Lords Chamber
My Lords, I rise to move Amendment 1 in my name and that of my noble friend Lord Clement-Jones, who is sadly unable to be here today. Should your Lordships feel at times that I am going on a bit long, just think of the alternative: it could have been both of us.
I should first say in the spirit of co-operation that the aim of this amendment is wholly positive; it is designed to firmly support the intentions of the first half of this Bill—support which we heard right across your Lordships’ House at Second Reading. While introducing this part of the Bill, the Minister set out a clear need for improved security. He told us:
“The average UK household now has nine internet-connected devices, and over 50% of all UK households purchased an additional consumer connectable product during the pandemic.”
The danger to individuals is getting worse. As the Minister also said:
“In the first half of last year alone, we saw 1.5 billion attacks on connectable products—double the figure of the year before.”
With this rise in connectable devices, the Minister said:
“Thousands of people in the UK have been victims of cyberattacks.”—[Official Report, 6/6/22; col. 1033.]
I suggest that this is understating the situation—it must be tens if not hundreds of thousands—but frankly, we just do not know.
This is an international business, which preys on poor security and badly configured devices. Further, our household devices can be co-opted by sophisticated criminal or political hackers to present significant threats to our national infrastructure. That is why this part of the Bill is important; I think we all agree on that. For a connectable device to be secure, it needs to be set up right but then supported throughout its active life to meet the changing environment of security threats. We are all used to updating our laptop security regularly, but how many times have we updated other household-connectable devices? A baby alarm, for example, is never updated.
At Second Reading, I described my fruitless search within the Bill for a definition of the security support that a consumer might reasonably expect for consumer-connectable products in the house. This Bill takes the secondary-legislative route. Rather than set out what consumers should legally expect in terms of through-life product security support, we were promised some SIs, and we heard what the focus would be.
In a letter sent last week, the Minister gave the Government’s reasons for choosing those three areas; I will come back to them briefly. He wrote:
“we are starting with a focus on the three security requirements that will make the most substantial change to consumer device security at a proportionate cost to business”.
But why just these three? The Bill is heavily based on the Code of Practice for Consumer IoT Security, in which 13 security issues were highlighted. To be clear, the first two—“No default passwords” and
“Implement a vulnerability disclosure policy”—
match those of the Minister. Interestingly, on the third one, there is a big difference in language between the Bill—which mentions providing transparency on how long, at a minimum, the product will receive security updates—and the code, which says, “Keep software updated”.
But there are 10 other major areas. I will not list them, but the fourth is:
“Securely store credentials and security-sensitive data”.
The eighth is
“Ensure that personal data is protected”.
Why are those two not as important as the other three? I cannot fathom why those have been left out and the previous three selected. So, given the choice of 13—the Minister can look them up—what was the logic in choosing just those three and dropping the fourth and eighth in particular?
There is also the issue of changing technology. Without a set of principles, the Government’s aim is to chase technological development with a string of statutory instruments, simultaneously keeping up with the world’s most innovative companies and pitting their ingenuity against the world’s top criminals. Life is moving fast—for example, a recent issue of Wired announced the beginning of the end for passwords:
“At Apple’s Worldwide Developer Conference yesterday, the company announced it will launch passwordless logins across Macs, iPhones, iPads, and Apple TVs around September of this year. Instead of using passwords, you will be able to log in to websites and apps using ‘Passkeys’ with iOS 16 and macOS Ventura. It’s the first major real-world shift to password elimination.”
On that basis, this legislation will be partially obsolete before it is enacted.
I have one further technical problem for the Minister to explain. Once again, different bits of government are moving in parallel. A seemingly entirely different exercise—a consultation on app security and privacy interventions—was published in May this year. The suggested interventions include
“a voluntary Code of Practice for App Store Operators and Developers that is intended as a first step.”
Other possible future options set out in the document include
“certification for app store operators and regulating aspects of the Code to help protect users.”
The document then says:
“These proposals link into the National Cyber Strategy through requiring providers of digital services to meet appropriate standards of cyber security and developing frameworks to secure future technologies.”
No mention of this legislation is made.
So where does a connected device end and an app start? Where does the Bill stop and this new code of practice start? If I install my temperature control system, it will involve connected hardware and an app; which of these two pieces of government activity will cover my system, and how are they connected? The Government have not joined this up, and, once again, two things are going on with no connection to each other.
So, I borrowed some of the Code of Practice for Consumer IoT Security for this amendment, which sets out some of the principles. Proposed subsection 2(a) sets a simple obligation for “manufacturers, importers and distributors” to demonstrate a “duty of care”. Proposed subsection 2(b) sets out that
“customers are entitled to have a reasonable expectation that manufacturers, importers, and distributors make sure their consumer connectable products meet minimum cyber security requirements before they are placed on the UK market”.
Proposed subsection 2(c) calls for
“manufacturers, importers, and distributors … to demonstrate an understanding of emerging security threats and a proactive, ongoing support programme to mitigate these risks and ensure that their products are safe by design.”
The Minister would be hard-pressed to argue against these—and his planned SI on accessibility vulnerability is close to proposed subsection 2(c) anyway.
I would like to hear that the Government recognise the benefits that having clear principles in the Bill can deliver. I am sure that the Minister can see these benefits. Secondly, I am not proprietorial over the exact wording. We can use the time between Committee and Report to fine-tune and wordsmith those principles, but I hope that this is a constructive and helpful start.
My Lords, I restate these Benches’ support for Part 1, which introduces a range of important powers and processes relating to the security of consumer-connectable products, including smart TVs, smartphones, connected baby monitors and connected alarm systems, all of which we use in our day-to-day lives. For me, the legislation that we seek to improve today is much needed and needs to move with the times and the way we live. For example, in 2006 there were just 13 million of these devices but in 2024, there is likely to be more than 150 million in the UK alone—a huge projected rise.
I am grateful to the noble Lord, Lord Fox, for introducing this sensible amendment, and to the noble Lord, Lord Clement-Jones, whose name is also on it. It seeks to introduce or suggest some guiding principles relating to product security. For me, the key principles are that manufacturers, importers and distributors have a responsibility and a duty of care to meet minimum cybersecurity requirements and look forward to emerging security threats. It seems wise and sensible to include these, so I hope the Minister will take them into account. As the noble Lord, Lord Fox, said, the exact wording of the amendment does not have to be used; it is about the principles. Indeed, it is about not just principles but practice: the message given to consumers as well as to manufacturers, importers and distributors.
I know that in other legislation the Government are often nervous about using the phrase “duty of care”, but, as the Minister knows, there are very real concerns about data collection and privacy. I suggest that this is the very least that consumers should be able to expect. While it may be said that the other principles are not necessary to include, there have been several cases of manufacturers knowing about, yet failing to act on, significant security flaws. I feel this is something we need to guard against.
My Lords, I want to say just a couple of words because, having read this and listened, I think the amendment has a very good point. I like the concept of a duty of care, because if we do not have that, who are we worrying about? In fact, Clause 7, on “Relevant persons”, is all about the manufacturers, importers, distributors, et cetera, with nothing about the customer, the poor person who is going to get hit by it. It is a very good idea to put that in at the beginning, setting down some principles and duties, because the other trouble is that by the time that we have done all these bits and pieces, made the regulations and the provisions, we are always acting after the event. What we need is a bit of proactivity, and we get that in this suggested new clause, because manufacturers, importers and distributors would have to make sure that products met certain minimum requirements. They would need to understand what “emerging security threats” there were; in other words, thinking ahead to the next stage and not just saying, “Oh, well, it complied with those things last year”, by which time the horse has bolted and we are far too late. So, I like it.
I am grateful to the noble Lord, Lord Fox, and, in his absence, the noble Lord, Lord Clement-Jones, for their Amendment 1 and for the wholly positive intention with which it has been tabled. I was grateful to have had the opportunity to talk to them about it before Second Reading as well. As the noble Lord set out today, he has argued that customers deserve some high-level principles setting out the security protections they should expect when purchasing consumer-connectable technology. In fact, Amendment 1 goes further, as noble Lords have noted, and would require manufacturers to owe their customers a “duty of care” to protect them. We are not as keen as the noble Earl, Lord Erroll, on that.
The first problem we have with a duty of care is that it could give consumers a false sense of security. If consumers buy well-designed technology products which meet the best standards, it considerably lowers risk, but with cybersecurity there is no such thing as zero risk: the most aggressive and well-resourced hacker will find a way. Somebody may have a quality product, but have they secured their wi-fi router? Do they have some legacy technology on their network? Manufacturers of a single device do not control the whole range of apparatus which constitutes the attack surface so cannot always provide an absolute security warranty, and they cannot always predict the next attack vector.
The second problem we have is that we have learned that the security of devices is best served by standards rather than principles. If one sets standards, one can send a device to a laboratory and assure oneself that those standards have been met. If one sets principles, that does not apply. That is why the Bill is designed to give force to standards. Those standards, developed here in the UK and now adopted by Governments and jurisdictions across the globe as well as by international standards bodies, are widely recognised significantly to lower risk for consumers.
Of course, we believe that the responsibility for the security of connectable products most effectively lies with the manufacturer. We expect manufacturers to take security seriously, to implement measures to develop and maintain an awareness of the security of their products, and to be up front with customers about the security support they can expect. We have tried voluntary compliance, with our code of practice which was published in 2018. We now need mandatory requirements, and that needs specific security requirements that can be independently assessed. The legislation must enable the Government to keep pace with market dynamics and the changing technological landscape—as the noble Baroness, Lady Merron, said, it is important that we move with the times. The flexibility to be able to set different security requirements for manufacturers, for importers and for distributors is key to this.
Amendment 1 in the form drafted would place an equal weight on the duties of each of these three groups to secure products. Compelling the Secretary of State to have regard to this general duty could constrain the Government’s ability to set specific security requirements in the future. Crucially, these principles could restrict the use of powers in this part of the Bill, working against the Government’s ability to bring this regime into force and impeding our ability to keep that regime future-proof. I should also say to noble Lords that industry and consumer groups have not raised the need for general principles such as this. Our efforts to engage and communicate our intentions have been clear, and the requirements we have set out for the relevant persons have been widely understood and are in line with international standards.
The noble Lord, Lord Fox, asked why the Government have chosen these three specific security requirements rather than others. During the consultation in 2019, we explored a number of options including mandating that all consumer-connectable products meet all 13 guidelines in the code of practice. They are all important, but the majority of respondents supported the option that the top three security requirements represented the most appropriate baseline, by balancing the important requirements that are testable, being applicable across a range of devices and creating the right incentives to improve security in these products. That is why the Government are initially mandating the implementation of security requirements that will make the most fundamental impact on the risks posed by insecure consumer-connectable products for consumers, businesses and the wider economy.
The noble Lord also asked about where products end and apps begin. The powers in Part 1 allow Ministers to set out requirements that include products and software. The proposals in the consultation he mentioned relate to those who operate app stores. So, while I acknowledge the good intentions behind it, I hope I have been able to set out why the Government feel that this amendment—
I thank the Minister for giving way. That does not answer the question of where an app starts. If I am downloading Nest for my heating system, I am getting it from an app store, so where is the regulation coming? Is it the app that is coming from the app store, or is it the connectable device law that is coming through here? In which case, I think some explicit connectivity between the apps that run the connected devices needs to be written into the Bill.
Perhaps, if the noble Lord is happy, we can explore this. The example he gives, as he knows, includes software and technology. Perhaps we can have a detailed discussion where we can work through some of those examples. I would be very happy to talk to him about them because on the question he poses the line is drawn in a different place depending on the product and its nature.
The Minister talked about standards a moment ago. If we are going to rely on standards, who is writing them? I presume that he is talking about British standards; to write a standard will take a year or two. I hope that the Government are going to fund it. We got no help from them in trying to fund stuff around age verification, even though that was core to the Digital Economy Act. If we are going to elevate it to an international standard, that will take another year or two, so we will not see any action for a long time if we are going to rely on externally written standards. I have chaired two BSI standards so far, and it does not happen just like that.
Some of the standards in this area have been set in the UK and have already been adopted by other jurisdictions, so I hope that we can give the noble Earl some reassurances. While I acknowledge his point about the time it takes for these to be adopted internationally, in some areas the UK is setting the way, and these are being picked up across the globe.
As I said, while I note the good intentions behind Amendment 1, these are the reasons why the Government are unable to support it. However, I am very happy to pick up the questions about apps and products with the noble Lord and others who wish to join that conversation. I hope that, for now, the noble Lord will be content to withdraw his amendment.
My Lords, while that was a relatively disappointing response, I am pleased that we can have the discussion about apps. I thank the noble Baroness, Lady Merron, and the noble Earl, Lord Erroll. I think he put his finger on it. If we are to keep pace with the speed of change only through a standards regime without making the companies delivering these products in some way responsible—whether through a code of practice or a duty of care, I am not quibbling—there is no way that a standards regime can keep pace with the innovative speed that international crime is running at on cybercrime.
The idea that we can chase this down the road is wholly wrong. I ask the Minister to sit down with the department and perhaps we can come up with a different way of doing it. I am totally agnostic about how we go about it, but some sense that we are not just chasing this needs to be in this Bill, otherwise it is going to be after the fact. That said, I am happy to beg leave to withdraw Amendment 1.
My Lords, I am happy to move Amendment 2 in this group and will speak also to Amendment 4. I am grateful to the noble Lord, Lord Fox, for signing up to our Amendment 2. Part 1, as we have said, represents a step in the right direction on product security. The Bill is, as is increasingly the case with this Administration, a general framework Bill which will have much of the detail filled in later by regulations—a point that the noble Lord, Lord Fox, among others, has persistently made, and we have made from our Benches.
Noble Lords might say that Amendment 2 is a rather crude way of discussing the processes and timescales attached to the regulation-making powers in this part of the Bill but, as was mentioned in the previous group, we need much more information about when these regulations are going to be brought forward. Have some already been drafted? If so, can we see them in advance of Report and certainly before Third Reading? If not, why not? Do any of them need to be consulted on, and if so, what implications will this have on the implementation of new rules and systems? This is, as we have heard before, a time-critical Bill so the regulations are time critical as well and, we argue, need an early airing.
Colleagues in the Commons expressed concern that it has taken too long to get to this stage. We, too, regret that the Government have not worked to introduce some of these measures at greater speed and that more of the detail is not in the legislation, a point which the noble Lord, Lord Fox, eloquently made earlier. Surely it would have been possible to do this, given that the Bill was carried over from the previous Session.
Turning to Amendment 4, it
“seeks to place certain product security minimum standards, including the prohibition of so-called ‘default’ passwords, on the face of the Bill.”
We think this is an important amendment. I credit Which? as where it draws its inspiration from. It is right that we have some core security principles in the Bill. We know that the Government have form on overpromising and underdelivering. Surely these important security matters should not be left to the whim of the Secretary of State at an undetermined point in the future. This process provides a perfectly good opportunity for us to enshrine the requirements in primary legislation, whether in the form of Amendment 4 or Amendment 5 or something else. We believe that there is a strong case for action
My Lords, I will speak to Amendments 3 and 5 and in support of the other two amendments in this group. All these amendments refer to Clause 1 and seek to add some specificity to its general nature. The first amendment in my name and that of my noble friend Lord Clement-Jones is Amendment 3. This inserts a new paragraph (c) into Clause 1(1), adding the text
“children where they are not primary users of products but are subjects of product use”.
Why is this necessary? Here I am indebted to a report on cybersecurity, the UK Code of Practice for Consumer IoT Security produced by the PETRAS National Centre of Excellence for IoT Systems Cybersecurity. Noble Lords may be aware of this group; it has a very strong record in this area. It is a consortium of leading UK universities dedicated to understanding the critical issues of the privacy, ethics, trust, reliability, acceptability and security of IoT. I commend this organisation to the small number of noble Lords in this Chamber interested in this area.
This report highlighted, among other things, the importance of children’s connected toys receiving the necessary scrutiny, due to the implications of embedded cameras and microphones, with the aim of ensuring the child’s and the parents’ protection and right to privacy. Such devices include a wide range of everyday artefacts with internet connectivity intended for use by children or in caring for them, such as interactive toys, learning development devices and baby or child monitors.
These connected toys and tools have the potential for misuse and unauthorised contact with vulnerable minors. The British Toy & Hobby Association has responded by offering a range of guidance notes and by interpreting the code of practice, but with SMEs manufacturing most of these devices, there is much more to be done to ensure that those organisations are sufficiently informed and equipped to produce and market toys that are secure.
Security is not straightforward, as the Minister has already pointed out. While these devices offer a range of advantages through their connectivity, they also potentially expose children and their families to risks that have not yet been fully articulated to many of the consumers who are buying these toys.
A real-life example is that the toy giant Mattel launched Hello Barbie. The Minister may be familiar with it—I do not know. This was as far back as 2015. It was a very innovative toy which it launched with a start-up business called ToyTalk. The principle of this toy was that it could converse using internet connectivity with speech recognition, so as well as talking it could listen. Hello Barbie also allowed parents to log in later and eavesdrop on their children’s conversations with their toys. I will leave your Lordships to decide the ethics of that.
But this connectivity raised some concerns, primarily around who could listen in and record these devices and store conversations and behavioural and location data, and for what purpose this data could be used. Toys like these are now prevalent and they raise significant questions about the appropriate support and guidance for the toy manufacturers, which understand an awful lot about conventional safety—they know how to make physically safe toys—but do not have a track record on developing informationally and data-safe toys because they have never been asked to do that before. This is a new venture for them, and it requires a totally new set of skills and standards, as the Minister might say.
As technology evolves hacking is increasing in sophistication, so it is necessary to keep moving forward. The challenge for cybersecurity in remaining ahead of the risks is inevitably a technological one, and the Minister may remember that the Hello Barbie toy, having been launched and lauded for its security, was ultimately found at some point to have serious security issues. Even that toy, from a very large manufacturer, fell foul of the progress of information crime.
Nevertheless, it is clear that today some toy manufacturers are releasing connected toys without adequate safety and security features. This is a competitive and dynamic marketplace—a lot of it is to do with price—and first movers are rewarded. In addition, the skillset and knowledge base, as I have just said, for conventional toy safety is mismatched with these new toys and we need to find a way of addressing that divergence. This is going to require investment and new learning and will not happen unless the toy manufacturers are required to do it.
Secure software development and cybersecurity are novel demands on this sector. However, the fact remains that these toy manufacturers are potentially placing consumer safety and privacy at risk. It does not matter whether this occurs due to the immaturity of the sector, market pressures or the lack of sectoral attention to the problem.
In the view of the PETRAS report,
“there are no indications that this will be addressed through market forces. Instead, the certainty of legislation to maintain standards would level the playing field and make clear for SMEs where they need to invest to make their toys market ready.”
Thus, more than the technological challenge of staying ahead of hackers, what is salient here are the challenges to the implementation of basic security features in manufacturing such as basic authentication and encryption, without which children’s safety and security is at risk.
This amendment explicitly places child security front and centre in this Bill. In other legislation involving the internet and digital issues, such as the Online Safety Bill, the Government have imposed more onerous duties on those delivering services to children than to adults. This amendment would be entirely consistent with that approach—very much in the spirit of understanding that our children and young people are more vulnerable and therefore need more protection from harms.
I turn next to Amendment 5. The eagle-eyed among your Lordships will spot that it is very similar to Amendment 4, proposed by the noble Baroness, Lady Merron, and set out very elegantly by the noble Lord, Lord Bassam. In fact, I would suggest that, largely, its construction is better than ours because they managed to do the same thing in fewer words. I will speak to Amendment 5 but my comments apply to Amendment 4 as well.
Amendment 5 seeks to ensure that:
“Regulations under this section must include provision that all security requirements specified in accordance with this Act are included as essential requirements in statutory conformity assessments and marking procedures under the Radio Equipment Regulations 2017 … and in any other such assessments and procedures applicable to relevant connectable products.”
I am speaking to the spirit of both these amendments. Amendment 5—similar to that of the noble Lord, Lord Bassam—follows on from the advice and help of Which? I thank that organisation, which has really been at the forefront of the consumer issues involved. In essence, the amendment picks up on three of the issues that the Minister tells us will be dealt with in SIs as soon as the Bill becomes an Act, but it takes the rather stronger approach of placing them in the Bill.
Paragraph (a) of proposed new subsection (2A) goes further than the general principle in specifying that passwords are not to be weak. As Which? explains, many smart products push the user to create a password themselves, rather than use a default password. However, they then allow weak and easily guessable passwords to be created, meaning that the risk of compromise stays high.
One of the outcomes of this amendment would be the introduction of a requirement for responsible password policy guidance to be adopted by the industry to ensure that security liability is not simply passed from the device manufacturer to the consumer. The Bill and associated guidance should be amended to clarify that every individual device must have a unique or user-set password that meets effective complexity requirements.
Paragraph (b) of proposed new subsection (2A) seeks to avoid the risk of disclosures going into a black hole or taking many years to fix. The Bill and associated guidance should be amended to make clear what is required of manufacturers, importers and distributors on provision of disclosure policy information, particularly around vulnerabilities. The appointed regulator should also clearly define and distribute a risk assessment framework for vulnerabilities that removes any sense of subjectivity and ensures that the response is effectively mandated.
Paragraphs (c) and (d) of our proposed new subsection concern the length of time a product is supported. The Government should introduce mandatory minimum support periods for smart products and consider whether these periods should reflect how long consumers, on average, continue to use such products. There is a precedent here. New ecodesign and energy labelling requirements came into force in England, Scotland and Wales in 2021. They include a requirement for electronic display items, including televisions, to be provided with firmware and security update support for a minimum of eight years after the last unit of a model has been placed on the market. A consistent approach to support periods for a range of products therefore needs to be considered, and it has already been considered in this other legislation.
Customers need absolute clarity on the support period manufacturers will offer, so that they are able to make more informed purchasing decisions. There must be a clear definition of what the “point of sale” means and how this relates to the definitions of “supply” in Clause 55. Without clearer specifications on what form the transparency requirements will take, there is a risk that this information could be hidden, obfuscated or even misleading. This amendment is designed to probe the Government’s thinking on these very important issues.
Finally, and very briefly, as a signatory to Amendment 2, I give it my full support.
I am very grateful to noble Lords for setting out the cases for Amendments 2, 4 and 5. Since January 2020 the Government have been clear on introducing security requirements based on the three guidelines to which I referred in the previous group.
The commitment to set requirements has been made in response to consultations, published strategies and indeed to the Explanatory Notes to this Bill. Our notification to the World Trade Organization also contained reference to some of these documents. We have put manufacturers, trade bodies and industry representatives on notice. Supply chains are long and surprises unwelcome, so the Government have been very clear on whither we are heading.
Amendment 2 would remove any discretion the Secretary of State has to make regulations. I appreciate that the intention behind tabling it is to explore this issue, and I hope I can assure noble Lords that it is not needed. The regulations will be made, and swiftly. Indeed, we have already consulted on them, in 2020, which I hope gives noble Lords some reassurance that we intend to move swiftly in this area.
Amendments 4 and 5 would insert specific security requirements into the Bill. As several noble Lords mentioned at Second Reading, it is important that technology regulation enables the Government to respond to changes in threat and technology, and to the regulatory landscape. That is precisely why the Bill does not contain details of the requirements that the Government have assured industry they will set out.
Perhaps the Minister should consult whoever drew up the legislation that managed to mandate that televisions should be updated for firmware and software for up to eight years after they have stopped being manufactured. Clearly, those people managed to find consensus among the industry—or decided to ignore consensus—and deliver something. If it can be done for electrical display devices, such as televisions, I do not see why it cannot be done here if there is a will to do it. However, I think the Minister is telling us that there is no will to do it.
The noble Lord referred to mandatory minimum support periods for electronic display items and the Ecodesign for Energy-Related Products and Energy Information Regulations 2021. It is not quite correct to say that those requirements are applicable. They ensure that the last available security update continues to be available for at least eight years after the last unit of a product has been placed on the market but the requirement does not ensure that manufacturers continue to provide new security updates over that period to ensure that the product remains secure in response to changing threats.
I did not say that those requirements are applicable; I implied that they are analogous. Frankly, the fact that there is some mandating of security support after the product has stopped being manufactured is a heck of a lot better than the situation for all the connectable devices we are currently talking about, where there is no requirement at the moment.
I do not think that they are quite analogous. As I say, it is about the requirement to keep the last available updates available to consumers for eight years rather than evolving them. We do not yet consider that there is sufficient evidence to justify minimum security update periods for connectable products, including display equipment—certainly not before the impact of the initial security requirements is known.
It is important to stress that, as consumers learn more, they will expect more. This will drive industry to respond to market pressure. If the market does not respond to this effectively, the Government have been clear that they will consider the case for further action at that point, but we think that consumer expectation will drive the action we want to see in this area.
Amendment 3, tabled by the noble Lords, Lord Clement-Jones and Lord Fox, refers to children. All noble Lords will agree, I am sure, that protecting children from the risks associated with connectable products is vital. I assure noble Lords that the security requirements we will introduce are designed with consideration for the security of all users, including children, alongside businesses and infrastructure. The Bill already gives the Government the flexibility to introduce further measures to protect children, whether they are the users of the products or subject to other people’s use of a product. We therefore do not think that this amendment is necessary as this issue is already covered in the Bill.
The Bill, and forthcoming secondary legislation, will cover products specifically designed to be used by or around children, such as baby monitors and connectable toys; they include Hello Barbie, which I was not familiar with but on which I will certainly brief myself further. However, we recognise that the cyber risks to children are not limited to the connectable products in the scope of this Bill; indeed, a lot of the issues referred to by the noble Lord, Lord Fox, were about the data captured by some of the technology, rather than the security of the products themselves. That is precisely why the Government have implemented a broader strategy to offer more comprehensive protection to children—including through the Online Safety Bill, to which the noble Lord, Lord Bassam, referred.
I hope noble Lords will agree that Amendment 3 is not needed to make a difference to the Bill’s ability to protect children from the risks associated with insecure connectable products—this is already provided for—and will be willing either to withdraw their amendments or not move them.
My Lords, this has been a useful and interesting exchange.
In my lordly world, “may” and “must” are sort of interchangeable; they were a useful peg on which to hang our discussion about the statutory instrument nature of this piece of legislation. I am somewhat reassured by what the Minister had to say about that, and acknowledge that some of the regulations were brought forward and consulted on at an earlier stage. However, we on this side of the House—I am sure that I speak for the noble Lord, Lord Fox, as well—want to see increased transparency throughout this process. So much of what is in front of us will be in secondary legislation; it is essential that we, the industry and the sector are properly consulted so that we understand exactly what we are dealing with. I make that plea at the outset.
I was pleased to hear what the Minister said about children as the primary users of particular products. I am glad that we have got beyond the “Peppa Pig” world that the Prime Minister occasionally occupies and are giving this issue proper, serious consideration. It certainly needs to be that way.
I am not entirely convinced by what the Minister said on Amendment 4. I look at our amendment; it is pretty basic, actually. It is hard to argue against setting out a particular prohibition in legislation. The ones that we have picked out for prohibition and restriction are quite important and essential. Of course, the Minister is right that those subjects will change and technology will overtake the words we use. We understand that point but we are trying to secure some basic minimum standards and protections here. Clearly, we will retreat with our amendment and give it some further thought before Report, but we may need some further persuasion on this. That said, I am quite happy to withdraw Amendment 2 and not move Amendment 4.
My Lords, in his response to the Minister, the noble Lord, Lord Bassam, talked about transparency. The Minister said that he hoped we were reassured by the presence, and indeed the draft, of particular regulations. More specifically on the point made by the noble Lord, Lord Bassam, we would be reassured if the Minister were prepared to share those drafts with Her Majesty’s loyal Opposition and those of us on this Bench, but the Minister has set his face against pre-publishing draft regulations so that we can have a chance. That trust will come if we are trusted in this process, but it does not come for nothing.
I rise to speak to these—whatever the collective noun for amendments is; perhaps a raft or a shedload—amendments, all of which are around delegated powers and secondary legislation, and to move Amendment 6. As we have discussed, in Part 1,
“The core provision is clause 1, which allows the Secretary of State to make regulations specifying the requirements that are to apply for the purpose of protecting or enhancing the security of internet-connectable products made available to consumers in the UK. The security requirements can be applied to … relevant persons.
Clause 3 allows the Secretary of State to make regulations providing that a relevant person is to be treated as complying with the security standard if specified conditions are met. No limits are imposed on the circumstances in which this power would be capable of being used. Subsection (2) provides that the specified conditions may include, “among other things”, compliance with specified standards. But this does not limit the circumstances in which this power may be exercised.
The explanation for the power is given in paragraphs 20 to 22 of the memorandum. The point is made that improving the security of connectable products is a critical global issue”—
which we have discussed,
“and therefore it is likely that many other countries and international standards bodies will introduce standards similar to or aligned with the security requirements imposed under this Bill. The purpose of the power is to allow products which meet these alternative standards to be excepted from the regime under this Bill, provided that those standards achieve equivalent security outcomes and do not weaken the regime established by the Bill.”
Are noble Lords still with me? The Bill’s
“powers will also facilitate mutual recognition agreements and therefore help the UK to avoid placing an undue burden on industry by restricting the free flow of international trade.”
I think we all can see this. I agree with the Delegated Powers and Regulatory Reform Committee,
“that this provides a reasonable explanation for the power contained in Clause 3, it does not explain why it is considered necessary or appropriate for the power to be at large and not limited so that it can only be used where a product is subject to an alternative security regime imposed outside the UK”
and that the Minister needs
“to explain whether the failure to limit the powers in this way is inadvertent; and, if not, why (whether by reference to technological change or otherwise) it is considered necessary to draw the powers more widely than indicated in the memorandum.
Regulations under Clause 3 are subject to the negative resolution procedure. That is based in part on the fact that the regulations will not reduce the effect of the legal framework. But that assumes that other international standards will apply instead.”
This amendment puts forward the DPRRC’s recommendation that
“the affirmative resolution procedure is more appropriate if the width of the regulation-making power is to be retained.”
The alternative is for the Government to narrow that regulation power.
Amendment 9 focuses on regulations under Clause 9(7), which are subject to the negative resolution procedure. This amendment implements the DPRRC recommendation that
“the affirmative resolution procedure is more appropriate if there are to be no limits on the circumstances in which the duty under clause 9 to provide a statement of compliance may be waived.”
Then we have tabled an amendment that removes Clause 9 altogether. Clause 9 is designed to take power to except manufacturers from the duty to provide a statement of compliance. The clause
“requires manufacturers to provide a statement of compliance when a product that is subject to security requirements is made available to the UK. Subsection (7) of clause 9 confers a power by regulations to provide that a manufacturer is to be treated as complying with this requirement if specified conditions are met.
The explanation in the memorandum links this power to the power in Clause 3 to treat a relevant person as complying with a security requirement.
‘Where the government has recognised another standard as being equivalent to compliance with a security requirement using the provisions of clause 3(1), it may be appropriate under certain conditions, for instance where the government has entered into a mutual recognition arrangement with another regime, for the duty to ensure that a product is accompanied by a statement of compliance to be waived for relevant persons in relation to products that meet that standard.’
However, this limitation on the circumstances in which the power will be used is not reflected in clause 9(7) itself, which simply confers a power to treat the manufacturer as complying with the duty to provide the statement of compliance ‘if specified conditions are met’, without any indication of or limit on what those conditions might be.”
As such, the purpose of giving notice of our intention to oppose the question that Clause 9 stand part of the Bill amendment is designed to get to the bottom of the issue and to get the Minister to explain whether the failure to limit the power, as described in the memorandum, is inadvertent; and, if not, why it is necessary to draw the power more widely than indicated in the memorandum.
My Lords, I am grateful, as ever, to the Delegated Powers and Regulatory Reform Committee for its very helpful report on this Bill. It would be fair to say that, in general, this Bill has fared better than most Bills, so that gives some comfort. Nevertheless, it is also true to say that the committee has raised a number of concerns and has put forward a very helpful range of recommendations, which are encapsulated in this suite of amendments. I thank the noble Lord, Lord Fox, for his detailed canter through what might be called a veritable feast of amendments.
As I say, this group of amendments very much reflects the concerns of the committee. I should also put on record that as the amendments were tabled at a relatively late stage, these Benches have not signed them. I say to the Minister that there is nothing to deduce from that, because I can confirm that we hope that he will take the concerns that are seriously and sensibly set out in this group and will look at revising the scope of procedures relating to certain powers when it comes to Report stage.
The feast of amendments in this group aim to implement the recommendations of your Lordships’ Delegated Powers and Regulatory Reform Committee. We welcome the committee’s report and are considering its recommendations, as we always do. It will infuriate the noble Lords who have asked detailed questions when I say that, ahead of setting out our response to the committee, I will not be able to cover all the issues they have pressed the Government on today. I am happy to say that we will set out our response in writing ahead of Report. Perhaps once we have done that, and noble Lords have seen the Government’s full thinking in their response to the committee, it might be helpful for us to speak in detail.
The legislation has been designed to protect people, networks and infrastructure from the harms of insecure consumer connectable products, while minimising the unnecessary regulatory burden on businesses. It does so in the context of rapid technological and regulatory change, evolving cybercriminal activities and a growing impact on people in businesses, all of which require us to ensure that the legislation can evolve quickly and effectively. The UK, as I have noted, is leading the world with its approach to regulating connectable products. As other jurisdictions increasingly turn their attention to this important issue, we will use this flexibility to achieve alignment with equivalent regulatory regimes, avoiding unnecessary duplication. These powers, and the others conferred by the Bill to make delegated legislation, are crucial for it to remain effective. We have carefully considered the number, scope and necessity of these powers, and believe we have struck the right balance between the need for that flexibility and the importance of Parliamentary scrutiny, which noble Lords rightly stressed again today.
We welcome the report of your Lordships’ committee and are considering its recommendations. I am afraid I cannot, at this stage, pre-empt our response, which has to be made while considering the recommendations’ impact on the broader framework. We will return to these matters on Report, and I am very happy to have a detailed conversation with the noble Lords about our response after we have responded to the DPRRC.
The noble Lord, Lord Fox, focused on Clauses 9 and 11. I am happy to confirm that nothing about how the powers are drawn in Clause 9 is inadvertent; this was our intent. Clause 9 contains four delegated powers; they will be used predominantly to provide administrative detail deemed too technical for primary legislation. For example, they will explain what must be included as a minimum in a statement of compliance, what steps must be taken to determine compliance, where appropriate, and for how long a manufacturer should keep a statement of compliance. They will also provide flexibility to respond swiftly to changes in the market. In addition, the delegated powers in this clause may be used in the future to provide that the statement of compliance is equivalent to certain product markings, or external conformity assessments, such that a manufacturer may be deemed to have provided a statement of compliance where such markings or assessments have been made or completed. This is dependent on regulatory changes to product markings and on the development of the assurance sector for product security.
At this stage, and awaiting our response to your Lordships’ committee, I hope noble Lords will agree that it goes without saying that the Government feel these clauses should stand part of the Bill.
I sort of thank the Minister for his response, which is really no response at all. He did say that it would infuriate me and he is fairly accurate about that.
As correctly noted, I am merely a cipher for the DPRRC, a very serious committee that does not produce these reports lightly. The point it is making, particularly on Clause 27, is front and centre to this Bill. Who is going to enforce it? Who decides who will enforce the Bill, and how will Parliament know if the Secretary of State decides not to tell it, under the current regulations? These are very serious matters and not ones that your Lordships’ House should step back from. I am sure that the Minister will, on reflection, understand that the DPRRC has a very important point to make. The others are important points, particularly around Clause 3, but the Clause 27 piece is absolutely central to the future of this Bill. That said, I beg leave to withdraw Amendment 6.
My Lords, Amendment 7 is also in the name of my noble friend Lady Merron. This amendment, as the notes to the Bill’s amendments set out, brings online marketplaces which allow relevant products to be listed for sale within the scope of the security requirements outlined in the Bill. We wish to express again our gratitude to Which? and others for their work in relation to online marketplaces, including, but not limited to, Amazon and eBay, which facilitate the sale of many of these products.
Research suggests that a significant number of products listed on online marketplaces could have security and privacy risks. This is prior to the introduction of the new rules for producers, importers and distributors, but it does highlight the importance of ensuring that marketplaces are subject to at least some of the new measures. Following Second Reading, the Minister kindly wrote to noble Lords, as he promised he would, and suggested that in many cases these websites will fall under “at least one” of the categories and, even if they do not, earlier parts of the supply chain will be subject to the new duties. On that basis, the Government say they will not explicitly bring marketplaces within scope of these measures but will keep the matter under review. It is disappointing that the Minister decided to rule out this change without even having this Committee debate. I hope the Minister’s response will go into more detail than the letter, and he will outline exactly what this review process will look like. Importantly, if it becomes apparent that obligations need to be imposed on these businesses, can he outline the process for achieving this? Can it be done under existing powers, or would it require an additional, albeit simple, piece of primary legislation?
This may not be a gaping hole in the Bill, but it does feel like a gap that needs to be addressed. We hope the Government will be persuaded of that in the run-up to Report stage. It is important because we do not often get legislation on this subject and we do not often get the opportunity to deal with issues such as this. I say to the Minister that we need considerable reassurance on this point because of that very fact. The Minister may say that it is all going to be down to regulations. That is not really a complete answer but we look forward to hearing his response.
My Lords, I rise to speak to Amendment 8 in my name and that of my noble friend Lord Clement-Jones. These are two ways of doing the same thing so I support the spirit of Amendment 7, about which we have just heard from the noble Lord, Lord Bassam.
This amendment adds the following wording to Clause 7:
“Any person who is a provider of an internet service that allows or facilitates the making by consumers of distance contracts with traders or other consumers for the sale or supply of a relevant connectable product is to be regarded as a distributor for the purposes of this Act, if not a manufacturer or an importer of the product.”
This amends the language that defines a distributor in the scope of the Bill. Online marketplaces are a mainstream form of today’s retail. Which? research in 2019 found that more than 90% of the UK population had shopped through an online marketplace within the month it was polling. That has increased during the pandemic. However, its research also consistently highlighted how online marketplaces are flooded with insecure products. It has previously demonstrated issues with the lack of legal responsibility of online marketplaces for the security and safety of products sold through their platforms.
The Government have recognised the problem, in their response to the call for evidence on product safety, that current safety rules were designed to fit supply chains as they operated before the world of internet shopping. In the realm of product safety, the Government have acknowledged that this can result in the peculiar situation where no actor is responsible for ensuring product safety. This has resulted in organisations such as Electrical Safety First repeatedly finding unsafe and non-compliant products listed on online marketplaces. Therefore, the traditional conception of actors in the supply chain is now outdated.
The Bill defines “distributor” as
“any person who … makes the product available in the United Kingdom, and … is not a manufacturer or an importer of the product.”
At present, it seems unlikely that certain online marketplaces, including eBay, Amazon Marketplace and Wish.com, will be included within the scope of that definition of distributors in the Bill. This will leave, without overstating it, a sizeable gap in the regulatory scope of this market.
Given the amount of insecure tech readily available on online marketplaces, it is paramount that these platforms are given obligations in the Bill to ensure the safety and security of the products sold on their sites, regardless of whether the seller is a third party. However, the Clause 7(5) definition of “distributor” in terms of making products available on the market is in line with existing product safety law, so we know that certain marketplaces are not classed as distributors and hence not obligated to take action. Amazon Marketplace, Wish.com and eBay are marketplaces where other people are selling; this is the issue.
This amendment seeks to expand the definition of distributors in Clause 7 to include appropriate online retailers, such as listings platforms and auction sites, including eBay, Amazon Marketplace and AliExpress. I feel sure that the Minister did not intend for the legislation to miss these marketplaces out; rather than risk this loophole going any further, we will work with the Minister and Her Majesty’s loyal Opposition to come up with some wording that absolutely iron-clads the Bill to ensure that these sorts of marketplaces are also included.
I am grateful to noble Lords for speaking to their amendments in this group, both of which seek to make online marketplaces a “distributor”. It is vital that all products offered to consumers are secure, including those listed through online marketplaces, and we want to ensure that this is achieved in the most efficient way.
The explanatory statement for Amendment 7 suggests that products listed on online marketplaces might not be protected by the security requirements set out in the Bill. I reassure noble Lords, particularly those who tabled Amendment 7, that the security requirements will need to be met for all new connectable products offered to consumers in the UK, including those offered through online marketplaces. These marketplaces often act as a manufacturer, importer or distributor and, in those cases, they are subject to the same duties and security requirements as those three types of economic actor. If, however, the online marketplace does not fall into one of these three categories, the manufacturers, importers and distributors of those products are all still fully responsible for complying with security requirements.
This has piqued my interest; how does this exercise relate to the Bill? This process of dealing with the online acquisition of unsafe products would seem to be what the Bill is doing front and centre, so what is that process? How do the two connect?
They are complementary; the new product security framework sits alongside existing legislation on product safety, which is why we want to conduct a review of the safety framework and publish the consultation. I am certainly happy to write and endeavour to explain.
The noble Lord asked whether products sold through online marketplaces fall into a gap in the Bill. The Bill requires in-scope products offered for sale through online marketplaces to customers in the UK to be as secure as in-scope products sold, for example, in physical stores. We are mindful of the variety of services offered by different online marketplaces. Some act only as advertising platforms, while others facilitate transactions and store and ship products on behalf of the seller. As noble Lords have noted, this changes all the time. This must be carefully considered to ensure that businesses can comply with their legal obligations and that any regulation is necessary, appropriate and proportionate to provide the best protection to consumers.
I am sorry to keep popping up; being a practical person, I will try to give the Minister a scenario and, if he cannot answer straightaway, he can write. I have bought a product through an online auction that turns out to be unsafe; I go back to the auction site, which tells me, “Not my problem. You have to return to the international manufacturer which made this product”, which turns out to be a brick wall and nothing comes back. First, is that online auction site correct in handing me over to the international manufacturer, which turns out to be a dead end? Secondly, if that site is correct, to whom do I go? Do I go to my local council trading officer or to the person who, under Clause 27, has been mysteriously made the enforcer for the Bill? I may or may not know who they are. How do I seek redress, and from whom?
I will try to answer the noble Lord’s question, and I am happy to write with further detail. Products sold on online marketplaces are covered by the Bill. All products sold to customers in the UK will have to comply with the security requirements set out under this framework. Where a product is sold on a third-party online marketplace, the seller will be responsible for ensuring that it is compliant. Third-party sellers who sell new products directly to customers on those platforms will also be covered under the “distributor” definition. I will happily write to the noble Lord with further detail ahead of Report but I hope that, for now, that goes some way towards addressing his question.
My Lords, I would be grateful if my noble friend included me in his replies and letters. Is he aware of the lamentable performance of Her Majesty’s Revenue and Customs when it comes to trying to enforce VAT in similar circumstances, and the enormous difficulty it has had with third-party sellers operating out of the Far East in particular? It is extremely difficult, and the volume of VAT lost runs into the billions. This is a large-scale enterprise and it will easily channel a large volume of unsatisfactory products into the UK if we do not take effective action.
I hope that the Government, in their new consultation, which I look forward to learning about, will be taking a robust attitude towards the platforms. For instance, it is entirely unsatisfactory that there should be a way in which unsafe toys can get into the hands of children at Christmas, and for which there is no effective means of prevention or redress. In other jurisdictions, these online marketplaces have proved amenable to a forceful approach by government. I very much hope that we will be joining in with that.
I am happy to include my noble friend in the replies and the letter I send. This touches on work which falls under the Department for Business, Energy and Industrial Strategy, and the points he raised, of course, fall to Her Majesty’s Revenue and Customs. We will make sure that, having consulted officials there, we provide some details of the work those departments are doing as well.
My Lords, I am looking forward to the correspondence on this; I fancy that the noble Lord’s civil servants will have a tricky job on their hands. I do not think I quite got a response to what the nature of “being kept under review” really meant, but I await word in the future.
I have been reading the Explanatory Notes, as the Minister will probably be unhappy to hear, and I can see the difficulties. In trying to ensure that the legislation is focused, rightly, on the producers, manufacturers, importers and distributors, it is hard to work round that and not capture people who are simply installers of a product. On the other hand, there are circumstances where installers are primarily responsible for the effectiveness and working of the product, and if it was not for the way they install it, it would not be effective. The terms of the contract are such that it makes that difficult.
I can see the difficulty here, but for now I am happy to withdraw our amendment. In doing so, we are equally supportive of the amendment in the name of the noble Lord, Lord Fox, because the two are contiguous in their formulation.