Thursday 3rd October 2019

(5 years, 2 months ago)

Westminster Hall
Read Full debate Read Hansard Text Read Debate Ministerial Extracts

Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.

Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.

This information is provided by Parallel Parliament and does not comprise part of the offical record

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

My hon. Friend, who is a great champion of innovation and technology—coming from the constituency that he represents, it is appropriate—makes a critical point. I could not have put it better. Although this debate is about regulation of the internet of things, it is impossible to talk about protection and security in the internet of things without talking about the data that is its lifeblood: the flows of data that both drive and enable the internet of things. We are in a confused state about who owns and controls the data and how it can be shared. The Government, for example, had at the last count at least 80 different ways of sharing data with themselves. As long as that is the case, we cannot have real security or integrity within the internet of things.

Last year the Government finally took some action with their Secured by Design voluntary code of practice on the security of the internet of things, as well as guidance for consumers, which was later codified as ETSI TS 103 645. In May this year, the Government announced a consultation on the introduction of some mandatory legislation on labelling. For example, retailers would have to label internet-of-things products as complying with varying levels of the Secured by Design code. Labelling is necessary because the Government will not decide what is secure and make it mandatory—if everything were secure, it would not need to be labelled. We await the outcome of the consultation. However, there are at least five major issues, and many others besides.

First, the tone of the consultation is, “Regulation is very, very bad and stops innovation, so let’s just have as little as possible.” Secondly, there is no enforcement or sanction. Thirdly, while some mandatory requirements are proposed, they would simply be a declaration of adhering to standards. That approach puts a major emphasis on the consumer to understand these increasingly complex problems and does not account for the use of the devices in public spaces.

The fourth major concern is that the regulations deal only with consumer things. The clue is in the name: it is an internet of things. We need an architecture of standards and a regulatory framework that enables security and interoperability across the internet and also considers the lifeblood of the internet of things—data. Fifthly and finally, there are billions of insecure old-generation IOT devices already enmeshed in our digital infrastructure. The regulations do nothing to address them.

The Government need to recognise that technology is not something that happens to us; it is something that we actively participate in, or should do. That does not mean stifling innovation. Instead, it means using Government influence to look forward to the impact of technologies and to shape them for the public good. The Government must understand technologies in terms of social purpose, rather than just profit margins. That must be done with the tech sector, but the Government must recognise that it is their job to protect the interests of the people. During the first and second industrial revolutions, it was the trade unions, organised workers, the nascent Labour movement, feminists, abolitionists and former slaves who pushed law makers into putting legislation in place that would direct the use of technology to more egalitarian ends. I fear that it will be for a Labour Government to ensure that that is what happens here.

Technology can be used for good or ill. My hope is that intervening now to set up a framework for data and the IOT will mean that we do not face problems and resistance further down the line.

Last year, I was at CES, which is the largest computer electronics show in the world, in Las Vegas. An American start-up literally begged me to put in place security regulations for IOT devices, so that it could compete on a level playing field with the cheap but totally insecure exports from less reputable manufacturers. It is cheap and, frankly, lazy to set up a sort of binary choice between regulation and innovation. A clear regulatory framework and strong governance allows good companies that are making socially useful products to succeed without markets being flooded with poor quality and potentially dangerous products that threaten security.

I want to say a little on Labour’s plans as I understand them—I know that the shadow Minister, my right hon. Friend the Member for Birmingham, Hodge Hill (Liam Byrne), will set them out in more detail—and I want to put that in context. I am a technology evangelist. Before becoming an MP, I worked all over the world building out the networks that now form the internet. One of my proudest moments was when I rolled out the first global system for mobile communications network in Nigeria and saw how mobile communications could really make a positive difference to people’s lives. Fisherman in the delta could now know the market price in Lagos and could not be cheated out of the right price for their fish; pregnant women could phone for a doctor instead of having to send vital requests on foot, which took hours. The internet of things will bring more and better benefits.

I have also seen the flip side of new technology. When I worked for Ofcom, I was asked to report to the board on internet security in 2005. When I came back with stories of bot attacks, honey traps, distributed denial of service, white hat wizards, Trojans, worms, phishing and pharming, it was as if I was describing a war in a galaxy far, far away. More than 10 years on, however, those threats are very real. They are part of everyone’s daily lived experience. Online fraud is the most common crime in the country, with almost one in 10 people falling victim to computer misuse or one sort of fraud or another. The same may happen with the internet of things—in fact, to an even greater extent—and we must not allow that.

I talk about the internet of things for everyone, because I believe that technology can be democratising and enabling, but just as cyber-crime seemed so foreign only a decade ago, we do not yet fully understand the new risks posed by the internet of things. To fully realise its benefits, we need to be able to deal with the increasingly pervasive security threats it presents. To address them, we need regulation as well as action in other areas. For example, we need to invest properly in skills and adult learning to help people to become digitally literate citizens. Labour’s pledge to create a free truly universal national education service, the NHS for the innovation age, will help everyone to become part of an innovation nation in which everyone is a creator, not simply a user, of technology.

We also need the power of Government to address our creaking infrastructure, and close the productivity gap at the same time, by enabling businesses across the country to invest in the internet of things. Our national transformation fund will do what it says on the tin—transform our infrastructure to bring it up to OECD levels.

We need to address a critical part of the tech sector that I referred to earlier, which is a lack of diversity. Diversity is not an optional add-on; it is an economic imperative. It needs to be at the heart of economic and technological policy, because we cannot build a more prosperous economy without making use of everyone’s talents. We need a more comprehensive sector-wide approach to diversity, particularly in the tech sector. It is key that the creators of new applications for the internet of things come from diverse backgrounds, so we have technologies that work for all and make use of the full array of talent in our society.

Finally, an internet of things requires the right digital rights and responsibilities to exist across our nation. That is why Labour plans to introduce a bill of digital rights that will provide strong and easily understood protections for citizens and will give us all rights and control over our own data.

As I draw to the end of my comments, I want to make sure that the Minister understands the questions that I am asking, so I will list the ones to which I would like him to respond. First, as I have mentioned, who owns and controls the data flowing to and from internet of things devices? Why is it not the people who are generating the data? The Prime Minister said that data is the new oil, but we have seen what the corruption around the oil industry did to many developing economies. Our citizens deserve to be in control of their own data.

Secondly, what steps is the Minister taking to ensure that insecure internet of things devices cannot be sold? Thirdly, will the provisions of the online harms legislation, specifically the duty of care, apply to the internet of things? I asked his predecessor that question, but the answer was not clear. Fourthly, when the internet of things is combined with facial recognition to monitor people, whether in education or on our streets, what requirements are there on consent? Fifthly—this was raised by TechNorthWest—internet of things devices take data for one stated purpose. What prevents its being used for various others? How does consent work in that case? Is the general data protection regulation sufficient?

Sixthly, I believe that all our critical national infrastructure is connected to the internet of things. I have mentioned the blackouts in Ukraine and attacks on an Iranian power station. What regulation is there of the internet of things in critical national infrastructure?

Seventhly, what analysis has been made of how the Government should respond to the misuse of internet of things devices? What scenarios are being considered and what plans are in place?

Eighthly, for the purposes of internet of things regulation, what is the nature of the relationship between the Department for Digital, Culture, Media and Sport, the National Cyber Security Centre, the Cabinet Office and the Information Commissioner’s Office?

I expect the Minister to respond to the five criticisms of the current consultation.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

We have an hour and a half, which will be more than adequate. I should perhaps have said that the Minister has a background in technology, as a tech correspondent, so I am sure that he has the answers to all the questions.

--- Later in debate ---
Matt Warman Portrait The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
- Hansard - -

I begin by saying that I will not intrude on the private grief of where the industrial revolution began; I am certain that it did not begin in Skegness, so I have no dog in the fight. I congratulate the hon. Member for Newcastle upon Tyne Central (Chi Onwurah) on securing the debate. I well remember the work that we did together in the parliamentary internet, communications and technology forum—PICTFOR—and in other forums.

The hon. Lady says that she is a tech evangelist, and so am I. Although I regret the tone of some of her comments about some aspects of the Government’s policy, I think we agree that there is not a huge amount of partisan disagreement on many of the issues. We want to get it right. The right hon. Member for Birmingham, Hodge Hill (Liam Byrne) and I also agree on a huge number of issues, as he said, particularly around discrimination and what we should do to ensure that the well-known principles that exist in the offline world persist online. I hesitate to use the slogan, but we too want technology to work for the many, not the few.

I will begin by seeking to answer some of the questions of the hon. Member for Newcastle upon Tyne Central, which might be a novel approach, although I am sure she will not be satisfied with all the answers. In many ways, as she identified, this is a debate about data, not the internet of things. On the principle of who owns the data, the general data protection regulation applies to data controllers in exactly the same way whether they are processing data that derives from the internet of things or anywhere else, so the principles that we all subscribe to, of the consumer owning their data, should persist. That is a hugely important starting point, and we should acknowledge that there is agreement on it. The hon. Lady frowns as if she disagrees, so I invite her to intervene.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank the Minister for the tone of his opening comments. It is certainly true that there are many areas on which we agree. The reason for my frowning is the idea that the GDPR recognises the right of ownership of consumers or citizens. The fact that there is a data controller who is not the citizen or consumer suggests that it does not. As I have said, the GDPR is progress, but issues of ownership and control are still far from clear. My right hon. Friend the Member for Birmingham, Hodge Hill (Liam Byrne) made some excellent points in this area.

Matt Warman Portrait Matt Warman
- Hansard - -

The hon. Lady pre-empts my next point: all of this is predicated on consent. The consumer has to understand that they are giving up their data for a particular purpose and a particular benefit. As the hon. Member for Dagenham and Rainham (Jon Cruddas) said in what was a fascinating speech—albeit one where I wondered if I had at times transcended, if not humanity, at least this debate—these are fundamental issues that have effects far beyond what we might think of in an arcane debate about the ownership of data. I commend the approach that says we are dealing with issues that go far beyond a debate about technology, which will have an impact on huge aspects of humanity itself, whether we get them right or wrong. That is why it is important to consider them in that wider way.

The hon. Lady was right to point out that, in some ways, the internet of things represents a whole new chapter of how technology is becoming more common in our homes and making our lives easier and more enjoyable, but potentially also more fraught with decisions that we need to be aware we are making. I will trump the hon. Lady’s numbers: Statista says that by 2025, there will be 75 billion internet-connected devices worldwide—I am sure other analysts are available to provide even higher numbers. In our estimates, that translate to some 15 devices per household by next year. The internet of things is very real; it is already with us.

Liam Byrne Portrait Liam Byrne
- Hansard - - - Excerpts

Before the Minister moves on, I just want to clarify one point. Is it his position to accept that data that is generated as user data does have an economic value, but that it is basically fine for the individual to surrender that economic value through the way in which they consent to use a service?

Matt Warman Portrait Matt Warman
- Hansard - -

I feel like the right hon. Gentleman is going to accuse me of wilfully misunderstanding his question, but it is obviously fine for an individual to choose what they do with their own data. If that involves, as he puts it, surrendering the data for a particular purpose, that is their decision to make. I am not sure that that is quite the question he was asking. The point about consent being absolutely in the hands of the user is the most important one to make. That is why the cyber-security of the products that the hon. Member for Newcastle upon Tyne central referred to is so hugely important, in many ways; it is why we have put so much effort into delivering the code of practice for consumer IOT security.

The hon. Lady mentioned the sale of potentially insecure devices, which is one of the key planks that we are seeking to address. People want to have implicit trust in their devices and they need to have confidence in how their data is being used, not just when they first purchase that device but into the future as well.

Liam Byrne Portrait Liam Byrne
- Hansard - - - Excerpts

The Minister is helpfully helping me join some dots. Why does he think that it is right for the Government to intervene to ensure that the consumer has particular cyber-security protections but not to ensure that the consumer enjoys any particular economic protections, for example around the value that is created through third-party use of their data?

Matt Warman Portrait Matt Warman
- Hansard - -

It is obviously about a balance between different situations. The Government, in a host of ways, provide a degree of opportunity for the kind of protection that the right hon. Gentleman seeks. In other fields there are already opportunities for redress in extreme circumstances. In some ways he and the hon. Member for Newcastle upon Tyne Central are asking for greater coherence in this space, and others. It is precisely for that reason that my Department is developing the strategies that they both referred to. On the one hand he seems to attack the bonfire of the quangos, but on the other he seemed to want fewer regulators, so I am almost reduced to asking what his favourite number is.

Liam Byrne Portrait Liam Byrne
- Hansard - - - Excerpts

My point is simply that according to the Chancellor of the Exchequer I will soon not be allowed to sell my labour for less than £10.50 an hour. The Government have put a floor on the economic freedom that I enjoy, and that is giving me a degree of economic protection. Why does not the same principle apply to the way in which my data as opposed to my labour is exploited?

Matt Warman Portrait Matt Warman
- Hansard - -

That is a philosophically interesting question but it is also obvious that at the moment data is readily given up in exchange for a service. I am not sure whether the right hon. Gentleman would therefore seek to put a value on the service and say, “That service, whether offered by Facebook or whoever, should not be worth less than a certain amount.” That seems to be the logical conclusion of his argument, which is why I say it is perhaps more an interesting philosophical question than a practical one.

Daniel Zeichner Portrait Daniel Zeichner
- Hansard - - - Excerpts

Will the Minister give way?

Matt Warman Portrait Matt Warman
- Hansard - -

I am conscious of the time, but this is all very interesting, so I am happy to give way.

Daniel Zeichner Portrait Daniel Zeichner
- Hansard - - - Excerpts

It is more than interesting. It is critical. Is the Minister assured that people are involved in a free exchange, and that there is transparency—that they understand the terms and conditions of all the things that capture data on their devices? I am certainly not. I think most people who look at it are convinced that people do not know, so they are not getting the economic benefit of that behavioural data.

Matt Warman Portrait Matt Warman
- Hansard - -

Essentially I agree with the hon. Gentleman that it is obvious that not everyone reads the terms and conditions of every single thing they have signed up to for any website; but it seems to me that Government’s role in this space is not to stop people making those decisions. It is to make sure that people have a better understanding of the decisions they make, and that they trust the companies that are doing whatever it may be with their data. That obviously requires us to put certain constraints on the behaviour of companies, as we do in every other circumstance. However—and I do not think the hon. Gentleman is suggesting this—it should surely not be for us to say that people should not be allowed to make certain decisions. I think that on the Government side of the House we would be keen to free people up to make whatever decisions they reasonably want to make.

Liam Byrne Portrait Liam Byrne
- Hansard - - - Excerpts

The Minister is being incredibly generous and this is the last time I shall intervene. To round out the picture that my hon. Friend the Member for Cambridge (Daniel Zeichner) is presenting, network effects mean, obviously, that in social media land we have monopolies—or, if not monopolies, certainly oligopolies. It has long been an established principle of consumer welfare protection that there should therefore be some kind of price protection. In a debate about how we protect and enhance the economic welfare of the citizen if we do not recognise a defined value for their data—which they are not freely surrendering into a free market, but giving over to a monopoly—surely the quid pro quo is some kind of price regulation on the other side. The Minister cannot have it both ways.

Matt Warman Portrait Matt Warman
- Hansard - -

The right hon. Gentleman raises a lot of points in one short paragraph. I understand what he accuses me of seeking, when he speaks of having it both ways. Actually the services that are offered digitally, ostensibly free, are different from services in a physical world where we might talk about the kind of monopoly that he has mentioned. In that sense, all he is doing is underlining why we need to get things right, in a way where the digital challenges are understood, without reinventing the wheel and pretending that all online challenges are necessarily different from those in the physical world. It is an emerging picture, which is why I refer back to the technology innovation strategy that we published in June 2019 and that includes new measures, such as the Spark procurement programme, to enable Government and the wider public sector to benefit from new digital technologies and the service that can be provided by stimulating the UK’s world-leading tech sector. It is also why we set up the Centre for Data Ethics and Innovation, which will allow us to consider how we might best benefit from those opportunities and ensure that we seek not to design in the kind of prejudices that the hon. Member for Newcastle upon Tyne Central mentioned. One of its first papers is on smart speakers and voice assistants and on how industry and Government can work together to ensure that the products do what they are supposed to and that users consent to them.

We should also be mindful that the 75 billion devices, or however many there turn out to be, will have a physical environmental impact. I am therefore pleased that as part of its resources and waste strategy, the Department for Environment, Food and Rural Affairs has committed to updating the existing guidance for local authorities on managing the collection of smart items and similar electricals. That might sound like a minor point, but it is probably less minor than others.

The hon. Lady mentioned the Prime Minister’s speech at the United Nations General Assembly. I am not delivering the rhetorical flourishes that he delivered late at night at the UN, but it is important to say that he made that speech in that location because this country is already a world leader in this area in so many ways. It is right that our Prime Minister is addressing these issues and the legitimate public concern.

It is also right that, as several hon. Members have mentioned, when we seek to regulate in this area and on online harms, we in this country and across the parties should be proud that the UK is a liberal democracy that seeks to lead the way. We have an opportunity to shape a global debate, as my Opposition counterpart, the right hon. Member for Birmingham, Hodge Hill, observed.

In some ways, the greatest thing we can do is use Britain’s status in this area and on the world stage to try to develop global standards. The hon. Member for Newcastle upon Tyne Central mentioned those of the ETSI, which in its way is world-leading: it seeks to produce standards that can be replicated or mirrored globally, addressing some of the coherence that risks arising in the area. She says that we are not providing leadership and quotes the Prime Minister’s speech, but I say that his speech demonstrates the existing status of Britain’s leadership in the area already. If I am being kind to her, although we disagree on several minor issues, I should say that she too would agree that Britain has a huge opportunity to capitalise on its place in the world on this issue.

In June, we published a White Paper, “Regulation for the Fourth Industrial Revolution”—we are sticking to that number, although I understand that there is a dispute over whether it is correct. It confirms that the Government will establish the regulatory horizons council to identify the implications of precisely the sort of technological innovation that the hon. Lady spoke about, and to advise the Government on regulatory reform so that we can take exactly the kind of steps that she highlights.

In that process, security should not be an afterthought; it has to be embedded. Thus far, we have taken the approach of working with industry, and industry is now saying to Government—the hon. Lady will have heard these calls as well—that greater clarity, particularly in regulation, will help consumers and the industry itself. Many of the internet-connected devices that are currently on the market still lack even the most basic cyber-security provisions. Some 90% of 331 manufacturers that supply the UK market and that were reviewed in 2018 did not use a comprehensive vulnerability disclosure programme up to the level that we would expect; I think that hon. Members on all sides would agree that that is unacceptable. Organisations have a duty of care to their customers, to help make sure that they can access and use their internet-connected products safely.

Although Government have previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that stronger cyber-security is built into these products by design. That is why we launched our consultation on secure consumer IOT in May. That consultation built on the extensive work to which I have referred. It allows us to talk about minimum security principles for connected devices, which my Department elaborated on in the document published last year. Our focus will be on ensuring that there is a baseline of cyber-security built into all consumer IOT products by design, to eliminate the most harmful practices.

These are, I freely admit, low-hanging fruit. We wish we did not have to tackle issues such as forbidding the use of universal default passwords, ensuring that manufacturers provide a contact point for security researchers, and making sure that consumers are informed at the point of sale of the minimum length of time for which security updates are provided for their device. Those measures address some of the issues raised by the hon. Member for Newcastle upon Tyne Central, and we would like to go further in due course. We will respond on what that will look like as soon as possible after the consultation.

We are advocating a staged approach to enforcing those principles through regulation. Obviously, there is always a balance to be struck between regulation and legislation, and in this case I think it will be a bit of both. We will publish the formal response to our consultation on the regulatory approach later this year, but we are mindful of the urgency of this work. Our approach must keep pace with the technological change identified by the hon. Lady. We have said that we will review the code of practice every two years. The development of the code of practice may not sound exciting, but as the hon. Lady acknowledged, and as the hon. Member for Dagenham and Rainham said, these things are hugely far reaching, even if they do not sound as exciting as some people might wish, because then they would attract the attention they perhaps deserve.

There is major business support for our approach, including from the signatories to the cyber-security tech accord. I always hesitate to say “major business support”, because businesses will not always necessarily greet with enthusiasm the actions of a sensible regulator. Some would say that this is a sign of success. We will develop the strategy, but ultimately the security of the internet of things is a global challenge and it requires a global effort to get it right and to shape those norms.

In February 2019 we worked closely with international standards bodies and the National Cyber Security Centre to make sure that we publish the ETSI standard to which the hon. Lady referred, though without the complementary tone it deserves. None the less, I understand her point.

We do not think it is right to expect all users of all internet-connected devices to become cyber-security experts, and we recognise the need to take from them the burden of differentiating between good and bad. That is why we have been clear with industry what good practices will look like, and we wish to support manufacturers of all sizes to embed them and to support retailers to make sure that they are obvious.

Matt Warman Portrait Matt Warman
- Hansard - -

I will give way to the hon. Lady, but she does not have long.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank the Minister for giving way. In the absence of any time to sum up, I want to thank him for his comments and to confirm that I will write to him with my list of questions so that he can answer them in full. Will the regulatory horizons council cover all regulation with regard to technology or only that relating to manufacturing, and does he agree that this is about not only consumer data but citizen data, because it relates to Government as well?

Matt Warman Portrait Matt Warman
- Hansard - -

I absolutely agree with the hon. Lady’s second point. The council will, of course, be wide ranging. I look forward to answering her comprehensive list of questions, and I will be grateful to Hansard for providing clarity on them.

Finally, in response to the intervention from the hon. Member for Cambridge, this Government do not think there is a choice between innovation and security. We have to make those two complement each other. That is at the core of our strategy and will continue to be so, and I would hope that we can move forward together with the cross-party consensus to which the hon. Member for Newcastle upon Tyne Central alluded.

Question put and agreed to.

Resolved,

That this House has considered regulating the internet of things.