Security of Government Devices Debate

Full Debate: Read Full Debate
Department: Cabinet Office
Tuesday 21st March 2023

(1 year, 8 months ago)

Lords Chamber
Read Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Collins of Highbury Portrait Lord Collins of Highbury (Lab)
- View Speech - Hansard - -

My Lords, I welcome the announcement of this ban but the question of why it has taken the United Kingdom so long to come to the same conclusions as many of our closest allies remains. As Angela Rayner noted in the Commons just weeks ago, the Secretary of State for Science, Innovation and Technology said that there was “no evidence” for a ban being brought forward. So what changed? Has there been a specific incident that prompted a shift in policy? I hope the Minister will be able to answer that. Oliver Dowden, the Chancellor of the Duchy of Lancaster, was honest that the previous list of banned apps did not apply to every government department. Can the Minister outline which departments were exempt and why?

A number of MPs asked about the rules for Ministers’ personal devices. Given recent revelations about the scale and use of WhatsApp and personal email across government, the Chancellor of Duchy of Lancaster said that any substantive government business should be done on official devices. Will new guidance on the use of personal devices and WhatsApp clearly define what is meant by “substantive government business” or will that be a matter of personal interpretation? We have already heard Grant Shapps appear to say that he wants to continue to use his own personal device and use “TikTok”.

None Portrait Noble Lords
- Hansard -

TikTok.

Lord Collins of Highbury Portrait Lord Collins of Highbury (Lab)
- Hansard - -

I did ask someone earlier what TikTok is—I thought I was a modern person, but clearly not.

Can the Minister tell us whether this sort of interpretation is going to involve a change in the Ministerial Code? A Minister may not think sharing a draft Written Ministerial Statement on personal email qualifies either as substantive business or as a security risk, but the Home Secretary was of course temporarily forced out after sending such material to the wrong people. Oliver Dowden also talked about the granting of exemptions for operational reasons. Can the Minister provide an example of why a banned app may be deemed necessary? If she cannot today, could she write with such an example?

This debate takes place in the context of wider concerns about some forms of Chinese-made technology, including CCTV camera systems. On 2 February, my noble friend Lord Bassam of Brighton asked when the Government would commence important product security provisions under the Product Security and Telecommunications Infrastructure Act, which is intended to protect users of smart products such as CCTV doorbells. The noble Lord, Lord Parkinson of Whitley Bay, was unable to provide any date. I hope the Minister can do so today. The Government said they intended to bring the first half of that Act into force as soon as practicable, so why are we still waiting?

Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- View Speech - Hansard - - - Excerpts

My Lords, as a long-standing deputy chair of the all-party China group, I welcomed the proportionate approach taken in the Government’s statements in the integrated review refresh about relations with China. In the face of the current human rights position in Xinjiang and the situation in Hong Kong, however, this should not change any time soon.

On these Benches, we are in strong agreement with those who consider that the Government could and should have been a great deal more strategic about relationships with sensitive Chinese suppliers—whether internet or data based, hardware or software related—in the run-up to this Statement. This is a one-off Statement about TikTok, a social media company. It would be good to see the assessment and the evidence of potential cybersecurity issues which the Government have not yet—as far as I know—produced.

However, when it comes to makers of surveillance cameras, as the noble Lord, Lord Collins, said, the Government appear far more reluctant to act. The Surveillance Camera Commissioner, Professor Fraser Sampson, has been very clear in his warnings, in particular about Hikvision and Dahua cameras, which, as far as we know, are used extensively in Xinjiang for surveillance purposes and pose security risks here, even when live facial recognition is not enabled.

Just last week, we saw Tesco lead the way in the private sector and order the removal of these cameras from its stores. The Government have simply ceased to install them. Why are they not directing their removal, particularly in police forces? Have they mapped exactly where on the government estate and in other spaces these cameras remain?

Regarding TikTok, why act so late when the EU and US, as the noble Lord, Lord Collins, mentioned, acted earlier? Presumably they have the same security information. When did the evidence emerge that has led to this ban? Will the Government publish the review by cybersecurity experts which assesses the risks posed by these third-party apps on government devices?

As the noble Lord, Lord Collins, also mentioned, why are private devices used by government Ministers not covered? I note that Oliver Dowden repeated that position last week. After all, we know there has been extensive use of private devices by Ministers, particularly —dare I say—among former Health Ministers. What assessment of this aspect has been made? Which government departments and public bodies are actually covered? What is the process for drawing up the promised approved list of apps? What criteria will be used?

As many said in the Commons, this looks like whack-a-mole; the Statement is no substitute for a coherent cross-government strategy. Why do the Government not now move, for instance, to include the capture of biometric data in the definition of “critical national infrastructure”? Questions have been raised recently about Chinese cellular internet of things modules—CIMs—which are imbedded in many devices. What is the Government’s approach to this? Are they even aware of what CIMs are?

Finally, if the Government are concerned about information being harvested by social media and other apps, why is the Data Protection and Digital Information Bill, now before the Commons, widening the circumstances in which research data can be used for commercial purposes? Is this not a typical example of this Government’s incoherence and lack of co-ordination on issues such as this?