Product Security and Telecommunications Infrastructure Bill (Second sitting) Debate

Department: Department for Digital, Culture, Media & Sport
Julia Lopez

Q Finally, I just wonder how we use this as a moment to increase consumer awareness. You both suggest that the onus should not be on consumers, but as a Minister I am still concerned that people do not entirely understand what we mean by “internet of things” and the extent to which we will have even more connected devices in the future. Could you set out what the security challenge will be in the future, in your opinion, and how we try to use this to educate consumers so that there is an informed customer base when product decisions are made in this area?

Professor Carr: I think the element that will impact consumer decision making the most will be the length of time for which the product will be supported. I remember having the conversation in a room in DCMS all those years ago about how we could possibly be expected to spend £1,000 on a phone that will not work in 18 months, that the company knows will not work in 18 months—it will not be supported—and to not have access to that knowledge. This is not just about putting labels on things; it is about the fact that we could not find out even as an informed consumer. I think the length of time for which the device is supported will have a major impact on consumer decision making and probably more than the other two things, because a lot of people do not care about passwords and a lot of people do not know what a vulnerability disclosure agreement is or what that means. Knowing for how long the device will be secure is like having an expiry date put on it.

That is an example of where a kind of market driver can impact consumer decision making, but one of the things that we know about cyber-security more generally is that, very often, market drivers do not work in this space. There is not really, to be honest, all that much of a market for cyber-security, as people do not really care about that. That is why we need to think about moving beyond the dominant narrative over the last 50 years that Governments stifle innovation. Even if we go right back to the beginning of digital technologies and the ARPANET and DARPANET, those things were wholly supported by the US Government. They were funded by the US Government; they were invested in by the US Government for decades before the private sector came on board. So there are these points where it is absolutely necessary for Governments to be involved and for governance to happen, because we cannot see the future. If people begin to lose confidence in these devices and they begin to fear—“I don’t want my child to have something like that. I don’t want Alexa in my house. I don’t want people listening to my conversations etc.”—all the incredible benefits that we can extract from those technologies will go by the wayside.

I will give just one very clear example of this. If you think about the huge effort that the banking sector put into making sure that people felt confident about banking online, spending money online and tapping their card—“When something goes wrong, the bank will take care of you”—the reason, the logic, behind that was that if people began to think, “It’s not safe to bank online; it’s not safe to use my card in these little shops,” they would stop doing it. It was that investment in regulating it, locking it down and making sure it was safe that has allowed us to get to this extraordinary situation where you can walk around with no wallet and just a phone. It is that thinking that is important now.

David Rogers: I think the transparency point is fantastic. This work is not done in isolation. There is lots of work going on about lengthening software updates for lots of types of products, and there are different regulations happening in Europe and so on. Consumers should not have to know about the details. Madeline has said this. They have an expectation, a very reasonable expectation, that they will not be arbitrarily hacked into. We have all read the stories about things like baby cams being hacked into. That is totally unacceptable, because at the end of the day the company that created and sold that product that was insecure at the time it was created is responsible for it. Of course, they did not hack into it, but they left all the doors open, and they sold that product and made money and profit from it.

Yes, I believe that consumers should know that they are being looked after, and the length of time that that is provided for helps them to make an informed decision—it is a free market. Also, security should not be a luxury for the rich. You should not be required to replace your iPhone, for example, just because the support ends. At the end of the day, we are all impacted by security issues. The Mirai attack, for example, was an extremely large distributed denial of service attack, which basically took down large parts of the internet. It was all those small IoT devices, routers and things that had been taken over. The attack did not discriminate between who had those devices, those older devices or whatever, but the impact and scale of that attack was the problem.

That is why we need to ensure on an ongoing basis that, as the technology develops, we can put new requirements through the standards bodies and endorse them. This is the start of that lifecycle, to ensure that those products do not enter markets like the UK.

Chris Elmore (Ogmore) (Lab)

Q To keep the conversation on consumers, eBay, Amazon and other platforms are not part of this Bill, but an awful lot of research out there suggests that they do not regulate what they sell. There are an awful lot of suggestions from organisations like Which?, whom we are meeting later, that those platforms’ markets are often flooded with devices that are not secure, but are cheaper. Again, to go back to your comment about how security should not just be for the rich, if someone is looking for a cheaper type of product, they can go there and their thought will not be about security, but about how shiny and new, or refurbished, it is—how it looks very good and the same as what the other child in the class has, and so on. What are your views about looking at the online marketplaces? Is that the next step, through secondary legislation or this Bill? Should they be as responsible as the manufacturers, if they are wilfully selling products that they know are not secure?

In that vein, is there something in the idea of a reporting mechanism—either by the Department or some sort of regulator, annually or however long is appropriate—for whether these organisations and manufacturers are working to the standards that you so strongly set out? They have had years to deal with the standards, but many are still not doing it. I am suggesting naming and shaming, if you will, to give consumers better informed decisions.

A lot of people borrow money to buy these devices. On Second Reading, I expressed a concern that many people will look in a retailer or online, and go, “If that doesn’t exist for this much time—if it only has two years on it and the loan is three years—why am I bothering to purchase it if it is obsolete in that time?” That is a concern that many people have. Consumers potentially do not know what this or that means, but they know what “security” means, and if they think something is not secure, then, as Professor Carr mentioned, they think, “Well, I won’t bother having that product, because it isn’t safe”, because that is how they view the word “security”, which is logical, but not necessarily the best option given what they are looking for. There are several questions in there, forgive me, but they are interconnected with what the Minister was saying.

Professor Carr: I will try to answer as many as I can, as well as I can. I am sure that David has comments as well.

On educating consumers, that question of “Will the loan outlast my device?” is a very astute one, because consumers do not need to understand—they never will—all the ins and outs of phone or device security, but that is a very pragmatic response: “What actually am I buying? I am spending for three years to buy two years of a phone.” That type of consumer education will snowball when people are presented with information on how long the device will last and asked, “Is that what you want?”

I guess online markets are already regulated. There are things that we cannot buy in the UK and that cannot be shipped here. It would certainly have to be a consideration that, ideally, devices that did not meet UK standards were not able to be shipped to the UK, but I guess that is the case with many consumer goods that we cannot buy online. There is a tendency to blame business in this scenario and to see manufacturers as careless or irresponsible, which surely some of them are. However, it is also the reality that businesses have to make a careful calculation on how they invest. If it costs more to produce a product and they are answerable to shareholders, they have to have a conversation about why they are spending more on a device that is already selling well and returning a profit. I am not saying that that is the way it should be, but that is the way the free market works.

Look at what happened with GDPR. In my work, we work a lot with senior business leaders and talk to them about how they respond to cyber-security regulations. They did not push back against GDPR or see it as terribly negative; they saw that it unlocked budget for them to use, because they could quantify what percentage of their global turnover a data breach would cost or what the fine could amount to. They can take that calculation to the board, and say, “Right—we mustn’t have a breach or it would cost this much. How secure do we feel we are?” That is where such regulations can have a very positive effect on industries that would like to comply but cannot just invest in all the different aspects of a device without some justification. This gives that justification. It unlocks that funding in those board conversations about where investment in products should go.

David Rogers: Just to address the Amazon/eBay question, I have seen all this stuff. I have bought some of it to have a look at. A lot of counterfeit and substandard—the Chinese call them Shanzhai—products are available. I have conversations in which people say, “This is about buyer beware. You’d never buy a £9.99 smart watch. You should know that that’s going to be dodgy,” but as you said, people cannot necessarily afford it. There is a peer pressure element to it, and there is a sort of endorsement by the brand. If you go to Amazon, you expect it to be a quality product, so people are lulled into that sense of security that what they are getting is quality. In some cases, that is not the case. I fully agree that the companies that are retailing this stuff cannot just lay the blame at the door of the companies that are stocking and selling it. If it is on Amazon Prime, surely Amazon has a responsibility over that.

Earlier, Dave mentioned different regulatory regimes and that there may be some fragmentation around the world. I actually think that there is probably a lot of alignment and harmony. There has been a lot of work between DCMS and the National Institute of Standards and Technology in the US, so there is a broad understanding of what good looks like. If, either through some self-declaratory measure or by some endorsed mechanism of compliance, those companies are told to come up with a compliance statement, that helps the likes of Amazon and eBay to select their suppliers appropriately and then to remove them from their stores more easily. At the moment, it is kind of a wild west. They do not have any questions or answers.

Ruth Edwards (Rushcliffe) (Con)

Q Professor Carr, you made some really interesting comments about the balance between regulation and innovation, and how it is not always as it is portrayed to be. Do you think the Bill strikes the right balance in those areas? Is there anything missing from it that should be in there?

Professor Carr: I think the Bill would be a hugely positive step. There is a lot more to be done in terms of regulating emerging technologies. As I said earlier, the UK is a country at the forefront of thinking about these issues and taking action. It is new territory, because we are not used to legislating about these things; it seems somehow interventionist, or that it stifles innovation. Actually, digital technologies have become so integrated into every aspect of our lives, from the most personal level to infrastructure, and we have not caught up with that in what we see as the acceptable responsibility of the Government, of individuals and of industry.

There has very much been a narrative that Governments need to stay out of this area. I think that is very dangerous and wrong, because that is how we have ended up in the situation we have been in. It is certainly a balance between those parties—Government, civil society and industry—but we are a long way from having that balance right. Governments are beginning to see that there is a mandate and that they have a responsibility. We see that not just in the UK, but certainly in the US, Australia, the EU. But there is a long way to go.

--- Later in debate ---
The Chair

Can I ask witnesses to please keep their answers shorter? I have had a number of Back-Bench Members already indicate that they want to come in.

Catherine Colloms: Sorry. I think it just changes the mix, effectively.

Simon Holden: I might just add that if Openreach is the Goliath and CityFibre is the David—certainly in rural—we would like to go into rural. This would be really helpful for us in order to make sure we can move at speed and at a sensible cost, and take advantage of the opportunities the Government are providing to accelerate growth there, so we would be in favour of that.

Juliette Wallace: On the mobile side, you asked about rural connectivity. Predominantly, that is going to come from new sites, and the code is actually working quite well with new sites—new land build-out. Our biggest challenges come from renewing the agreements that have expired on existing sites. That is where we need the changes in the code that this Bill addresses, and also the amendments to how the Bill is drafted so that it actually addresses the Government’s ambitions that came out as a response to the consultation.

Chris Elmore

Q I have two very quick questions, because I am conscious of time and Back-Bench colleagues. On the flats and the issues around the digital divide, you mentioned the overall figure—1.4 million, I think it was. It would be good to understand where those places are and how that is impacting on connectivity, poverty, and access to education and services. There is almost an assumption that broadband roll-out is an issue in rural areas, which clearly is not the case if you are talking about mass flat construction. If an amendment regarding access were put forward and accepted, either in the Commons or the Lords, would that be about still trying to engage with the landlords to say that you are gaining access, rather than saying, “Look, we’ve got the powers. We are now going to start simply entering through this separate law”?

This is for Mr Bartlett. Forgive me if I am misquoting you, but I think you said 1,000 contracts have been negotiated since 2017. I am assuming those are all new sites, or are some of them renewals as well?

Mark Bartlett indicated assent.

Chris Elmore

Q To flip it on its head, how many people, companies, organisations or groups have tried to withdraw from contracts dating back more than a decade before 2017? This is purely for the record; it is not a trick question. It is all good and well saying that it is 1,000 since 2017, but how many have tried to walk away or are still arguing that the use of their land, building or whatever should not continue?

Simon Holden: We, CityFibre, are in cities. Probably 10% to 15% of our build is in multi-dwelling units. We are typically in underserved areas around the UK, and I would say that we have a disproportionate share of things like social housing that sit under our built portfolio. No. 1, we think that it is really important to be able to access those properties. I would say that big social housing landlords are embracing that, but it is patchy and we would value having the ability to accelerate negotiations as we are having them and have a really clear process where we can make sure that we get everyone to the table, with a fair resolution at the end of it.

Once you get access to the building, I think it is up to the building landlord and the tenants, obviously, as to how you are going to do the in-building wiring. As I said before, we found that once you have got hold of the landlord and you have agreed it, that does not tend to be a particular problem. What we are concerned about is that if you extend this back to historic wayleaves, all you are doing is effectively entrenching the people who have already got those, which most of the time is Openreach. We would think that that is not helpful for competition. That would be our observation, but in terms of accessing those properties, it is super key to us for our business model to be successful and, of course, for society to benefit from getting the best digital infrastructure to as many households as possible.

Catherine Colloms: As Simon says, most multi-dwelling units tend to be in towns and cities, so looking at the constituencies represented around this table, I can tell you, Chris, that you only have 3%. Hornchurch, in the Minister’s constituency, has 13%, and I think Hastings has 24%. They are very concentrated, classically, in urban areas, as Simon says, and often in potential areas of deprivation or areas which are less socially inclusive.

In terms of the access point, you are right. The idea of automatic upgrade would give us the right to do that. You still have to have a relationship with the landlord. That is still always the intent, but it comes down to the obligation. At the moment, there is no obligation for the landlord to do anything. New build legislation obligates them to put in a full-fibre connection, and there is a slightly different conversation you can then have that allows you to proceed with the wayleaves.

Mark Bartlett: To answer your question, first of all the current legislation is not working. At least over a half of all sites are stuck, so the landlord says that they are not renewing or getting new ones. Of those that are under renewal, there are absolute rights in the current legislation for landlords, if they wish to do so, to redevelop at the end of the lease and we have to leave. My estate would be measured in tens a year where it is their right and we move on.

In the current legislation there are also absolute rights for the operators to maintain that equipment if there is no redevelopment need. That is, obviously, very positive, because when we lose a site or a rooftop, whatever the infrastructure might be, that is serving hundreds of people in the community. Therefore, quite naturally, both the investment that we have made and the utility to the public need to be maintained, unless, as I said, the landowner has a genuine need to make that redevelopment, and that is enshrined in legislation, both today and in that passed pre-2017.

Shailesh Vara (North West Cambridgeshire) (Con)

Q Mr Bartlett, you said that, as far as the agreements are concerned, some 85% are consensual. I would welcome it if you could expand on that, because there is a disproportionate element in terms of bargaining strength. Of the 85%, I am minded to say that there are some small landowners who probably are not happy but feel that they do not want to incur legal costs, that they are up against a David and Goliath scenario, and that they have no option, so they sign up reluctantly but are seen in your statistics as being consensual. Is it not right, then, to put on the record that that 85% is not everybody saying, “Sure, no problem. I have something here; I will just sign it—there you are”? I suspect that a lot of people have concerns about signing, but the cost of legal advice and so on is prohibitive. The way you have portrayed it makes it black and white and very simplistic when, in reality, it is anything but.

Mark Bartlett: I think that would be human. I have never met anybody who wants to take a reduction in the amount of money that they are paid by anyone—that is not something that people work on. However, the policy was put in place to reduce the costs to the industry to allow investment in 5G, which is happening right now for the good of the country.

On the valuation point, it is a fact and a process that if we do not behave properly and that ends up in a tribunal, we would be penalised by the tribunal for the amount of money we have paid, and the judgment would fundamentally go against us, so there is a protection for the landlord there. Secondly, normally—in almost 100% of cases, in fact—we always offer more than the valuation criteria say we should. That results, normally, in a payment of several thousands of pounds, not several tens or several hundreds of pounds.

It is my experience that the majority of people understand that the law has changed and that, like when things change in how you pay your bills, things have fundamentally moved on. So long as we, as an industry, are fair and do not attempt to be over-enthusiastic, as Juliette put it, 85% of people do sign up and say, “Okay, I get it. I am still happy with those several thousands of pounds, and I am willing to make an agreement of that sort.” That is not everyone; 15% of people do not feel that, and we have a further conversation with them, and we come to an agreement with the vast majority of them as well.

I would also point out that this is often characterised as an individual change of an agreement—x to y. We often pay incentive payments to achieve an agreement as well. I would like to put that on the record. It is not just about a reduction in rents. I would also point out that, on average, it is a 63% reduction in rent, not the high 90%-type reduction that has perhaps been characterised by the industry.

--- Later in debate ---
Julia Lopez

Q Do your members have any views on the cyber-security aspects of the legislation?

Till Sommer: We do. Basically, a key bit that our members provide to your constituents—their customers—is a router, plus other equipment, that is classed as an internet-connected device under part 1 of the Bill. We are in regular contact with your civil servants on that, to clarify timelines and how the Bill might bite. We do not have any concerns about the idea. We support the idea of the Bill; it is more about the implementation, and ensuring that the supply chain is aware of the new provisions that are coming in.

I have heard from a lot of our members that they have started to talk to their supply chain to say, “By the way, in a year, or in one and a half years, depending on when the Bill will be done, we need to ensure that your products comply with these rules.” Because a lot of the manufacturers are overseas, they are not yet aware of them. Anything that can be done to raise awareness among consumer product providers would be welcome. There are a couple of other bits that go very much into the detail around associated software, when it comes to parental controls, which could be affected. I am happy to write to you on that if you want, but we will talk with the Department about it anyway. It is very much nitty-gritty stuff.

Chris Elmore

The Minister took my last question on part 1, so I am happy to give my time to Back Benchers.

The Chair

Do any Back Benchers have further questions for Mr Sommer? In that case, I thank you very much on behalf of the Committee, Mr Sommer, for the evidence that you have given, and we will move on to the next panel, somewhat ahead of time.

Examination of Witnesses

Rocio Concha and Jessica Eagleton gave evidence.

--- Later in debate ---
Julia Lopez

Q Do you have any view on the enforcement powers in the legislation? Do you think that they are sufficient to deal with non-compliance?

Rocio Concha: On enforceability, if you do not include online marketplaces, you are leaving a big gap, because these products can come from any country in the world when they are being sold in these online marketplaces.

Another area that is not clear in the Bill is how consumers can get redress. As part of the transparency requirement, suppose that you buy a product that says that it will be supported with security updates for four years, but two years down the line, the manufacturer decides to change its mind and to support the product for only two years. Where would the consumer go in that instance? They bought the product on the basis that it would be supported for a set amount of years.

The other thing that is not clear is who the regulator enforcing this will be. Obviously, we need to make sure that the regulator has the skills, powers and resources to enforce it.

Chris Elmore

Q My first question, for Ms Eagleton, is on tech and some of the work that Refuge has done to highlight the fact that, as you said, 50% of all cases of violence against women and girls now involve some sort of device. What conversations are you having with the Government on funding and advertising to try to show that these devices have an impact? On new technology, such as AirTags, we have seen some very good pieces from journalists explaining how that is increasing the options for people to stalk, follow and track others, with terrible cases of people who have been victims of domestic abuses historically finding them in their cars. I am wondering how all that links into the work of the Bill, about areas where you would like to see improvements to acknowledge the fact that technology is moving so quickly, and whether we can do something in the Bill to introduce meaningful support for women and girls who are victims of violence.

Jessica Eagleton: Perhaps I can take your second question first. You are right that we are seeing concerns about these types of products being used to stalk and to monitor. In terms of concrete measures and what the Bill can do in this respect, we welcome some of the security requirements, particularly around the vulnerability disclosure scheme, as a step forward. For example, in the work that we do to support survivors, having that public point of contact and an easily contactable place for a company to go, when we are reviewing these products and putting forward recommendations to companies, is definitely a step forward.

We would have some concerns about situations where companies might publicly disclose security flaws and perhaps not take steps first to address them. We have that concern because that could, in essence, alert an abuser to a new way to abuse a victim. It could alert them to a device that they could purchase or that is already in their home that would provide a new way of compromising, so we would like to see companies taking all reasonable steps to address and action some of these security flaws before there is that public disclosure.

On your second point about services, our tech abuse team is a unique service in the country in providing specialist frontline support to tech abuse survivors, but it is a chronically under-resourced service. Perhaps in the context of this Bill, we would really like to see thought given to a percentage of the fines that the regulators collect for non-compliance by companies going, for example, to fund some specialist support services. I think that would fit within the wider ecosystem of enforcement as well. If we have specialist services that survivors can go to and ensure that they are sustainably funded and able to support survivors, that would contribute to the wider enforcement regime and awareness.

Chris Elmore

Q You mentioned the broader point of industry and manufacturer engagement, and situations where they announce that there is a flaw but do not think about the consequence of announcing a way in which someone can hack a mobile phone, for example. Is it fair to say that the industry does not necessarily fully appreciate the impact its technology has on women who are victims of domestic abuse? What work is it doing already, without legislation, to acknowledge that its devices are playing a significantly greater part in impacting on people who are survivors or are being abused currently?

Jessica Eagleton: It is not always thought about that the devices can be used in this way. A lot of the focus of companies in this space has been on how to prevent devices from being compromised by unknown third parties—hackers from overseas, for instance—rather than in the context of domestic abuse. Thinking about things like passwords and default passwords is a welcome step, but in the kind of relationships that we are talking about and dealing with on a daily basis, the perpetrator will force the survivor to divulge the passwords to their devices and all their online accounts. That is not necessarily always thought about by these companies.

However, we are engaging with the companies as much as we can on what we are doing as a smallish team. Thinking through what can be done in future, it is about continuing to place emphasis on and put work into safety by design, which means ensuring that, from the get-go, product manufacturers and designers are thinking about how these products could be misused by domestic abusers. It also means working in collaboration with specialist violence against women and girls services to ensure that those features are designed out as far as possible.

Chris Elmore

Q I have a final question for Ms Concha on the online marketplaces, which do significant work in this area. In your view, how easy would it be to change the Bill to ensure that online marketplaces are part of it as well as manufacturers? The argument was made earlier that there most certainly is a responsibility on those who sell the product. Particularly if you are using, say, eBay, there is often limited interaction between the seller, the parent company and the person purchasing. Arguably, eBay as the organisation should take significant responsibility. I am keen to understand whether you think that is a relatively easy change for the Government to make to help close what you describe as a significant loophole in the Bill.

Rocio Concha: In terms of the Bill, an example could be to change or tighten the definition that you have of distributors. In terms of implementation, online marketplaces are the gateway between the consumers and the manufacturers of these products. They are the ones that have the power to make sure that these products comply with the law. Let me give you an example. We routinely do product tests to identify security vulnerabilities with these products. Often when we go to the online marketplaces, we get the answer that, because there is no regulation, they cannot take these products out.

We need the regulation to be clear that any smart product needs to comply with these baseline security requirements. Also, we need regulation to put responsibility on the online platforms to make sure that they are monitoring proactively which products are being sold on their platforms. That is key, and I feel that it is not optional. It is quite clear what is going to happen. There are bad actors out there, manufacturing products that are not going to comply with the baseline requirements. They know that there are not going to be the necessary checks in there by the online marketplaces, but the consumer does not know. It is impossible for the consumer to make an assessment of whether the product will be secure or not. Unless we put in regulation, you can see where all these bad actors are going to go.

Sally-Ann Hart (Hastings and Rye) (Con)

Q Good afternoon to you both. It is clear that in the Bill the onus is on the manufacturers to meet the product security and safety requirements. Clearly, consumers also need to be aware of security threats both within the context of domestic abuse and otherwise. Should the Government be giving guidance to consumers? I do not know what the current situation is, but is it the role of the Government to give guidance to consumers?

Rocio Concha: I personally think that yes, the Government should provide information to consumers so that they are aware of this. Organisations such as ours also play a role, and we play it. We continuously publish our findings on security vulnerabilities and the sorts of things that consumers can do to protect themselves. There is a need for more information for consumers in general so that they can be aware that when they put these products in their homes, unless they take certain steps and buy products that meet the regulations that we hope will soon be introduced, they are putting themselves at risk.

Jessica Eagleton: I would agree with what my fellow panellist has said. When we think about tech abuse, we see that awareness of it is quite low among the general public. In fact, in a survey we ran last year the results were that two thirds of women did not know where to go for information if they thought that a device in their home was compromised. There is a role there for that awareness piece. At Refuge, the approach we tend to take is to empower survivors to use technology safely and to take back control of their products and technology. We have developed a range of resources to do that, but we would welcome more work and more efforts on this more widely.