
Catherine Colloms: At the moment, the way that clauses 59 and 60 are drafted, they talk about “no adverse impact” as opposed to minimal adverse visual impact. The existing code under which we are currently operating talks about “minimal adverse impact”, which is why we have been able to put infrastructure in as we are doing today. That has not been transposed in the Bill. We are suggesting that if we could change the definition to “minimal adverse impact” as opposed to “no adverse impact”—with, for example, the MDU having something like this cable—that would allow us the ability to go in and upgrade with minimal adverse impact where we currently have the infrastructure.
Q
Catherine Colloms: For me, it is the critical clauses 59 and 60. If we could extend the measure to multi-dwelling units, that solves your urban problem, but, critically, if we can extend it over the pole network, that is what will make the difference in rural areas. As I was explaining to the Minister, it is not necessarily that the target changes, because we will still try to do everything we can to meet the target, but the danger of not being able to upgrade existing infrastructure over poles is that you end up with pockets that are excluded as you upgrade. We are effectively trying to avoid getting all these pockets of digital divide in MDUs and cities, but also the little pockets as we are upgrading through rural areas at the same time.
Simon Holden: I would add one administrative point. The way that the Bill is drafted at the moment means that the main operator, which would typically be Openreach, has to notify the private landowner. The fact of the matter is that if we wanted to use it, we could equally notify the private landowner. What I do not want to do is either to burden Openreach with lots of my administration, or for that to become a bottleneck to the speed of my roll-out. We would propose that if it is the main operator or the new operator that has utilised that infrastructure, it could give the noticing. By the way, we are giving noticing to local authorities for works all over the place; we have a process for doing that. That would actually accelerate things from our perspective and not create an inadvertent administrative bottleneck from a process perspective. We can provide you wording on that.
Q
Mark Bartlett: First of all, towercos have been around in the industry since the start. The BBC became National Grid became Crown wireless became Arqiva became Cellnex, and so on. This is not a 2017 phenomenon. Secondly, Cellnex itself has invested billions of pounds in the UK over the last couple of years and invests hundreds of millions of pounds a year, whether that is in connecting the Brighton main line or providing DAS, small cells, tower upgrades or new towers. To describe a huge enabler of connectivity across the UK as a middleman is, I think, a step too far. Fundamentally, we are an industry that is bringing connectivity to the whole of the UK; we are part of it, and we believe that these changes are needed to deliver it.
Q
Mark Bartlett: That is a good question. First of all, do we collaborate as an industry to use shared infrastructure? We are required to do so under planning laws. In fact, towercos’ reason for being is to create efficiencies and share infrastructure, to the benefit of the community. We are, through the planning process, not allowed to stick one tower next to another. Those sorts of things protect the community, but also make sure that we exploit the infrastructure that we have today to maximum effect.
Secondly, in terms of sharing upgrade rights, obviously we have existing towers. At the point at which we need to upgrade for 5G, often we need to put more equipment on those towers, so it is important that we are able to do that without having to negotiate higher costs under the old regime, and that we are able to do that very quickly. To Catherine’s point, where we do not get agreement to upgrade a tower, it simply means—the local community around that tower is much further than 500 metres; depending on which technology you use, it might be 500 metres, but I will not go into that, and one big tower serves many hundreds of people—that that tower does not get upgraded and the money is spent on a different tower in a different community.
The power of the individual to affect the outcomes of the community is very high in the process that we have today, especially where the legislation does not work. To be frank, that is why the changes are required. It is not necessarily to overcome some battle with a land agent. We are simply attempting to create this connectivity solution across the UK as fast as we possibly can, and having the simplicity—while remaining fair to the landlord—of legislation that works and an operational process that works is going to enable that.
Is there anything else you want to add, Juliette? If I may, I will refer to Juliette on the technical—
Juliette Wallace: I do not think there is anything particular to add, other than to say that the shared rural network absolutely relies on the ability both to roll out new sites to new areas that are total notspots at the moment and to roll out sharing and upgrade capability on existing sites. If we do not get the changes in this Bill, we are going to be seriously reduced in our ability to effectively roll out, share and upgrade those existing sites. There are some sites where currently we have no mechanic to be able to renew those agreements. As Mark said, the power of the individual to frustrate the roll-out of new technology or increase technology to a geographical area is huge currently.
Q
Mark Bartlett: With respect, I am unable to answer that question as part of Speed Up Britain, because that is often commercially sensitive, but we can write to you. Mobile UK is part of Speed Up Britain, and they are the best people to ask. I will ask them to write to you directly to give you that clarity.
Q
Simon Holden: We architect what we call polygons, which basically go around our cities, and our objective is basically to cover every premise in the city polygon that we build. That is a commercial decision that we have made. We think that super-high-density fibre networks are the best way to cover a population and offer the best marketing opportunity to end customers. By the way, they allow you to do the densest 5G networks overlay on those.
In our architecture—which does not follow the Openreach architecture; it is our own—we use a series of ducts and poles in rings going around, and then run off coming from that. We plan, in our builds on our city polygons, not to have notspots. Sometimes we cannot go down a private road, because we need a wayleave and there is a process to go through to get that, but our policy is to try to cover as much as we possibly can. Typically, we cover 85% to 90% in what we call the first pass of the build, and then we start going back to do infill around that. At least where we are building today, we do not have that as a problem.
In rural areas, I think that will be affected by the BDUK process and the roll-out—we would like to participate in that—but our expectation is that we would be building and connecting from our cities all the way out to the deep rural areas, picking up the small towns and villages on the way. In those commuter towns, we would look to cover all those premises; if we are there building, we would rather just build it once and cover everyone. That is the best commercial opportunity that we see.
I do not think that we see what you are describing as a problem that we would be planning in to avoid; it would only be because we could not get particular wayleaves or particular access, a little bit as Catherine described, that we would end up trying to go around that. That is why this legislation will help us.
Catherine Colloms: If you think about the existing architecture—obviously, we have the existing architecture; we are still building new, but we are trying to reuse wherever we can, because that is cheaper and avoids digging up all your constituencies as we go—it is true to say that there is a greater proportion of underground ducting in urban areas, which this legislation, as drafted, would allow us to upgrade more easily than over the pole network or in multi-dwelling units. We have a much denser proportion of poles in suburban and rural areas, so at the moment, as the Bill is drafted, it is harder to upgrade rural areas than it might be to use the existing underground infrastructure, which is predominantly in urban areas, as you say.
If there are no further questions from Members, on behalf of the Committee I thank the witnesses for their evidence. I hope I have not hurried you along too much.
Examination of Witness
Till Sommer gave evidence.
Q
Till Sommer: I am Till Sommer, head of policy at the Internet Service Providers’ Association. We are basically the trade body for the fixed-line ISP sector in the UK. We represent a whole range of companies, from the largest infrastructure providers that you heard about from the previous panel, such as Openreach and CityFibre, to the smaller start-up companies and ambitious alternative network providers who roll out their own networks in urban or rural areas. Some of them are focused on Wales, and others are focused on England and Scotland—there are a whole variety.
Then, on top of that, we have a lot of companies in our membership that provide services across these networks. That includes some of the household names, such as Sky Broadband, but also smaller challenger brands or business-focused providers. So it is a really diverse sector and a very ambitious sector. There is a lot of competition in the sector and quite often that gets overlooked when you just look at the sector from the outside and you see a few large companies. As I said, there is a lot of variety in the sector.
Interestingly, because there is so much competition in the sector, our members hardly agree on anything; they always bicker about policy positions. And wayleaves is actually one of the few things where every single member who builds networks is saying, “This is the single biggest barrier to rolling out broadband for me.” That is one of the few areas where literally every single ISPA member says, “Something needs to change.” That is unique. On almost everything else, I could tell you a variety of views, and this is one of the few areas where everybody says, “Something needs to change.”
Q
Till Sommer: Yes, sure. The Bill basically does three different things: it is access to third-party land in rural areas; it is the alternative dispute resolution mechanism on a voluntary basis; and the third area is upgrade rights. Upgrade rights, as you heard from the previous panel, is one area where there is slight disagreement because, depending on how you fix that, it might give one set of providers a competitive advantage over the others. For that reason, I do not want to go into too much detail there.
At the basic level, we want more upgrade rights, because it helps to use the infrastructure that is already there, rather than digging up the road again, putting up new telegraph poles or, as was said, just not doing something at all because the money is not there to build in that area if you cannot reuse the infrastructure. Beyond that, I do not want to go into too much detail, or I will get into trouble with my members and they will all talk to you separately.
I will take the other two areas, including access to third-party land. We have a few members who are specifically focused on rural areas. They are effectively going at the moment where Openreach does not have a strong build. They are very ambitious. They have told us quite early on that this Bill is game-changing for them. Access to third-party land in rural areas is simply the one thing that will unlock additional properties in their roll-out plans.
The reason for that is that this part of the Bill effectively mirrors something that was done a year ago for multi-dwelling units in urban areas, because it looks at a problem that our members face; I will use a very simple example. Let us say they want to reach a rural hamlet and there are three routes to it—one across a farmer’s field, one across a railway line and one across a hilly area. The most economical route is across the farmer’s field, but that field might be owned by someone who is not living in the UK, or who does not look at their emails or their post; that farmer just does not respond. At the moment, there is no mechanism to get any sort of forward movement in that situation.
So, what happens is that the provider either moves on, because they decide that it is not economically viable to take one of the other routes to that hamlet, or they say, “Actually, no, we do go across the railway line, but we descope parts of the hamlet. The money just isn’t there any more to connect every single house. It’s still economically viable to go there, round the field, but it doesn’t quite reach the whole village.”
Third-party land access provides a mechanism to get access to wayleaves, or access to land, for a limited period in those very limited circumstances. That will unlock those properties that at the moment are at risk of missing out. I am sure some of you will have seen in the past an announcement from a broadband provider—you might have even done a press release with them—saying that they are building out to x number of houses in the constituency. Then, after two years—after the roll-out programme is done—the number is not quite there. Quite often the reason for that is because the build has been more difficult than expected, there have been unresponsive landlords and the money that was allocated for that area does not quite match the ambitions.
It is worthwhile keeping in mind that roll-out is privately funded. There is Government support for the hardest-to-reach areas and we appreciate that, but outside of that it is privately funded infrastructure, with a return on investment over 20 or 30 years. We need to make an investment case. The companies, our members, need to make the investment case for their investors, for their shareholders and for their owners, that they will at some point get that money back. That is why we sometimes need to make those difficult decisions where stuff is being descoped. That is why the Bill is so important; it helps avoid those areas and unlock that bottleneck.
I mentioned alternative dispute resolution; some of our members are a bit sceptical about it, and that is largely because they roll out on a very large scale. Having to deal with thousands and thousands of ADR processes can be quite daunting, time-intensive and costly. For that reason, we believe it is good that it is done on a voluntary basis, with the clear incentive provided in the Bill that the tribunal will take ADR into account. It will help a lot when it comes to negotiations with large landowners; that can include local authorities, where our members often have to negotiate a headlease or a head wayleave agreement. That can be super-complicated, because there is part of the local authority that is really keen on getting broadband, but the people dealing with the wayleave stuff do not really care because it is not in their portfolio. There are then mixed messages coming from the local authority. On the one hand they are saying, “Can you please roll out broadband as quickly as possible,” but on the other hand there are people saying, “It takes another year to negotiate the agreement.” ADR will be really useful to make progress in those very large wayleave cases.
Q
Till Sommer: Yes, that is exactly right. If you cannot use existing infrastructure but you are still going to roll out the network, you need to dig up the roads. I assume you have all received lots of letters about roadworks and the problems that they cause. You either dig up the roads or put up new telegraph poles, which is more expensive and is another element of visual impairment and disruption. For that reason it is much more economical—and from a visual aspect, less intrusive—to reuse existing infrastructure.
Q
Till Sommer: We do. Basically, a key bit that our members provide to your constituents—their customers—is a router, plus other equipment, that is classed as an internet-connected device under part 1 of the Bill. We are in regular contact with your civil servants on that, to clarify timelines and how the Bill might bite. We do not have any concerns about the idea. We support the idea of the Bill; it is more about the implementation, and ensuring that the supply chain is aware of the new provisions that are coming in.
I have heard from a lot of our members that they have started to talk to their supply chain to say, “By the way, in a year, or in one and a half years, depending on when the Bill will be done, we need to ensure that your products comply with these rules.” Because a lot of the manufacturers are overseas, they are not yet aware of them. Anything that can be done to raise awareness among consumer product providers would be welcome. There are a couple of other bits that go very much into the detail around associated software, when it comes to parental controls, which could be affected. I am happy to write to you on that if you want, but we will talk with the Department about it anyway. It is very much nitty-gritty stuff.
The Minister took my last question on part 1, so I am happy to give my time to Back Benchers.
Do any Back Benchers have further questions for Mr Sommer? In that case, I thank you very much on behalf of the Committee, Mr Sommer, for the evidence that you have given, and we will move on to the next panel, somewhat ahead of time.
Examination of Witnesses
Rocio Concha and Jessica Eagleton gave evidence.
Good afternoon. We will now hear oral evidence from Rocio Concha, director of policy and advocacy at Which? and Jessica Eagleton, senior policy and public affairs officer at Refuge. We have until 5 o’clock for this session if needed, but as we have started ahead of time I am sure that nobody will mind if we finish ahead of time. Please could the witnesses introduce themselves for the record? Then I will turn to the Minister to ask the first question.
Rocio Concha: I am Rocio Concha, director of policy and advocacy and chief economist at the consumer group, Which? Thank you for the invitation to provide evidence. The Bill is quite important for consumers. We have been very supportive of the work that DCMS has done in the Bill. That is very good, and I hope that I will have the opportunity to explain how the Bill can be improved to achieve its objectives.
Jessica Eagleton: Good afternoon, everyone. Thank you for inviting me to give evidence. I am Jess Eagleton, senior policy and public affairs officer at Refuge, which is the country’s largest specialist provider of gender-based violence services. We provide a host of services including refuges, community outreach and a specialist tech abuse team. I am here today to speak to you about technology-facilitated domestic abuse.
Q
Jessica Eagleton: Of course. The first thing to say is that we are seeing technology-facilitated domestic abuse becoming ever more prevailing. Technology in all its varieties is providing domestic abusers with a host of new means and methods to perpetrate abuse—to monitor survivors, track their whereabouts, harass them and stalk them—so much so that, as I said, we set up a tech abuse specialist team a couple of years ago. Of the women and children who we supported last year, 59% said that they experienced abuse involving technology, so we are seeing a growing threat.
The specific devices that we are talking about, which are covered by part 1 of the Bill, offer a whole host of ways for abusers to abuse. I am thinking about home security cameras and home security devices such as doorbells, which provide almost 24/7 oversight of a survivor’s movements in the home. Camera and microphone functions can be used to listen in on survivors and capture intimate images without consent, which can then be used later to threaten and coerce the survivor. There are also things such as smart plugs and smart thermostats, which can be remotely accessed and used to frighten survivors—for example, by turning alarm systems on, or putting blaring music on, in the middle of the night. That is happening in the relationship and after it as well, so we are seeing remote access being used in that way.
Some of our concerns about devices relate to access. Thinking about the power imbalance in a domestic abuse relationship, it is the perpetrator who often sets up such devices. They have the password and full admin access, which means that the survivor therefore has limited ways to access a device. We have had some difficulty when talking to companies to try to support survivors to take back control of devices, particularly once a relationship has ended and a survivor has fled. Where they have devices in their home to which the perpetrator still has full admin access, it is particularly difficult to get companies to override that. That is something that we would welcome further work on, in terms of companies taking steps to support survivors to make changes to settings.
Do you have anything to add?
Rocio Concha: Your question was on whether the Bill will help consumers to understand these issues, and it will. As you know, one of the principles in the Bill is transparency—when you buy these products, you will know for how long they will be supported. That will help with awareness. There is a lot more that can be done to raise awareness of these issues. There is a limit on what consumers will know about how to protect themselves, so the direction in the Bill about banning default passwords is quite important, as is the point of contact for security vulnerabilities.
Jessica has explained very clearly the harms. There is an opportunity for the Bill to be more assertive. At the moment, the Bill says that the Secretary of State “may” include baseline security requirements. We know that these are not the right baseline security requirements, so the Bill should be clearer that they will be included. We also think that the Bill needs to list the three security requirements, which would give a clear steer to the industry that they are to be introduced. We are worried that the Bill as drafted could lead to more delays in introducing things.
If we want the Bill to achieve its objective, we must be careful to ensure that online marketplaces are within scope. I would argue that they have to be because, as a consumer, it makes no difference whether you buy your smart product on the high street or from Amazon, eBay or AliExpress; you assume that the product is compliant with the regulations in the UK, so it is important that the Bill also covers that area. Otherwise, you know where the bad actors will go—they will be selling insecure products on those online platforms.
Q
Rocio Concha: On enforceability, if you do not include online marketplaces, you are leaving a big gap, because these products can come from any country in the world when they are being sold in these online marketplaces.
Another area that is not clear in the Bill is how consumers can get redress. As part of the transparency requirement, suppose that you buy a product that says that it will be supported with security updates for four years, but two years down the line, the manufacturer decides to change its mind and to support the product for only two years. Where would the consumer go in that instance? They bought the product on the basis that it would be supported for a set amount of years.
The other thing that is not clear is who the regulator enforcing this will be. Obviously, we need to make sure that the regulator has the skills, powers and resources to enforce it.
Q
Jessica Eagleton: Perhaps I can take your second question first. You are right that we are seeing concerns about these types of products being used to stalk and to monitor. In terms of concrete measures and what the Bill can do in this respect, we welcome some of the security requirements, particularly around the vulnerability disclosure scheme, as a step forward. For example, in the work that we do to support survivors, having that public point of contact and an easily contactable place for a company to go, when we are reviewing these products and putting forward recommendations to companies, is definitely a step forward.
We would have some concerns about situations where companies might publicly disclose security flaws and perhaps not take steps first to address them. We have that concern because that could, in essence, alert an abuser to a new way to abuse a victim. It could alert them to a device that they could purchase or that is already in their home that would provide a new way of compromising, so we would like to see companies taking all reasonable steps to address and action some of these security flaws before there is that public disclosure.
On your second point about services, our tech abuse team is a unique service in the country in providing specialist frontline support to tech abuse survivors, but it is a chronically under-resourced service. Perhaps in the context of this Bill, we would really like to see thought given to a percentage of the fines that the regulators collect for non-compliance by companies going, for example, to fund some specialist support services. I think that would fit within the wider ecosystem of enforcement as well. If we have specialist services that survivors can go to and ensure that they are sustainably funded and able to support survivors, that would contribute to the wider enforcement regime and awareness.
Q
Jessica Eagleton: It is not always thought about that the devices can be used in this way. A lot of the focus of companies in this space has been on how to prevent devices from being compromised by unknown third parties—hackers from overseas, for instance—rather than in the context of domestic abuse. Thinking about things like passwords and default passwords is a welcome step, but in the kind of relationships that we are talking about and dealing with on a daily basis, the perpetrator will force the survivor to divulge the passwords to their devices and all their online accounts. That is not necessarily always thought about by these companies.
However, we are engaging with the companies as much as we can on what we are doing as a smallish team. Thinking through what can be done in future, it is about continuing to place emphasis on and put work into safety by design, which means ensuring that, from the get-go, product manufacturers and designers are thinking about how these products could be misused by domestic abusers. It also means working in collaboration with specialist violence against women and girls services to ensure that those features are designed out as far as possible.
Q
Rocio Concha: In terms of the Bill, an example could be to change or tighten the definition that you have of distributors. In terms of implementation, online marketplaces are the gateway between the consumers and the manufacturers of these products. They are the ones that have the power to make sure that these products comply with the law. Let me give you an example. We routinely do product tests to identify security vulnerabilities with these products. Often when we go to the online marketplaces, we get the answer that, because there is no regulation, they cannot take these products out.
We need the regulation to be clear that any smart product needs to comply with these baseline security requirements. Also, we need regulation to put responsibility on the online platforms to make sure that they are monitoring proactively which products are being sold on their platforms. That is key, and I feel that it is not optional. It is quite clear what is going to happen. There are bad actors out there, manufacturing products that are not going to comply with the baseline requirements. They know that there are not going to be the necessary checks in there by the online marketplaces, but the consumer does not know. It is impossible for the consumer to make an assessment of whether the product will be secure or not. Unless we put in regulation, you can see where all these bad actors are going to go.
Q
Rocio Concha: I personally think that yes, the Government should provide information to consumers so that they are aware of this. Organisations such as ours also play a role, and we play it. We continuously publish our findings on security vulnerabilities and the sorts of things that consumers can do to protect themselves. There is a need for more information for consumers in general so that they can be aware that when they put these products in their homes, unless they take certain steps and buy products that meet the regulations that we hope will soon be introduced, they are putting themselves at risk.
Jessica Eagleton: I would agree with what my fellow panellist has said. When we think about tech abuse, we see that awareness of it is quite low among the general public. In fact, in a survey we ran last year the results were that two thirds of women did not know where to go for information if they thought that a device in their home was compromised. There is a role there for that awareness piece. At Refuge, the approach we tend to take is to empower survivors to use technology safely and to take back control of their products and technology. We have developed a range of resources to do that, but we would welcome more work and more efforts on this more widely.
Q
Jessica Eagleton: The national domestic abuse helpline is the gateway to a wide range of domestic abuse services across the country. If she phoned the national domestic abuse helpline, we would be able to help her there, and help her with safety planning and next steps. We have some resources on our website and have recently developed a home safety tool that talks you through various devices in the home and gives tips on how to secure them.
Q
Rocio Concha: Yes, we would support that. If it is not possible to include it in the Bill, we would ask that the Bill allows for it to be included in secondary legislation in the future. We would be very supportive of introducing minimum supporting periods for products.
Q
Rocio Concha: No, we have not, but we have provided amendments in other areas. We have provided an amendment to allow the Bill to introduce this through secondary legislation in the future, and there is an amendment there. We would be happy to discuss that in more detail.
Q
Rocio Concha: It depends. On these baseline security requirements, we firmly believe that the Bill should list them and be very clear that they will be included. In terms of the minimum security periods you provide to different products, it will depend on the different products and we do not want to delay the legislation to get to the bottom of that. It would be preferable to allow that legislation to be introduced as secondary legislation.
Q
Jessica Eagleton: Some of the most common devices we see reported to us include your smart home hubs, smart voice assistants, smart TVs, plugs, light switches and fitness trackers. Those are some of the most commonly misused. I myself have various different connected products at home.
Perpetrators quite often set up a host of different devices in the home. Recently, we supported a woman whose former partner had bought a whole host of devices, including smart cameras, a smart doorbell, a smart thermostat—all those kinds of things. She and her child felt like they were constantly being monitored; they talked about how exhausted they were by that constant surveillance.
Q
Jessica Eagleton: It is definitely a big consideration. That is why we advise that people get in touch with us and then we can help with safety planning. If a perpetrator has access to those devices and a survivor moves to take back control of them and change the settings, that can be detected by someone with that access. We would work with a survivor to safety-plan how to control her technology.
Q
Jessica Eagleton: My fellow panellist may have some thoughts here as well, but that could certainly be useful for industry. Thinking about the general low awareness of tech abuse, it could be useful to provide industry with some certainty. It could play into that broader awareness piece, as well.
Q
Rocio Concha: Is this about the length of time a product will be supported for? That information should be provided clearly at the point of sale, before you make a decision, so that you know you are going to buy something that may be supported for only two years, versus another product that may be supported for longer. That will hopefully provide everyone with the incentive to extend the number of years for which a product is supported.
We also need to make sure that that information is very clear. We should avoid “up to three years” and “for the lifetime of the product”, which do not really mean much for the consumer. For the consumer to be able to act on that information, it has to be very clear and easy to find when they are making that decision. That is what I would say.
On changing the security, I am a little worried about the industry saying that it may change the period during which a product will be supported. If that change is to extend that period—great; if it is to reduce it, that is very bad. At that point, the consumer has made a decision and bought a product because that product was going to be supported for longer.
If someone was told that a product would be supported for four years, and they later found out it was two years, that product would not be fit for purpose. Under the Consumer Rights Act, you have a right on the same grounds as the Consumer Protection Act 1987.
If there are no further questions from Committee members, that brings today’s sitting to a close. On behalf of the Committee, I thank the witnesses for their evidence this afternoon. The Committee will meet again on Thursday at 11.30 am in Committee Room 14 to begin line-by-line consideration of the Bill.
Ordered, That further consideration be now adjourned. —(Steve Double.)