Product Security and Telecommunications Infrastructure Bill (First sitting) Debate

Full Debate: Read Full Debate
Department: Department for Digital, Culture, Media & Sport

Product Security and Telecommunications Infrastructure Bill (First sitting)

Ruth Edwards Excerpts
None Portrait The Chair
- Hansard -

Copies of written evidence that the Committee receives will be made available in the Committee Room and circulated to members by email. I would usually call on the Minister at this stage to move the motion for the Committee to sit in private, but I do not think that the Front Benchers on either side want to move into a private session, so we will continue sitting in public and the proceedings are still being broadcast. Before we start hearing from the witnesses, do any hon. Members wish to make declarations of interest in connection with the Bill?

Ruth Edwards Portrait Ruth Edwards (Rushcliffe) (Con)
- Hansard - -

I am a former worker in the cyber-security industry, and have worked for a couple of the witnesses giving evidence today. One is techUK; I have also worked for BT, which of course owns Openreach. I also draw the Committee’s attention to my entry in the Register of Members’ Financial Interests: I undertook some work in cyber-security for MHR between May and December last year.

None Portrait The Chair
- Hansard -

Thank you. The Clerks will note that declaration from Ruth Edwards; and Ruth, if you wish to refer to it later in the proceedings, do so.

--- Later in debate ---
None Portrait The Chair
- Hansard -

Thank you. Will any Members wishing to ask questions please indicate that? Ruth Edwards.

Ruth Edwards Portrait Ruth Edwards
- Hansard - -

Q I refer the Committee to my previous declaration of interest. Ms Turley, I want to ask a point of clarification, please. You mentioned that 33,000 site owners across the country were affected by the legislation. Is that 33,000 site owners in total or 33,000 whom you believe have been particularly badly affected?

Anna Turley: That is in total.

Ruth Edwards Portrait Ruth Edwards
- Hansard - -

Q And roughly what proportion of them have reached out to your campaign?

Anna Turley: Well, we know that a third of them have had reductions of around 90% or 95%; that is from our own survey approaches. Going back to the Minister’s first question, I could write to the Committee afterwards with the exact number. Thousands of people have written to us through social media and email, and have responded to our website. I do not have a total number for all those who have contacted us, but there are thousands of case studies across the country.

Ruth Edwards Portrait Ruth Edwards
- Hansard - -

You must have a rough idea. Is it something like 10% or 50%?

Anna Turley: I would say that probably about 4,000 people have reached out to us, but again, people have to be aware of our campaign. They have to have found us—come across us on social media. They have to have been engaged with us. It does not mean that there are not an awful lot of people sitting and suffering in silence. Part of the reason for setting up this campaign was that there were people who were just in despair and really struggling. Our campaign was set up to give them a voice and to give them access. I think this is really important. When the legislation was made previously, you were hearing only from mobile operators—those on the other side. There is no roll-out and no connectivity without people hosting a site on their lands. These people are fundamental to us hitting our targets, and we need to make sure their voices are heard in this campaign.

Ruth Edwards Portrait Ruth Edwards
- Hansard - -

Q How does the current rent valuation for phone masts compare to rents that other utility providers pay to landowners?

Anna Turley: I am not sure about that, but I know that internationally we compare very well. Our rents pre-2017 were not significantly higher than those in other countries, like Germany, Spain, Italy and others that are substantially ahead of us in the roll-out. I do not believe, and evidence does not suggest, that cutting these rents has actually increased our roll-out and our connectivity.

If you want to make the comparison with other utilities companies, the issue for all of those is that they are very tightly regulated industries, whereas there is very little regulation, and very little accountability and transparency, on the telecoms industries. If they are to become an essential utility—that may be the way we go, down the line—it is fundamental that the same kind of transparency, accountability and regulation is placed on them as is placed on utilities at the moment. That is not the case. We have no idea whether the savings that have been made through this have been reinvested in new infrastructure. There is no onus on these companies to do that. The Government are continuing to subsidise them with things like the shared rural network. It seems to be money after money towards these companies, without any indication of whether that money is actually being invested in helping us to achieve our connectivity outcomes.

Ruth Edwards Portrait Ruth Edwards
- Hansard - -

Q Tell me more about your campaign. How is the organisation set up?

Anna Turley: We are funded by an organisation called APW, which is a company that is a telecoms—sorry, a company that owns a land infrastructure itself. But as I say, we are supported by colleagues like the NFU, the CLA and others who back our campaign, and we represent all the site owners that have contacted us over this time to get their voices heard.

There are huge organisations, like Speed Up Britain and Mobile UK, that have very good connections with Government and are able to lobby and present their side of the argument. Until Protect and Connect was set up, there was no collective voice—no unified way in which site owners could speak to Government and tell their story. I think it is really important that we hear about this. I have examples here of constituents of your own who are saying, “We have telecoms masts. In view of the impact on our rent, I would certainly not have allowed the siting of masts on my property.” A number of people and organisations around the country would not have had this voice if we were not providing this campaign.

Ruth Edwards Portrait Ruth Edwards
- Hansard - -

Q Is APW APWireless?

Anna Turley: Yes.

Ruth Edwards Portrait Ruth Edwards
- Hansard - -

So that’s the phone mast lease investment firm?

Anna Turley: Yes.

Ruth Edwards Portrait Ruth Edwards
- Hansard - -

What’s their interest in this?

Anna Turley: Obviously they are a site provider—

Ruth Edwards Portrait Ruth Edwards
- Hansard - -

So they would stand to gain substantially financially if we increased rent valuations.

Anna Turley: They have been losing substantially since 2017, so, yes, of course there is a financial interest. The point of the campaign is that they, by themselves, do not have a voice, and without their funding this campaign neither would all the other affected organisations—charities, community groups and others. If a representative of Speed Up Britain were here, you would recognise that there is a financial interest for mobile operators as well.

We have been very clear about the issue. Of course, the valuation is important and the money is important. I am a member of the campaign because bad policy has been developed over the past few years that has basically put all the power in the hands of a large number of mobile operators. Ordinary people around the country have been absolutely hammered by that and have not had the opportunity to express the impact on their lives and livelihoods. The campaign is a really important one to address that balance.

Ruth Edwards Portrait Ruth Edwards
- Hansard - -

Just to be clear, I do not think that there is anything wrong with APWireless lobbying for their interest; like you say, big telcos would as well. For clarity and transparency, however, I think it is important for people to note that Protect and Connect does not just represent small landowners and community groups; it also represents APWireless, which describes itself as one of the world’s leading mast lease investment firms, with thousands of leases in 21 countries across the world. I think it important that we have that on the record.

Anna Turley: Absolutely; no problem with that.

None Portrait The Chair
- Hansard -

I remind Members that we should confine ourselves to questions, not to straightforward dialogue.

Product Security and Telecommunications Infrastructure Bill (Second sitting) Debate

Full Debate: Read Full Debate
Department: Department for Digital, Culture, Media & Sport

Product Security and Telecommunications Infrastructure Bill (Second sitting)

Ruth Edwards Excerpts
Committee stage & Committee Debates: 2nd sitting
Tuesday 15th March 2022

(2 years, 9 months ago)

Public Bill Committees
Read Full debate Product Security and Telecommunications Infrastructure Act 2022 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 15 March 2022 - (15 Mar 2022)
Chris Elmore Portrait Chris Elmore (Ogmore) (Lab)
- Hansard - - - Excerpts

Q To keep the conversation on consumers, eBay, Amazon and other platforms are not part of this Bill, but an awful lot of research out there suggests that they do not regulate what they sell. There are an awful lot of suggestions from organisations like Which?, whom we are meeting later, that those platforms’ markets are often flooded with devices that are not secure, but are cheaper. Again, to go back to your comment about how security should not just be for the rich, if someone is looking for a cheaper type of product, they can go there and their thought will not be about security, but about how shiny and new, or refurbished, it is—how it looks very good and the same as what the other child in the class has, and so on. What are your views about looking at the online marketplaces? Is that the next step, through secondary legislation or this Bill? Should they be as responsible as the manufacturers, if they are wilfully selling products that they know are not secure?

In that vein, is there something in the idea of a reporting mechanism—either by the Department or some sort of regulator, annually or however long is appropriate—for whether these organisations and manufacturers are working to the standards that you so strongly set out? They have had years to deal with the standards, but many are still not doing it. I am suggesting naming and shaming, if you will, to give consumers better informed decisions.

A lot of people borrow money to buy these devices. On Second Reading, I expressed a concern that many people will look in a retailer or online, and go, “If that doesn’t exist for this much time—if it only has two years on it and the loan is three years—why am I bothering to purchase it if it is obsolete in that time?” That is a concern that many people have. Consumers potentially do not know what this or that means, but they know what “security” means, and if they think something is not secure, then, as Professor Carr mentioned, they think, “Well, I won’t bother having that product, because it isn’t safe”, because that is how they view the word “security”, which is logical, but not necessarily the best option given what they are looking for. There are several questions in there, forgive me, but they are interconnected with what the Minister was saying.

Professor Carr: I will try to answer as many as I can, as well as I can. I am sure that David has comments as well.

On educating consumers, that question of “Will the loan outlast my device?” is a very astute one, because consumers do not need to understand—they never will—all the ins and outs of phone or device security, but that is a very pragmatic response: “What actually am I buying? I am spending for three years to buy two years of a phone.” That type of consumer education will snowball when people are presented with information on how long the device will last and asked, “Is that what you want?”

I guess online markets are already regulated. There are things that we cannot buy in the UK and that cannot be shipped here. It would certainly have to be a consideration that, ideally, devices that did not meet UK standards were not able to be shipped to the UK, but I guess that is the case with many consumer goods that we cannot buy online. There is a tendency to blame business in this scenario and to see manufacturers as careless or irresponsible, which surely some of them are. However, it is also the reality that businesses have to make a careful calculation on how they invest. If it costs more to produce a product and they are answerable to shareholders, they have to have a conversation about why they are spending more on a device that is already selling well and returning a profit. I am not saying that that is the way it should be, but that is the way the free market works.

Look at what happened with GDPR. In my work, we work a lot with senior business leaders and talk to them about how they respond to cyber-security regulations. They did not push back against GDPR or see it as terribly negative; they saw that it unlocked budget for them to use, because they could quantify what percentage of their global turnover a data breach would cost or what the fine could amount to. They can take that calculation to the board, and say, “Right—we mustn’t have a breach or it would cost this much. How secure do we feel we are?” That is where such regulations can have a very positive effect on industries that would like to comply but cannot just invest in all the different aspects of a device without some justification. This gives that justification. It unlocks that funding in those board conversations about where investment in products should go.

David Rogers: Just to address the Amazon/eBay question, I have seen all this stuff. I have bought some of it to have a look at. A lot of counterfeit and substandard—the Chinese call them Shanzhai—products are available. I have conversations in which people say, “This is about buyer beware. You’d never buy a £9.99 smart watch. You should know that that’s going to be dodgy,” but as you said, people cannot necessarily afford it. There is a peer pressure element to it, and there is a sort of endorsement by the brand. If you go to Amazon, you expect it to be a quality product, so people are lulled into that sense of security that what they are getting is quality. In some cases, that is not the case. I fully agree that the companies that are retailing this stuff cannot just lay the blame at the door of the companies that are stocking and selling it. If it is on Amazon Prime, surely Amazon has a responsibility over that.

Earlier, Dave mentioned different regulatory regimes and that there may be some fragmentation around the world. I actually think that there is probably a lot of alignment and harmony. There has been a lot of work between DCMS and the National Institute of Standards and Technology in the US, so there is a broad understanding of what good looks like. If, either through some self-declaratory measure or by some endorsed mechanism of compliance, those companies are told to come up with a compliance statement, that helps the likes of Amazon and eBay to select their suppliers appropriately and then to remove them from their stores more easily. At the moment, it is kind of a wild west. They do not have any questions or answers.

Ruth Edwards Portrait Ruth Edwards (Rushcliffe) (Con)
- Hansard - -

Q Professor Carr, you made some really interesting comments about the balance between regulation and innovation, and how it is not always as it is portrayed to be. Do you think the Bill strikes the right balance in those areas? Is there anything missing from it that should be in there?

Professor Carr: I think the Bill would be a hugely positive step. There is a lot more to be done in terms of regulating emerging technologies. As I said earlier, the UK is a country at the forefront of thinking about these issues and taking action. It is new territory, because we are not used to legislating about these things; it seems somehow interventionist, or that it stifles innovation. Actually, digital technologies have become so integrated into every aspect of our lives, from the most personal level to infrastructure, and we have not caught up with that in what we see as the acceptable responsibility of the Government, of individuals and of industry.

There has very much been a narrative that Governments need to stay out of this area. I think that is very dangerous and wrong, because that is how we have ended up in the situation we have been in. It is certainly a balance between those parties—Government, civil society and industry—but we are a long way from having that balance right. Governments are beginning to see that there is a mandate and that they have a responsibility. We see that not just in the UK, but certainly in the US, Australia, the EU. But there is a long way to go.

Ruth Edwards Portrait Ruth Edwards
- Hansard - -

Q Are there other specific security measures that you would like to see in the Bill?

Professor Carr: I would like to see the range of devices extended—in particular, where it talks about toys and safety devices. There is a whole category of other devices that should be included, particularly when we think about children. There is a market emerging now for tracking devices for children, or these phones, which are not really phones but communication devices. I think the scope of the devices should be expanded.

If I had a magic wand and it was up to me, I would say that devices had to be supported for a minimum time. Otherwise, you end up with the very distasteful scenario that we were just talking about, where people who are less resourced are buying less secure devices and living less secure lives. I would like to see a minimum time that devices had to be supported.

I would say those two; I would go much further, but it is a good start.

Ruth Edwards Portrait Ruth Edwards
- Hansard - -

Q Thank you. Mr Rogers, I think you mentioned that four out of five IoT manufacturers still do not have a vulnerability disclosure programme—correct me if I am wrong. I want to put something to you that we received in written evidence from techUK, who gave evidence to the Committee this morning. In its written evidence, it says:

“Current proposals risk unintended consequences for manufacturers and consumers”.

It points particularly to security requirement 2, which is to implement a means to manage reports of vulnerabilities, and notes:

“On vulnerability reporting, not all reports/vulnerabilities will require intervention. The Enforcement Body needs to carefully consider when to alert the public about security risks to ensure associated devices are not viewed as obsolete or that vulnerabilities yet to be mitigated are advertised to threat actors.”

What is your response?

David Rogers: I will be frank: I think they have misunderstood what vulnerability disclosure is. As I mentioned, there is an ISO specification for this. The security research community and the hacking community have been campaigning for this for years and years. It is well established. A lot of the bigger tech companies have recognised that this is the right way to deal with things. I am sure that you understand vulnerability disclosure, but the process is that if a security researcher or hacker discovers a vulnerability, they have an easy way to report that to the company confidentially. That process typically takes anything from 30 days to 90 days. At the end of that process, a fix is issued, if that is possible. It may even extend for a longer time if it involves other companies. Then the security researcher is able to go public with their work, but that is only after a fix is issued. This has been fought out over a long period, and is the right way of doing things. It is agreed between the hacking and the tech communities.

There may be some education work to be done for those manufacturers who do not understand that this is the right thing to do. They should be implementing vulnerability management schemes internally anyway. I think John Moor mentioned this morning that it is about quality. It is about good software quality measures and good software design. We have seen some really catastrophic problems caused by vulnerabilities that have been sitting there for years. That is the old world. We need to move on from that. The new world is about continuous software updates and a continuous product security lifecycle. People cannot just ship and dump products on to the market and leave them there.

None Portrait The Chair
- Hansard -

Can I bring in Kevin Brennan, as we only have four minutes before this panel comes to an end?

--- Later in debate ---
Ruth Edwards Portrait Ruth Edwards
- Hansard - -

Q Ms Concha, you represent the consumer perspective. I wanted to ask about some concerns around labelling that were put to us this morning. In particular, Google mentioned that it has concerns about having a static label on the product because security information changes all the time—a product might be fine today, but it could discover a vulnerability about it tomorrow. It strikes me that we are dealing with a really wide range of security awareness, and ability to use and understand technology among consumers. Google suggested a sort of live label, such as a QR code, which could give the real-time security status. What do you think is the best way to communicate security information to consumers—such as the information in requirement 3, about the minimum time for which a product will receive security updates—bearing in mind the huge range of understanding and ability that we have in this area?

Rocio Concha: Is this about the length of time a product will be supported for? That information should be provided clearly at the point of sale, before you make a decision, so that you know you are going to buy something that may be supported for only two years, versus another product that may be supported for longer. That will hopefully provide everyone with the incentive to extend the number of years for which a product is supported.

We also need to make sure that that information is very clear. We should avoid “up to three years” and “for the lifetime of the product”, which do not really mean much for the consumer. For the consumer to be able to act on that information, it has to be very clear and easy to find when they are making that decision. That is what I would say.

On changing the security, I am a little worried about the industry saying that it may change the period during which a product will be supported. If that change is to extend that period—great; if it is to reduce it, that is very bad. At that point, the consumer has made a decision and bought a product because that product was going to be supported for longer.

If someone was told that a product would be supported for four years, and they later found out it was two years, that product would not be fit for purpose. Under the Consumer Rights Act, you have a right on the same grounds as the Consumer Protection Act 1987.

None Portrait The Chair
- Hansard -

If there are no further questions from Committee members, that brings today’s sitting to a close. On behalf of the Committee, I thank the witnesses for their evidence this afternoon. The Committee will meet again on Thursday at 11.30 am in Committee Room 14 to begin line-by-line consideration of the Bill.

Ordered, That further consideration be now adjourned. —(Steve Double.)

Product Security and Telecommunications Infrastructure Bill (Third sitting) Debate

Full Debate: Read Full Debate
Department: Department for Digital, Culture, Media & Sport

Product Security and Telecommunications Infrastructure Bill (Third sitting)

Ruth Edwards Excerpts
Julia Lopez Portrait Julia Lopez
- Hansard - - - Excerpts

I thank the hon. Member for tabling these amendments. I represent an urban constituency and, as the Minister for digital connectivity, I am very alive to any concerns about the digital divide. I have tested the legislation to make sure that we are not exacerbating that. The amendments relate to circumstances in which an operator can upgrade or share the use of their apparatus without specific permission from a landowner or a court order. Crucially, the amendments relate to rights that the Bill grants retrospectively to agreements that are already in place. The amendment seeks to expand those rights in circumstances where apparatus is situated on, under or over land owned by private landlords.

Retrospective legislation must take particular care to strike a balance between impacts on individual rights and any public benefit that the legislation aims to deliver. The Government believe at this time that expanding retrospective upgrading and sharing rights in the way these amendments suggest would not be justified. Upgrading and sharing electronic communications apparatus offers a wide range of substantial benefits. Those are benefits that the Government specifically recognised in their 2017 reforms, when limited automatic rights were introduced for operators to upgrade and share their apparatus. The exercise of the new upgrading and sharing rights was made subject to certain conditions. Those conditions were intended to strike the right balance between the rights of individual landowners hosting apparatus and the public benefits delivered by operators upgrading and sharing their apparatus.

The changes made in the 2017 reforms therefore permit upgrading and sharing to take place without a landowner’s specific consent only where any impacts on that individual will be limited. However, it was recognised that any use of those rights could have some impact, albeit very limited, on individual landowners.

Ruth Edwards Portrait Ruth Edwards (Rushcliffe) (Con)
- Hansard - -

I remind the Committee of the declaration of interest that I made: I have worked for a number of providers, including BT and techUK, that will be affected by the legislation, and I carried out cyber-security consulting for MHR last year. I agree with the Minister about the need to seek a balance between the rights of landowners and the rights of operators. However, we cannot lose sight of the fact—this is a point she has been making powerfully—that we must get behind upgrading our digital infrastructure as fast as is practicably possible.

I am aware that we are about to debate amendment 8, which would make it more expensive for operators to access land, and put them at a disadvantage compared with other utility companies. Does the Minister agree that adopting amendments 9 to 12—and then 8—would risk sending a mixed signal to the market? On the one hand we are making it more expensive and difficult for our operators to access land, but on the other hand we are rolling back the scrutiny that they have to access private property at the moment.

None Portrait The Chair
- Hansard -

Before I call the Minister, I will take this opportunity to say that interventions should be relatively short and to the point. It will not be difficult for hon. Members to catch my eye to make points in a debate if they wish to.

Product Security and Telecommunications Infrastructure Bill Debate

Full Debate: Read Full Debate
Department: Department for Digital, Culture, Media & Sport

Product Security and Telecommunications Infrastructure Bill

Ruth Edwards Excerpts
Chris Elmore Portrait Chris Elmore (Ogmore) (Lab)
- View Speech - Hansard - - - Excerpts

You will be aware, Madam Deputy Speaker, that I have spent at least the last five and a half years as an Opposition Whip encouraging brevity, so I do not intend to keep the House too long. I will keep my remarks short and hopefully to the point. As I said on Second Reading and in Committee, I will not pretend that the Opposition do not support the wider principles of the Bill. I thank the Minister for the constructive way in which she has engaged on it with me from the outset.

I turn to the new clauses and amendments. New clause 1 is an improvement on the Government’s first attempt to change the definition of “occupier”, but the changes put forward are still not watertight when it comes to preventing unintended consequences. The new clause does not address the underlying issue that operators could theoretically use it in situations other than when existing agreements have expired, which could lead to financial consequences for small site providers who have been hard done by since the electronic communications code review in 2017. More work is needed when the Bill moves to the other place to ensure it does not unintentionally punish site providers further. We have no issue with the proposal in new clause 2 that grants the Secretary of State power to make regulations that provide for a function conferred by the code on the court to be exercisable in relation to Wales by the first-tier tribunal.

I will speak to amendment 14 on behalf of my hon. Friend the Member for Hackney South and Shoreditch (Dame Meg Hillier). She sends her apologies to the House; she is chairing the Public Accounts Committee. We have checked with the Clerks and the Speaker’s Office to check that that is appropriate. That amendment, and the consequential amendments 15, 16 and 17, seek to apply a different regime under the electronic communications code to private landlords. They would give operators automatic upgrade rights in respect of properties owned by private landlords, subject to the strict condition that the upgrading imposes no additional burden on the other party to the agreement.

The growing digital divide in our towns and cities has only been exacerbated by the pandemic. The Government’s broadband target has been downgraded twice, and the Digital, Culture, Media and Sport Committee doubts that the current 85% gigabit target will be met. The backlog is due to the difficulty in accessing a high number of properties, a disproportionate number of which are flats, whose absentee landlords have little to no incentive to respond to requests to upgrade and improve connectivity.

Ruth Edwards Portrait Ruth Edwards (Rushcliffe) (Con)
- Hansard - -

I have complete sympathy with the intention behind the amendments and with what the hon. Gentleman is trying to do, but many providers whom we have spoken to throughout the Bill’s passage oppose them on the grounds that they will give the incumbent provider an advantage. Is he concerned that an unintended consequence of his amendments might be to make it more difficult for new competitors to enter the market and provide our constituents with the services that they need?

Chris Elmore Portrait Chris Elmore
- Hansard - - - Excerpts

I welcome competition in the market, but I would say to the hon. Lady that we now have broadband blackspots in parts of central London, and 15% of the constituency of the hon. Member for Hastings and Rye (Sally-Ann Hart) has these MDU blackspots. This is affecting constituents up and down the land, and the demand from all our constituencies, particularly because of the pandemic, is that we require the very best sector-leading broadband. It cannot simply be the case that some operators say this must happen and some say it should not happen, therefore nothing is resolved.