Product Security and Telecommunications Infrastructure Bill (Second sitting) Debate
Julia Lopez (Conservative - Hornchurch and Upminster), Department for Digital, Culture, Media & Sport
(2 years, 9 months ago)
Public Bill Committees
Thank you very much. Members of the Committee will ask you questions in turn, but we will start with the Minister.
Q
Professor Carr: That is a very good question. In terms of international alignment, aligning these kinds of laws across jurisdictions is a challenge. I want to say from the outset that regulating emerging technology is understood to be a deeply problematic and challenging area. It is something that the UK in many ways has led on. A lot of thought leadership has come out of the UK on this. As David said, the work that has led into the Bill has been going on for many years in the UK, and has been funded by the UK Government through universities and industry. A tremendous amount of background work has gone on. There is the PETRAS—privacy, ethics, trust, reliability, accessibility and security—consortium, which was originally the cyber-security of the IoT consortium. We have worked on that for many years with David and others. The UK really has led on this. When we look at what is happening here and now, you would have to say that this is a country that is able to confront those kinds of difficult challenges and think about ways through them. No one is saying that it is easy; it will not be, but this is a very good start.
When it comes to looking at international alignment and the impact on industry, and particularly the manufacturers of these devices, there is already a lot of alignment. I have been doing some work through the World Economic Forum, where I am chair of the Council on the Connected World. On 15 February, we launched a global statement that spoke to the three initiatives that are being considered here, and an additional two in terms of IoT consumer devices. That statement has been endorsed by more than 110 organisations around the world, including Microsoft, Google, Qualcomm, DCMS, RISCS—my institute—and indeed David’s organisation. There is a tremendous amount of international support for these initiatives and more. A lot of them are big industries, so I do not think there is necessarily a disconnect between governance of emerging technology and what is helpful for industry actors; I think there is actually a lot of alignment.
David Rogers: I will just point to some specifics. There is work ongoing in India, Australia, Singapore, Turkey, and the US, and many of those countries—and many I have not listed—base their work on what was originally the UK code of practice. The UK’s code of practice was taken to ETSI, the European telecoms standards body, and was made into a European norm. That really, I think, has given the confidence for other countries to be able to adopt that as a scrutinised and good piece of work.
That is obviously not in isolation. ETSI is an industry-led organisation, and a lot of the work that has gone into that in advance, including through DCMS and NCSC, has been about looking at industry-based best practice. Organisations such as the GSMA worked on this in 2014, and, prior to that, in the smartphone world, have been building in hardware security and other measures, which have hardened connected consumer devices, so that work is certainly not in isolation. We are really standing on the shoulders of giants here, because a lot of the work is done; it is in endorsing good practice, and I think that is what the other countries are seeing, and they really have seen leadership from the UK in this space.
Q
David Rogers: I will address that. The beauty of the IoT is that there are all these fantastic things being developed. When we started to look at what we could do, and a code of practice, we wanted to ensure that we did not constrain innovation by mandating specific technical measures that might prevent some fantastic product being created. That is why we took quite a high-level outcome-based approach.
That also meant that it was measurable, even by consumers. If you look at the top three guidelines of the code of practice that have made it into the draft legislation, a consumer can look at those things, which I would call “insecurity canaries”. If you see that a manufacturer does not have a vulnerability disclosure policy—so hackers and security researchers, for example, cannot report things to them—that is a big red flag, and I would not be buying that product. It is the same if the product does not have software update support, and so on.
We took a proportionate approach to the code of practice, and I think that that also led to the industry endorsement of it. This morning, I heard the techUK gentleman saying it is not specific enough; well, actually, the ETSI EN 303 645 is quite specific, and the compliance specification that goes with it is even more specific. For some bad practices, I do not think that we could be more specific than saying “Don’t have default universal passwords”. We want to get rid of “admin” and “admin”. That is a ridiculous situation, in some parts of the market, that is unacceptable, and we must eliminate it from the market.
Q
Professor Carr: Just to say that we cannot anticipate all of the new devices that will come on to the market, of course. I think what David is saying is that it is necessary to have that kind of flexibility to adapt and accommodate those, as they come on to the market. However, it is really long overdue that we do something about this.
There are two types of security in these devices that we understand at this point, which need to be taken into account. The first is the security of the data that flows through them. Although they are very different devices, that is, in many ways, a common problem in securing data—particularly, of course, personally identifiable data. The second issue arising from IoT devices is that many of them have an impact in the physical world. That then begins to blur cyber-security with safety, and we have very different ways of approaching cyber-security and safety. What we tend to do with safety is test things, over and over again, until they break; then we know how they need to be built or constructed. That kind of homogeneity in an approach to design is very bad for cyber-security, because that is what gives us vulnerabilities across the whole landscape. Those are the kinds of issues that we need to grapple with. The devices themselves will continue to emerge and evolve, but the problems that we are grappling with now are common across devices, in a way. Legislation such as this will go some way towards addressing those problems.
Q
David Rogers: Yes, originally there was a “secure by design” committee set up with various companies—Madeline and I were on that committee. There were various discussions about the best way forward. I remember one suggestion being that all we needed to do was to educate consumers. After I banged my head on the table quite a lot, I think that in the end we realised that it should not be on consumers. They are not the ones who are creating the insecurity in the product and they are not in a position to do anything about it either—they are mainly victims. It was recognised that a lot of those issues have been in products for many years; I go back to the default password issue, but there are many issues around things such as lack of support for software updates.
I drew up the original code of practice and worked closely with the National Cyber Security Centre and the Department for Digital, Culture, Media and Sport. I also worked with academia and the security research community, who are hackers from around the world who have been campaigning for those issues to be dealt with for years, because they are seeing it directly in their work. We spent a lot of time getting it right; we worked at the Information Commissioner’s Office on some of the elements related to GDPR.
A voluntary code was published in 2018. However, manufacturers were put on notice at that point. By 2018, it was made public that this was the expectation; we expected the industry to improve. Some quarters were probably already compliant; you heard from Dave Kleidermacher this morning, who led the way in security improvements on mobile devices—from their perspective a lot of the stuff in the 13 requirements was already done. However, many parts of the industry have done nothing. It seems to me that they are quite happy to sit back and do nothing. That is why I think this work is necessary; there is a need for the big stick of enforcement, to be honest with you. They have been given plenty of chances, and not just since 2018—it is since the 1990s. It seems acceptable to them to carry on doing the same things that they have always done, such as buying in the really cheap software that is completely open and has old protocols and legacy issues that should have gone years ago. I am entirely supportive of taking action now—they have been given enough time. They should not wait for the 12 months—or whatever it is—for certain things to become mandatory. They should be doing this because it is the right thing to do for their customers.
My company carried out some research for the IoT Security Foundation on vulnerability disclosure. Again, that is something that is very visible; you can go to the website and see whether that company is open to security researchers and hackers reporting security issues to them. There is then a process that has been ISO-defined since 2014; it is dealt with and then the issue is made public once it is fixed so that consumers are secure. We discovered that about one in five of the companies that we surveyed—there were about 330 companies from around the world, representing thousands of products—was actually providing that to security researchers. That means that four in five IoT manufacturers did not have any way for security researchers to contact them. That is totally unacceptable, so we do need to take action. The companies have been given enough chances.
Q
Professor Carr: I think the element that will impact consumer decision making the most will be the length of time for which the product will be supported. I remember having the conversation in a room in DCMS all those years ago about how we could possibly be expected to spend £1,000 on a phone that will not work in 18 months, that the company knows will not work in 18 months—it will not be supported—and to not have access to that knowledge. This is not just about putting labels on things; it is about the fact that we could not find out even as an informed consumer. I think the length of time for which the device is supported will have a major impact on consumer decision making and probably more than the other two things, because a lot of people do not care about passwords and a lot of people do not know what a vulnerability disclosure agreement is or what that means. Knowing for how long the device will be secure is like having an expiry date put on it.
That is an example of where a kind of market driver can impact consumer decision making, but one of the things that we know about cyber-security more generally is that, very often, market drivers do not work in this space. There is not really, to be honest, all that much of a market for cyber-security, as people do not really care about that. That is why we need to think about moving beyond the dominant narrative over the last 50 years that Governments stifle innovation. Even if we go right back to the beginning of digital technologies and the ARPANET and DARPANET, those things were wholly supported by the US Government. They were funded by the US Government; they were invested in by the US Government for decades before the private sector came on board. So there are these points where it is absolutely necessary for Governments to be involved and for governance to happen, because we cannot see the future. If people begin to lose confidence in these devices and they begin to fear—“I don’t want my child to have something like that. I don’t want Alexa in my house. I don’t want people listening to my conversations etc.”—all the incredible benefits that we can extract from those technologies will go by the wayside.
I will give just one very clear example of this. If you think about the huge effort that the banking sector put into making sure that people felt confident about banking online, spending money online and tapping their card—“When something goes wrong, the bank will take care of you”—the reason, the logic, behind that was that if people began to think, “It’s not safe to bank online; it’s not safe to use my card in these little shops,” they would stop doing it. It was that investment in regulating it, locking it down and making sure it was safe that has allowed us to get to this extraordinary situation where you can walk around with no wallet and just a phone. It is that thinking that is important now.
David Rogers: I think the transparency point is fantastic. This work is not done in isolation. There is lots of work going on about lengthening software updates for lots of types of products, and there are different regulations happening in Europe and so on. Consumers should not have to know about the details. Madeline has said this. They have an expectation, a very reasonable expectation, that they will not be arbitrarily hacked into. We have all read the stories about things like baby cams being hacked into. That is totally unacceptable, because at the end of the day the company that created and sold that product that was insecure at the time it was created is responsible for it. Of course, they did not hack into it, but they left all the doors open, and they sold that product and made money and profit from it.
Yes, I believe that consumers should know that they are being looked after, and the length of time that that is provided for helps them to make an informed decision—it is a free market. Also, security should not be a luxury for the rich. You should not be required to replace your iPhone, for example, just because the support ends. At the end of the day, we are all impacted by security issues. The Mirai attack, for example, was an extremely large distributed denial of service attack, which basically took down large parts of the internet. It was all those small IoT devices, routers and things that had been taken over. The attack did not discriminate between who had those devices, those older devices or whatever, but the impact and scale of that attack was the problem.
That is why we need to ensure on an ongoing basis that, as the technology develops, we can put new requirements through the standards bodies and endorse them. This is the start of that lifecycle, to ensure that those products do not enter markets like the UK.
Q
In that vein, is there something in the idea of a reporting mechanism—either by the Department or some sort of regulator, annually or however long is appropriate—for whether these organisations and manufacturers are working to the standards that you so strongly set out? They have had years to deal with the standards, but many are still not doing it. I am suggesting naming and shaming, if you will, to give consumers better informed decisions.
A lot of people borrow money to buy these devices. On Second Reading, I expressed a concern that many people will look in a retailer or online, and go, “If that doesn’t exist for this much time—if it only has two years on it and the loan is three years—why am I bothering to purchase it if it is obsolete in that time?” That is a concern that many people have. Consumers potentially do not know what this or that means, but they know what “security” means, and if they think something is not secure, then, as Professor Carr mentioned, they think, “Well, I won’t bother having that product, because it isn’t safe”, because that is how they view the word “security”, which is logical, but not necessarily the best option given what they are looking for. There are several questions in there, forgive me, but they are interconnected with what the Minister was saying.
Professor Carr: I will try to answer as many as I can, as well as I can. I am sure that David has comments as well.
On educating consumers, that question of “Will the loan outlast my device?” is a very astute one, because consumers do not need to understand—they never will—all the ins and outs of phone or device security, but that is a very pragmatic response: “What actually am I buying? I am spending for three years to buy two years of a phone.” That type of consumer education will snowball when people are presented with information on how long the device will last and asked, “Is that what you want?”
I guess online markets are already regulated. There are things that we cannot buy in the UK and that cannot be shipped here. It would certainly have to be a consideration that, ideally, devices that did not meet UK standards were not able to be shipped to the UK, but I guess that is the case with many consumer goods that we cannot buy online. There is a tendency to blame business in this scenario and to see manufacturers as careless or irresponsible, which surely some of them are. However, it is also the reality that businesses have to make a careful calculation on how they invest. If it costs more to produce a product and they are answerable to shareholders, they have to have a conversation about why they are spending more on a device that is already selling well and returning a profit. I am not saying that that is the way it should be, but that is the way the free market works.
Look at what happened with GDPR. In my work, we work a lot with senior business leaders and talk to them about how they respond to cyber-security regulations. They did not push back against GDPR or see it as terribly negative; they saw that it unlocked budget for them to use, because they could quantify what percentage of their global turnover a data breach would cost or what the fine could amount to. They can take that calculation to the board, and say, “Right—we mustn’t have a breach or it would cost this much. How secure do we feel we are?” That is where such regulations can have a very positive effect on industries that would like to comply but cannot just invest in all the different aspects of a device without some justification. This gives that justification. It unlocks that funding in those board conversations about where investment in products should go.
David Rogers: Just to address the Amazon/eBay question, I have seen all this stuff. I have bought some of it to have a look at. A lot of counterfeit and substandard—the Chinese call them Shanzhai—products are available. I have conversations in which people say, “This is about buyer beware. You’d never buy a £9.99 smart watch. You should know that that’s going to be dodgy,” but as you said, people cannot necessarily afford it. There is a peer pressure element to it, and there is a sort of endorsement by the brand. If you go to Amazon, you expect it to be a quality product, so people are lulled into that sense of security that what they are getting is quality. In some cases, that is not the case. I fully agree that the companies that are retailing this stuff cannot just lay the blame at the door of the companies that are stocking and selling it. If it is on Amazon Prime, surely Amazon has a responsibility over that.
Earlier, Dave mentioned different regulatory regimes and that there may be some fragmentation around the world. I actually think that there is probably a lot of alignment and harmony. There has been a lot of work between DCMS and the National Institute of Standards and Technology in the US, so there is a broad understanding of what good looks like. If, either through some self-declaratory measure or by some endorsed mechanism of compliance, those companies are told to come up with a compliance statement, that helps the likes of Amazon and eBay to select their suppliers appropriately and then to remove them from their stores more easily. At the moment, it is kind of a wild west. They do not have any questions or answers.
Good afternoon. We will now hear oral evidence from Catherine Colloms, MD for corporate affairs at Openreach; Simon Holden, the group chief operating officer at CityFibre; Mark Bartlett, director of operations at Cellnex UK, appearing on behalf of Speed Up Britain; and Juliette Wallace, also of Speed Up Britain.
We have until 3.40 pm for this session. Will the witnesses introduce themselves briefly for the record, please, before I turn to the Minister? We will go left to right.
Simon Holden: I am Simon Holden. I am the group chief operating officer of CityFibre.
Catherine Colloms: I am Catherine Colloms. I am the corporate affairs director at Openreach.
Mark Bartlett: My name is Mark Bartlett. I am the operations director at Cellnex UK, representing Speed Up Britain.
Juliette Wallace: I am Juliette Wallace. I am the property director at MBNL, which is a joint venture between EE and Three. I also represent Speed Up Britain.
Q
Mark Bartlett: On behalf of Speed Up Britain, we very much believe that the changes proposed in the Bill are needed to speed up the roll-out of digital connectivity across the country. Therefore, we believe that changes are required.
In that sense, though, we need to look back to before 2017 to understand the policy behind the changes originally made, and to understand that those were made in order to achieve the outcomes that the Government were already trying to establish. Without the changes in the policy of 2017, this ambition will not be met. Speed Up Britain continues to support the policy ambitions as laid out in 2017, but the fact is that the law as put down at the time is not working and created loopholes, which have been exploited, and that has meant that we have been unable to proceed at the pace we wanted.
Catherine Colloms: To give you a bit of context, Openreach is the national broadband network. We are in the process of upgrading the existing network, which is a hybrid copper-fibre network, to a new full-fibre network. The ambition is to build 25 million full-fibre homes and businesses by the end of 2026. That is a hugely ambitious target. It underpins the Government’s 85% manifesto commitment, but we have to get to a ramp of building 4 million premises a year.
We are currently building at 50,000 premises a week, so we are heading up towards the 3 million a year kind of ramp, but from pretty much a standing start in about 2017, as there was very limited full fibre in the UK at that stage. We had finished building the old network and had not transitioned through. It is a really serious challenge. If you think about the pace of build and what we are trying to achieve, being able to do things really rapidly and operationally simply becomes incredibly important.
For us, the two big pieces that the Bill can potentially help us with enormously and help supercharge that fibre build is around access, that is access to multi-dwelling units—the approximately 6.1 million blocks of flats in the UK—and access to rural parts of the UK. There are some urban as well, but if you think about how we build, we have a duct infrastructure but we also have a very extensive pole infrastructure. For most of our rural build—we have committed to building 6.2 million commercial rural, which goes beyond the Project Gigabit programme that the Government are talking about to the hardest-to-reach areas—we are going to have to do most of that over our existing pole network. At the moment, the Bill makes some changes that are helpful and which progress us forward by allowing us access to upgrade our current infrastructure on underground ducts. What it does not do is allow us to upgrade the infrastructure we have in place, either over the pole network or in those blocks of flats.
If you think about what we have in place today, we have our existing network, so we have the ubiquitous either copper or hybrid copper network that is there today in pretty much all of these premises, all across our poles. We are trying to upgrade that network to full fibre as rapidly as possible and to do so, it would be incredibly helpful if we were able to upgrade our existing infrastructure. The Bill at the moment allows us, as I said, to do that through underground ducts. It is not going to allow us to get into either MDUs to upgrade more rapidly—we estimate that something like 1.5 million MDUs could be at risk based on our experience of unresponsive landlords and our inability to get in—and it also does not allow us to automatically upgrade our property and the infrastructure that we have over the pole network.
To give you a bit of context, we have 1 billion metres of cable over poling at the moment. The vast majority of the rural network is served over poles, so for us it is really important to be able to deliver those 6.2 million commercial rural, but also potentially the Project Gigabit programme. We have been working in Scotland on the R100 programme—the “Reaching 100%” Scottish Government programme. We need one wayleave for every 16 premises, to give you the sense of scale. We are finding the ramp very challenging and because of the scale and pace that we are trying to build at, what we really need is ease of access, ease of upgrade and that is the opportunity we think with the Bill.
Simon Holden: I think we are talking about two different sets of infrastructure here, which is worth explaining. We are talking about mobile and then we are talking about fixed-line fibre access. CityFibre is rolling out a fibre access network, mostly to consumers in the home. We are doing that across a footprint of 8 million households in the UK. The reason I wanted Catherine to go first is because we are utilising Openreach’s duct and pole infrastructure for three reasons. First, because it will allow us to go faster because we do not have to dig up the streets and lay ducts ourselves or put many more telegraph poles down. Secondly, because we are reusing and so can lower our cost, which means ultimately lower prices for the consumer. Thirdly, because it is just much more environmentally friendly if we can reuse those assets.
We are in favour of that, but at the moment we have this split between pre and post-2017 access. Our view at the time was that that made a lot of sense. Five years on from that now, it is a somewhat arbitrary split. So we think dealing with that is the right thing to do. In particular, the draft Bill’s proposals on ducts look fine to us. We would echo the point about poles. For us, poles are really important in rural, but also in Scotland. It turns out that in Scotland there are a lot of poles sitting in people’s backyards and just being able to access those to put our infrastructure on means that we can accelerate getting fibre access to all those homes. In our footprint, there are probably up to about 200,000 homes that we can access quickly if we can get that right, so we think that there is a real advantage to doing that.
For us rolling out fibre, there is a balance that you have to have here between access all the way through into the home, back to the public domain where, as a code operator, we can build in the public domain. I think we would say that our experience of getting landlords to come to the table is mixed and that the alternative dispute resolution mechanism proposed here is a good one to push that timetable down, so we can get to an answer.
I would also say, however, that when we get into the home, into a block of flats, the tenants really want the service. We have found that, once we have got the landlord and the landlord has given us the wayleave so we can connect into the front door of the block of flats, then wiring up inside is not particularly an issue. We are concerned a little with somehow grandfathering old wayleaves inside buildings, first because it does not seem balanced, but also because it will entrench the people who have those, which I would say is mostly Openreach.
In trying to promote competition and accelerate growth—to your question earlier, Minister, about whether growth has accelerated—the answer is that growth has clearly accelerated in rolling out fibre. That is absolutely happening. We have vibrant competition now, with billions of pounds being invested in this sector. Here is an opportunity to make it go faster, for us all to benefit with a frankly lower-cost solution.
We feel that what is on the table with that landlord dispute resolution mechanism is good. We do not feel that we need to go inside the building, frankly because once tenants have access to it, landlords are more than willing to give that connectivity, because they have happier tenants as a result. We have not found that that is a real impediment to us.
Juliette, did you want to add anything? You do not have to.
Juliette Wallace: I was not going to add any more to what Mark said on behalf of mobile.
Q
Mark Bartlett: Speed Up Britain represents the MNOs: Cornerstone, MBNL, Cellnex, which is a towerco, and DMSL, WIG and the industry as a whole. I will put some facts, some numbers, on the table to help us understand what we are doing.
Since 2017, we have completed about 1,000 agreements, of which 85% have been consensual and reached without any recourse to any of the processes associated with the legislation. Over and above that, 14.5% approximately required some form of exchange of letters of notice, but then moved quickly to agreement, and only 0.5% of any of those discussions ended up in the tribunal. In my experience, those that ended up in the tribunal have been the industry—us—versus the industry, or land aggregators, to be blunt.
The facts speak for themselves. In the main, as an industry, we run over 30,000 towers, which are visited frequently in order to upgrade, to maintain and to support the connectivity of the country. We do not see a landowner community, a landlord community, our partners as such, in a wall of non-co-operation, but almost the opposite. We speak to our landlords very frequently, we interact with our landlords very frequently, and therefore I do not recognise the characterisation as stated this morning.
Catherine Colloms: I am happy to talk from a fixed perspective. Generally, we have pretty good relationships with a large number of our landowners. Fibre and the copper and duct infrastructure we have is not a revenue generator for most landlords. You will have heard Charles Trotman this morning, from the CLA. We have agreements and rate cards, which were negotiated with the CLA and the NFU. We work closely in particular with those kinds of rural players to ensure that we have those in place. They are very effective and seem to work very well.
Just to give some kind of context for fixed, we do not tend to have these kinds of disputes, to the extent that you are not going to make a ton of money, frankly, by having a few poles on your land. A pole rental is between £10 and £20 a year, so even if you had a couple hundred poles, which would be unusual, that would mean only a couple of grand. If you think about ducting and cabling going through, that is anything from 19p to 49p a metre, so it is not a revenue generator per se. For us, the conversation with landowners is predominantly about access.
To Simon’s point, we find that we do have quite a lot of issues when it comes to MDU access, especially given the scale at which we are trying to build. We obviously have a machine of people who sit behind to try to negotiate, wherever possible, consensual agreements or wayleaves, but we would genuinely need an army of people to try to get stuff done.
For example, some of you will know that a couple of years ago we fully fibred Salisbury, which became one of the first full-fibre cities in the UK. We tried experimenting to test the limits of access and find out what would or would not be a problem with the roll-out. After two or three years of really concerted effort, including with John Glen, the local MP, being super-supportive and with loads of local PR, we could still get into only about 79% of MDUs, because of non-responsive and non-communicative landlords. If we were to scale the MDU team that we had for dealing with the amount of time it would have taken to tackle those unresponsive landlords, we would effectively be scaling from a team of about 17 to over 300.
As Simon says, the ADR processes are helpful predominantly when there are larger landowners, such as housing associations or local authorities. They are less helpful when it comes to the hundreds of thousands of wayleaves that we need in order to get into all the individual MDUs. That is why we think that the ability to upgrade the existing infrastructure, and therefore to give tenants the connectivity they deserve, is still the right mechanism to try to ensure that we can get the upgrade as quickly as possible.
Juliette Wallace: We do recognise, as the operator side of the industry, that in the very early days of the code—early 2018, for instance—the interpretation that we were trying to explore may have been a little too over-enthusiastic, shall we say. A lot of time has passed and we have learnt from that. I think that a lot of the examples that are provided to try to support the allegation of a David and Goliath approach are from very early in 2018, and they do not exist today. I think that we have moved on a lot, but we cannot be stuck with all the allegations of the past as well.
I do not agree that the David and Goliath approach is correct. As Mark said, to the extent that it is, what we are finding with the tribunal element of the approach is that it is actually industry arguing with industry; it is not small farmers, necessarily, who are behind that negativity. It is not David and Goliath; it is Goliath and Goliath.
Q
Catherine Colloms: The current target of 25 million full-fibre premises by 2026 did bake in some assumptions about access, particularly in relation to the upgrade rights in clauses 59 and 60, through MDU and through poles. On the impact of not having it, I think there is a kind of overarching impact. If you think of the challenges of the build and the scale of what we are trying to do, the harder it is to build and the slower it is, the less we can do. We are having to re-phase and re-look at the build that we are currently targeting, as a result of potentially not getting some of the elements in the legislation.
If I take the MDU point in particular, we have re-phased some of our MDU work to the back end of the 2026 target, the reason being that at the moment we just feel we are not going to get the access. As I said, our experience is that up to 1.5 million of those total 6.1 million MDU premises will be at risk. We are seeing that in a day-to-day aspect as we build, so we have re-phased 300,000. That will go to the end of the build, which means it does not count towards the 2025 manifesto target. It will still be planned within our build, but I think what will happen is we will just have to build different bits.
When we are building this rapidly, we cannot afford to sit and wait—wait to negotiate a wayleave, wait for an unresponsive landlord to come back, wait for an ADR process. Even though we have some of these mechanisms in place, we frankly do not use them, because there is not the time and we do not have the scalability to be able to wait for all these landlords, so while we are trying to build at such pace and scale, we effectively move on. What will happen in the short term is that we will still aim for our big 25 million target, but you will get a different mix, and we are already seeing that you will have less MDU in the mix. Obviously, the concern with that is that MDU is often urban and is often local housing or in more deprived areas, so there is a risk of creating a new digital divide—in particular, if you happen to live in a block of flats versus not—because of the access issues.
On rural land, we have this ambition to get to 6.2 million. Effectively, the way that we plan and build the network is we will pick an exchange, and we will survey that area and have a plan to build, but if we cannot get the wayleave, we will not build to the village that is beyond the wayleave. We will still get to our target, but you will get more pockets left behind in different places as we build, because instead of being able to build to 80% or 85% of an exchange area, one landlord might potentially be blocking the access that gets you to the village that is over there. If you cannot cross the land, the expense of having to circumvent it and go all the way around it means that that village build is prohibitive.
Can I ask witnesses to please keep their answers shorter? I have had a number of Back-Bench Members already indicate that they want to come in.
Catherine Colloms: Sorry. I think it just changes the mix, effectively.
Simon Holden: I might just add that if Openreach is the Goliath and CityFibre is the David—certainly in rural—we would like to go into rural. This would be really helpful for us in order to make sure we can move at speed and at a sensible cost, and take advantage of the opportunities the Government are providing to accelerate growth there, so we would be in favour of that.
Juliette Wallace: On the mobile side, you asked about rural connectivity. Predominantly, that is going to come from new sites, and the code is actually working quite well with new sites—new land build-out. Our biggest challenges come from renewing the agreements that have expired on existing sites. That is where we need the changes in the code that this Bill addresses, and also the amendments to how the Bill is drafted so that it actually addresses the Government’s ambitions that came out as a response to the consultation.
Q
Till Sommer: Yes, sure. The Bill basically does three different things: it is access to third-party land in rural areas; it is the alternative dispute resolution mechanism on a voluntary basis; and the third area is upgrade rights. Upgrade rights, as you heard from the previous panel, is one area where there is slight disagreement because, depending on how you fix that, it might give one set of providers a competitive advantage over the others. For that reason, I do not want to go into too much detail there.
At the basic level, we want more upgrade rights, because it helps to use the infrastructure that is already there, rather than digging up the road again, putting up new telegraph poles or, as was said, just not doing something at all because the money is not there to build in that area if you cannot reuse the infrastructure. Beyond that, I do not want to go into too much detail, or I will get into trouble with my members and they will all talk to you separately.
I will take the other two areas, including access to third-party land. We have a few members who are specifically focused on rural areas. They are effectively going at the moment where Openreach does not have a strong build. They are very ambitious. They have told us quite early on that this Bill is game-changing for them. Access to third-party land in rural areas is simply the one thing that will unlock additional properties in their roll-out plans.
The reason for that is that this part of the Bill effectively mirrors something that was done a year ago for multi-dwelling units in urban areas, because it looks at a problem that our members face; I will use a very simple example. Let us say they want to reach a rural hamlet and there are three routes to it—one across a farmer’s field, one across a railway line and one across a hilly area. The most economical route is across the farmer’s field, but that field might be owned by someone who is not living in the UK, or who does not look at their emails or their post; that farmer just does not respond. At the moment, there is no mechanism to get any sort of forward movement in that situation.
So, what happens is that the provider either moves on, because they decide that it is not economically viable to take one of the other routes to that hamlet, or they say, “Actually, no, we do go across the railway line, but we descope parts of the hamlet. The money just isn’t there any more to connect every single house. It’s still economically viable to go there, round the field, but it doesn’t quite reach the whole village.”
Third-party land access provides a mechanism to get access to wayleaves, or access to land, for a limited period in those very limited circumstances. That will unlock those properties that at the moment are at risk of missing out. I am sure some of you will have seen in the past an announcement from a broadband provider—you might have even done a press release with them—saying that they are building out to x number of houses in the constituency. Then, after two years—after the roll-out programme is done—the number is not quite there. Quite often the reason for that is because the build has been more difficult than expected, there have been unresponsive landlords and the money that was allocated for that area does not quite match the ambitions.
It is worthwhile keeping in mind that roll-out is privately funded. There is Government support for the hardest-to-reach areas and we appreciate that, but outside of that it is privately funded infrastructure, with a return on investment over 20 or 30 years. We need to make an investment case. The companies, our members, need to make the investment case for their investors, for their shareholders and for their owners, that they will at some point get that money back. That is why we sometimes need to make those difficult decisions where stuff is being descoped. That is why the Bill is so important; it helps avoid those areas and unlock that bottleneck.
I mentioned alternative dispute resolution; some of our members are a bit sceptical about it, and that is largely because they roll out on a very large scale. Having to deal with thousands and thousands of ADR processes can be quite daunting, time-intensive and costly. For that reason, we believe it is good that it is done on a voluntary basis, with the clear incentive provided in the Bill that the tribunal will take ADR into account. It will help a lot when it comes to negotiations with large landowners; that can include local authorities, where our members often have to negotiate a headlease or a head wayleave agreement. That can be super-complicated, because there is part of the local authority that is really keen on getting broadband, but the people dealing with the wayleave stuff do not really care because it is not in their portfolio. There are then mixed messages coming from the local authority. On the one hand they are saying, “Can you please roll out broadband as quickly as possible,” but on the other hand there are people saying, “It takes another year to negotiate the agreement.” ADR will be really useful to make progress in those very large wayleave cases.
Q
Till Sommer: Yes, that is exactly right. If you cannot use existing infrastructure but you are still going to roll out the network, you need to dig up the roads. I assume you have all received lots of letters about roadworks and the problems that they cause. You either dig up the roads or put up new telegraph poles, which is more expensive and is another element of visual impairment and disruption. For that reason it is much more economical—and from a visual aspect, less intrusive—to reuse existing infrastructure.
Q
Till Sommer: We do. Basically, a key bit that our members provide to your constituents—their customers—is a router, plus other equipment, that is classed as an internet-connected device under part 1 of the Bill. We are in regular contact with your civil servants on that, to clarify timelines and how the Bill might bite. We do not have any concerns about the idea. We support the idea of the Bill; it is more about the implementation, and ensuring that the supply chain is aware of the new provisions that are coming in.
I have heard from a lot of our members that they have started to talk to their supply chain to say, “By the way, in a year, or in one and a half years, depending on when the Bill will be done, we need to ensure that your products comply with these rules.” Because a lot of the manufacturers are overseas, they are not yet aware of them. Anything that can be done to raise awareness among consumer product providers would be welcome. There are a couple of other bits that go very much into the detail around associated software, when it comes to parental controls, which could be affected. I am happy to write to you on that if you want, but we will talk with the Department about it anyway. It is very much nitty-gritty stuff.
The Minister took my last question on part 1, so I am happy to give my time to Back Benchers.
Good afternoon. We will now hear oral evidence from Rocio Concha, director of policy and advocacy at Which? and Jessica Eagleton, senior policy and public affairs officer at Refuge. We have until 5 o’clock for this session if needed, but as we have started ahead of time I am sure that nobody will mind if we finish ahead of time. Please could the witnesses introduce themselves for the record? Then I will turn to the Minister to ask the first question.
Rocio Concha: I am Rocio Concha, director of policy and advocacy and chief economist at the consumer group, Which? Thank you for the invitation to provide evidence. The Bill is quite important for consumers. We have been very supportive of the work that DCMS has done in the Bill. That is very good, and I hope that I will have the opportunity to explain how the Bill can be improved to achieve its objectives.
Jessica Eagleton: Good afternoon, everyone. Thank you for inviting me to give evidence. I am Jess Eagleton, senior policy and public affairs officer at Refuge, which is the country’s largest specialist provider of gender-based violence services. We provide a host of services including refuges, community outreach and a specialist tech abuse team. I am here today to speak to you about technology-facilitated domestic abuse.
Q
Jessica Eagleton: Of course. The first thing to say is that we are seeing technology-facilitated domestic abuse becoming ever more prevailing. Technology in all its varieties is providing domestic abusers with a host of new means and methods to perpetrate abuse—to monitor survivors, track their whereabouts, harass them and stalk them—so much so that, as I said, we set up a tech abuse specialist team a couple of years ago. Of the women and children who we supported last year, 59% said that they experienced abuse involving technology, so we are seeing a growing threat.
The specific devices that we are talking about, which are covered by part 1 of the Bill, offer a whole host of ways for abusers to abuse. I am thinking about home security cameras and home security devices such as doorbells, which provide almost 24/7 oversight of a survivor’s movements in the home. Camera and microphone functions can be used to listen in on survivors and capture intimate images without consent, which can then be used later to threaten and coerce the survivor. There are also things such as smart plugs and smart thermostats, which can be remotely accessed and used to frighten survivors—for example, by turning alarm systems on, or putting blaring music on, in the middle of the night. That is happening in the relationship and after it as well, so we are seeing remote access being used in that way.
Some of our concerns about devices relate to access. Thinking about the power imbalance in a domestic abuse relationship, it is the perpetrator who often sets up such devices. They have the password and full admin access, which means that the survivor therefore has limited ways to access a device. We have had some difficulty when talking to companies to try to support survivors to take back control of devices, particularly once a relationship has ended and a survivor has fled. Where they have devices in their home to which the perpetrator still has full admin access, it is particularly difficult to get companies to override that. That is something that we would welcome further work on, in terms of companies taking steps to support survivors to make changes to settings.
Do you have anything to add?
Rocio Concha: Your question was on whether the Bill will help consumers to understand these issues, and it will. As you know, one of the principles in the Bill is transparency—when you buy these products, you will know for how long they will be supported. That will help with awareness. There is a lot more that can be done to raise awareness of these issues. There is a limit on what consumers will know about how to protect themselves, so the direction in the Bill about banning default passwords is quite important, as is the point of contact for security vulnerabilities.
Jessica has explained very clearly the harms. There is an opportunity for the Bill to be more assertive. At the moment, the Bill says that the Secretary of State “may” include baseline security requirements. We know that these are not the right baseline security requirements, so the Bill should be clearer that they will be included. We also think that the Bill needs to list the three security requirements, which would give a clear steer to the industry that they are to be introduced. We are worried that the Bill as drafted could lead to more delays in introducing things.
If we want the Bill to achieve its objective, we must be careful to ensure that online marketplaces are within scope. I would argue that they have to be because, as a consumer, it makes no difference whether you buy your smart product on the high street or from Amazon, eBay or AliExpress; you assume that the product is compliant with the regulations in the UK, so it is important that the Bill also covers that area. Otherwise, you know where the bad actors will go—they will be selling insecure products on those online platforms.
Q
Rocio Concha: On enforceability, if you do not include online marketplaces, you are leaving a big gap, because these products can come from any country in the world when they are being sold in these online marketplaces.
Another area that is not clear in the Bill is how consumers can get redress. As part of the transparency requirement, suppose that you buy a product that says that it will be supported with security updates for four years, but two years down the line, the manufacturer decides to change its mind and to support the product for only two years. Where would the consumer go in that instance? They bought the product on the basis that it would be supported for a set amount of years.
The other thing that is not clear is who the regulator enforcing this will be. Obviously, we need to make sure that the regulator has the skills, powers and resources to enforce it.
Q
Jessica Eagleton: Perhaps I can take your second question first. You are right that we are seeing concerns about these types of products being used to stalk and to monitor. In terms of concrete measures and what the Bill can do in this respect, we welcome some of the security requirements, particularly around the vulnerability disclosure scheme, as a step forward. For example, in the work that we do to support survivors, having that public point of contact and an easily contactable place for a company to go, when we are reviewing these products and putting forward recommendations to companies, is definitely a step forward.
We would have some concerns about situations where companies might publicly disclose security flaws and perhaps not take steps first to address them. We have that concern because that could, in essence, alert an abuser to a new way to abuse a victim. It could alert them to a device that they could purchase or that is already in their home that would provide a new way of compromising, so we would like to see companies taking all reasonable steps to address and action some of these security flaws before there is that public disclosure.
On your second point about services, our tech abuse team is a unique service in the country in providing specialist frontline support to tech abuse survivors, but it is a chronically under-resourced service. Perhaps in the context of this Bill, we would really like to see thought given to a percentage of the fines that the regulators collect for non-compliance by companies going, for example, to fund some specialist support services. I think that would fit within the wider ecosystem of enforcement as well. If we have specialist services that survivors can go to and ensure that they are sustainably funded and able to support survivors, that would contribute to the wider enforcement regime and awareness.