Product Security and Telecommunications Infrastructure Bill (Second sitting) Debate

Full Debate: Read Full Debate
Department: Department for Digital, Culture, Media & Sport

Ruth Edwards

Main Page: Ruth Edwards (Conservative - Rushcliffe)

Department Debates - View all Ruth Edwards's debates with the Department for Digital, Culture, Media & Sport


Product Security and Telecommunications Infrastructure Bill (First sitting)

Product Security and Telecommunications Infrastructure Bill (Second sitting)

Ruth Edwards Excerpts

Future Day:
Thu 17th Mar 2022
Product Security and Telecommunications Infrastructure Bill (Third sitting)
Committee stage & Committee Debates: 2nd sitting
Tuesday 15th March 2022

(2 years, 1 month ago)

Public Bill Committees
Share Debate
Read Full debate Product Security and Telecommunications Infrastructure Act 2022 View all Product Security and Telecommunications Infrastructure Act 2022 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 15 March 2022 - (15 Mar 2022)
Chris Elmore Portrait Chris Elmore (Ogmore) (Lab)
- Hansard -
- - Excerpts

Q To keep the conversation on consumers, eBay, Amazon and other platforms are not part of this Bill, but an awful lot of research out there suggests that they do not regulate what they sell. There are an awful lot of suggestions from organisations like Which?, whom we are meeting later, that those platforms’ markets are often flooded with devices that are not secure, but are cheaper. Again, to go back to your comment about how security should not just be for the rich, if someone is looking for a cheaper type of product, they can go there and their thought will not be about security, but about how shiny and new, or refurbished, it is—how it looks very good and the same as what the other child in the class has, and so on. What are your views about looking at the online marketplaces? Is that the next step, through secondary legislation or this Bill? Should they be as responsible as the manufacturers, if they are wilfully selling products that they know are not secure?

In that vein, is there something in the idea of a reporting mechanism—either by the Department or some sort of regulator, annually or however long is appropriate—for whether these organisations and manufacturers are working to the standards that you so strongly set out? They have had years to deal with the standards, but many are still not doing it. I am suggesting naming and shaming, if you will, to give consumers better informed decisions.

A lot of people borrow money to buy these devices. On Second Reading, I expressed a concern that many people will look in a retailer or online, and go, “If that doesn’t exist for this much time—if it only has two years on it and the loan is three years—why am I bothering to purchase it if it is obsolete in that time?” That is a concern that many people have. Consumers potentially do not know what this or that means, but they know what “security” means, and if they think something is not secure, then, as Professor Carr mentioned, they think, “Well, I won’t bother having that product, because it isn’t safe”, because that is how they view the word “security”, which is logical, but not necessarily the best option given what they are looking for. There are several questions in there, forgive me, but they are interconnected with what the Minister was saying.

Professor Carr: I will try to answer as many as I can, as well as I can. I am sure that David has comments as well.

On educating consumers, that question of “Will the loan outlast my device?” is a very astute one, because consumers do not need to understand—they never will—all the ins and outs of phone or device security, but that is a very pragmatic response: “What actually am I buying? I am spending for three years to buy two years of a phone.” That type of consumer education will snowball when people are presented with information on how long the device will last and asked, “Is that what you want?”

I guess online markets are already regulated. There are things that we cannot buy in the UK and that cannot be shipped here. It would certainly have to be a consideration that, ideally, devices that did not meet UK standards were not able to be shipped to the UK, but I guess that is the case with many consumer goods that we cannot buy online. There is a tendency to blame business in this scenario and to see manufacturers as careless or irresponsible, which surely some of them are. However, it is also the reality that businesses have to make a careful calculation on how they invest. If it costs more to produce a product and they are answerable to shareholders, they have to have a conversation about why they are spending more on a device that is already selling well and returning a profit. I am not saying that that is the way it should be, but that is the way the free market works.

Look at what happened with GDPR. In my work, we work a lot with senior business leaders and talk to them about how they respond to cyber-security regulations. They did not push back against GDPR or see it as terribly negative; they saw that it unlocked budget for them to use, because they could quantify what percentage of their global turnover a data breach would cost or what the fine could amount to. They can take that calculation to the board, and say, “Right—we mustn’t have a breach or it would cost this much. How secure do we feel we are?” That is where such regulations can have a very positive effect on industries that would like to comply but cannot just invest in all the different aspects of a device without some justification. This gives that justification. It unlocks that funding in those board conversations about where investment in products should go.

David Rogers: Just to address the Amazon/eBay question, I have seen all this stuff. I have bought some of it to have a look at. A lot of counterfeit and substandard—the Chinese call them Shanzhai—products are available. I have conversations in which people say, “This is about buyer beware. You’d never buy a £9.99 smart watch. You should know that that’s going to be dodgy,” but as you said, people cannot necessarily afford it. There is a peer pressure element to it, and there is a sort of endorsement by the brand. If you go to Amazon, you expect it to be a quality product, so people are lulled into that sense of security that what they are getting is quality. In some cases, that is not the case. I fully agree that the companies that are retailing this stuff cannot just lay the blame at the door of the companies that are stocking and selling it. If it is on Amazon Prime, surely Amazon has a responsibility over that.

Earlier, Dave mentioned different regulatory regimes and that there may be some fragmentation around the world. I actually think that there is probably a lot of alignment and harmony. There has been a lot of work between DCMS and the National Institute of Standards and Technology in the US, so there is a broad understanding of what good looks like. If, either through some self-declaratory measure or by some endorsed mechanism of compliance, those companies are told to come up with a compliance statement, that helps the likes of Amazon and eBay to select their suppliers appropriately and then to remove them from their stores more easily. At the moment, it is kind of a wild west. They do not have any questions or answers.

Ruth Edwards Portrait Ruth Edwards (Rushcliffe) (Con)
- Hansard -
-

Q Professor Carr, you made some really interesting comments about the balance between regulation and innovation, and how it is not always as it is portrayed to be. Do you think the Bill strikes the right balance in those areas? Is there anything missing from it that should be in there?

Professor Carr: I think the Bill would be a hugely positive step. There is a lot more to be done in terms of regulating emerging technologies. As I said earlier, the UK is a country at the forefront of thinking about these issues and taking action. It is new territory, because we are not used to legislating about these things; it seems somehow interventionist, or that it stifles innovation. Actually, digital technologies have become so integrated into every aspect of our lives, from the most personal level to infrastructure, and we have not caught up with that in what we see as the acceptable responsibility of the Government, of individuals and of industry.

There has very much been a narrative that Governments need to stay out of this area. I think that is very dangerous and wrong, because that is how we have ended up in the situation we have been in. It is certainly a balance between those parties—Government, civil society and industry—but we are a long way from having that balance right. Governments are beginning to see that there is a mandate and that they have a responsibility. We see that not just in the UK, but certainly in the US, Australia, the EU. But there is a long way to go.

Ruth Edwards Portrait Ruth Edwards
- Hansard -
-

Q Are there other specific security measures that you would like to see in the Bill?

Professor Carr: I would like to see the range of devices extended—in particular, where it talks about toys and safety devices. There is a whole category of other devices that should be included, particularly when we think about children. There is a market emerging now for tracking devices for children, or these phones, which are not really phones but communication devices. I think the scope of the devices should be expanded.

If I had a magic wand and it was up to me, I would say that devices had to be supported for a minimum time. Otherwise, you end up with the very distasteful scenario that we were just talking about, where people who are less resourced are buying less secure devices and living less secure lives. I would like to see a minimum time that devices had to be supported.

I would say those two; I would go much further, but it is a good start.

Ruth Edwards Portrait Ruth Edwards
- Hansard -
-

Q Thank you. Mr Rogers, I think you mentioned that four out of five IoT manufacturers still do not have a vulnerability disclosure programme—correct me if I am wrong. I want to put something to you that we received in written evidence from techUK, who gave evidence to the Committee this morning. In its written evidence, it says:

“Current proposals risk unintended consequences for manufacturers and consumers”.

It points particularly to security requirement 2, which is to implement a means to manage reports of vulnerabilities, and notes:

“On vulnerability reporting, not all reports/vulnerabilities will require intervention. The Enforcement Body needs to carefully consider when to alert the public about security risks to ensure associated devices are not viewed as obsolete or that vulnerabilities yet to be mitigated are advertised to threat actors.”

What is your response?

David Rogers: I will be frank: I think they have misunderstood what vulnerability disclosure is. As I mentioned, there is an ISO specification for this. The security research community and the hacking community have been campaigning for this for years and years. It is well established. A lot of the bigger tech companies have recognised that this is the right way to deal with things. I am sure that you understand vulnerability disclosure, but the process is that if a security researcher or hacker discovers a vulnerability, they have an easy way to report that to the company confidentially. That process typically takes anything from 30 days to 90 days. At the end of that process, a fix is issued, if that is possible. It may even extend for a longer time if it involves other companies. Then the security researcher is able to go public with their work, but that is only after a fix is issued. This has been fought out over a long period, and is the right way of doing things. It is agreed between the hacking and the tech communities.

There may be some education work to be done for those manufacturers who do not understand that this is the right thing to do. They should be implementing vulnerability management schemes internally anyway. I think John Moor mentioned this morning that it is about quality. It is about good software quality measures and good software design. We have seen some really catastrophic problems caused by vulnerabilities that have been sitting there for years. That is the old world. We need to move on from that. The new world is about continuous software updates and a continuous product security lifecycle. People cannot just ship and dump products on to the market and leave them there.

None Portrait The Chair
- Hansard -

Can I bring in Kevin Brennan, as we only have four minutes before this panel comes to an end?

--- Later in debate ---
Ruth Edwards Portrait Ruth Edwards
- Hansard -
-

Q Ms Concha, you represent the consumer perspective. I wanted to ask about some concerns around labelling that were put to us this morning. In particular, Google mentioned that it has concerns about having a static label on the product because security information changes all the time—a product might be fine today, but it could discover a vulnerability about it tomorrow. It strikes me that we are dealing with a really wide range of security awareness, and ability to use and understand technology among consumers. Google suggested a sort of live label, such as a QR code, which could give the real-time security status. What do you think is the best way to communicate security information to consumers—such as the information in requirement 3, about the minimum time for which a product will receive security updates—bearing in mind the huge range of understanding and ability that we have in this area?

Rocio Concha: Is this about the length of time a product will be supported for? That information should be provided clearly at the point of sale, before you make a decision, so that you know you are going to buy something that may be supported for only two years, versus another product that may be supported for longer. That will hopefully provide everyone with the incentive to extend the number of years for which a product is supported.

We also need to make sure that that information is very clear. We should avoid “up to three years” and “for the lifetime of the product”, which do not really mean much for the consumer. For the consumer to be able to act on that information, it has to be very clear and easy to find when they are making that decision. That is what I would say.

On changing the security, I am a little worried about the industry saying that it may change the period during which a product will be supported. If that change is to extend that period—great; if it is to reduce it, that is very bad. At that point, the consumer has made a decision and bought a product because that product was going to be supported for longer.

If someone was told that a product would be supported for four years, and they later found out it was two years, that product would not be fit for purpose. Under the Consumer Rights Act, you have a right on the same grounds as the Consumer Protection Act 1987.

None Portrait The Chair
- Hansard -

If there are no further questions from Committee members, that brings today’s sitting to a close. On behalf of the Committee, I thank the witnesses for their evidence this afternoon. The Committee will meet again on Thursday at 11.30 am in Committee Room 14 to begin line-by-line consideration of the Bill.

Ordered, That further consideration be now adjourned. —(Steve Double.)

Return to start of debate - Return to top of page