Internet of Things: Regulation Debate
Full Debate: Read Full DebateDaniel Zeichner
Main Page: Daniel Zeichner (Labour - Cambridge)Department Debates - View all Daniel Zeichner's debates with the Department for Digital, Culture, Media & Sport
(5 years, 1 month ago)
Westminster HallWestminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.
Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
I beg to move,
That this House has considered regulating the internet of things.
It is a pleasure to serve under your chairmanship, Mr Gapes, in a debate on such an important subject. I am a tech evangelist. I believe that technology is an engine of progress. Growing up in the north-east, in Newcastle, the home of the first industrial revolution—although I know that some from the north-west may debate that—gave me a love of science, technology and innovation. The achievements of local greats such as Armstrong, Stephenson and Parsons—that is Rachel Parsons, the world’s first female naval engineer—inspired me to study electrical engineering and embark on a two-decade career as a chartered engineer working in telecoms all over the world.
Newcastle’s experience of the industrial revolution was captured in the excellent BBC series “A House Through Time” with David Olusoga, which showed a mixture of life-changing technological progress and huge social problems, as in many other cities. We are now in the midst of what some consider to be the fourth industrial revolution—although how to count them is not agreed—powered by data and renewable energy, instead of labour, discipline and steam.
Last week the Prime Minister made what I can only call an interesting speech to the United Nations on technology, with this historical analysis:
“When I think of the great scientific”—
I cannot pretend to do his way of speaking, so I will just quote—
“revolutions of the past—print, the steam engine, aviation, the atomic age—I think of new tools that we acquired but over which we—the human race—had the advantage”.
The industrial revolution radically changed society, but it is a mistake—one, if I may say, of privilege—to say that the human race had the advantage. The steam engine rapidly increased productivity but also powered factories and mills with brutal working conditions that produced textiles from slave-milled cotton. Those new tools brought benefits, but the benefits were not equally shared. Of course, that happened before the United Kingdom had universal suffrage or a labour movement and a Labour party, and when many in the world were colonial subjects. Our opportunity, and our duty, in the fourth industrial revolution is to make those technologies work for the many, not the few. In that context, I will today set out what the internet of things is, the benefits it brings, the concerns and the current state of regulation.
What is the internet of things? I was surprised to see that in the Prime Minister’s speech on the gov.uk website, the internet of things was in inverted commas. I am sure that the Minister is aware that IOT is not sci-fi, but a reality of our daily lives. I was the first Member of Parliament to mention the internet of things, in my Westminster Hall debate on machine-to-machine communication in June 2011, just a year after I entered Parliament. One of the Minister’s predecessors, the right hon. Member for Wantage (Mr Vaizey), responded, so I think he was the second MP to mention it.
I called that debate because my experience as a chartered electrical engineer and as Ofcom’s head of telecoms technology had brought home to me, even then, the opportunities and threats that the internet of things represented. At the time, Ericsson estimated that 50 billion things would be connected to the internet of things by 2020. In fact, that was a bit of an exaggeration, because we have about 7 billion. However, global spending on IOT is forecast to reach $745 billion by the end of this year, Ericsson now estimates that by 2023 we will have 31 billion things connected to the internet, and the Government’s own estimate is that there will be 420 million internet-connected devices in the UK within the next two years.
The internet of things is basically things connected to the internet—it does what it says on the tin, for once. That allows everyday objects to talk to each other and to people. In fact, the first internet-connected toaster was revealed in 1989. While there has been speculation for years about how the internet of things will change our lives, it is now that we are really beginning to see its full implications for how we live, work, play and do everything in between.
Smart homes and connected appliances are perhaps the most commonly understood applications. Smart meters mean that we can turn our heating on when we leave work, whatever time that is. A fridge can tell someone when they are out of milk. More poignantly, a child’s teddy bear could record their first words and share them with the whole family.
However, IOT is about much more than household gadgets and cuddly toys. Scaling up IOT will bring us smart cities, where bins can signal when they are full, parking spaces can tell us when they are empty, and traffic lights can tell an autonomous car how fast to drive, so that it never has to hit a red light. Every time I wait at a bus stop—despite the ridiculously high cost of bus travel in Newcastle, that is still quite often—I look forward to an IOT-enabled and truly integrated public transport system, which will mean buses stopping when and where people want them to, and not stopping if there is no one at a bus stop. That means a saving in fuel efficiency, and a saving in all our time.
IOT is also transforming industry. The fourth industrial revolution has at its heart smart factories, and intelligent and flexible automation, making manufacturing cheaper, quicker, more efficient, more personalised and more reliable. Indeed, the smart factory might be in someone’s home—3D printing plus IOT could equal home manufacturing.
I am an internet of things believer. I have studied it, lived it and effectively built bits of it all over the world. It has huge economic and social benefits, as well as environmental benefits, ranging from energy management to tracking endangered species. We cannot address climate change without the internet of things. It allows the monitoring of energy usage but also enables a smart grid. IOT can literally save the planet, which is just as well now that it accounts for 8% to 10% of European electricity consumption.
However, I hope that the Minister will agree that people, and not technology or things, must be at the heart of the internet of things revolution. An IOT that works for everyone requires action—action that this Government seem unwilling to take. IOT will be as pervasive as electricity, and found in every home and handbag. And, like electricity, IOT is an enabling technology, only the enabler is not electric current but data—people’s data—and right now we have no idea who owns that data.
Take personal health tech. A company called OrCam has developed discreet camera glasses for the visually impaired, which can read text and recognise people, while the L'Oréal UV sensor, which detects ultraviolet exposure, is small enough to be worn comfortably on someone’s fingernail. However, who owns and controls the data gleaned by these devices? I hope that the Minister can tell us that, and say why it is not the people who generate that data.
As companies bring more IOT devices to market, this is a pressing issue. Although the GDPR represented progress, it is already years out of date: it addresses privacy, not control; it barely takes account of artificial intelligence and algorithmic management; and it ignores completely the internet of things. The Information Commissioner’s responsibilities over IOT are unclear.
The more interconnected things are—which in itself is a good thing—the bigger the potential for cyber-attack, which is already a huge area of concern. In 2018 there was a 500% increase in the average size of a botnet attack. There are more than 7 billion IOT devices in circulation, and that number is only going to grow. Given that each IOT device is always on, it is possible to build and deploy large-scale attacks within minutes.
In 2017 the US Food and Drug Administration recalled almost half a million pacemakers due to fears that they were vulnerable to hacking, while a Chinese IOT firm recalled 4 million cameras for the same reason. November 2018 saw the first scaled botnet attack using smart TVs. Other household appliances can also be used not only to bring down internet platforms such as Spotify, Amazon and Twitter, as happened in 2016, but to take control of our homes or any networked utility. Back in 2010 an Iranian nuclear facility was targeted by a malicious computer worm, which led to the shutdown of multiple gas centrifuges, and in 2015 blackouts in Ukraine were caused by cyber-attacks. Although we call them “cyber-attacks”, they have very physical consequences. In 2017 the Federal Network Agency, the German communications regulator, told parents to destroy a talking doll called Cayla, because its smart technology can reveal personal data. A couple of years ago I wrote about the implications of internet of things security for sex toys, but today I will spare Members’ blushes.
The lack of security on IOT devices is not only a risk to the individual user; it threatens huge economic and social damage. Importantly, security for IOT devices does not just need to be built in at the start, even though that in itself takes time and money; it needs to be upgradeable over time as threats evolve. However, producers of IOT devices are simply not incentivised to consider security concerns, with global supply chains competing mainly on costs for devices that can be sold for only a few cents or even less. Of course, the lowest-cost device is, inevitably, the lowest-security device. This is one problem that the market cannot and will not solve on its own, which means that it is up to Governments to correct.
In his speech, the Prime Minister used quite lurid language on the issue of internet of things surveillance:
“But this technology could also be used to keep every citizen under round-the-clock surveillance. A future Alexa will pretend to take orders. But this Alexa will be watching you, clucking her tongue and stamping her foot”.
The Prime Minister shows both his lack of respect for women and his lack of understanding of technology in caricaturing it as a nagging housewife arguing with an unfaithful husband. That sort of gendered view is, sadly, far from uncommon. Technology is far too often the creation of well-off men and, unsurprisingly, it reproduces their biases and prejudices.
There is an important issue of surveillance to address, both in the private and public domain. The recent book by Shoshana Zuboff, “The Age of Surveillance Capitalism”, addresses the ways in which data is used not just to monitor us but to direct and control what we do. We see it already in the practices of Amazon, Sports Direct, Uber and Deliveroo, to name just a few, where the companies’ control of data can control work life.
Research by Defend Digital Me shows that the internet of things has an increased presence within our classrooms, from direct monitoring through biometrics to facial recognition and tracking technologies as part of a smart campus project, in some cases run by the Office for Students. Many of the applications that are marketed claim noble aims around improved health or scholastic performance, but they are rather less clear when it comes to consent. When we consider how the internet of things can be used to monitor children in compulsory education, how can the child or parent be said to consent if it is a generalised practice?
The Government have repeatedly ignored warnings on cyber, much less done anything to ensure that small businesses and citizens, as opposed to big businesses and national security agencies, are protected. There are no current regulations that require a security standard for internet of things devices. About 30 groups are developing security standards for the internet of things, but if we have 30 standards, we do not have a standard. Our public response needs to be as joined up as our networks, but it is not. Responsibility for cyber-security lies across several disconnected Government silos. The Home Office publishes cyber-security stats; the cyber-security strategy comes from the Cabinet Office, although it was launched with a speech by the then Chancellor; the Department for Digital, Culture, Media and Sport takes care of cyber-skills for young people; and the cyber-essentials scheme sits in the Department for Business, Energy and Industrial Strategy. Responsibility for cyber-security is defused across Government. There is a lack of leadership and, even worse, a lack of concern. The policies seem largely to ignore mobile devices and the internet of things.
At the same time, and for some years now, the Government have been encouraging us to take up smart meters, for example, without a regulatory framework to protect us from attack. Personally, if a device is called smart, I do not buy it, at least not without a one-hour technical interrogation, which few customer service agents can pass.
My hon. Friend is making a very important speech. I, too, have spent time reading the Zuboff book, and the more I read it, the more alarmed I became. Does she agree with me that the real issue is the one she started with: whose data is it? Without that being resolved, there is an inevitable drift towards big tech companies using it for profit. Why wouldn’t they? But it is our data, and on every one of these issues, if we could pin that down, it would completely disrupt their business model. That is why it is a tough thing to do, but it would ultimately resolve the issue.
My hon. Friend, who is a great champion of innovation and technology—coming from the constituency that he represents, it is appropriate—makes a critical point. I could not have put it better. Although this debate is about regulation of the internet of things, it is impossible to talk about protection and security in the internet of things without talking about the data that is its lifeblood: the flows of data that both drive and enable the internet of things. We are in a confused state about who owns and controls the data and how it can be shared. The Government, for example, had at the last count at least 80 different ways of sharing data with themselves. As long as that is the case, we cannot have real security or integrity within the internet of things.
Last year the Government finally took some action with their Secured by Design voluntary code of practice on the security of the internet of things, as well as guidance for consumers, which was later codified as ETSI TS 103 645. In May this year, the Government announced a consultation on the introduction of some mandatory legislation on labelling. For example, retailers would have to label internet-of-things products as complying with varying levels of the Secured by Design code. Labelling is necessary because the Government will not decide what is secure and make it mandatory—if everything were secure, it would not need to be labelled. We await the outcome of the consultation. However, there are at least five major issues, and many others besides.
First, the tone of the consultation is, “Regulation is very, very bad and stops innovation, so let’s just have as little as possible.” Secondly, there is no enforcement or sanction. Thirdly, while some mandatory requirements are proposed, they would simply be a declaration of adhering to standards. That approach puts a major emphasis on the consumer to understand these increasingly complex problems and does not account for the use of the devices in public spaces.
The fourth major concern is that the regulations deal only with consumer things. The clue is in the name: it is an internet of things. We need an architecture of standards and a regulatory framework that enables security and interoperability across the internet and also considers the lifeblood of the internet of things—data. Fifthly and finally, there are billions of insecure old-generation IOT devices already enmeshed in our digital infrastructure. The regulations do nothing to address them.
The Government need to recognise that technology is not something that happens to us; it is something that we actively participate in, or should do. That does not mean stifling innovation. Instead, it means using Government influence to look forward to the impact of technologies and to shape them for the public good. The Government must understand technologies in terms of social purpose, rather than just profit margins. That must be done with the tech sector, but the Government must recognise that it is their job to protect the interests of the people. During the first and second industrial revolutions, it was the trade unions, organised workers, the nascent Labour movement, feminists, abolitionists and former slaves who pushed law makers into putting legislation in place that would direct the use of technology to more egalitarian ends. I fear that it will be for a Labour Government to ensure that that is what happens here.
Technology can be used for good or ill. My hope is that intervening now to set up a framework for data and the IOT will mean that we do not face problems and resistance further down the line.
Last year, I was at CES, which is the largest computer electronics show in the world, in Las Vegas. An American start-up literally begged me to put in place security regulations for IOT devices, so that it could compete on a level playing field with the cheap but totally insecure exports from less reputable manufacturers. It is cheap and, frankly, lazy to set up a sort of binary choice between regulation and innovation. A clear regulatory framework and strong governance allows good companies that are making socially useful products to succeed without markets being flooded with poor quality and potentially dangerous products that threaten security.
I want to say a little on Labour’s plans as I understand them—I know that the shadow Minister, my right hon. Friend the Member for Birmingham, Hodge Hill (Liam Byrne), will set them out in more detail—and I want to put that in context. I am a technology evangelist. Before becoming an MP, I worked all over the world building out the networks that now form the internet. One of my proudest moments was when I rolled out the first global system for mobile communications network in Nigeria and saw how mobile communications could really make a positive difference to people’s lives. Fisherman in the delta could now know the market price in Lagos and could not be cheated out of the right price for their fish; pregnant women could phone for a doctor instead of having to send vital requests on foot, which took hours. The internet of things will bring more and better benefits.
I have also seen the flip side of new technology. When I worked for Ofcom, I was asked to report to the board on internet security in 2005. When I came back with stories of bot attacks, honey traps, distributed denial of service, white hat wizards, Trojans, worms, phishing and pharming, it was as if I was describing a war in a galaxy far, far away. More than 10 years on, however, those threats are very real. They are part of everyone’s daily lived experience. Online fraud is the most common crime in the country, with almost one in 10 people falling victim to computer misuse or one sort of fraud or another. The same may happen with the internet of things—in fact, to an even greater extent—and we must not allow that.
I talk about the internet of things for everyone, because I believe that technology can be democratising and enabling, but just as cyber-crime seemed so foreign only a decade ago, we do not yet fully understand the new risks posed by the internet of things. To fully realise its benefits, we need to be able to deal with the increasingly pervasive security threats it presents. To address them, we need regulation as well as action in other areas. For example, we need to invest properly in skills and adult learning to help people to become digitally literate citizens. Labour’s pledge to create a free truly universal national education service, the NHS for the innovation age, will help everyone to become part of an innovation nation in which everyone is a creator, not simply a user, of technology.
We also need the power of Government to address our creaking infrastructure, and close the productivity gap at the same time, by enabling businesses across the country to invest in the internet of things. Our national transformation fund will do what it says on the tin—transform our infrastructure to bring it up to OECD levels.
We need to address a critical part of the tech sector that I referred to earlier, which is a lack of diversity. Diversity is not an optional add-on; it is an economic imperative. It needs to be at the heart of economic and technological policy, because we cannot build a more prosperous economy without making use of everyone’s talents. We need a more comprehensive sector-wide approach to diversity, particularly in the tech sector. It is key that the creators of new applications for the internet of things come from diverse backgrounds, so we have technologies that work for all and make use of the full array of talent in our society.
Finally, an internet of things requires the right digital rights and responsibilities to exist across our nation. That is why Labour plans to introduce a bill of digital rights that will provide strong and easily understood protections for citizens and will give us all rights and control over our own data.
As I draw to the end of my comments, I want to make sure that the Minister understands the questions that I am asking, so I will list the ones to which I would like him to respond. First, as I have mentioned, who owns and controls the data flowing to and from internet of things devices? Why is it not the people who are generating the data? The Prime Minister said that data is the new oil, but we have seen what the corruption around the oil industry did to many developing economies. Our citizens deserve to be in control of their own data.
Secondly, what steps is the Minister taking to ensure that insecure internet of things devices cannot be sold? Thirdly, will the provisions of the online harms legislation, specifically the duty of care, apply to the internet of things? I asked his predecessor that question, but the answer was not clear. Fourthly, when the internet of things is combined with facial recognition to monitor people, whether in education or on our streets, what requirements are there on consent? Fifthly—this was raised by TechNorthWest—internet of things devices take data for one stated purpose. What prevents its being used for various others? How does consent work in that case? Is the general data protection regulation sufficient?
Sixthly, I believe that all our critical national infrastructure is connected to the internet of things. I have mentioned the blackouts in Ukraine and attacks on an Iranian power station. What regulation is there of the internet of things in critical national infrastructure?
Seventhly, what analysis has been made of how the Government should respond to the misuse of internet of things devices? What scenarios are being considered and what plans are in place?
Eighthly, for the purposes of internet of things regulation, what is the nature of the relationship between the Department for Digital, Culture, Media and Sport, the National Cyber Security Centre, the Cabinet Office and the Information Commissioner’s Office?
I expect the Minister to respond to the five criticisms of the current consultation.
We have an hour and a half, which will be more than adequate. I should perhaps have said that the Minister has a background in technology, as a tech correspondent, so I am sure that he has the answers to all the questions.
Loth as I am to interrupt the exam paper, which I am sure will come to an end soon, a practical application of the questions came up not long ago with the facial recognition monitoring of my constituents at King’s Cross station. I hope that the Minister will be able to explain how they can be protected in future.
That is another excellent intervention from my hon. Friend. I look forward to the Minister’s response about facial recognition technology and consent.
I have asked the Minister nine questions and here is the 10th and final one: can we have a comprehensive forward-looking review of digital rights and responsibilities to deliver a regulatory framework fit for the future, which encompasses data rights and delivers an internet of things security architecture in which citizens can have confidence?
I hope that the Minister noted that when US presidential candidate Elizabeth Warren talks of regulating the tech giants for the benefit of consumers Facebook trembles—so much that Mark Zuckerberg has promised to “go to the mat” and fight her over it. However, when the Prime Minister talks about “pink-eyed terminators” the world laughs. That matters, particularly as the Minister advocates a hard Brexit, after which we would not have the support of our European friends and colleagues in establishing internet of things regulation.
The internet of things could represent a more profound technological change than anything since electricity, as I have said. To make it work we need to understand the problems that it raises, and lay out a clear framework for technology companies to work in. However, to take advantage of the changes, we need a Government who understand the opportunities of the internet of things, and who work with industry to mitigate the threats. That is a question not primarily of technology but of standards, interoperability, protocols, control, industry co-operation, self-regulation, legislation and enforcement. If we get that right we can look forward not just to a future of the internet of things but to a prosperous future of innovation that works for all, and things that have yet to be thought of, the benefits of which will be shared by everyone.
That is a philosophically interesting question but it is also obvious that at the moment data is readily given up in exchange for a service. I am not sure whether the right hon. Gentleman would therefore seek to put a value on the service and say, “That service, whether offered by Facebook or whoever, should not be worth less than a certain amount.” That seems to be the logical conclusion of his argument, which is why I say it is perhaps more an interesting philosophical question than a practical one.
I am conscious of the time, but this is all very interesting, so I am happy to give way.
It is more than interesting. It is critical. Is the Minister assured that people are involved in a free exchange, and that there is transparency—that they understand the terms and conditions of all the things that capture data on their devices? I am certainly not. I think most people who look at it are convinced that people do not know, so they are not getting the economic benefit of that behavioural data.
Essentially I agree with the hon. Gentleman that it is obvious that not everyone reads the terms and conditions of every single thing they have signed up to for any website; but it seems to me that Government’s role in this space is not to stop people making those decisions. It is to make sure that people have a better understanding of the decisions they make, and that they trust the companies that are doing whatever it may be with their data. That obviously requires us to put certain constraints on the behaviour of companies, as we do in every other circumstance. However—and I do not think the hon. Gentleman is suggesting this—it should surely not be for us to say that people should not be allowed to make certain decisions. I think that on the Government side of the House we would be keen to free people up to make whatever decisions they reasonably want to make.